Finnish Institute for Health and Welfare (THL) shares your COVID-19 letter complaints with an insecure direct marketing company

Finnish Institute for Health and Welfare (THL) has asked SSM Suomen Suoramainonta to deliver a letter about best practices against COVID-19. If you never received such a letter (I didn't), you could complain about it at the address THL provided in its own blog post. Unfortunately I think I'm going to pass on this one, mainly for three reasons.

Feedback URL itself is insecure

And it's not only about the missing 301/302 redirect to an HTTPS-protected version of the URL (http://www.jakelupalaute.fi/korona). There simply isn't a valid TLS certificate for the hostname, so nothing protects the following information on its way over the network:

  • Street address
  • ZIP code
  • City
  • Email
  • Phone number
  • Delivery date
  • Product
  • Feedback type
  • Notes

Instead, port 443 serves a certificate issued for a different hostname, suora.net, which is also owned by the company doing the letter delivery. A browser rejects that with a hostname mismatch error, so the only address that works is the plain HTTP one, and a user on an untrusted network (public Wi-Fi, for instance) has a good chance of having their personal information read or altered in transit:

Output from openssl s_client -connect jakelupalaute.fi:443
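The check behind that openssl output, as an added example rather than anything from the original post or from SSM: does the certificate a server presents cover the hostname the user actually typed? The certificate dict below is constructed to mirror the shape `ssl.SSLSocket.getpeercert()` returns; the exact subject and SAN list of the real suora.net certificate (including the wildcard entry) are assumptions, not facts recorded in the post.

```python
"""Does the served certificate cover the hostname the user typed?

Added example for this post, not the author's own tooling. The
certificate dict below is constructed to mirror the shape that
ssl.SSLSocket.getpeercert() returns; the real suora.net certificate's
exact subject and SAN list are assumptions, not taken from the post.
"""
import socket
import ssl
import sys

# Constructed stand-in for the certificate the post describes: issued for
# suora.net, served on jakelupalaute.fi:443. The wildcard entry is assumed.
CONSTRUCTED_CERT = {
    "subject": ((("commonName", "suora.net"),),),
    "subjectAltName": (("DNS", "suora.net"), ("DNS", "*.suora.net")),
}


def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style matching: a wildcard counts only as the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Refuse '*.net'-style wildcards that would cover a whole public suffix
    if len(p_labels) < 3:
        return False
    # '*.suora.net' covers 'www.suora.net' but not 'suora.net' or 'a.b.suora.net'
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list:
    """Hostnames the certificate is valid for: SAN dNSName entries, CN only as a fallback."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    # Modern clients ignore CN when a SAN extension exists; keep it for legacy certs
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if a browser would accept this certificate for `hostname`."""
    return any(_name_matches(name, hostname) for name in cert_names(cert))


def live_check(hostname: str, port: int = 443) -> str:
    """Handshake with default verification, like a browser, and report why it fails.

    Needs network access; the offline demonstration in main() does not call it.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                names = cert_names(tls.getpeercert())
        return f"ok: certificate for {hostname} covers {names}"
    except ssl.SSLCertVerificationError as err:
        # Hostname mismatch, untrusted CA, expiry: the same failures a browser shows
        return f"verification failed for {hostname}: {err.verify_message}"


def main() -> None:
    if len(sys.argv) > 1:
        print(live_check(sys.argv[1]))
        return
    for host in ("suora.net", "www.suora.net", "jakelupalaute.fi"):
        verdict = "covered" if hostname_matches(CONSTRUCTED_CERT, host) else "NOT covered"
        print(f"{host}: {verdict} by a certificate for {cert_names(CONSTRUCTED_CERT)}")


if __name__ == "__main__":
    main()
```

Run it with no arguments to see the offline verdicts against the constructed certificate; pass a hostname to perform a real handshake with default verification, which reports the same "hostname mismatch" reason a browser would. Note that a certificate for suora.net does not cover jakelupalaute.fi even if both belong to the same company; hostname matching is purely about the names in the certificate.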

There is no privacy policy

As the heading says, there is no privacy policy anywhere on the site. Based on the HTTP POST requests, the form data is sent to a script on the jakelupalaute.fi hostname, which processes it and hands it, over an insecure connection, to the direct marketing company.

Google tracks you on this page, too

The page designed to receive the complaints carries a Google Analytics tag that is also used on other websites designed by SSM:

Maltego generated list of websites connected by same tracking code in different websites from open sources

And, as said above, the website has no privacy policy that says anything about this tracking.
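The pivot that Maltego draws as a graph, written out as an added example (not the author's Maltego workflow): pull the Google Analytics and Tag Manager IDs out of each page's markup and invert the mapping so that sites sharing an ID end up grouped together. The page snippets, hostnames and tracking IDs below are constructed and hypothetical; they are not the IDs the post found on SSM's sites.

```python
"""Group websites by the Google Analytics / Tag Manager IDs embedded in their HTML.

Added example, not the author's Maltego workflow. The pages below are
constructed; the hostnames and tracking IDs in them are hypothetical and
are not the IDs the post found.
"""
import re
from collections import defaultdict

# Tracking IDs Google embeds in page markup: classic UA property IDs,
# GA4 measurement IDs and Tag Manager container IDs.
TRACKING_ID = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12}|GTM-[A-Z0-9]{4,8})\b")

# Constructed page snippets (hypothetical hosts and IDs) showing the common forms:
# analytics.js ga('create', ...), gtag('config', ...) and the gtag.js loader URL.
CONSTRUCTED_PAGES = {
    "feedback.example": """<script>
      ga('create', 'UA-1234567-1', 'auto'); ga('send', 'pageview');
    </script>""",
    "marketing.example": """<script async src="https://www.googletagmanager.com/gtag/js?id=UA-1234567-1"></script>
    <script>gtag('config', 'UA-1234567-1');</script>""",
    "unrelated.example": """<script>gtag('config', 'G-ABCDEF1234');</script>""",
    "static.example": "<p>No analytics here.</p>",
}


def extract_ids(html: str) -> set:
    """Every tracking ID that appears anywhere in the markup."""
    return set(TRACKING_ID.findall(html))


def sites_by_tracking_id(pages: dict) -> dict:
    """Invert host -> IDs into ID -> sorted hosts; shared IDs link otherwise unrelated sites."""
    index = defaultdict(set)
    for host, html in pages.items():
        for tid in extract_ids(html):
            index[tid].add(host)
    return {tid: sorted(hosts) for tid, hosts in index.items()}


def shared_with(pages: dict, host: str) -> dict:
    """For each ID on `host`, the other hosts that reuse it."""
    index = sites_by_tracking_id(pages)
    return {tid: [h for h in index[tid] if h != host] for tid in extract_ids(pages[host])}


if __name__ == "__main__":
    for tid, hosts in sorted(sites_by_tracking_id(CONSTRUCTED_PAGES).items()):
        print(tid, "->", ", ".join(hosts))
```

In practice the `pages` dict is filled from fetched HTML (or from an archive such as a Wayback snapshot) rather than constructed; the grouping logic is the same, and a single shared ID is enough to tie a feedback form to the operator's other properties even when no privacy policy mentions the tracking.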

THL chose this company to the delivery job

THL shows unprofessionalism in choosing partners that handle user data carelessly, in ways that might interest the Finnish Data Protection Ombudsman.
