The Finnish Institute for Health and Welfare (THL) has asked SSM Suomen Suoramainonta to deliver a letter about best practices against COVID-19. However, if you never received such a letter, like I didn’t, you could’ve complained about it at the address provided by THL in their own blog post. Unfortunately, I think I’m going to pass on this one. This is mainly because of 3 reasons.
Feedback URL itself is insecure
And it’s not about the lack of a 301/302 redirect to a secure, HTTPS-protected version of the URL (http://www.jakelupalaute.fi/korona). There simply isn’t a valid SSL certificate that could protect the following information being sent over the network:
- Street address
- ZIP code
- Phone number
- Delivery date
- Feedback type
Instead, they’re serving a certificate that’s valid for another hostname, suora.net, which is also owned by the same company that does the letter delivery. A user on an insecure network has a good chance of having their personal information stolen.
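Why a certificate issued for suora.net cannot protect a form on www.jakelupalaute.fi, as an added example that is not from the original post: the name-matching rule a TLS client applies, plus a probe that reports the rejection reason. The SAN list is constructed (the post only names suora.net), and the function names are hypothetical.

```python
import socket
import ssl

# Constructed sample: the post only says the certificate is valid for suora.net;
# the exact SAN entries below are an assumption.
SAMPLE_SANS = ["suora.net", "*.suora.net"]

def name_covers(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: exact match, or '*' as the whole leftmost label."""
    pat = pattern.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if pat == host:
        return True
    if pat.startswith("*."):
        _first, sep, rest = host.partition(".")
        # The wildcard stands for exactly one label, never for the bare domain.
        return bool(sep) and rest == pat[2:]
    return False

def cert_covers(hostname: str, dns_names: list[str]) -> bool:
    """True if any DNS name in the certificate covers the requested hostname."""
    return any(name_covers(name, hostname) for name in dns_names)

def probe(hostname: str, port: int = 443, timeout: float = 5.0) -> str:
    """Verified TLS handshake; returns 'ok' or the reason the client refused."""
    ctx = ssl.create_default_context()  # checks both the chain and the hostname
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname):
                return "ok"
    except ssl.SSLCertVerificationError as exc:
        return f"certificate rejected: {exc.verify_message}"
    except OSError as exc:
        return f"no TLS service: {exc}"

if __name__ == "__main__":
    # Offline demonstration on the constructed SAN list.
    for host in ("www.jakelupalaute.fi", "suora.net", "www.suora.net"):
        print(host, "covered" if cert_covers(host, SAMPLE_SANS) else "NOT covered")
```
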
Google tracks you on this page, too
On the page designed to receive the complaints, there is a Google Analytics tag that’s being used on other websites designed by SSM.
THL chose this company for the delivery job
THL shows unprofessionalism in choosing partners that handle user data carelessly and in ways that might interest the Finnish Data Protection Ombudsman.