Two automated mails were sent using mailpoet, two automated mails were delivered. It works.
I discovered a disturbing thing yesterday when exporting my Mailchimp e-mail contacts for IFF. Mailchimp has more personal data than I asked for. When signing up for my weekly digest, all I want to know is an e-mail address. It’s the only thing I need to know for sending an e-mail to a person. I deliberately do not ask for names or other details. The less I know, the better considering the chances of data breaches and GDPR legislation. After exporting my contact list from Mailchimp I found out the service has more data on record than I asked for. For instance for one person who registered for my e-mail subscription list I have a first name, a last name and birthday on record. I’ve never had input fields for that information in my subscription form, so how do those personal details end up in my contact list on Mailchimp?
The only explanation I can think of is that Mailchimp keeps unique ID’s based on an e-mail address. The data that person discloses to a Mailchimp mailing list then ends up in all other mailing lists that person subscribes to using the same mail address. A hint for that explanation are the ID numbers that I also received in my data export from Mailchimp. All users are assigned two ID numbers, a LEID and an EUID. This is Mailchimp’s explanation about these ID’s:
LEID is the unique identifier for a contact, specific to an audience. EUID is the unique identifier for a contact on the account level, across all audiences.
Whatever the reason and mechanics behind Mailchimp’s user ID’s, I’m really shocked to find out I own personal data I never asked for. Even worse, the person subscribing to my mailing list never agreed for me to have that data. A serious breach of trust (and the law).
There is more data in the export file. IP address is logged at opt in and again when confirming ones subscription. Latitude and longitude. And based on that information country and province are logged. I was under the assumption I only asked for an e-mail address and that would be the only thing on record. I was wrong.
My conclusion is that I should never have used Mailchimp in the first place for sending my automated blog digest. I exposed my readers to a data collector. I deeply apologize for that.
I am now switching to a WordPress plugin called Mailpoet. The sign-up data is stored in the database belonging to this blog. The only data I transferred from Mailchimp to my blog are e-mail addresses, as subscribers agreed to when signing up. The only extra information that is logged are IP addresses when signing up and confirming. With that data I can prove consent for signing up to anyone asking (or a subscriber to prove an e-mail address was misused for signing up). I will delete my account for IFF with Mailchimp and remove the export files on my computer.
This case clearly shows how easy it is to collect excess data. Lesson learned.
Following Frank’s lead, I started to migrate out of Mailchimp’s data collection empire. I use Mailchimp for three e-mail subscription lists, all of them below a hundred subscribers. Mailchimp is so much overkill for the simple task of the occasional e-mail I send to a handful of people. Most of them are friends and family anyway. Therefore I decided to download Mailpoet on this website and recreate the e-mail subscription process to my blog posts. Apparently they are revamping the whole tool, but Mailpoet has everything I need for automatically sending a summary of all blog posts written in the past week.
In two hours time I:
- created a new list and imported my subscribers;
- set up an account to be able to use Mailpoets mailservice (free for less than 1000 subscribers);
- created a new subscription form to replace the Mailchimp form;
- had dinner;
- changed some language in the basic messages for singing up;
- created a template for the e-mail and scheduled it to be sent out on every Sunday again;
- tested the sign-up process and all seems to be working.
Fingers crossed e-mail subscribers will see this message in their inbox next Sunday. And in case you want to receive the e-mail yourself, you can subscribe here.
On my other website I published a fairly long piece of writing (in Dutch). The starting point for writing that piece was a screenshot of a facebook post that was included in an academic paper which analysed all posts on HPV vaccination within a certain time frame. This particular post got a special mention since it was by far the most shared and commented on. The whole lay-out and wording used in that post sent out warning signals for being untrue. I got curious. What are the actual facts and arguments behind this message?
I thought I would write a blog post about it. Then I started documenting my findings during my search and quickly the whole exercise to follow my curiousity resulted in a three week long research into the use of false arguments, misinterpretations of statistics and scientific research results. I came to the conclusion that the group of authors I came across during my research try to win a political debate by using tragic illnesses and deaths of young people as a starting point to discredit a company and the government.
Through my research I learned some lessons about how false arguments and interpretations spread between websites, what kind of tricks organisations use to look more credible than they really are and what types of signals to look for when checking for credibility of messages. By sharing these lessons I hope to vaccinate the reader against the next fake news story that plays your emotion.
So instead of a blog post, I published a blog research article of about 7500 words. If you’re fluent in Dutch, go to Storymines and check it out. Get yourself lost in a world of thoughts that might not be yours. I really enjoyed writing it and I hope you will be immunized afterwards.
I just finished listening to an episode of Recode Decode in which the authors of the book called The Hive, the couple Lyga and Baden, were a guest. They talked about their Young Adult book in which they explore the idea what the consequences would be for people when acting on social media is mandatory and your behaviour on it has real, think financial or physical, consequences. The book, published in 2019, sounds like something I should read. Its theme fits perfectly within the research I’m doing on Facebook right now. On the to order list. The podcast episode was wonderful to listen to as well, as it was an interesting discussion on whether and how we can fix it for the next generation. A direct link to the episode is not available, so you’ll have to search for it in your podcast app. It’s called Barry Lyga and Morgan Baden: What if everyone had to use social media?
I downloaded my fb data and started digging in the data. The folder ads_and_businesses was my biggest interest. Not very surprising, but there is little data to go through. Five brands under ‘Who Uploaded a Contact List With Your Information’. Seven brands under ‘Your Off-Facebook Activity’. One brand on this list surprised me. Headspace. Headspace is a wonderful service to help me meditate. I’ve been a subscriber to Headspace for six years. It has been a big help to get me through rough patches in life. I pay good money for this service on a yearly basis (just under €45) so I was surprised to see Headspace participating in surveillance capitalism. Also, how could they make a match between my Headspace account and my Facebook account? Time to dive deeper into privacy policies and data collected by Headspace.
Headspace proactively shares data with Facebook, including paying customers
This is what fb logged on my Headspace behavior in the past few months. It does not seem to be a complete list.
1. DATA WE MAY COLLECT
- Facebook profile information, such as name, email address, and Facebook ID, if you choose to log in to the Products through Facebook
9. USES MADE OF THE DATA
- To serve our advertisements to you through third party platforms, such as Facebook or Google, on other sites and apps or across your devices, to the extent that you have provided consent for such uses under applicable law.
11. DISCLOSURE OF YOUR DATA
- With third parties, such as Facebook, in order to serve Headspace advertisements on such third party platforms, to the extent that you have consented to such practices under applicable law.
I’m already a customer, so Headspace doesn’t have to show me ads on fb. If they want to communicate with me, they have a valid email address to connect with me. The only reason I can think of they want a connection to fb through me is to reach my friends. Well, guess what. I already recommend the service to my friends, by telling them in person. Way more convincing than an ad on fb. But knowing what I know now, they make me think twice about recommending Headspace to my friends. They even make me re-evaluate whether I’ll want to renew my subscription.
In a week or two I will file a new data request with fb to see if new data on Headspace log ins showed up or not. I’ll report back on that in a few weeks, when I have a better answer to the more disturbing question:
How does Headspace know who I am on Facebook?
The curious thing about this case is that I have absolutely no idea how Headspace was able to match my Headspace id with that of my fb account. In this article fb explains how businesses can match their clients with fb users. By uploading phone numbers, which will then be encoded, businesses can serve ads to their clients using fb. Fb implies this is done using email addresses, phone numbers or other personal information. Now here’s the thing. I can’t think of a single piece of information Headspace has on me to match me with fb. I use unique email addresses for both Headspace and Facebook. That can’t provide a match. And as far to my knowledge I never provided my telephone number to Headspace. I use a nickname for my Headspace account, and payment for the service is done through paypal, again using an unique email address. So how does Headspace know what my Facebook account is? In order to find this out I sent a data request to Headspace for my full record. Perhaps they know more of me than they show me in my account information. This story will be continued.