The more some of us delve into the Care2 breach, the more it becomes clear that the only reason the social networking site can claim almost 18 million members is because many “members” never knowingly signed up as members and had their “membership” created for them without their knowledge or direct consent.
Following my post the other day, the individual who sent me the e-mail notification of the breach used the password retrieval mechanism to see what password Care2 showed for the account she had no recollection of creating. The password they sent her was one they had created for her “account.” Using that, she attempted to retrieve her profile. After being forced to do a password reset, she explored her profile and learned that the account must have been created after she had used the site several years ago to sign a petition. Her “profile” reflected the information she had provided in signing the petition.
At the same time that she was trying to figure out how she wound up with an account she never requested or explicitly authorized, Lee from CyberWarNews.info was sending Care2 public relations an e-mail asking them to comment on numerous complaints from people who also stated they had never knowingly created accounts. In response, they sent him a boilerplate reply, which he kindly forwarded to DataBreaches.net:
From: Randy Paynter
Date: Sun, Jan 1, 2012 at 3:30 AM
Subject: Re: Care2 Public Relations

Please forgive the nature of this automated response. We are working to help everyone as quickly as we can. The best way we can do this is to help you help yourselves using some tools we have made available. These will get you quicker service, and enable us to personally assist those of you who have outstanding requests.
*Unaware that you had an account at Care2.com?
*We sent a warning email about our recent hacking incident to everybody who had at some point in the past 12 years created an account on Care2.com or ThePetitionSite.com. You might not recall having ever done this, which would make our warning email confusing, however at some point in the past you or someone (not us!) created an account with the email address we sent the message to.[…]
It would seem that people who used the site to sign a petition had a durable account created for them, without their knowledge or explicit consent. If they had consented, they would have created a password instead of what the site shows as the password.
So what did the site’s privacy policy say about use of The Petition Site? According to their privacy policy (archived in the Wayback Machine):
PetitionSite: Care2 owns and maintains the nonpartisan PetitionSite.com. Petition and Public Comment signers are required to provide certain personal information such as name, email address and often street address. This information is required to validate the petition / public comment. Care2 uses cookies and a signature database to provide data integrity and ease of use.
For petitions and surveys you’ve signed or completed, we treat your name, city, state, country and comments as public information—for example, we may provide compilations of petitions, with your comments, to the President and legislators, other targets, or to the press. Unless you have requested to be shown as ‘anonymous,’ this information will also be visible on the website. We will not make your street address publicly available, but we may transmit it to members of Congress, to other public officials, or to other targets as part of a petition to validate your signature. We may also make your comments, along with your first name, city, state and country, available to the press and public online.
Care2 hosts two kinds of petitions: free petitions sponsored by individuals and petitions sponsored by nonprofits.
For the free petitions, only the public information listed above is made available to the petition sponsors or targets.
For many of the petitions sponsored by nonprofits, we provide an advocacy service allowing individuals to send individual e-mails to public officials, legislators, and other targets as well as public comments to government agencies, through our website. These messages are sent in your name, with your e-mail address as the return address and your full name and contact information is provided as part of the submission. These messages will only be sent out under your name as you approve them on an individual basis by signing an action. You are solely responsible for the specific message(s) you send using our email tool. Optional comments will be included in the body of the email message delivered to the petition target.
During the signing process, you may opt to receive certain email newsletters and online memberships, in which case Care2 will send required contact information to those 3rd party providers. However, unless you specifically opt to receive such online offers or send your contact information to 3rd parties during the signing process, Care2 will keep your email address information confidential.
Is that what they view as creating an account? Nowhere does it mention that an account is created for the individual or that they are now a “member.” They do note that the site was TRUSTe certified at the time. Big help that was, huh?
If you got caught up in this mess, you can cancel the account you never knew you had. Here’s how:
1. Log in at http://www.care2.com/passport/login.html using the e-mail address that received the e-mailed breach notification. Click “forgot password” and have them send you a password, then log in with that password.
2. Go to http://www.care2.com/accounts/delete_this_account.html and click the button to confirm deletion.
The person who contacted DataBreaches.net was fortunate in that the e-mail address used in signing the petition was still a working e-mail address. Others, who no longer have access to the e-mail addresses they had used, are posting messages on Care2.com seeking help in getting back into the accounts so that they can see what information was stored about them in their public profile, or so that they can delete their account.
I’ve had numerous discussions over the years with others about the need for explicit opt-in consent. This is just one more example of how people can wind up with their information in databases because they visited or used a site years ago, never knowing what they were getting themselves into.
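The two design failures the post describes are that signing a petition silently created a durable account with a site-generated password, and that the password-retrieval mechanism e-mailed that stored password back. The following is an added example, not code from the original post and not Care2’s code, showing the opt-in alternative: a petition signature is recorded on its own, a member account exists only when the signer explicitly opts in and chooses their own password (stored as a salted hash), and “forgot password” issues a single-use reset token instead of revealing anything. All function names, the in-memory stores and the sample signers are constructed for illustration.

```python
"""Added example: explicit opt-in account creation for a petition site.
Not Care2's code; every name and data structure here is hypothetical."""
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed in-memory stores standing in for a real database.
signatures: list = []          # petition signatures (public by policy)
accounts: dict = {}            # email -> member record (only with consent)
reset_tokens: dict = {}        # sha256(token) -> email, single use


def hash_password(password: str, salt: Optional[bytes] = None):
    """Salted PBKDF2; the site keeps only salt + digest, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def sign_petition(petition_id: str, name: str, email: str,
                  create_account: bool = False,
                  chosen_password: Optional[str] = None) -> dict:
    """Record the signature. A durable member account is created only when
    the signer explicitly opts in AND supplies a password of their own."""
    signatures.append({"petition": petition_id, "name": name, "email": email})
    if not create_account:
        return {"signed": True, "account_created": False}
    if not chosen_password:
        raise ValueError("opt-in account creation requires a user-chosen password")
    if email in accounts:
        return {"signed": True, "account_created": False}
    salt, digest = hash_password(chosen_password)
    accounts[email] = {"name": name, "salt": salt, "digest": digest,
                       "consented": True}
    return {"signed": True, "account_created": True}


def request_password_reset(email: str) -> Optional[str]:
    """Return a one-time token to be e-mailed to the address on file.
    Only the token's hash is stored. The web layer should send the same
    generic "check your mail" response whether or not an account exists,
    so the endpoint cannot be used to enumerate members."""
    if email not in accounts:
        return None
    token = secrets.token_urlsafe(32)
    reset_tokens[hashlib.sha256(token.encode()).hexdigest()] = email
    return token


def complete_password_reset(token: str, new_password: str) -> bool:
    """Consume the token (single use) and set a new user-chosen password."""
    email = reset_tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if email is None:
        return False
    salt, digest = hash_password(new_password)
    accounts[email].update(salt=salt, digest=digest)
    return True


def login(email: str, password: str) -> bool:
    acct = accounts.get(email)
    return bool(acct) and verify_password(password, acct["salt"], acct["digest"])


def delete_account(email: str) -> bool:
    """Remove the member record; the petition signature itself stays,
    since the policy quoted above treats it as public information."""
    return accounts.pop(email, None) is not None
```

The key difference from the behaviour described in the post is that `sign_petition` with the default `create_account=False` leaves no account behind at all, so there is nothing for a later breach notice to surprise the signer with, and the reset path never has a stored password to send.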
Update: A commenter notes that when s/he experienced a problem reported by other commenters in deleting accounts, logging out and logging back in seemed to enable account deletion.
So I’ve been reading about a dead end when you try to delete your account. The post was from 2 years ago and apparently you still cannot delete your account. I just tried it and was unable to delete it due to a dead end website after clicking delete. This website is garbage.
So you were able to login with a re-set password but unable to delete account despite their instructions saying that you can delete your account? Sheesh…
I just went and tested deletion from the Petition Site by entering the e-mail address that they had on file for a user who had deleted her account after getting notified of the breach and learning that they had created an account for her. The login attempted resulted in a message that there was no account for that e-mail address. So at least some of the deletions are working. Maybe there’s a difference between deleting from the petition portion of the site and the rest of it.
Have you posted on their blog to ask for help deleting your account? I’d be interested in hearing their explanation as to why your deletion didn’t work. Please keep us updated on this.
Here’s another thought: Privacy Rights Clearinghouse just launched a privacy complaints center. You might want to report this there, too: http://www.privacyrights.org/complaint
I went through the whole process and got to the final screen where you check the box to delete the account and hit the ok button. After hitting ok, it brings me to a white screen that says “table ‘carecards.fo_images’ doesn’t exist.” I got it on my phone and computer.
Try logging out and back in, then deleting again.
Thank you for the info. I had never heard of the site, Care2, until I received the email about the security breach. I never set up an acct. on their site. I probably did sign a petition on Facebook. This is ridiculous that they stored my info and created me an acct! I found your article when I googled Care2 to see what the heck it was. Thank you for your steps on how to delete acct.
I have been trying since the “breach” announcement email to delete my account with Care2 and have gotten the same “table ‘carecards.fo_images’ doesn’t exist” page. Several attempts at contacting their support have resulted in no response.
Thank you for posting that Privacy Rights Clearinghouse site. Maybe that will encourage a response.
I sent Care2 a media query last night asking about that complaint after another reader alerted me to the problem. So far, no response to the inquiry. If I get one, I’ll post it.
I was able to resolve this by logging out and back in, then trying to delete it again.
Thanks for sharing what worked for you. I hope others who are having problems see your comment and let us know if that approach works for them.
I had the same problem, and no response from support to delete the account. I finally found tiny print on their privacy page: http://www.care2.com/help/general/privacy.html
Scroll down to “Will Care2 use my information for direct e-mailings?” and click on the link they provide to delete the account. Your account number, not user name, will appear. This worked for me.