I'd like to bend your ear, and express my disgust with something I was subjected to the other day. Something AAFES did that I'm very upset about. Something any AAFES customer should be upset about. A horrible breach of trust, a documented violation of a stated privacy policy, association with a law breaking advertising firm that uses spammer tactics.

Let's get started...

[ Background | What happened | Looking for answers | Just doing a survey | You blew it | Dismissal | Restated | In Denial | In closing | Subscriptions | Protecting privacy | References ]

Some background:
AAFES (Army & Air Force Exchange Service) is a store. It's the 'BX' or 'PX' (Base Exchange/Post Exchange). To millions of customers it's a benefit worth fighting for (their have been a few attempts to take away this benefit). AAFES is commercial retail outlet for the military and DoD (Department of Defense) ID holders. It's managed and run by the U.S. military. Civilians are hired to staff and work in the stores, and their are a few military members who perform various administrative functions. There are hundreds of these stores all over the world. They provide an invaluable service to military members and their families. The military takes care of their own, and this service is something of a shining example in that regard.

The BX sells anything and everything that a soldier could need. Everything from blue-jeans to oil-changes and automobiles. Another benefit? It's tax free. Because the merchandise is sold by the U.S. government on federal property to federal employees (and retirees), it's tax free. You see AAFES isn't a standard 'For Profit' corporation. Their profits do not go to stock-holders or the board of directors. No one in AAFES is lining their pockets or making themselves rich off our military. Of course most overhead and employee expenses are paid out of the profits, but anything left over from day-to-day operations is put back into the military community. AAFES profits are used to improve stores on military bases, expand services to the military members, and improve quality of life for the military and their families.

AAFES is an awesome (tax payer supported) institution. I love it, and as a retired (20 year) military member, the benefit to shop in the exchange is a right that I cherish and appreciate. I support AAFES as a military benefit, and I'd fight to keep it as such. However, the personnel who administer and run AAFES have a responsibility to conduct the business in the best way possible. They must maintain an extremely high standard of ethical behavior (Believe me I know all about this. Today's military thrives on good conduct, and deplores lies, cheats and less than honorable conduct), and they must never violate the trust that they have in the military family.

[ Background | What happened | Looking for answers | Just doing a survey | You blew it | Dismissal | Restated | In Denial | In closing | Subscriptions | Protecting privacy | References ]

So, what happened?
Once upon a time, I received an email. I thought it might be spam. It looked kind of hinky. It said it was from AAFES, but it didn't look like the typical AAFES correspondence.

So, being the long time spam fighter that I am, I set about analyzing the full header and raw source of the message. Analysis of this email message confirms that this is most likely spam (aka unsolicited commercial email), that it is not in compliance with the law (the FTC's Can-Spam act of 1 Jan, 2004), and it led to an email exchange with an AAFES representative confirming my suspicions regarding the email, it's origins, and the fact that AAFES violated its own Privacy Policy.

Let's break it down:
What in the header or raw source of the message proves that this is spam? Why and how would I make such a claim?

What does all this mean? Well, let's break it down and go over each item in detail.

1st - The From: address in the header. The email was clearly sent by Zoomerang.com, not AAFES. I have analyzed the full header, done lookups and trace routes on the domain names and IP addresses listed in the messages header. This email definitely came from Zoomerang.com, which is owned by Market Tools, Inc. A marketing research firm. I do not have any relationship (prior or present) with this company. This email was sent to me unsolicited. I did not ask for it, and they sent it to me without my permission. That is an unsolicited email, and in many peoples books, that's spam. Sure AAFES asked them to send the message to me, but Zoomerang is attempting to deceive me by forging the header data, and trying to make me think that AAFES sent the message.

So, Market Tools (aka Zoomerang) sent me an email, and marked the From: address as "telecomsurvey@aafes.com". They wanted me to think that the email came from AAFES. Changing/Forging the From: address in this manner is a direct violation of one of the Can-Spam act's main provisions. According to the FTC's law:

2nd - The fact that the message does not contain the usual AAFES newsletter indicators. This is what made me think that this is spam. Or possibly some sort of phishing attempt (a spammer posing as a trusted institution or business in an attempt to solicit personal, private, or financially sensitive information for illegal purposes). After seeing the From: address, but none of the usual AAFES indicators, I decided to dig a little deeper. The lack of a valid physical postal address is another violation of the FTC's Can-Spam act.

3rd - Closing with the phrase "AAFES We go where you go" is another attempt at making me think that AAFES sent this email. That I would be corresponding with, interacting with, and otherwise conducting business with AAFES. A company/institution that I have (had) a considerable amount of trust in.

4th - The OPT-OUT link is non-functional. But that's not all. There are three very confusing lines at the very end of this email.

I do not want to receive any more surveys and emails from this sender.

This section of the message indicates that I can be removed from "this sender's mailing list". Who are they talking about? Are they talking about AAFES? The party they are pretending to be‚ or Zoomerang, the party I have no prior relationship with? I certainly don't want any further surveys from Zoomerang. However, clicking on the link will definitely result in address delivery verification, and confirmation of my email address/personal information by Zoomerang. Since they sent this message without my authorization/request, and I don't really know who they are, I'm not about to click the 'remove' link.

5th - Two references to Zoomerang. The reference to Zoomerang left me confused. Did AAFES give away my email address? The email address that I use to communicate with AAFES is unique. I have never used it in communication with any other company/person, yet it was the email address that this email was sent to? Did AAFES lose control of my personal information? It wouldn't be the first time that a government agency has lost control of personal information. Or, did AAFES violate their own Privacy Policy, and provide my personal information to a third party?

Is this email legitimate? Is it a spammer or phishing attempt? This email raised a lot of questions. It's definitely not from AAFES. That's for sure.

[ Background | What happened | Looking for answers | Just doing a survey | You blew it | Dismissal | Restated | In Denial | In closing | Subscriptions | Protecting privacy | References ]

Looking for answers:
The receipt of this message raised a lot of questions and privacy concerns on my part. Looking for answers, I sent an email to the telecomsurvey@aafes.com email address listed in the email message. My email requested clarification and an explanation. Had AAFES given my email address to Zoomerang? If so why? As of 21 April 2006, AAFES posted Privacy Policy (replicated here in case it's changed) clearly states "We do not sell or exchange names or any other information about our online customers with third parties."

This is a pretty clear statement. It's unequivocal. And I was glad to see it when I signed up to receive the AAFES newsletter. I am concerned about my personal information. I take it seriously. Millions of Americans are affected by fraud daily, and I for one expect the company I keep to treat my personal information as a valuable asset. Something to be protected, not something to be bought and sold without my permission. I read the privacy policies of web sites I visit, and I refuse to join or provide personal information when I find a policy that doesn't protect my privacy/personal information.

I have no problem receiving email from AAFES, as a matter of fact I appreciate it; but receiving email from someone other than AAFES is not something I have agreed to. AAFES didn't request my permission to share my personal information with a third party, and they didn't tell me that you would be sharing my email address with this third party (Zoomerang).

I don't know much about Zoomerang, but I have serious reservations/concerns regarding their use/protection of my email address (or any other personal information they may have obtained). I've removed/redacted my email address from the posted messages associated with this incident, but I was using a specifically targeted email address in order to track the dissemination of my email address (a spam reduction/fighting technique). Since I only used that specific email address in correspondence with AAFES, it is most likely that Zoomerang obtained the email address from AAFES. They likely violated their own privacy policy.

Keep in mind that Zoomerang is run by a marketing research company (Market Tools, Inc.). Zoomerang's privacy policy (as of 22 April 2006) clearly points out that they "cannot ensure that Personally Identifiable Information will not be disclosed to third parties." As a matter of fact, they even state "If another company acquires MarketTools or substantially all of its assets, that company will (a) possess the Personally Identifiable Information of Survey Respondents" They recognize and realize how difficult it is to protect personal/private information, but their privacy policy does little to protect the privacy of survey respondents, and it basically indemnifies them against any disclosure.

If Zoomerang ever goes belly up (what, a dot-com go bankrupt???) their personal information database will become the most valuable asset on the auction block. So much for AAFES protecting my personal information. Yes, my email address is personal information. If spammers didn't have it, I'd be a lot happier person.

My email to AAFES had some hopes and expectations. I expected them to respond to my email. I hoped that they would discontinue the use of Zoomerang services in order to conduct surveys. I expected that they would request that Zoomerang purge my personal information (including email address and any other personal information if any) from their database(s) in order to restore compliance with the AAFES privacy policy. I hope that this sort of incident doesn't happen again. I expect them to comply with their privacy policy.

Most of all, I was hoping that they would restore my confidence in an institution that I trusted for over 20 years.

[ Background | What happened | Looking for answers | Just doing a survey | You blew it | Dismissal | Restated | In Denial | In closing | Subscriptions | Protecting privacy | References ]

We're just doing a survey:
The response that I received from AAFES (credit is given for providing a response) didn't go very far towards restoring any trust. The first part of the email basically confirmed my suspicions and fears. That the email was sent by Zoomerang on behalf of AAFES. AAFES had hired this marketing firm (Market Tools, Inc) to conduct this web based survey. In order to conduct the survey, AAFES provided my email address (and the email address (I would assume) of every AAFES newsletter subscriber) to Zoomerang. Zoomerang then sent an email to all the addressees (that makes it a commercial email, and subject to the CAN-SPAM act of 2004), soliciting their participation in a marketing research survey. Zoomerang broke the law by pretending to be AAFES. AAFES violated their own privacy policy, and my trust, in order to conduct a web based marketing research survey.

In my email to AAFES, I indicated that, there are plenty of freeware and inexpensive shareware survey scripts (ASP, PERL, JSP) out there. I recommended that they hire someone to create a survey tool for you, rather than trusting your customer data to a dot com marketing research company. The two closing paragraphs were the most depressing/distressing.

I felt that these statements pretty much summed up the betrayal I had just experienced. It confirmed the worst of my fears with regards to AAFES disdain for my concerns, and their utter lack of concern when it came to my privacy. I had to write back.

[ Background | What happened | Looking for answers | Just doing a survey | You blew it | Dismissal | Restated | In Denial | In closing | Subscriptions | Protecting privacy | References ]

You blew it!
If AAFES really valued me as a customer, they wouldn't have violated my trust by breaching their privacy policy. Unfortunately, their response did very little to address my concerns, or the fact that AAFES (in giving my email address to a third party) has violated its own stated privacy policy. Since I can no longer expect AAFES to keep my personal information (including my email address) private, I am left with no alternative. I've unsubscribed from the AAFES newsletter. Hopefully, that will prevent further release of my personal information. Unfortunately, I have no way of ensuring or knowing that 'Zoomerang' will purge or not release my email address (and any other personal information) to anyone else.

You blew it. You breached my trust, failed to correct an obvious problem, and now you're going to act like it never even happened. I predict that their will be no change to the AAFES privacy policy. They won't admit that they intentionally violated the policy to the public at large, and they won't change their privacy policy. That would be bad for business. They certainly don't want all their customers to know that they don't care about their privacy.

The project manager claimed that they took every precaution possible... I find that extremely hard to believe. It wouldn't have been very difficult to simply 'not give away my email address'. It seems to me that they don't get it. The only thing a spammer needs in order to harass me is my email address. There are plenty of PHP scripts for surveys available on the internet (Google: "php survey scripts" = http://answers.google.com/answers/threadview?id=311751), and many of them are free. You didn't have to give away your customers email addresses to a third party.

You could have asked me to participate in a survey without giving my email address to a third party. You could have asked me to provide my email address before giving it away to 'Zoomerang'. Instead you chose to ignore your own policy, violate my trust, and put my personal information in the hands of a third party without my consent.

Dismissal:
Eventually (Nearly a month later), The AAFES inspector general sent me their 'Official Response'. Curiously, it seems that they became involved only after someone inside AAFES made them aware of my complaint. Apparently, my complaints to the AAFES IG went nowhere (as it appeared). The response was dismissive in nature. It didn't address any of my concerns, mis-represented the facts of my complaint and basically blew me off with the following response:

Mr Vaessen – I checked with our Sales Division. They contracted Zoomerang to do a survey for AAFES with a non-disclosure agreement in place. There were 51,000 surveys sent out with you being our only complaint about spam or their personal information leaking out. I am confident that Zoomerang is living up to their end of the deal.

So, the Deputy Inspector General has effectively dealt with my complaint. He has dismissed it. His email doesn't address any of the points I raised, and I could care less about whether Zoomerang is living up to their end of the deal. What I'm concerned with is AAFES inability to live up to their end of the deal. They published a policy that said they wouldn't give away my information to anyone else, and then they did. I especially liked the line where he implies that my complaint isn't valid because I was the only one who complained. You know what, the email message was forged to look like it came from AAFES. Most people wouldn't notice the difference. I did.

Considering the recent theft of VA data, this lack of concern, inability to even understand my complaint, and dismissive email leaves no doubt that the government doesn't take privacy seriously. This is just another example of beuracracy in action.

I haven't written the Deputy Inspector General back yet, but I will.

My concerns restated:
After receiving a brief dismissive response to my concerns (see dismissal above), I kind of got the feeling that maybe, just maybe, the Inspector General didn't really understand my concerns. Perhaps he was confused. Perhaps he hadn't taken the time to actually read and consider the points I made in my email. I gave it another chance. I sent him another email. Now it was my turn to actually present my concerns to the Inspector General himself. Surely, he will see that my concerns are valid, and he will make a positive change in regards to the way AAFES shares the personal information of its customers. Here's an excerpt from the email that I sent:

Perhaps I didn't adequately convey my concerns.

1. I'm not concerned about Zoomerang's non-disclosure agreement.
2. I'm concerned with the AAFES privacy policy. A publicly posted policy which states that my information would not be given to a party such as Zoomerang. AAFES violated their own policy in that regard.
3. AAFES did not ask me if I would permit the release of my personal information. They simply handed my information over to a third party.
4. In conducting the survey, Zoomerang sent email that was forged to look like it came from AAFES. That's a federal crime. It's a clear violation of the CAN-SPAM act. The email forgery ,and fact that I didn't request this Zoomerang email, constitutes a spam message sent by them on your behalf.
5. I have no confidence in the security of my personal information now that Zoomerang has it. AAFES no longer has control of the information. Despite the existence of a non-disclosure agreement. AAFES cannot with certainty know what will happen to my information. Once AAFES gave away the information, it's completely out of their control.

I'm not claiming that Zoomerang violated their policies with you. I'm claiming that AAFES violated its agreement with me!

The attitude of the AAFES inspector general (and the other AAFES employees that I've dealt with in regards to this matter), is dismissive and clearly demonstrates a lack of concern for my personal information. Why bother having a privacy policy if it doesn't actually mean anything?

Thankfully, the only information given away (by AAFES) was my name and email address (so far as I know). Unfortunately, AAFES also holds some of my financial information. Based on AAFES lack of concern, proven disregard for privacy policies, and dismissive attitude towards these matters, I wouldn't be surprised if my financial information was inadvertently (or intentionally) released to a third party.

I urged the AAFES Inspector General to reconsider this AAFES practice (Giving personal information to a third party). As I pointed out in my previous email(s), there are alternative ways to conduct their survey that do not require the violation of AAFES policy or the trust of their customers.

So, how did the Inspector General respond to my email? Perhaps you'll be shocked. Unfortunately, I wasn't.

In denial:
I thought that 'surely the Inspector General will see the validity to my concerns. He will see how AAFES violated it's own privacy policy. He'll recommend that AAFES abide by their privacy policy, that they never again give away the personal information of their customers'. Yeah, that's what I thought.

Unfortunately, I was dealt a harsh dose of reality instead. Below is the latest AAFES IG response and my reply. My comments are standard style in black, and the AAFES comments/quotes are in blue enclosed by parenthesis and quotes.

Lt Col -

Once again thanks for the reply. No further response is necessary. 

It is now apparent that you understand most of my concerns and complaints. Unfortunately, it appears that you just don't care. You've managed to ignore or dismiss my concerns. You've convinced yourself that AAFES is permitted to give away my personal information to whomever they want. You've even managed to justify the violation of federal laws.

From the content of your response, it's apparent that you don't understand what spam is, and you really don't care whether the personal information of more than 50,000 AAFES customers was given away to a third party. 

"AAFES hired Zoomerang to do a survey for them." 

That's fine, AAFES is free to hire a third party to do a survey. I don't have a problem with that.

"In doing this survey, Zoomerang represented AAFES as a contractor and had our permission to use our name to take the survey."

This I have a problem with. Nowhere in the survey solicitation does it state that Zoomerang is acting as a contractor to conduct a survey on the behalf of AAFES. Instead they pretended to be AAFES. They attempted to deceive the recipients. They tried to make people think that they were AAFES. Zoomerang is not AAFES. Despite the fact that AAFES hired Zoomerang, it is still illegal for Zoomerang to represent itself as AAFES. You cannot give Zoomerang permission to break the law. You cannot give Zoomerang permission to misrepresent their identity in an email. They sent the email, not AAFES. They did not disclose who they were. They did not indicate that they were offering a solicitation on the behalf of AAFES. 

If AAFES had sent the email there wouldn't have been a violation of federal law:

According to the Federal Trade Commissions web site <http://www.ftc.gov/bcp/conline/pubs/buspubs/canspam.htm> The CAN-SPAM act:

bans false or misleading header information. Your email's "From," "To," and routing information – including the originating domain name and email address – must be accurate and identify the person who initiated the email.

AAFES did not initiate this email. Zoomerang did. They forged the From: address on the email. That is a violation of the CAN-SPAM act.

"After the survey, they provided the results to AAFES and deleted the contact info that was retrieved.  This was their obligation to AAFES."

I'm really not interested in what the contract between AAFES and Zoomerang was. I was not a willing party to that contract. You didn't solicit my permission to be a party to that contract, and I had no option in regards to how they obtained my personal information. Their obligation to AAFES is immaterial to me.

"The proof of this is that out of over 50,000 surveys that they did, we have had one person complain about being contacted by Zoomerang." 

I fail to see how that 'proves' that Zoomerang fulfilled their obligation to AAFES. I fail to see how that proves that they deleted the personal information that AAFES gave them. You cannot know for certain that Zoomerang deleted the information. I don't know whether they deleted the information, and you don't know whether they deleted the information. Just because they say they did, that doesn't mean they're not lying to you. After all, they lied to over 50,000 AAFES customers when they sent that survey solicitation.

They forged their emails to make them look like they came from AAFES. Apparently, I was the only one able to see past their deception and discover the facts of the matter. How can you say that the lack of complaints (mine being the only one) 'Proves' that Zoomerang deleted the personal information? That doesn't prove anything.

I certainly hope they deleted the personal information. That's not the point though. The point is that AAFES gave my personal information to Zoomerang. AAFES violate their publicly posted privacy policy.

Perhaps a reminder is necessary?

Reference the AAFES Privacy and Security notice <http://www.aafes.com/docs/privacy.htm>, paragraph 3.

We do not sell or exchange names or any other information about our online customers with third parties. 

AAFES gave my personal information to Zoomerang. What else do I need to say?

The only glimmer of light is your personal apology.

"I apologize if it offended you that we shared your name with this trusted contactor."

Thanks. Unfortunately, I wasn't asking for your personal apology. I'm trying to get AAFES to admit that they violated their own privacy policy. I'd like AAFES to admit that they gave away the personal information of over 50,000 customers. This is worse than theft of data. Here was intentional release of personal information to a third party. Only by admitting that they made a mistake will AAFES be able to move forward and take corrective action to prevent future violations of their privacy policy.

"If you don’t want to take the survey, that is your prerogative."

In light of the facts, I would not and did not take part in the survey. If 'AAFES' had asked me (Instead of Zoomerang pretending to be AAFES) to participate in the survey I would have.

In either case, this is irrelevant to the real issue at hand. AAFES gave my personal information to a third party. AAFES directly violated their own publicly posted privacy policy.

"In summary, AAFES did not violate our promise to you that we would not share your personal information."  

Yes AAFES did. They shared my personal information with a third party. Come on, you've got to be kidding. How can you say that AAFES didn't share my personal information? Did Zoomerang steal the information? Did they get my information (which is uniquely tagged to indicate its source) from a different source altogether? How can you actually claim that AAFES did not give my information to Zoomerang? The evidence is overwhelming and incontrovertible. As a matter of fact, you even admit that AAFES gave my information to Zoomerang.

"we shared your name with this trusted contactor."

AAFES shared more than my name, they shared my email address as well. If AAFES hadn't give my name and email address to Zoomerang, they wouldn't have been able to conduct this survey. Your claim that AAFES didn't share my personal information is patently absurd. This statement pretty much sums up the entire problem. AAFES is unable to admit that they gave my information to a third party.

To do so would be tantamount to admitting that they violated their own privacy policy. Despite the fact that you are the IG, it's rather apparent that you will do and say whatever is necessary to vindicate, justify and indemnify the actions of AAFES in this matter. You have no interest in showing AAFES to be 'in the wrong'. 

If AAFES didn't give my personal information to Zoomerang, why was a non-disclosure agreement necessary?

You also stated that Zoomerang "deleted the contact info." What contact info were you talking about? Perhaps you were talking about some totally unrelated contact information. It certainly seems clear to me that you were talking about 'My contact info'.

"We used your personal information to conduct a survey to ensure we were offering you the best service possible." 

That's not true. AAFES gave my personal information to a third party, and they conducted the survey. AAFES could have conducted the survey themselves. There are plenty of survey scripts, programs and options available in order to conduct online surveys. If AAFES didn't have the expertise to configure the necessary scripts and or software in order to conduct the survey entirely in house, they could have hired a contractor to configure the necessary scripts and software for them, while still 'conducting' the survey in house. 

Instead, AAFES chose to contract a third party in order to 'conduct' the survey. AAFES then provided this third party contractor with the personal information of over 50,000 customers.

"Zoomerang was contracted, as an employee of AAFES, to perform that task.  This is a common practice in retail." 

So here you attempt to justify the violation of federal laws (and AAFES violation of their own privacy policy) by labeling Zoomerang as an AAFES employee. Most spammers are hired by someone else in order to send solicitations (spam). The spammer sends the solicitation on behalf of the guy who's selling the cut rate pharmaceuticals. You have just led me to describe the AAFES - Zoomerang relationship in an equivalent light. 

Sure, hiring a contractor to perform a task that you can't accomplish is common practice in retail. Giving my personal information to a third party is still a direct violation of the contract AAFES had with me.

Once again I find that I must reference the AAFES privacy policy <http://www.aafes.com/docs/privacy.htm>, paragraph 3.

We do not sell or exchange names or any other information about our online customers with third parties. 

AAFES gave my personal information to Zoomerang.

Despite your claims to the contrary, Zoomerang is not AAFES. Even if they were hired by AAFES, they are still not AAFES, and the fact that they were hired by AAFES does not justify AAFES violation of their publicly posted privacy policy.

I provided my personal information to AAFES in full expectation that AAFES would not give my personal information to a third party. AAFES gave my personal information to a third party.

"If you are contacted by Zoomerang again for business other than AAFES business, feel free to let us know and we will review that contact."

I'm not expecting them to contact me, but that's irrelevant to my concerns. I'm more upset with AAFES than I am with Zoomerang. Zoomerang didn't have a contract with me. AAFES did. Zoomerang didn't violate any contract with me, AAFES did.

Once again thanks for the reply, but no further response is necessary. 

I get it. We disagree. I can clearly see how AAFES violated their own privacy policy when they gave my information to Zoomerang.

You on the other hand, think that AAFES can do anything they want with that personal information. All you have to do is justify it by saying 'we hired them, therefore they are AAFES employees, therefore they are us, therefore we didn't give away your personal information.' Your circular logic is impeccable but corrupt.

Contacting you hasn't been a total waste of time, through our email conversation you have made it clear that AAFES has no interest in protecting the privacy of their customers, and you've helped me clarify my objections to this violation of policy. You've also convinced me that I cannot expect the AAFES IG to seriously consider any issue which might find AAFES to be in the wrong.

I'll look for other avenues to express my concerns. Maybe there's someone in the government who cares about this willful violation of privacy policy. I'll have to do some research.

Good day

- Robert Vaessen

As I close out this section of the page, I'd like to point out one particularly poignant quote from the AAFES privacy policy:

We are committed to ensuring your privacy as a customer and will only use this information to improve your overall Exchange Online Store shopping experience.

Why does AAFES even have a privacy policy? What purpose does it server? Is it just there so that someone at AAFES can say "We have a privacy policy"? I'll bet it's a requirement. You know, something they have to do. It's not something they believe in. It's not something they're commited to. It's not something that they want to do. It's something that they are compelled to do in accordance with Army regulation or Air Force instruction. The people at AAFES don't believe in this privacy policy. They violate it at their convenience, and fabricate justification after the fact in order to deny any wrong-doing. This privacy policy serves AAFES, not the customer.

In closing:
AAFES admits that they gave away my email address in violation of their own publicly posted (as of 22 Apr 2006) Privacy Policy. They gave my email address to an internet marketing research firm without asking. A subsidiary of that company (Zoomerang) then forged an email to make it look like it came from AAFES, and sent it to an email address that I had only used in commerce with AAFES. They violated the law while acting on behalf of AAFES, and now they've got my email address. Their privacy policy clearly points out that they can't prevent further dissemination of my personal information. How can I control their dissemination of my personal information? I can't, neither can AAFES. Do you subscribe to the online/electronic version of the AAFES newsletter? If you do, I recommend that you immediately unsubscribe. If you value your privacy, stop providing AAFES with any further personal information.

AAFES isn't interested in protecting your (or my) personal information, and they've demonstrated that they don't care about your privacy concerns. Am I supposed to continue to trust them after this breach? How can I? Have I just lost one of my military benefits? If I can't trust them to keep my personal information private, what am I supposed to do? Should I forfeit my entitlement in order to prevent further release of my personal information? What's next to go? Is AAFES going to sell my credit information to a group of credit card forgers? or my social security number to an identity theft ring?

I wonder how many military members know about this incident? I wonder how many people are just as upset as me?

If you have any questions, concerns or comments regarding this article, please feel free to email me. If you feel that this article is factually incorrect in any way, please contact me.

Unsubscribed/Resubscribed:
Shortly after the original incident occured, I unsubscribed from the AAFES email distribution (26 Apr 06). I followed the procedures listed in their email newsletters and online web forms. I figured that this would result in the removal of my name and email address from their 'mailing list'. I wouldn't need to worry about them giving away my email address anymore. Well, apparently AAFES only honors those unsubscribe requests for a specific period. They didn't actually remove my email address from their database. They simply suppressed my receipt for a couple of years. I stopped receiving the newsletters until recently (24th of October, 2008). Without requesting it, I have been 'Opted in' to their newsletter.

With no changes to their privacy policy, and apparently no regard for the wishes of their customers, I have been 'resubscribed' to their email newsletters. I unsubscribed in 2006, but now they've decided that I need to recieve the newsletter again. According to the newsletter I received via email, I can always unusbscribe - again. Well, I'm not going to bother. Why should I unsubscribe again? As long as I hold an AAFES/STAR card, they can do as they wish. Under the terms of the CAN-SPAM act, they can classify me as an 'Existing Customer', and therefore any such messages can be declared 'Relationship' messages. The lesson here? Don't expect AAFES to honor your 'unsubscribe' request. As long as you shop there, or have a STAR card, you're their 'customer' and they can send you as many 'relationship' messages as they want.

[ Background | What happened | Looking for answers | Just doing a survey | You blew it | Dismissal | Restated | In Denial | In closing | Subscriptions | Protecting privacy | References ]

Protecting Privacy:
In creating this web page, numerous materials had to be reviewed and edited to remove personally identifiable information. I don't have a personal grudge against the AAFES project manager who I corresponded with, and there's no reason to reveal his identity to the whole world. I'm going to refrain from releasing his personal information to any third parties (that's more than AAFES did for me). You already know my name, and now Market Tools and Zoomerang (commercial entities that I have no personal relationship with) have my email address (and possibly some other personally identifying information). Personally identifiable information has been marked as 'Redacted' in the reference materials I've made available.

Unlike some, I care about the personal information of others. I have gone to great lengths to protect not only my own email address, but those of people who have visited my web sites, sent me email, and corresponded with me. I've taken measures to prevent spam-bots from collecting personally identifiable information from my web site. I've even created and promoted the use of techniques designed to protect the privacy of other netizens. Yes my email address is posted (in graphic format to deter email harvesting spam-bots) on my web pages, but I control that dissemination. I didn't willingly give it to a marketing research firm.

You might argue that 'Information wants to be free', and once I made my email address available to anyone, it automatically becomes the property of everyone. If you argue that, chances are that you're a spammer. That's their line. They only believe in their own privacy, not mine or yours. Imagine how incensed that AAFES employee (the one I corresponded with) would be if I provided his personal information to a direct marketing firm without his permission. As a matter of fact, he might even try to sue me! After all, isn't that the way we solve problems in the U.S.?

I care about personal privacy. The web is not a safe place to leave your personal information laying about. AAFES gave mine away.

Follow up - Years later:
A few years have passed since I received that original 'survey' (April of 2006). The one that AAFES opted me in to without my authorization. See all my arguments regarding that policy/violation of my privacy above. Back in 2006, I attempted to 'opt-out' of these Zoomerang surveys, the link didn't work. When I complained to AAFES... Well, let's just say that they eventually assured me that my contact had been 'deleted'. If that's true, then why do I continue to receive survey requests? I received one in July of 2009, and another in March of 2010. Despite the assurances of AAFES; despite the assurance may have given AAFES, they never deleted my contact info. I continue to receive survey requests from Zoomerang (on behalf of AAFES). AAFES gave away my personal info (email address and my name). Despite the AAFES privacy policy. My trust was violated by AAFES, and I still harbor a grudge against AAFES, Zoomerang, and the managers at AAFES who refused to seriously consider or address my concerns. Zoomerang is just like any other spammer. Once you're on their list, you can never get off.

This statement from the AAFES Inspector General (a Lt. Col) pretty much sums up their level of concern when it comes to my personal privacy or their policy "If you are contacted by Zoomerang again for business other than AAFES business, feel free to let us know and we will review that contact." That's right. Notice the 'other than AAFES' part. They don't care that Zoomerang is still contacting me; despite their and Zoomerang's claims to the contrary. They don't care that I didn't 'opt-in' to this spam. They don't care that I want off the spammers list. They just don't care about me and the thousands of AAFES customers who trusted AAFES with their personal information. FYI: To this date (Mar 16, 2010), AAFES has not changed their privacy policy and I doubt that they've changed their attitudes when it comes to customer privacy. If you give them any personal info, you shouldn't expect them to protect your information - because they won't!

What am I planning to do about it? Not much. Ranting here is my only effective way of getting any relief. Maybe someone will read this and avoid the mistake I made (of giving AAFES my email address/contact information). I've tried contacting AAFES (read extensive content above) on numerous occassions, but they've proven to me (through repeated correspondence) that they aren't interested in doing anything about this/the continued violation (by them) of their publicly posted privacy policy. They just don't care about the privacy of their customers, and that's a fact!

[ Background | What happened | Looking for answers | Just doing a survey | You blew it | Dismissal | Restated | In Denial | In closing | Subscriptions | Protecting privacy | References ]

References:
Just in case you don't believe me. Here's a list of references used in creating this web page. Keep in mind that I have no control over materials & web pages external to my domains, and they may have changed since I originally posted this web page (April 2006). I have altered some of the original documents/materials in order to protect personal information (email addresses and some names redacted) and present the materials in a web ready format.

AAFES home page <http://www.aafes.com/>
Zoomerang home page <http://info.zoomerang.com/>
Market Tools home page <http://www.markettools.com/>
AAFES Authorized customers <https://www.robsworld.org/authorized.pdf> Reproduced from AAFES website - 22 April, 2006.
AAFES privacy policy <http://www.aafes.com/docs/privacy.htm> Available as of 22 April, 2006.
Reproduced AAFES privacy policy <https://www.robsworld.org/aafesprivacypolicy.pdf> Reproduced from AAFES website - 18 April, 2006 (just in case they change it).
The original email that I received <https://www.robsworld.org/surveymail.pdf> Forged to appear as if it came from AAFES.
The raw source of the original email <https://www.robsworld.org/emailfullheader.pdf> For those who know how to read the header data.
The FTC's CAN-SPAM act of 2004 <http://business.ftc.gov/documents/bus61-can-spam-act-compliance-guide-business/> What the law requires of commercial emailers.
My email to AAFES <https://www.robsworld.org/myemailtoaafes.pdf> Requesting clarification, verification and an explanation.
Zoomerang's Privacy Policy <http://info.zoomerang.com/about/privacy.htm> Not much to cheer about here.
AAFES response <https://www.robsworld.org/aafesresponse.pdf> to my email message.
My final email to AAFES <https://www.robsworld.org/myfinalemail.pdf> Too little, too late.
AAFES IG response <https://www.robsworld.org/FW__IGAR_2006-0236.pdf> Dismissal of my complaint.
My attempt to clarify my concerns <https://www.robsworld.org/RE__IGAR_2006-0236.pdf> to the AAFES inspector general.
My point by point reply <https://www.robsworld.org/RE_IGAR_2006-0236.pdf> to another AAFES IG response.
Why do spammers forge header data? <https://www.robsworld.org/forgery.html> A primer on some deceptive spammer practices.
How can you protect email addresses on your web site? <https://www.robsworld.org/pbmtopng.html> Converting text into graphics.
My attempt to unsubscribe from the AAFES newsletter sent via email. <https://www.robsworld.org/aafesunsubscribe.pdf>
An email indicating that I have been 'Opted In' to receive the AAFES newsletter <https://www.robsworld.org/aafesresubscribed.pdf>
Additional surveys received from Zoomerang (forged to look like they came from AAFES) after I supposedly unsubscribed: July 2009, Mar 2010 <https://www.robsworld.org/aafeszoomerang07_27_2009.png>, <https://www.robsworld.org/aafeszoomerang03_16_2010.png>

Author: Robert L. Vaessen e-mail:
Take me to the Main Page of Robert's Home Page.
Last Updated:
This page has been accessed times since 22 Apr, 2006.