My Correspondence with PayPal

March 20 (via a form on PayPal's Web site)

I have received a message with a replica of the PayPal login screen and the message "The email address or password you have entered does not match our records. Please try again." Since I haven't tried to use PayPal in a long time, and since the return address of the message is some domain in Poland, I assume this is an attempt to defraud PayPal customers.

If I had an email address where I could contact you, I would forward the entire message to you. The headers of the message are...

[If you're actually interested in those details, click here.]

March 21 (email from webform@paypal.com)

Dear ,

Thank you for contacting PayPal.

If you have any further questions, please feel free to contact us again.

Sincerely,

Patrick

PayPal Customer Service


We at PayPal would like to know how well this response accommodated your request. Click on the appropriate link to send your feedback. We welcome your comments.

If this email exceeded your expectations:

mail to:exceededexpectations@paypal.com

If this email met your expectations:

mail to:metexpectations@paypal.com

If this email did not meet your expectations:

mail to:didnotmeetexpectations@paypal.com

Thank you for your feedback.


March 21 (email to didnotmeetexpectations@paypal.com)

In exchange for a report of what is, by all appearances, an attempt by someone to spam your customers en masse in an attempt to defraud them, I would have expected a little more than a form letter. At the very least, the programmers who designed the form letter could have taken the trouble to include my name after "Dear " (you got it right in the email header, after all), and to make the feedback links say "mailto:" rather than "mail to:" so that Outlook would have rendered them as real links.

Just a thought.

March 24 (email from didnotmeetexpectations@paypal.com)

Dear Gordon,

Thank you for contacting PayPal.

First of all please let me apologize for our previous correspondence.

I would like to let you know that PayPal has a very strict privacy policy. If you received unwanted email after revealing any information to PayPal, please note that your information may have been acquired from a different source. It is possible that another website with which you signed up, such as an auction site, has made your email address visible upon request to its pool of members.

When you sign up for PayPal, you agree to have your name (or business name, if you have a Business Account) and email address made available to anyone whom you have paid or who has paid you through PayPal. Your email address will be available only to those people with whom you conduct transactions through PayPal.

PayPal will not give third parties individually identifiable information about users, except for these limited purposes:

  1. We are compelled to do so by order of a duly-empowered governmental authority.
  2. We have the express permission of the consumer.
  3. We are required to disclose it in order to process transactions.
  4. We may share aggregated statistical data with our business partners or the general public. For example, we may tell the general public that 10% of our users live in California.
  5. When a user signs up for a co-branded version of PayPal (e.g. PayPal-eGroups or PayPal-eCircles) through links on our co-branded partner's website, PayPal will share with the co-branded partner that user's name, email address and physical address. If you signed up through a co-branded partner, the partner's logo will appear at the top of your PayPal screen after you log in. Our co-branded partners also have privacy policies to protect users. You can consult the eCircles privacy policy by visiting http://wwwld-00-07-ec.ecircles.com/templates/ec/x/policy/privacy.html . The eGroups privacy policy is available at http://www.egroups.com/info/privacy.html
PayPal has been reviewed and approved by TRUSTe, an independent non-profit dedicated to safeguarding the privacy of Web users. You may wish to read PayPal's complete privacy policy by visiting: http://www.paypal.com/cgibin/webscr?cmd=home/privacy

If you have any further questions, please reply to this email.

Sincerely,

Laurie

PayPal Customer Service


We at PayPal would like to know how well this response accommodated your request. Click on the appropriate link to send your feedback. We welcome your comments.

If this email exceeded your expectations:

mail to:exceededexpectations@paypal.com

If this email met your expectations:

mail to:metexpectations@paypal.com

If this email did not meet your expectations:

mail to:didnotmeetexpectations@paypal.com

Thank you for your feedback.


March 27 (snail-mail to David Thiel, CEO of PayPal)

On March 20, I informed your company, through a form on your Web site (inquiry tracking code KMM9283278C0KM), that someone was trying to defraud your customers by sending email spam with a replica of your login screen. In response, I have received two form letters: one of these has no substance, and the other seems to have been chosen by someone who did not actually understand the important part of my message. (Both letters are attached.)

I informed you of this fraud attempt not because my own money was at risk (since I have never done any business with PayPal), but because I felt it was my civic duty. If I do not get a reasonable response from you in ten days (either by letter or email), I will conclude that PayPal is not serious about protecting its customers from fraud, and it will be my civic duty to warn others of this fact. I'm sure that readers of Slashdot and comp.risks, for example, would be fascinated by a transcript of my correspondence with PayPal.

Much later

(I never did get a response to my letter. Unfortunately, I was too lazy to follow through on my threat. Shame on me.)

Seth Gordon -- sethg@ropine.com -- March 2001 -- comments?