The Finnish Institute for Health and Welfare (THL) has asked SSM Suomen Suoramainonta to deliver a letter about best practices against COVID-19. However, if you never received such a letter, as I didn’t, you could have complained about it at the address provided by THL in their own blog post. Unfortunately, I think I’m going to pass on this one. This is mainly because of 3 reasons.
Feedback URL itself is insecure
And it’s not about the lack of a 301/302 redirect to a secure, HTTPS-protected version of the URL (http://www.jakelupalaute.fi/korona). There simply isn’t a valid SSL certificate that could protect the following information as it is sent over the network:
- Street address
- ZIP code
- City
- Phone number
- Delivery date
- Product
- Feedback type
- Notes
Instead, they’re serving a certificate that’s valid for another hostname, suora.net, which is also owned by the same company that does the letter delivery. A user on an insecure network has a good chance of having their personal information stolen.
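The hostname check that makes a client reject a certificate like this one is shown below as an added example; it is not code from the original post. The sample certificate is constructed: only the name suora.net comes from the text above, the wildcard entry is an assumption, and `audit()` is a hypothetical helper for repeating the check against a live host.

```python
import socket
import ssl

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
# Only "suora.net" comes from the page; the wildcard entry is an assumption.
CONSTRUCTED_CERT = {"subjectAltName": (("DNS", "suora.net"), ("DNS", "*.suora.net"))}


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard covers exactly one label and needs two fixed labels after it.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_covers(cert: dict, hostname: str) -> bool:
    """True if any DNS subjectAltName in the certificate covers the hostname."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(hostname_matches(name, hostname) for name in names)


def audit(hostname: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live check: connect with chain and hostname verification enabled."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname):
                return "ok: certificate chain and hostname verified"
    except ssl.SSLCertVerificationError as exc:
        return f"certificate rejected: {exc.verify_message}"
    except OSError as exc:
        return f"no usable HTTPS endpoint: {exc}"


if __name__ == "__main__":
    # Offline: the mismatch the page describes, on the constructed certificate.
    print(cert_covers(CONSTRUCTED_CERT, "www.jakelupalaute.fi"))
    print(cert_covers(CONSTRUCTED_CERT, "suora.net"))
```

A certificate issued for one of a company's hostnames does not protect another hostname of the same company; the names in the certificate must cover the exact host the form is served from.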

There is no privacy policy
As the heading says, no privacy policy exists. Based on the HTTP POST requests, the information entered in the form is sent to a script on the jakelupalaute.fi hostname, which processes it and passes it in an insecure way to the direct marketing company.
Google tracks you on this page, too
On the page designed to receive the complaints, there is a Google Analytics tag that’s also being used on other websites designed by SSM.

And as said before, there is no privacy policy on the website that says anything about this tracking.
THL chose this company for the delivery job
THL shows unprofessionalism in choosing partners that handle user data carelessly and in ways that might interest the Finnish Data Protection Ombudsman.