Unsolicited mail-configuration assistance

/dev/oei

... beats /dev/random for entropy. This is a tumblelog of quotes, links, snippets, and occasionally a few paragraphs of my own. Your feedback is most welcome; please look for "Send a message" on my Google profile

March 9, 2010

7:03 pm

From the leaflet boxed with my new phone:

Your device supports easy, network-assisted e-mail set-up. […] During the e-mail activation process, your e-mail address, user name, and password, along with technical information, such as your device ID, may be sent to Nokia. Nokia will not process or store any personal, identifiable information after the activation, without your consent.

I understand why they need the e-mail address - the domain name is probably used to figure out the server configuration options - but the password? The only reason they’d need the password that I can think of, is that the configuration server tests the settings by logging-in, before sending the settings to the phone. That’s an innocent, but not a good reason.

Somehow, between the legal and the usability department, it was decided that a friendly leaflet in the box would be better than a pop-up at configuration time. I would have preferred the pop-up notification, which might have offered the option to decline auto-configuration.

It’s a one-time only thing, and it’s done with the best of intentions, and I’m sure the little leaflet covers them legally. Nonetheless, it puts a man in the middle, and that’s not a best practice.