Yes, multi-millions of sites! And to me (luckily I don’t use Paypal) just as a programmer I consider it Gross Negligence on their part. It might be that they might have in their “terms” something that says “not liable” or “no responsibility” or other clause(s) that might waive rights. But in my opinion at least they might be chargeable under (Malicious) Mischief laws of states. What they have effectively done is not any different than someone posting another person’s telephone number to phone solicitors or akin to posting a person’s credit card in plain view.

The issue/problem “can” be fixed, and I would venture a guess that it could be done in just a few days. Scenario. Whatever their data base is….. simply get it to reformat or add a new field for account number (could be binary or string). For 10 million who knows how long that would take to run, but programs are very fast. Next would be to assign each account a unique alpha numeric account number, maybe that could be done at the first part. Strictly numeric has limitations, such as 1 to 10,000, but alpha numeric such as A0001 to Z0001 and a0001 to z0001 and so on gives a lot more numbers if you catch on to that aspect. They already use a lookup program to find the account by email so they could “add” code within it to find the account by the new field (thus easy transgression from old to new). And they can easily change their formatting of any display windows for either buyers or for people managing their accounts to show the new field.

Very simplified. If they add account numbers, change their look up code to “include” the new account number field, and set their pages to display the account number, then the “final fix” by the ecommerce sites can be done by programmers of those sites as soon as they can do it. No interruption of service either.

It would be interesting to hear a VALID and justified reason why it has not been done.

Just alike the thoughts that myself and others have with regards to A/V programs where I have often wondered if any A/V program manufacturers might have on “hidden payroll” people making up new trojans etc….. one might wonder about why Paypal has not fixed this problem that can only result in spam. Are they willingly supportive of spammers? One can only try to second guess their reasons.

Nevertheless, the matter does touch on privacy, security, and has a great effect on spam, thus any spam laws come into play along with rulings pertaining to complicity, negligence, and harm (as aforementioned, many states have laws against mischief that causes harm).

Glad that you’ll be doing a follow up on this. As a programmer and having spotted this issue on a site I’ve been working on, I feel strongly about the matter and so I am pushing it as much as I can to get it fixed. Most definitely is not right.

Thanks for whatever help you can give on this.

george
(ps you can post this or keep it quiet, your choice)

Thanks for the comment and letting me know about this.

I personally haven’t used the paypal ‘add to cart’ buttons much, but I do see how paypal is making a huge mistake by having the email address in the button. Judging by the quantity of website’s using paypal as their shopping cart, I would think it is safe to say that millions of email addresses get spam because of paypal. It is completely irresponsible of paypal to have the email so available, especially without better informing their customers. I will definitely post a blog on the subject in the next week.

Thanks
Jamie

Although my email provided above is NOT valid (no contact is necessary or desired) it is provided as invalid to prevent spam.

I wrote two recent articles, both similar and on the topic related to Paypal and spam. Any ecommerce site that uses the paypal “add to cart” buttons are required to have their email address in that html coding. Such can be harvested by bots, thus, Paypal’s means of identifying an e-commerce site merely enhances the chance that more spam will come to that email address. Paypal should identify a site by an Account Number, or by the site domain name, not by an email address.

If you include this information, please reference my main site at http://www.riverpages.com/ and a person should click on the “If it doesn’t fit…” button then the “Paypal spam risk” button. (Second article is at the bottom of the first article.)

Apparently an issue that Paypal has probably known about since at least 2003, and recently brought to their attention by myself as a programmer, Paypal does nothing to correct the problem. I believe there could be issues of liability posed against Paypal and possibly a class action could be brought against them.

How many people have been harmed by this stupid requirement of Paypal’s to identify a site by their email address?

Ignorance and complicity. Additionally, any terms in their contract which would tend to nulify any California No-Spam Laws or other protective laws would not be valid.