I recently came across the Postagram app by Sincerely, and was eager to give it a try. The service makes it trivially easy to send a physical postcard through the US Mail, custom printed with a photo of your choosing. It’s a neat idea. Unfortunately, I am worried about what appears to be a trivially easy mechanism for a stalker/predator to trick people into giving up their physical street address.
Now, I really hope I’ve missed something here. But I experimented with it and was disturbed by what I found. I started by creating an account on the Sincerely website. I was then given a chance to build my personal address book with which to send postcards to my friends… and this is where I started to get nervous.
One of the methods for doing this was by providing email addresses for each of my friends. They, in turn, receive an email message from Sincerely on my behalf. They don’t receive any verifiable information at all in this message that truly indicates it is coming from me on the other side of the process. The email message looks like this:
When the user on the receiving end clicks the link in the email, they are directed to the following page on the Sincerely website:
I went through this process to send a message to another email address that I own. On the receiving end, I filled in the relevant address information on the website and pressed the “Send Securely” button. Sure enough, the original sender gets direct access to the street address in their online “Address Book” on the Sincerely website.
Does this raise red flags for anyone else? A stalker needs only two pieces of information — your email address and the name of a person you trust — to effectively trick you into providing them with your home address. Very disturbing in my eyes. Are your kids savvy enough to avoid this kind of internet deception?
Hey Patrick, thanks for checking out our new URL system. We totally understand your privacy concerns and wanted to mention that we don’t share the addresses of Sincerely users, instead we only show their name and city. If you are are not a Sincerely user and just fill out the form, then you are correct, we will add a name and address into the contact book.
If I understand correctly, you are worried that someone would create a fake Sincerely URL, then pass it out trying to collect addresses of people they don’t actually know, is that correct? That’s a condition that I don’t think we’ve talked about yet. I’ve brought it up with our web dev and we’ll see if there’s something we can come up with on our end. If so, I’ll try to get back here with an update. Thanks again for your thoughts.
Thank you for the comment, and I think you basically understand my concern. Overall, I don’t believe the danger is with the URL itself, but rather the system in which Sincerely will send that invitation and URL by email on a user’s behalf. That’s the part that concerns me the most, since it obscures the actual source of the action.
As an example, if I create a fake URL but have to email it to people myself, they will clearly see my “real” return email address or whatever. But when they receive an email message from Sincerely containing the URL, I think it’s too easy for people to accept that it has originated from the “name” they see on your page without really questioning it.
Thanks!