by Romario77 109 days ago
I logged in several times to other people's accounts and reset their passwords. But it's too tiring, people keep adding my email.

I hope it's because I have a small, simple email and not because they want to steal it.

You’re confessing to several actual felonies here, may want to change strategies.
“…and so I made him the owner of my account, and he used that to remove himself from it!”

“We’ll be right over.”

You forgot the part where he reset their email he didn't own and changed their passwords so they couldn't get back into it.
I think you’re misreading this. OP has an email account. Someone else signed up for some website that doesn’t verify that you own the address before allowing you to log in and use the service. If the site did verify it, the user wouldn’t have been able to log in because OP would have been getting the verification emails, and not the user.

Later, after OP told the user and they failed to change their address, OP logged into the site and changed their password, putting an end to the spam they were receiving from the user’s actions.

I don’t have an ethical qualm with this. He didn’t want to sign up for the service. Someone else signed his email address up for it. Legally, I can’t imagine that being prosecutable.

One thing I've found, occasionally the hard way, is that helpful bystanders are always offering advice based on "ethical", "intuitive", "logical" and "common sense", usually without any aspect of "legal".

I got divorced a decade ago, and every well-wishing person in my life was strongly urging me to do things which were shockingly counter-productive / dangerous / wrong, based on their confident understanding (assumption, really) of the law which was completely and dangerously inaccurate.

Hacker News audience is global. People start accounts for various purposes. Yet people still freely share the notion that logging in to some unknown website run by an unknown company from a hard to spell country and then touching things is universally safe.

I miss the old "IANAL" tag which at least provided basic warning and self-awareness :-).

While true, I think that's implicit in all online conversations. I'm certain my thinking is 100% wrong in some jurisdictions elsewhere. Anything I say is wrong somewhere.

"It's OK: you can curse on the Internet." "Not when you're typing from Iran!" "Well, OK, if you're in Iran, don't take this American's advice for dealing with a government."

Part of our obligation as a reader is to consider what others are saying in the context of our own circumstances and experiences before trying to apply it. If you don't, and things end badly, that's on you.

But I stand on my words: I think it's ethically OK. You may not. That's alright. We're not required to have the same ethics or morals. And I don't think that's prosecutable. That's my opinion, based on my circumstances, not a statement of fact that applies in all jurisdictions around the world.

Above all else, I got tired of giving disclaimers about every single thing I say lest someone jump in with a "gotcha! scenario" I hadn't considered because it's not relevant to the context of the discussion.

IANYL, though! Offering legal advice with the disclaimer “I am not a lawyer” could be prosecuted as practicing law if a reasonable party could still infer a potential lawyer-client relationship from your message and/or intent. Instead, “I am not your lawyer” explicitly denies the lawyer-client relationship, which closes the door on both being accused of practicing law illegally and on being found as party to a lawyer-client relationship whether or not you have the appropriate certifications.
Right. Techies are always quick to suggest I do something naughty or funny with this "great power" I've unwittingly gained, but in reality it's just a liability. If I ignore it and they do something nasty and implicate me, it's a pain. If I touch it with a 10 ft pole, now I'm even more actively involved.

Just include "not me!" in the verification email, damn it

You give someone ownership of something and they used that ownership...
It's like leaving your bike in the street, with no lock. Still theft, but you'd be up for a part of the responsibility.
No, it's like giving someone a set of keys to your car, and they take it for a drive.
I think it’s more like you registered the car in their name. Now they’re allowed to use it, and also responsible for the thing which they didn’t want.

Consider that the “imposter” starts uploading child porn or something, and it’s on an account registered to your address. I think it’s perfectly A-OK to tell the service that it’s not me using the thing and I want them to close the account someone created in my name.

It's more like leaving your bike in someone else's garage.
I'm curious if this would really be considered unlawful access, since only pure idiocy and no hacking/scamming/etc were involved.
It would be in Canada, but our "misuse of computer" charge is overly broad and has never been well tested.
On the other hand, in Hong Kong it would be straight to jail. Someone was sent a link by the airlines, he changed a couple of characters and it ended up showing another person’s data. The guy voluntarily reported the vulnerability and all he got was a criminal charge and was found guilty.
No harm done, no one is gonna prosecute this.
In what jurisdiction? He's in Russia
He's in the US.
Have you tried sending them emails asking/telling them to stop?
I’m a different person, but this happens to me, too. I have the kstrauser@yahoo.com email address because I signed up for it like 25 years ago. I log in every 6 months to see what the few other kstrausers in the world have signed me up for.

Not jsmith, but kstrauser. Not Gmail, but Yahoo. And I still get banking docs, and HOA meeting minutes, and birthday party invitations, and Facebook logins, and other bizarre random stuff.

I have so many questions. I’ve typoed my address before and had to correct it. That’s understandable. But to wholly invent one and say, yep, that looks good even though I’ve never used it before, I’m sure it’ll be fine! I just don’t get it.

I have a catch-all on a .com.au domain where there exists a later 1000+ people organisation with the equivalent .gov.au. I get what you described but from many, many people - divorce proceedings, legal discussions, financial documents, health things, etc.
Yeah I have josephg@gmail. The amount of spam that account gets is wild - about 50-100 emails hit the inbox per day. I got soft-locked out of google docs a few months ago because my google account's 25gb quota was exhausted.

Some of the emails are really unfortunate stuff. "Your account was added as a backup address." - Then inevitably, a few weeks later, dozens of password reset emails. Sorry bud. I've received pay stubs. Orders and invoices. I get phone bills every month for someone in India. It's chaos.

Early on I'd sometimes reply to these random emails telling people they've got the wrong address. The most astonishing reply I ever got was from HSBC bank telling me I needed to come into the branch to change my email address. Over the course of a week, I explained about 3 times that that was impossible. That I live in Australia. That I'm not their customer, and it's not my account. Eventually they told me they were disabling online banking on my account. Now I've given up replying at all.

Send emails into that pit of PII misery if you want. I don't read them.

Some of these banks are ridiculous. HDFC bank insists that I send them my photo id, address, phone number, and my Indian id number to prove that I'm not their customer. I tried explaining that I don't have an Indian id number because I don't live in India but they insisted they can't help me unless I provide all of this. Then they sent me legal notices threatening me for not paying "my" bills. I send all their stuff to spam now.
I had one that person seemed to think their @twitter name was the same thing as my gmail address. Haven't seen it in a while, maybe they figured it out after I told their kid's teacher they had the wrong person...
I have a very weird and rare @gmail.com and I still get other people's mail sometimes.
>You write an email that says "Hey, can you please stop using my email address?"

>You send it to johnsmith@gmail.com

>You receive a new message, it says "Hey, can you please stop using my email address?"

>You're johnsmith@gmail.com, you only know that's the address that's being used

PS: I know that if he resets the password he can get the other address, but this scenario was funny in my head.

That may be what they're hoping for, using a similar modus operandi as those WhatsApp/IM messages from strangers who text you with things in the vein of ‘Hey, it was great meeting you at the conference’ or ‘Did Martha like your flowers?’ etc.

They may well be looking for targets.

I have a story here: I deleted my Reddit account.

A few months later, the owner of the u/batman account added my mail as password reset mail.

I looked up the account. It was hardly ever used in 15 years, mostly for once in a blue moon dropping in a random comment role-playing as Batman. It was not obviously anyone I knew. It looked like they were basically inviting me to take over the account.

That was actually a bit tempting, but then the owner, whoever they were, would know who I was, and I still didn't know who they were.

(For that reason I've changed the name, it wasn't Batman, but it was equally "I can't believe you got THAT as your Reddit username" rare.)

So I clicked "this wasn't me" instead. After a few weeks the account was deleted by the owner. It seems they were willing to burn a 15+ year old account with a super-desirable (to many) name in order to get me back to Reddit, and then when I refused they just deleted it. That was VERY weird, and I wish I knew what was going on.

yeah this was my thinking, too

great way to phish people without looking like a malicious, obvious actor

instead they look like idiots or rubes and you get a little too curious, and in ways that might be considered malicious (and potentially illegal).

There are times where you just can't... someone uses my email address in person at tractor supply co. and I'm getting a ton of marketing email I can't unsub to.

I've had this happen several times... There's a lawyer I used for a dispute a few years ago, and they now have another "First Last" name that matches mine, and he keeps emailing me... my reply, "Wrong Michael, again..."

It's kind of annoying all around... I need to get off my butt and get a few things shifted, then just start relying on my own MTA again, instead of forwarding *@mydomain to my gmail too. I'll still wildcard the domain, but to a single mailbox on my own mta.

I'm not sure how bad the spam might get though... I've had a test account on my mta for a couple years and it hasn't really received any... my wildcard accounts either... I use the wildcard so I can do things like walmart@mydomain, to see if/where an email address is sold/leaked from regarding spam.

Contact the Bar Association for that lawyer's state. He will definitely stop making that mistake then.