I forwarded a link to my article to the DMA’s consumer affairs email address.  To their credit, they responded the same day.  Unfortunately, there response did nothing to reassure me that they have a clue about how to run a proper Web site; exactly the opposite, in fact.  Here’s why:

It turns out that you did not have to create new accounts for those names yesterday after all.

I did a little research on your behalf and found that you had already created two accounts last year for the same seven family members back on 08/14/2008 for Jonathan Kamens, [four other names elided] which does not expire until 09/14/2011. The old username for the 2008 account is: [elided] and the old password is: [elided].

The second account for the other two names [names elided] was created on 08/14/2009 and expires on 09/14/2011. The old username name was: [elided] and password [elided].

Yes, that’s right, they emailed me my passwords.

Here’s how I responded:

It simply astounds me that you were able to email my password to me. In this day and age, when there are new stories in the media every day about major Web sites being hacked and user databases being stolen, it is incredibly irresponsible for the DMA or any other Web site to store passwords in plain-text. People tend to reuse the same password on many sites, so if anyone were to break into your site and steal your user database, they would be able to use the passwords you store there to impersonate your users on other sites on which they are registered. In other words, by storing passwords in plain-text, you are endangering not merely the security of your own site, but also the security of every other site your users use.

As documented at http://docforge.com/wiki/Web_application/Security#Encryption, http://www.owasp.org/images/1/14/OWASP_Top_10_090708.ppt (slide 37), http://www.fishnetsecurity.com/sites/com.fishnetsecurity/downloads/Forgot_Password_Best_Practices_v2.0.pdf, http://blog.codahale.com/2007/02/28/bcrypt-ruby-secure-password-hashing/, http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf, and by many other experts in many other places all over the Internet, passwords on Web sites should always be stored as the output of a one-way hash algorithm, so that even if someone steals the user database from the site, they won’t be able to get any plain-text passwords out of it.

Independent of the fact that you choose to store your passwords in an insecure manner, you should never, ever send passwords through email. How you do know there isn’t somebody eavesdropping on my email account? How do you know I’m the only one who uses it?

The fact that you store passwords in plain-text and you were willing to email me my password shows that the DMA has given no real thought at all to the security of your application and the private user data stored within it. That’s scary.

Aside from all that, you haven’t addressed the root cause of my complaint with your Web site. While it’s nice that you were able to fix my account to give me access to your site, that doesn’t change the fact that the site didn’t work properly for me, and apparently doesn’t work properly for other people too, and it doesn’t appear that anyone at the DMA actually cares a bit about this or intends to do anything about it.

In short, while I do appreciate the fact that you’ve made it possible for me to use the site, that doesn’t change the fact that the people who implemented and support it all appear to be a bunch of amateurs, and you don’t really care all that much whether it works properly and is secure.

Why would an association whose members make their money from direct mailings offer a service to allow people to opt out?  While they cloak their motives in all kinds of fancy language about consumer choice, protecting the environment by reducing unwanted mailings, etc., the real reason why is to offer voluntary self-regulation to dissuade the states and federal government from regulating the industry.  And it works — the mail direct marketing industry is essentially unregulated.

However, as noted, the DMA’s members don’t actually want consumers to opt out of their mailings, so they’ve always made it difficult and annoying to sign up for the MPS.  For example:

1. Enrolment expires after three years.
2. There is no notification from the DMA when your enrolment is going to expire.
3. Obviously, the DMA and its members are intimately familiar with utilizing the U.S. Postal Service’s change-of-address lists to update their mailing lists when people move.  They could easily use the same lists to update the MPS, thus obviating the need for entries on the list to expire at all, but they don’t do this.
4. Long after everybody under the sun was doing things like this on-line, the DMA continued to require people to send in forms by U.S. Mail to enroll in the MPS.
5. When they did finally start letting people enroll on-line, they charged a fee, and the enrolment Web site was awful. (I’m not certain, but I think there was a time during which they were even charging a fee for enrolments sent in via the U.S. Mail.)
6. They’ve finally started letting people enroll on-line for free, but the (new) Web site is just as awful and doesn’t work, and they don’t care, which is what has prompted me to write this blog entry.

Last year, I enrolled everyone in my family in the MPS using the previous version of their Web site.  Yesterday, I tried to use the Web site (http://dmachoice.org/) to confirm the status of our enrolment, and I discovered that they’ve redesigned the site, and my old login credentials no longer work.  Clever!

I therefore set out to register with the new site and enroll us in the MPS again, just to make certain we were enrolled.  They only allow up to five names to be associated with a single account on the Web site, so to register all seven members of our family, I have to create two accounts on the Web site.  Unfortunately, the Web site uses your email address as your username, so if you only have one email address, you can’t register twice on the Web site and therefore you can’t register your entire family if it has more than five people in it.  Brilliant!

Fortunately, my mail server supports extended addresses, i.e., messages sent to jik+foo@kamens.brookline.ma.us, jik+bar@kamens.brookline.ma.us, etc., will all be delivered into my “jik” mailbox.  Note that “+” is a perfectly legitimate character to include in an email address.  Unfortunately, the DMA Web site does not accept email addresses with “+” in them.  Amazing!

Fortunately, I administer my own mail server, so I was able to create a new address for myself “jik-dma@…” (note “-” instead of “+”), register on the site using that email address, and use the newly created account to register five of the seven members of my family.

I then attempted to repeat the process, this time with another newly created email address, “jik-dma2@…”.  Alas, it didn’t work.  I filled out the registration screen completely and clicked the “Submit” button, but instead of being shown a confirmation screen and receiving an account activation email message, I was shown a blank screen (except for the menu bar) and no activation email was sent.  Excellent!

I tried clearing my cache and cookies and registering again; that didn’t work.  I tried with two other computers, two other browser versions and two other Internet connections; none of them worked.  Wonderful!

I sent a request for help through their Web site.  A day later, they responded with, basically, “Yeah, sometimes the Web site doesn’t work.  Too bad!  You’ll just have to print out the form and register via U.S. Mail.”

Isn’t that just so precious?