The more some of us delve into the Care2 breach, the more it becomes clear that the only reason the social networking site can claim almost 18 million members is that many “members” never knowingly signed up: their “membership” was created for them without their knowledge or direct consent.
Following my post the other day, the individual who sent me the e-mail notification of the breach used the password retrieval mechanism to see what password Care2 showed for the account she had no recollection of creating. The password they sent her was one they had created for her “account.” Using that, she attempted to retrieve her profile. After being forced to do a password reset, she explored her profile and learned that the account must have been created after she had used the site several years ago to sign a petition. Her “profile” reflected the information she had provided in signing the petition.
At the same time that she was trying to figure out how she wound up with an account she never requested or explicitly authorized, Lee from CyberWarNews.info was sending Care2 public relations an e-mail asking them to comment on numerous complaints from people who also stated they had never knowingly created accounts. In response, they sent him a boilerplate reply, which he kindly forwarded to DataBreaches.net:
From: Randy Paynter
Date: Sun, Jan 1, 2012 at 3:30 AM
Subject: Re: Care2 Public Relations
Please forgive the nature of this automated response. We are working to help everyone as quickly as we can. The best way we can do this is to help you help yourselves using some tools we have made available. These will get you quicker service, and enable us to personally assist those of you who have outstanding requests.
*Unaware that you had an account at Care2.com?
*We sent a warning email about our recent hacking incident to everybody who had at some point in the past 12 years created an account on Care2.com or ThePetitionSite.com. You might not recall having ever done this, which would make our warning email confusing; however, at some point in the past you or someone (not us!) created an account with the email address we sent the message to.
It would seem that people who used the site to sign a petition had a durable account created for them, without their knowledge or explicit consent. If they had knowingly created the account, they would have chosen their own password rather than the site-generated one that the password retrieval mechanism sent back.
For petitions and surveys you’ve signed or completed, we treat your name, city, state, country and comments as public information—for example, we may provide compilations of petitions, with your comments, to the President and legislators, other targets, or to the press. Unless you have requested to be shown as ‘anonymous,’ this information will also be visible on the website. We will not make your street address publicly available, but we may transmit it to members of Congress, to other public officials, or to other targets as part of a petition to validate your signature. We may also make your comments, along with your first name, city, state and country, available to the press and public online.
Care2 hosts two kinds of petitions: free petitions sponsored by individuals and petitions sponsored by nonprofits.
For the free petitions, only the public information listed above is made available to the petition sponsors or targets.
For many of the petitions sponsored by nonprofits, we provide an advocacy service allowing individuals to send individual e-mails to public officials, legislators, and other targets as well as public comments to government agencies, through our website. These messages are sent in your name, with your e-mail address as the return address and your full name and contact information is provided as part of the submission. These messages will only be sent out under your name as you approve them on an individual basis by signing an action. You are solely responsible for the specific message(s) you send using our email tool. Optional comments will be included in the body of the email message delivered to the petition target.
During the signing process, you may opt to receive certain email newsletters and online memberships, in which case Care2 will send required contact information to those 3rd party providers. However, unless you specifically opt to receive such online offers or send your contact information to 3rd parties during the signing process, Care2 will keep your email address information confidential.
Is that what they view as creating an account? Nowhere does it mention that an account is created for the individual or that they are now a “member.” They do note that the site was TRUSTe certified at the time. Big help that was, huh?
If you got caught up in this mess, you can cancel the account you never knew you had. Here’s how:
1. Login to http://www.care2.com/passport/login.html. Use the e-mail address that received the e-mailed breach notification. Click “forgot password” and have them send you a password. Login with that password, and then
2. Go to: http://www.care2.com/accounts/delete_this_account.html. Click the button to confirm deletion.
The person who contacted DataBreaches.net was fortunate in that the e-mail address used in signing the petition was still a working e-mail address. Others, who no longer have access to the e-mail addresses they had used, are posting messages on Care2.com seeking help in getting back into the accounts so that they can see what information was stored about them in their public profile, or so that they can delete their account.
I’ve had numerous discussions over the years with others about the need for explicit opt-in consent. This is just one more example of how people can wind up with their information in databases because they visited or used a site years ago, never knowing what they were getting themselves into.
Update: A commenter notes that when s/he experienced a problem reported by other commenters in deleting accounts, logging out and logging back in seemed to enable account deletion.