unsolicited email(s)

Just seconds ago I received an email regarding research on people working at home; a student seems to have sent this to me and approx. 20 other people. This email was sent unsolicited, without any mention of how the addresses were collected; the recipients were all displayed in the TO list of the email; there were mentions of “strict confidence” and “assured anonymity”. As a certified CISSP engineer, I would like to point out a few things so that people can learn from this and be properly educated (it might seem a little over the top to you, but if the entire world starts acting like this, then we have a serious problem):

The reason I point this out is that I have a severe issue with the mail and attitude displayed; whilst the student seems to do the right thing she obviously made a few errors:

First of all: IF you send an email like this, make sure you have the proper authorisation to do so. I am not one of the people who wish to receive this kind of email; and if I want to, I will search for them myself (I am included in several research projects in which I can give my opinion and fill in forms).

Secondly: the email addresses of all recipients are displayed without even trying to mask them. This is a problem. If someone gets infected with a virus or malware, it can potentially harm all recipients and the people in their mailbox. Those people did not ask for that kind of thing (neither did the one who gets hit by this in the first place). There is a simple measure that reduces a lot of the risk involved: BLIND COPY everyone [BCC]. If you blind copy everyone, then the others are unaware and only a little risk remains of people getting hurt.
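The difference between the two ways of addressing the same mailing, as an added example that is not part of the original post: with blind copy the recipient list travels only in the SMTP envelope, so no recipient can read another's address in the headers. The sender address, the recipient addresses and all function names are constructed placeholders.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data: placeholder sender and 20 placeholder recipients.
SENDER = "researcher@example.org"
RECIPIENTS = [f"person{i}@example.net" for i in range(1, 21)]


def exposed_addresses(msg):
    """Return every address that any recipient can read in the To/Cc headers."""
    fields = [str(v) for v in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return sorted({addr.lower() for _, addr in getaddresses(fields) if addr})


def build_exposing(sender, recipients, subject, body):
    """The pattern criticised above: every recipient listed in To."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def build_blind(sender, recipients, subject, body):
    """Blind copy: recipients are kept out of the headers entirely."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender  # the visible header names only the sender
    msg["Subject"] = subject
    msg.set_content(body)
    # The second value is the envelope list, handed to the mail server
    # separately from the message text.
    return msg, list(recipients)


def leaked_to_peers(msg, envelope):
    """Envelope recipients whose address the other recipients can see."""
    visible = set(exposed_addresses(msg))
    return sorted(a for a in envelope if a.lower() in visible)
```

To actually send the blind variant, pass the returned envelope list as `to_addrs` to `smtplib.SMTP.send_message`, which also strips any `Bcc` header before transmission.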

Then there are mentions of both confidence and anonymity. I asked the student what “strict confidence” means in this regard: there is no verification of who the person is or for which entity the research is performed, so where is the chain of trust there? The only verification method is an email address and a name. Anyone can forge that, so I dismiss the “strict confidence” suggestion. In addition, the student talks about full anonymity; that isn’t true either. There will potentially be people who reply-all. People don't read, so they make mistakes. Anonymity is gone at that stage. But not only then: the student asks us to fill in the form and return it to her so that she can process it. That’s not anonymous; she can and probably will register who replies and which reply is from which person so that she can differentiate between them etc. (That is the positive part; the evil part is that she might be working for a marketing company and might now obtain interesting and valuable personal information about the people involved, which she might sell to others, causing a large privacy hole.)

I asked for a clarification of the email, bringing up the above points; while I was sending the email I took a look at the mail address and host that would be receiving it; the host is prefixed with “spam2.”. That additionally gives me the creeps.

The main purpose of this writing is that people should be aware of what they send to others, what they might cause by disrespecting the privacy rules, and what they claim to offer, and that receivers should be very careful in looking into these things in the first place. The same questions apply to you as to the sender. DO THINK TWICE before replying to or sending such an email.

  1. Congrats on your new marriage. =) I was wondering if you could elaborate a little further on the subject for the people out there on how to send a secure email when their whole network is compromised? It sounds like the student merely needs more education on the subject at hand.

    1. I am not sure what the best action would have been, so I trashed the comment with a lot of lengthy talk from you. Not that it annoys me, but it shares a lot of personal information which should not have been published in the first place. I hope this makes it up a bit better.

      In addition; please use my contact form if you want to send me such a lengthy story and do not want it to get published. I need to screen comments and cannot (and will not) afford the time to detail-read the post.

