Thoughts on Systems

Emil Sit

Mar 24, 2006 - 3 minute read - Rants bike cookies privacy security

Boycott Performance Bike

Boycott Performance Bike.

Performance is a company that sells bike components. They’re pretty big and have acquired their former competitors like Nashbar and SuperGo. That’s too bad because I really don’t like Performance. Maybe you shouldn’t either.

In 2001, Kevin Fu and I (along with some other members of the Applied Security Reading Group) were looking into the security of web cookies. We broke some cookie authentication schemes and made some recommendations about how to improve them. Most companies were very receptive and thankful when we contacted them privately and pointed out potential problems. Performance, Inc. did not. Their site in 2001 had several problems, most notably guessable session ids that would allow anyone to access personal information (e.g., password, address, credit card numbers) about other customers. They delayed for over a month on fixing these problems and suggested simply that I order over the phone if I was worried. That’s not the answer you want to hear from a company with your credit card number: anyone could have stolen as many credit cards as they wanted with a simple Perl script.
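To make the problem concrete, here is an added example (my own illustration, not code from the original post or from the 2001 work) contrasting a counter-based session cookie, where one customer's id predicts the next customer's, with a cookie built from a random id and an HMAC under a server-only key, so that a guessed or altered cookie fails verification. The field names and the key handling are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets
from itertools import count
from typing import List, Optional

# Weak scheme: session ids come from a counter (constructed illustration).
_weak_counter = count(1000)

def weak_issue_cookie(user_id: str) -> str:
    # The user is not bound to the id at all; the id alone grants access.
    return f"sid={next(_weak_counter)}"

def ids_are_sequential(cookies: List[str]) -> bool:
    """Defender's check: do consecutively issued ids differ by exactly one?"""
    ids = [int(c.split("=", 1)[1]) for c in cookies]
    return all(b - a == 1 for a, b in zip(ids, ids[1:]))

# Hardened scheme: 128-bit random id plus an HMAC over (user, id).
SERVER_KEY = secrets.token_bytes(32)  # assumption: generated and kept server-side

def strong_issue_cookie(user_id: str, key: bytes = SERVER_KEY) -> str:
    sid = secrets.token_hex(16)  # 128 bits from the OS CSPRNG: not guessable
    tag = hmac.new(key, f"{user_id}|{sid}".encode(), hashlib.sha256).hexdigest()
    return f"user={user_id}|sid={sid}|mac={tag}"

def strong_verify_cookie(cookie: str, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the authenticated user id, or None if the cookie is not ours."""
    try:
        fields = dict(part.split("=", 1) for part in cookie.split("|"))
        user_id, sid, tag = fields["user"], fields["sid"], fields["mac"]
    except (ValueError, KeyError):
        return None  # malformed cookie
    expected = hmac.new(key, f"{user_id}|{sid}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so verification leaks no timing information.
    return user_id if hmac.compare_digest(expected, tag) else None
```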

So, instead of making phone orders or checking if they’ve fixed their problems, I decided to delete all my credit card information from their website (as best I could), sign off all their mailing lists and never buy from them again. (It does look like their security scheme is slightly different now, but I don’t know how much better.)

On Monday, I got an unsolicited e-mail from them:

Welcome and thank you for subscribing to our specials email list!

As a subscriber, you will be the first to receive notice of all our special online promotions. Plus, you are now eligible to receive exclusive, online deals not offered to anyone else.

Thanks again, we know you will enjoy receive [sic] our mail. And remember, all online purchases are 100% guaranteed by Performance.

I didn’t subscribe to their list; I can only conclude they went through a list of people who had stopped ordering from them and added them to this specials list. And today, they sent me their latest specials.

I hate that I don’t have control over whether companies send me ads/catalogs and that I have to explicitly tell them not to sell my address, preferences, and who knows what else (“opt out”). I hate that most companies don’t let me tell them to delete information about me. And most of all, I hate those companies that still contact me (and, potentially, share my information) after I’ve told them not to.

I can’t fix privacy laws, but I’ve switched to supporting my local bike store: they don’t send me spam or keep my credit card information online. My suggestion for you? Boycott Performance Bike.