Pebble steals your email address from an unsubscribed form

Problem

Pebble makes smart watches: the kind of watch with a digital display that connects to your phone to show your messages and other information shared via an application installed on the phone. Their website promises that it “can” do a lot, and I have no doubt that there’s at least one thing it can do great: stealing my information!

Pebble promises to do everything you can imagine

So the story is that I went to Pebble’s website as a prospective buyer. I should admit the design of the website is fabulous and modern. So after getting some technical info I decided to buy one. I went to the checkout page and filled in the information, starting with my email address. But at the bottom of the page, it asked for my credit card number. With all due respect for its hefty features, I didn’t feel comfortable giving this sensitive information, mainly because I don’t know the website (by the way, there’s a company that handles this kind of risk).

Even though Pebble looks like a great concept, the website looks like a one-product start-up with no connection to a big brand that I know. It’s not Sony. It’s not Philips. It’s not Apple or Samsung. It’s Pebble, a brand I got to know a couple of days ago when talking to my geek friends. Therefore no trust is built in the first place. So I gave up on the checkout page and headed to a shop I trust: Amazon!

A day later I got a marketing email:

Hi there,  You forgot me and your wrist is probably lonely. I just wanted to remind you how awesome I am, plus, they’re letting me ship anywhere in the world today for FREE!  I promise to sync seamlessly with your Android or iPhone and give you immediate access to what's most important to you. Want to know when the surf's up, check the scores or simply find your phone? I'm a Pebble. I can do that. Click here to take me home with free expedited shipping.  See you soon, Your Pebble

They capture your email address even without submitting the form

So the email is telling me that I’ve been sloppy and forgot the watch back in the shop and my hands are “lonely” without it. My immediate reaction was: “I didn’t forget you! I didn’t even want you because the shop that sells you wanted my credit card information and I don’t even know the site! PS. My wrist is not lonely! I have lots of watches!”

So the problem is: if I don’t trust the site in the first place, why would I be happy that they have captured my email address from an un-submitted checkout form and used it to spam me with a useless marketing insult?

I’m not sure if a company is legally allowed to capture user information that hasn’t officially been submitted. Being a web developer myself, I went back to their website to see what’s going on. Turns out Pebble actually sniffs whatever I type in the email address field and dynamically sends it back to the server using an Ajax call. Here is an example of the network message sent to their server when I wrote something in the email field:

An example of how Pebble sends your email address without even submitting the form
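To make the difference concrete, here is an added illustration (not Pebble’s code) of the pattern the trace above shows, a listener that posts the email field on every keystroke, next to an opt-in variant that only sends once the form is actually submitted with a consent box ticked. It uses Node’s built-in EventTarget/Event in place of DOM elements so it runs offline; the `transport` hook and the element names are assumptions standing in for the page’s real XMLHttpRequest/fetch call.

```javascript
// Added illustration, not Pebble's code: the pattern the post describes
// (posting the email field on every keystroke) next to an opt-in variant
// that only sends on explicit submit. Node's built-in EventTarget/Event
// stand in for DOM elements; `transport` is an assumed hook standing in
// for the XMLHttpRequest/fetch call that carries the data to the server.

function makeElement(props = {}) {
  return Object.assign(new EventTarget(), props);
}

// Eager capture: each change to the email field goes to the server at once,
// before the visitor has submitted anything (the behaviour in the trace above).
function attachEagerCapture({ field }, transport) {
  field.addEventListener("input", () => {
    transport({ email: field.value, submitted: false });
  });
}

// Opt-in capture: nothing leaves the page until the form is submitted with
// the marketing checkbox ticked, so half-typed or abandoned input is never sent.
function attachConsentCapture({ form, field, optIn }, transport) {
  form.addEventListener("submit", (ev) => {
    ev.preventDefault(); // the real page would also run its checkout here
    if (!optIn.checked || !field.value.includes("@")) return;
    transport({ email: field.value, submitted: true });
  });
}

// Drive an attach function with constructed keystrokes "a", "a@", "a@b.io"
// and optionally a final submit; returns every message the transport saw.
function simulate(attach, { submit = true, optIn = true } = {}) {
  const log = [];
  const els = {
    form: makeElement(),
    field: makeElement({ value: "" }),
    optIn: { checked: optIn },
  };
  attach(els, (msg) => log.push(msg));
  for (const typed of ["a", "a@", "a@b.io"]) {
    els.field.value = typed;
    els.field.dispatchEvent(new Event("input"));
  }
  if (submit) els.form.dispatchEvent(new Event("submit"));
  return log;
}

// Abandoned checkout (typed, never submitted): the eager listener has already
// sent three messages; the consent-gated one has sent none.
console.log(simulate(attachEagerCapture, { submit: false }).length,
            simulate(attachConsentCapture, { submit: false }).length);
```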

The email definitely didn’t convince me to buy a Pebble. If anything, it gave me a reason to be suspicious of how they handle the personal information that will naturally be shared with my smart watch. If they are so aggressive in stealing my information from an un-submitted form, how can I carry it on my arm on a day-to-day basis and give it full access to my email, SMS, Facebook and other personal information via pairing with my smartphone? Never ever!

It’s like you go to a shop just to take a look at the merchandise, and the next day when you wake up the delivery man is banging on your door saying: “hey, you forgot to buy what you were checking out yesterday at that shop!”. So let’s make it clear. I’m not buying because:

  1. You tracked me even though I didn’t explicitly mention that I want to be in touch (some websites have a submit form that is more polite)
  2. You actively used this unwanted tracking information to approach me with unwanted advertisement (that says you don’t care about my privacy)
  3. I am not going to trust an aggressive data-gatherer with a product that is directly exposing my security to a 3rd party that I don’t even know! (who is Pebble after all?)
  4. You use negative copy and convict me of being sloppy and forgetting what I was about to do (let’s be honest, this may apply to 1% of people who have a fish memory, but the rest of us know why we leave an activity)
  5. Your email doesn’t give me any new information. The price is the same and the shipping is free even when I use an un-tracked new browser session.

Solution

First of all, marketing people are the most unpleasant people after the security people when it comes to user experience. (How many times they bother you by ads or stupid security mechanisms daily?)

Sending a marketing email to someone who has left the checkout form may sound like a smart idea at first glance, but they should keep in mind that if you have left their page it is for a good reason, and they should respect your choice. It’s not like, now that you have left their page, they have nothing to lose and can use the most aggressive marketing methods to hunt you down to come back and buy from them! People may leave a website for many reasons: some don’t have enough money at the moment, some cannot make up their mind and need to ask their friends or look up the reviews, some are there just to see how much it costs because they are curious… Let people leave with a good impression. They may come back. If not, they’ll talk nicely about you with others. This is exactly why a polite salesperson says goodbye and wishes you a nice day when you leave their shop without even buying something (not all of them do that, but when they do, I feel connected and important. I will definitely keep that shop in mind when I’m out to buy next time).

So if you want to get in touch with your prospective customer, use a “subscribe to newsletter and offers” form. I submitted my email happily to Qualcomm’s Toq smart watch website and happily read their email.

Notes

Most smart watches need you to install an app on your phone in order to send information to the watch or back to the servers of the company that made it. Pebble has such an app too. So I went to the Android market and found the Pebble app to see what kind of information it accesses, and here is the list of permissions this app needs today:

  • read sensitive log data
  • read your contacts
  • full network access
  • Your personal information
  • receive text messages (SMS)
  • reroute outgoing calls
  • read phone status and identity
  • test access to protected storage
  • Your social information
  • read calendar events plus confidential information
  • modify or delete the contents of your USB storage
  • pair with Bluetooth devices
  • access Bluetooth settings
  • find accounts on the device
  • prevent device from sleeping

I don’t have any stats on how many people actually read the permissions before installing their apps (or even buying such “smart” devices), but it will not hurt to ask why a smart watch needs to re-route my calls or have full network access while also having access to my personal information.

I’m sure Pebble has very good answers for the issues mentioned in this post, so I’ll contact them and share any information they want to share.