Don’t sign Avaaz.org petitions

[NOTE FOR THOSE LACKING CLUE: Comments are closed on this post for a reason. Commenting on other posts about it is moronic and futile. Fuck off.]

Not if you value your email address, that is. I’ve signed quite a few of them on prompting from Sista, but recently I’ve started receiving spam on the unique email address I set up to subscribe. I reported it to Avaaz and received an assurance that they don’t sell or share their list, but that they’ve received reports and are investigating. I asked them to follow up, they didn’t. Obviously their security has been breached.

45 Responses

  1. I can second that! After signing several petitions on Avaaz.org I started receiving numerous spam mails on the unique address I used. Most of them are in the German language.
    No more Avaaz signing for me!
    (BTW, found your site after Googling ‘Avaaz spam’).
    More people should be made aware that their addresses are harvested from this site.

  2. TBH I don’t think the addresses were harvested from the site, as they don’t appear to make the signatures public. I reckon they had a data leak, which is worse again.

    adam

  3. Indeed disappointing.

    Whichever way my -uniquely chosen- address ended up in the wrong hands, Avaaz.org are responsible.

    I contacted them twice. They don’t answer.

    I was just cleaning out my spam-folder, noticed it again, googled on “avaaz.org spam” and came here.

    The stats: I get 300 spam per day, 20 are on the address that I gave to Avaaz.org only….

    They should do a petition against spam! :-)

  4. I don’t get spam any more via that address as I deleted it, but it was increasing just before I did. I never received a report on the “investigation”, as requested. So they’re either dodgy, negligent or just plain stupid. I’m not entirely sure which yet.

  5. Hi folks – I’m the Executive Director at Avaaz.org. Our mission is to serve our members, and we know our members like their information to be absolutely private and safe, so we take data security *extremely* seriously. I wanted to write to give you a sense of what happened in this case and what we’re doing about it.

    99.99% of our subscribers’ data is completely safe, and has never been compromised. However, thanks to messages from a few folks like you, we were able to discover a small crack in our security that had allowed a hacker using a packet sniffer to detect email addresses containing the word “avaaz.” This resulted in spam messages being sent mainly to our staff, and to members who had signed our petitions with special email addresses with “avaaz” in the usernames.

    After correcting the error and conducting an internal security review, we hired a leading firm to do a comprehensive, formal penetration test of our site. They found our security very tight, and suggested a number of minor tweaks, all of which we implemented immediately.

    We have plans in place to run new penetration tests regularly. One area where we clearly need to improve, however, is in writing back more quickly to folks who were affected by the security issue, to make sure they know how we’ve followed up. We do read and answer virtually every email we get at Avaaz, so we’re also trying to understand how yours fell through the cracks.

    Please let me know if there are any other questions I can answer, or if you have any further advice for us on this. Needless to say, we are absolutely not an email harvesting outfit, and we’re as distressed as everyone else at how spammers are steadily dimming the promise of the internet to be a powerful tool for democratic change. I’m sorry you had this bad experience, and I hope it won’t keep you from being active members in our community in the future.

    Thanks and best to you,

    Ricken Patel
    Co-Founder and Executive Director
    Avaaz.org

  6. Ricken,

    While I appreciate your response, the way in which you’ve done it demonstrates that despite your apparent efforts, you’re still not getting it. Here are several reasons why:

    1) You replied on my blog. Don’t get me wrong, you should absolutely have replied here, but it should be common sense to send an individual reply first. Replying here and sending someone else to point to this post – I had already seen it, thank you, it’s my blog – doesn’t come across as genuine or sincere. It comes across as a PR response.

    2) The fact that you didn’t send me an individual reply suggests that you didn’t send one to anyone else either, despite the fact that you yourself highlighted this as one of your failings in your reply above. Where’s your apology for those people, are they supposed to come across this post by chance? What about the people who haven’t even figured out the source of this spam? Of course if you’ve contacted everyone else, you can discount this point.

    Just as a follow-up to point 2, I should add that in some states in the US it’s quite likely you were actually breaking the law when you didn’t notify users of the data leakage after it had been reported to you, as new laws have been put in place in the last few years precisely because of incidents like this; albeit larger ones obviously. The European Data Protection Commissioners would probably have a few words to say to you about it too.

    3) This is probably the most important point: I don’t know you from Adam, so expecting me and the commenters on this blog to just take your word for it is kind of asking a bit too much. While I’m inclined to believe you, I’m not convinced and I certainly wouldn’t tell my readers all is a-ok now. If you expect us to believe you fully, why not name this leading firm, or better yet publish their report, instead of just alluding to them?

    adam

  7. Hmmm, that silence is hurting my ear-drums with its deafening decibel level. I’ve recently been studying law, in its broad sense, dealing with spam and have grown to intensely dislike the evasive culprits. Unfortunately we seem to live in an age where money, howsoever attained, is king and the morally upright are paupers.

    Figures show spam to account for 80-90% of all e-mails. I’m fortunate that my main account hasn’t been infiltrated (I trust you not to divulge my identity adam!) but I can appreciate the extreme annoyance this gargantuan problem causes. Is there any possible solution? Public condemnation of those connected would appear to be a good starting point. But it is difficult to imagine, given the pervasive onset of bot-nets and ever-wily wankers, an eradication of this scourge. What’s your panacea Adam??

  8. Don’t believe “blah-blah% of all email is spam” kh, it’s guff perpetrated and perpetuated by press release whores like “IE Internet”. All their figures prove is that they’re either spam magnets or liars, or quite possibly both. Different types of users get different quantities of spam, and it’s pretty much given that a honeypot set up specifically to attract spam is going to get quite a lot of it. Conversely, a careful user can avoid spam for quite some time, if not indefinitely.

    Public condemnation won’t work except for amateurs that don’t matter anyway. Spammers are shameless hyper-capitalist assholes that don’t give a care what you or anyone else thinks. They don’t care about the law either, since they generally operate outside it, and don’t pay fines when they get hit with them. They rarely go to jail, since spamming is a white collar crime and white collar criminals always get a better deal, despite the damage that they do. The only solution is to push up the prison sentences until it’s no longer worth it. Spammers are intelligent, they understand economics.

    In the meantime find a good host that does good filtering. Right now there’s 261 emails in my Junk folder, which is about a day and a half’s worth of spam trapped by MailScanner on the server side; i.e. I never download it. Every couple of days I’ll take a quick scan through it, but false positives are the exception rather than the norm, maybe one a week; same goes for false negatives hitting my Inbox, maybe one a day. Hardly noticeable really, particularly when you consider the amount of mail I deal with day to day.

  9. Thanks for this information. I like the reply that Avaaz should organise a petition against spam !!!!

  10. I’m sorry guys, but it seems to me that Avaaz do such good work that your complaining about not getting a personal email & accusing them of being spammers themselves is a bit sad. I don’t get spam from them… only mail about the campaign that interests me.

  11. We didn’t get spam from them, we got spam from someone else using the addresses we signed up to Avaaz with. That and my scepticism about Avaaz’s credentials aside, are you trying to tell us that charities should be allowed to spam, have lax security policies, and break data protection law?

    adam

  12. wow, you’re one angry, anal man. dude, they’re a great organisation (credible enough to have managed to reach the UN, Gordon Brown and the EU) that is doing awesome work around the world. Seriously don’t think they’d masquerade as an ‘advocacy outfit’ and go around presenting climate change petitions to the UN if all they wanted to do was sell your email address. it seems like it was a problem which they have fixed. i think ricken was only trying to reach a large number of people through your blog, and given that they have 1.7 million members, it’s forgivable that he didn’t send a personalised email to all you sorry critters. try focusing on the bigger problems man

  13. How is asking questions and looking for answers “angry” and “anal” exactly? Next time, before you start typing, try reading the post and the comments in full. Then you won’t look like an illiterate, impatient idiot when you type your little tirade. M’kay?

  14. I know for sure that Avaaz spam, and complaining about it doesn’t make you “one angry man”. Though I had previously received spam, due to great care with my emails I had not received spam in 1 year of use. I signed up to Avaaz for some campaign this summer and because I felt it was really worthwhile signed up with both of my email addresses (I had googled avaaz spam at that stage but found nothing). Within 2 days I was jammed with spam, British in content just like my .co.uk email addresses (featuring MY NAME and no mention of Avaaz in the message). I would like to help if this organisation is genuine but I have the impression that my data was just sold on as soon as it was obtained.

  15. The tosser above would probably call you “one angry lady” Sarah.

    The more I hear about this crowd the more I think they’re not a genuine charity at all.

    adam

  16. I’ve signed several petitions for Avaaz and have not received any spam.

    They are a legit organization. They are affiliated with MoveOn, to which I’ve belonged to since their inception and have never had a problem with spam there either.

    For some reason, today I’ve not been able to get into Avaaz at all; I’m getting nothing but error messages.

  17. They don’t seem to be very tech savvy tbh. I wouldn’t deny outright that they’re not legit, but I don’t accept it either. I await a registered number or similar, or perhaps even the follow up I’ve long been awaiting from good old Rick.

  18. I love what Avaaz does, and I have to say that I’ve never received any spam to an address that I keep a watch on.

    And I’m really impressed with their tech – it’s pretty amazing how fast they have become so important to the global community, and it’s just the beginning, I think

  19. I donated for the Burma campaign last October, and was curious what happened with the money they raised. Unfortunately, the information on their website is rather poor. Apart from the petition which was offered to the British government, a website is mentioned. Also, this is mentioned:

    “$315,000 raised in a week for practical assistance to Burmese groups to break the blackout. The average donation was $28. Well done to everyone. The first shipment is on its way.” by Paul Hilder on October 26, 2007

    That’s all I could find…

    Peculiar that they don’t justify their expenses in any way. The fact that they “have managed to reach the UN, Gordon Brown and the EU” as one post mentions, doesn’t say anything about their credibility. The UN, EU and politicians need to come across as “listening to the people” and actually benefit from accepting petitions etc. The Burmese people don’t.

    I unsubscribed from their mailinglist, I have the feeling all they do is take the momentum out of a crisis and make it appear as if something is being done about it. Offering some petition just won’t work, and not showing what you do with the money being raised makes it just plain murky.

  20. Read all the above with interest.
    I have sent on Avaaz emails to friends and family and felt I was doing a good thing.
    My sister recently told me that she had not received spam on her iMac until she replied to Avaaz. I personally receive only about 6 or 7 spams a day on average (I also have an iMac) but haven’t noticed an increase since responding to Avaaz.

    While I like to support any effort to improve the world, I remain wary and can see what a tremendous opportunity this would be for a sociopath (a person with no conscience).
    I’m holding off any further support for Avaaz until convinced otherwise.
    I continue to support Greenpeace, Oxfam and about a dozen others with monthly donations. I am confident in their activities.
    Ricken’s first response to yourself was encouraging, but the lack of followup does raise questions in my mind.

    Incidentally, I recently came across a report that gave a figure of 1 in 25 as the proportion of sociopaths. That causes me concern. (“The Sociopath next door” by Martha Stout, Broadway Books).

  21. What I find most interesting is the one-hit-wonders that come here and slag me off, and disappear again when I allow their posts through and rebut them. Very much in line with Avaaz policy…

    adam

  22. Found your site while trying to decide how genuine Avaaz really is. Ricken comes across well in this video: http://www.vimeo.com/369614 and on several other sites. I don’t mind Avaaz raising funds and using them to fund their activities, but it would be good to have more transparency if possible. If they raise funds for aid-type work they should donate it to established NGOs who could use it most effectively and publicly acknowledge the contribution – but perhaps better to focus on the petitions and promote other agencies’ campaigns on the side.

    And of course they should take care with spam. But according to you it’s easy to deal with spam even when the spammers have your address, so no worries there, eh?

    I find the 80% figure believable. I have a few unused accounts that just collect spam – that’s all they do. My host collects spam on the accounts I do use. About a third of the emails I actually receive could be classed as spam, depending on your definition (which has to be a big part of the variance in estimates).

    My answer to spam: hosts should charge 5 cents or 10 cents per email, and reduce other charges based on the expected revenue. This will make it harder for spammers to make a profit – currently the marginal cost of their sending another email is probably close to zero. Great if we could get all hosts to go along with this. But I’m not a techo – there are probably all sorts of problems with this idea.

    Another idea is that we should all close down those old, unused accounts…

  23. Sadly I have to deal with more spam than the average user, since I’m the system administrator for my mail servers. I also have to deal with the bounces, the flak from joe-jobs, etc. So worries, worries. :)

    The “billing for email” model doesn’t work I’m afraid, if you follow it up with some googling you’ll find it’s been debunked time and time again. There’s no magic bullet when it comes to spam, we need to use a combination of legislative and technical solutions to minimise it.

    adam

  24. There’s certainly a major problem with SMTP, but changing a protocol in one fell swoop is an immense – if not impossible – task. Making SMTP AUTH mandatory would be a good start, but that won’t stop all the morons running trojaned machines. Sending Microsoft on a security course might help….

    adam

  25. Hmmm. TMDR. :P

    So … can you summarize, is Avaaz.org legit or is it a scam outfit for some spammers?

  26. I wonder how many of the people complaining about their “Avaaz” email address being used for spam sent messages to friends using that email address, or sent out emails that happened to contain that email address, to promote a petition? For example, did they use the Avaaz website tool for emailing everyone in their address book?

  27. dk, I don’t know. Do you?

    GeraldNZ, if you read the post and comments, you’d see that at least three people, myself included, used unique email addresses specifically for signing up to Avaaz. I don’t know what their definition of ‘unique’ is, but mine is that it was used once and once only, to sign up to Avaaz. I subsequently received spam on that address.

    Plus of course someone claiming to be the boss of Avaaz has admitted to a data leak. So the question doesn’t appear to be whether data leaked from Avaaz, it’s whether they got paid for that data. Other questions include what they did to prevent another breach if they’re actually telling the truth; and whether they’re a legitimate charity at all.

    adam
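Several commenters above, including the post author, describe the same technique: give each organisation its own address that is used nowhere else, so that spam arriving on it points straight at the leak. Ricken's reply also notes that the addresses hit in this incident were the ones with "avaaz" in the username, i.e. the tag itself told an attacker who the address belonged to. The following is an added example, not code from the post or from Avaaz, showing how a practitioner would run that scheme: per-service addresses whose local part is derived with an HMAC (so the address reveals nothing about the service), a lookup table to map them back, and a pass over a mailbox that attributes unexpected senders to the service that was given the address. The domain, secret, service names and sample messages are all constructed for the example.

```python
import email
import hashlib
import hmac
from collections import Counter
from email.utils import getaddresses

# Assumptions for the example: a domain you control and a secret only you know.
# Neither value comes from the original post.
CANARY_DOMAIN = "example.org"
CANARY_SECRET = b"replace-with-a-long-random-secret"


def canary_address(service, secret=CANARY_SECRET, domain=CANARY_DOMAIN):
    """Per-service address whose local part is an HMAC tag, so the service
    name never appears in the address (unlike 'avaaz' in the username)."""
    tag = hmac.new(secret, service.encode(), hashlib.sha256).hexdigest()[:12]
    return f"{tag}@{domain}"


def build_lookup(services, secret=CANARY_SECRET, domain=CANARY_DOMAIN):
    """Map each canary address back to the service it was handed to."""
    return {canary_address(s, secret, domain): s for s in services}


def recipients(msg):
    """All recipient addresses visible on the message, lower-cased.
    Delivered-To / X-Original-To catch mail that was Bcc'd to the canary."""
    fields = []
    for header in ("to", "cc", "delivered-to", "x-original-to"):
        fields.extend(msg.get_all(header, []))
    return {addr.lower() for _, addr in getaddresses(fields) if addr}


def sender_domain(msg):
    """Domain of the first From: address, or '' if there is none."""
    parsed = getaddresses(msg.get_all("from", []))
    addr = parsed[0][1].lower() if parsed else ""
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def attribute_leaks(raw_messages, lookup, expected_senders):
    """Count, per service, messages delivered to that service's canary
    address from a domain the service was not expected to mail from."""
    hits = Counter()
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        from_domain = sender_domain(msg)
        for addr in recipients(msg):
            service = lookup.get(addr)
            if service is None:
                continue  # not one of our canaries
            if from_domain not in expected_senders.get(service, set()):
                hits[service] += 1
    return hits


def _message(sender, to, cc=""):
    """Build a minimal RFC 822 message (constructed sample data)."""
    lines = [f"From: {sender}", f"To: {to}"]
    if cc:
        lines.append(f"Cc: {cc}")
    lines += ["Subject: constructed sample", "", "body", ""]
    return "\n".join(lines)


def run_demo():
    """Constructed mailbox: one legitimate mail per service plus two spams
    that landed on the petition site's canary. Returns the leak counter."""
    services = ["petition-site", "newsletter"]
    lookup = build_lookup(services)
    petition = canary_address("petition-site")
    newsletter = canary_address("newsletter")
    expected = {
        "petition-site": {"petition-site.example"},
        "newsletter": {"news.example"},
    }
    mailbox = [
        _message('"Petition Site" <noreply@petition-site.example>', petition),
        _message("offers@offers.example.net", petition),
        _message("Winner <win@win.example.biz>", "someone@example.net", cc=petition),
        _message("news@news.example", newsletter),
    ]
    return attribute_leaks(mailbox, lookup, expected)


if __name__ == "__main__":
    for service, count in run_demo().items():
        print(f"{service}: {count} message(s) from unexpected senders")
```

The HMAC step is the part that answers the "avaaz in the username" problem: an attacker who sees one tagged address cannot tell which organisation it was issued to, nor derive the tags for your other services, yet you can still regenerate the whole lookup table from the secret. Matching on the sending domain rather than on content keeps the check simple; in practice you would also whitelist the forwarding path the organisation legitimately uses.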

  28. Hi Folks,

    Apologies for not being in more frequent touch on this blog, but if you go to technorati.com you’ll see Avaaz listed on 8000 blogs this year, and we’re a small team of 12 people that gets 1000s of member communications per week. We could easily spend 100% of our time on that correspondence, and not have any time to pursue our mission to campaign on human rights, democracy, climate change and poverty!

    I’m answering again because this is a terrible concern being expressed that we are a criminal organization that harvests and profits from spam. I think anyone who looks around our website, google searches us, looks for press hits, or even glances at the info at the bottom of any of our emails would not have this concern.

    For example, have a look at technorati and see if you can find just one other blog out of 8000 that makes this accusation. Or look at:

    http://www.avaaz.org/en/report_back_1 (including video of us hosting British foreign secretary David Miliband’s first speech)
    http://www.avaaz.org/en/bali_report_back (including a video of the leader of the Canadian opposition praising us to the skies, and reports of our partnership with Al Gore)
    http://www.avaaz.org/en/burma_report_back (including video of us taking Burmese monks to meet British prime minister Gordon Brown)
    (an Associated Press story today talking about us winning YouTube video of the year award) – if you search for more press you’ll find the Economist saying we’re poised to deliver a deafening wake up call to world leaders, or the Nation, Washington Post, Indian Express, Suddeutsche Zeitung, Reader’s Digest and dozens of others praising our work.

    In answer to your specific questions Adam, our corporate name is Avaaz Foundation. In the US we’re a registered non-profit in the state of Delaware, our New York office is at 260 5th Avenue, 9th floor, NY NY 10001, where you’ll find my office. We’re co-founded by very respectable global charity organizations like Oxfam. The firm that does our penetration testing and internet security is Datagram, and we also hire hackers to attack our system and find chinks in it.

    If you want to look deeper, look at the biographies of our staff when you google them – my own, or Paul Hilder or Ben Wikler our campaign directors. We’ve spent our lives in social change work – I spent years in Sierra Leone, Liberia, Sudan and Afghanistan working on conflict resolution and human rights. Does all this sound like a criminal organization?

    We feel terrible about the packet sniffing incident I posted on above, but even Ebay and the CIA have been compromised – the internet is a hostile environment. Far from profiting from spammers, we are spending hundreds of thousands of dollars a year to protect ourselves from them – a heavy burden for a nonprofit like ours.

    Avaaz is an exciting new online community of wonderfully good hearted people who are doing great work to stop climate change, end the crises in the Middle East, and reduce global poverty. In just a year we’ve grown to 2.3 million members all through friend to friend viral spread. Our members are passionate about our community. I hope that I’ve been able to address your questions about us, and I hope you’ll join us and see for yourself what we’re all about.

    Best to you,
    Ricken (Executive Director at Avaaz)

  29. I don’t, that’s why I asked you. Yours is the only website critical of them listed on google. Judging by the other sites listed it seems you four are the only ones with problems. Now, while it is possible that they sold emails to spammers, I would expect a larger number of complaints given the number of members they profess.

    A quick check on guidestar.org shows that they are registered in the U.S. as a tax-exempt organization under 501(c)(4). So yeah, they seem to be legit. :/

  30. My google research doesn’t give me any reason to doubt the credentials of Avaaz or of Ricken, who appears to be a very genuine guy. To my eye, his comments on this blog do not look like PR. They look like the words of someone doing something he is passionate about. I’m not surprised he decided not to take more time out from saving the world to engage in an extended debate on this blog. I had no worries signing the Avaaz petition re. the violence in Tibet yesterday. I did not notice any increase in spam after I first signed up, maybe a year ago.

    As for the spam, what’s the phrase? Don’t put down to malice what is more easily explained by human incompetence? I’m not convinced that all the posters referred to above were as thorough about steering clear of spyware as they might believe, or as careful as they might believe about protecting that unique address. Avaaz sends an acknowledging email when you sign a petition and encourages people to forward it on to promote the petition. Very easy to forget that your “unique” email address happens to be incorporated in that email. As for whether Avaaz security is adequate, well, there are doubts about whether the US military’s security is adequate and they have billions of dollars to spend on it.

    A little bit of cynicism is sensible, but sometimes doing the right thing means taking a small risk.

  31. I was checking out whether or not to respond to an Avaaz message re:Tibet, and am happy I stumbled across this discussion, I’ve set up a unique e-mail address for my response to it. We’ll see how it goes after a few days….

    eddie

  32. Just chipping in because I’ve asked someone recently not to send me these petition emails simply because they are useless (seriously, they achieve absolutely nothing). The people who send them are usually people I’ve spoken to before about using BCC so everyone’s email address isn’t splashed around.
    I find it perfectly credible that Avaaz could be both inspiring this kind of activism AND selling the email addresses for profit. I don’t think the Avaaz defenders realise how much money could be made in a scam like this. Running a real .org that really sends on the petitions and really does everything they claim is a perfect cover for dishonest activity. Low cost, volunteer labour and a cheap web presence. And squillions of gullible folks who just don’t realize how totally amoral and depraved so many of our fellow humans are!

  33. @Ricken, back with the same old crap, eh? Part answer some questions, reference Technorati of all places ffs, and avoid the key issue of security. Packet sniffing my hole. Show me this report you referenced earlier or stay off my site, understand?

    @dk, if you had that information in the first place, why didn’t you post it instead of shitstirring?

    That’s a fair point Alan

    At this point I’ve had enough of the insults to me and my intelligence in the comments here, I won’t be publishing any more unless they add something substantial. The shills certainly won’t be getting any more comment through.

    adam

  34. I read some of your comments from 2008 as I was googling for commentaries on Avaaz. I have been intellectually supportive of some of their campaigns. Their latest campaign with a wild claim stating Canada is no longer democratic and raising money to try to defeat a specific political party led by Steven Harper. They are interfering in the affairs of citizens who have the right to vote by actually campaigning against a legitimate recognized party using foreign money to change the course of the election for what appears to be an Avaaz political agenda. I am not for Harper but I am certainly against Avaaz as a political propagandist whether it be NDP, Conservative or Liberal parties.
    Considering the ties to George Soros I wouldn’t be surprised the agenda is to knock out Harper for the NDP (New Democratic Party) which is a misnomer for what every Canadian knows as pure Socialists. Some Canadians certainly want socialism not unlike Obama the socialist who meets with Soros for lunch regularly.
    Bottom line: Avaaz has stepped over the line trying to influence elections instead of staying with some of their good work.
    Now I don’t trust them and will work to let people see the underside of this organization with their attempt to influence elections. I think all is NOT TRANSPARENT. Your thoughts?

  35. I’ve migrated your comment to the correct post daniel, instead of the one you picked at random because you just HAD to have your say even if it inconveniences someone else.

    While I’m not surprised by it, I don’t have any further interest in Avaaz, aside from the incredible amount of traffic that people such as yourself send to this post. Ultimately, Avaaz had zero respect for my data and zero respect for me, so I have zero respect for them. After that, I couldn’t give a flying fuck at the moon about them.

    That’s my final comment on the matter, and for those of you having difficulty with the lack of a comment form on this post, it’s because I’m not interested in any further comments. Go figure.