An insurance agent who I called on the phone for a quote demanded my email address. I resisted, said he could have my fax number instead. He said the form he is filling out in order to get me a quote will not move forward without an email address. I got the impression this was not a requirement of the agent but rather the underwriting company, which means no matter which agent sells me the policy it’s impossible to get insurance from that underwriter without an email address. I would be denied insurance with this underwriter had I not supplied an email address in a phone conversation. They assume if you have access to a phone line, you have email.

So I gave him a disposable. This is still not an okay solution. The quote he sent by email traversed Microsoft servers and contained sensitive information without encryption. It doesn’t matter that MS did not get my real email address considering they still got lots of personal info about me from the quote.

It’s also interesting to note that mortgage lenders require borrowers to always have homeowner’s insurance. So I will dream about pulling this activist move: drop the insurance after securing a mortgage, tell the bank “I cannot get insurance because I don’t have an email address”. Insurance companies tend to refuse to sell policies to someone who is not the beneficiary of the policy, so the bank would not be able to insure the home on their side. I would just love to see that shitshow play out. If anyone wants to drop their homeowners insurance for any reason, this might be your best defense for doing so.

Funnily enough, the insurer offers a “paperless discount”, which means they actually have a paper-sending service for those who are not paperless. Yet everyone must have an email address before they even get a quote.

  • evenwicht@lemmy.sdf.orgOPM
    link
    fedilink
    arrow-up
    1
    ·
    edit-2
    2 months ago

    I would indeed be concerned with hosting. But to a lesser extent than email. Email service is gratis & paid for by advertising. The terms of service for email explicitly gives the surveillance advertiser carte blanche on snooping and exploiting email traffic for all it’s worth which is understood by all parties involved.

    Hosting service is a paid subscription. Hosting users have the option of controlling their own keys. It is not customary or expected for a web hosting provider to snoop on the traffic they are hosting. Unlike email snooping, I believe it would be a malicious act for a hosting provider to collect data from traffic they host. That said, internal breaches are common, like that of Capitol One data being exfiltrated by an AWS contractor. So it’s not entirely wise to trust MS and Amazon not to snoop on Azure and AWS.

    Consider US 3 letter agencies doing their unlawful unwarranted snooping. Because they need to conceal their own snooping activity, they cannot liberally exploit the data they collect. They have to use parallel construction to create a legally plausible scenario by which they obtained the data. This substantially limits how they can use the data and to what extent. I think this is similar to MS’s situation with Azure. How can they use the web traffic data without revealing that they are using it? Not easy. Risks are high. Disgruntled employees tattle on their employers.

    You have to decide for yourself where to draw the line. But certainly you’re setting the bar as low as possible if you tolerate email snooping, and a bit higher if you reject email snooping but are not worried about web traffic snooping. A good place to set the bar is to reject email snooping and also reject using their website if hosted by GAFAM or proxied Cloudflare (Cloudflare almost always manages the keys, thus a bit foolish to use lemmy.world).

    In the case at hand the prospective insurer blocks Tor, which again means they are demanding more info from me than contractually necessary (my IP address). So I would not use their website regardless of their hosting provider. They will charge a penalty fee for not being paperless.

    The insurance company would still likely have your data in a dodgy outsourced cloud space even if you don’t use the website. But in that case control is almost entirely out of your hands. Generally you cannot even be informed about their internal ops. The more out of your control it is, the more liable the insurance company is for misuse. If email traffic to you is abused or misused, you share the blame because you signed up for it by sharing your email address knowing that Outlook traffic is openly surveilled on the table. You willfully feed Microsoft in that case. But when you don’t know how your data is stored for their internal ops, there is nothing you can do and no decision on your part to make.