Friday, May 17, 2013

HostGator - The Privacy Saga Continues

HostGator: A friend after all?
As I wrote yesterday, HostGator locked me out of my brand-new account because of "suspicious" activity.  I called back to push them further on it.  Do I really need to email them my personal data—scanned copies of  my passport or driver's license, as well as my credit card—to prove I'm not a fraud?

This time I spoke with Charles.  He was more inquisitive that Phillip (yesterday's rep) and thus more willing to explore my hesitation to provide scans of my passport/driver's license and credit card for their records.  His interest gave me some opportunity to talk about my background in privacy, and ask him about HostGator's storage protocol, retention period and destruction of customers' scanned identification.  He had no idea how my data would live in their records, but I credit him for being honest.

In return, he shared that the reason my account had been flagged was that I had signed up through a proxy.  "I was at work, surfing on my lunch break," I explained.  A proxy isn't always the sign of ill intent; sometimes it's just the design of a large network.

In any event, my email address is now permanently flagged in their system's database as "trouble".  If I sign up again from home, using a different email address, all should be well and I should not be flagged a second time.

Perhaps so, but in any event I'd wait for my refund first, just in case.  Thank you, Charles.

Note to businesses: It's really amazing how customer experiences can differ depending on which service  representative answers the call. Will they blindly repeat what they've heard others say?  Or dogmatically tow the company's official line?  Or... will they open themselves to discussing options with a legitimate customer who might have been treated unfairly?


Later word from HostGator's official twitter account was less encouraging:

"This information is only requested when necessary for verification. If you DM your account info, we will be happy to call you.1 There are steps we can take to assure that your information is only seen by qualified personnel.2 If you provide us with the ticket ID, we can move your information to a queue that only auth'd personnel can see.3 We are sorry to hear of your decision. Unfortunately, verification is a necessary evil in our industry.4"

"A necessary evil."  Their policy is intended to prevent fraud.  In their brief dealings with me they made two errors:
  1. Incorrectly identifying my purchase as fraudulent, and freezing my account.
  2. Continuing to insist on applying their verification policy against the rightful owner of a credit card that made a lawful purchase.
I think the "evil"' here is a webhosting company that indiscriminately collects  personal information whether the circumstances are fraudulent or not, with no transparency as to how the information is handled, where it is stored, how long it exists, how it is protected, and when it is destroyed, if ever. I have every reason to assume that like my "flagged" email address, it will remain a part of their loss prevention/fraud detection database forever.

I won't give HostGator my personal information; you shouldn't either.  If they demand it as a condition of service, get your service elsewhere.

_______________________________________________
1- https://twitter.com/hostgator/status/335112160566976515
2 - https://twitter.com/hostgator/status/335112438116655104
3 - https://twitter.com/hostgator/status/335146404521574400
4 - https://twitter.com/hostgator/status/335153917245661185