Hey Substack! Get Your Sh*t Together! You’re (Nearly) Breaking the Law!

Unchecked, illegal, and annoying activity flourishing on the internet.

Chris Frewin
3 min read · Jan 23, 2023
The Pile of Poo emoji as it appears in Android 7.0, courtesy of the Apache 2.0 license.

Over the past few months, I’ve noticed I’ve gotten more and more random emails from some idiotic accounts and companies. Most numerous were those of Substack accounts. Perhaps it’s the fault of each of the owners of these accounts, and they are working with various shady newsletter-pumping services, or perhaps it’s just botnets auto-subscribing me to half the internet! I don’t know, and I don’t really care.

Could it be that Substack doesn’t even require an email confirmation? I decided to look into this, and my fears were confirmed. Indeed, you can subscribe to any Substack account without confirming your email. Guess what that means? Using a trivial script, you can auto-subscribe any email to any given Substack URL in a matter of seconds, no confirmation steps needed. Here’s one written by yours truly after only about 20 minutes fighting scrapy and web driver:

I’m going to leave this here. Out of spite. So people can abuse this script and perhaps enough people will get spammed to the point where the law changes.

I gotta admit, even after running this script for my own email, I still felt that something must be wrong. Surely the first email I get would ask me to confirm my email before getting more, right? Again, not the case, here’s the very first email I got after running my script:

You truly can’t make this shit up.

Regardless of who, what, when, how, or why, this should not be happening, or more importantly, it should not be allowed to happen. Let’s look into some GDPR law, Article 7, Section 1:

Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

Well, that’s nice. Since it’s trivial (as in 20 minutes trivial, as mentioned above) to subscribe any given email address to any given account on Substack (sorry to pick on them, but they won the prize for the most spam on my email account, so it’s them I’ll stick with as the example), they are by proxy breaking GDPR law, as I have of course clearly NOT given my consent to receive infinite emails from them, nor to be subscribed to any ONE of the accounts I was subscribed to.

Now, I know I’m just one guy and Substack probably has an army of lawyers at the ready, but can’t we do better, people? Can’t we obfuscate forms, make double opt-in a requirement, and finally - go after these damn botnets scouring the internet? It’s all just so bleak and disappointing.
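What double opt-in looks like on the server side, as an added example that is not part of the original post and is not Substack's code: the signup form only creates a pending entry, and newsletters are allowed only after the address owner returns a signed, expiring token from the confirmation mail. The secret, the 24-hour lifetime, the in-memory store and all class and method names are assumptions made for the illustration.

```python
import hashlib, hmac, time

SECRET = b"constructed-demo-key"  # assumption: per-deployment secret, kept server-side
TOKEN_TTL = 24 * 3600             # assumption: confirmation links expire after 24 hours

class SubscriptionList:
    """Double opt-in: an address stays pending until its owner confirms."""

    def __init__(self):
        self.pending = {}    # email -> time the signup form was submitted
        self.confirmed = {}  # email -> consent record (evidence for GDPR Art. 7(1))

    def _sign(self, email, issued):
        return hmac.new(SECRET, f"{email}|{issued}".encode(), hashlib.sha256).hexdigest()

    def request(self, email, now=None):
        """Handle the signup form and return the token to mail to `email`.
        The confirmation link is the only mail sent at this stage."""
        email = email.strip().lower()
        issued = int(now if now is not None else time.time())
        self.pending[email] = issued
        return f"{issued}.{self._sign(email, issued)}"

    def confirm(self, email, token, now=None, source_ip="unknown"):
        """Handle a click on the mailed link. True only for a valid, fresh token."""
        email = email.strip().lower()
        now = int(now if now is not None else time.time())
        issued_str, _, mac = token.partition(".")
        if not issued_str.isdecimal() or email not in self.pending:
            return False
        issued = int(issued_str)
        if issued != self.pending[email] or now - issued > TOKEN_TTL:
            return False  # superseded or expired link
        if not hmac.compare_digest(mac, self._sign(email, issued)):
            return False  # forged or tampered token
        del self.pending[email]  # single use: a replayed link is rejected
        self.confirmed[email] = {"requested_at": issued, "confirmed_at": now,
                                 "ip": source_ip}
        return True

    def may_send_newsletter(self, email):
        """Gate every newsletter send on a recorded confirmation."""
        return email.strip().lower() in self.confirmed
```

A scripted form submission against this flow produces at most one confirmation mail and no subscription, and the stored record is what lets the controller demonstrate consent.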

Me neither, Professor Farnsworth, me neither.

So, to sum up, if you didn’t get it already, let me be clear:

Substack, along with thousands of other sites on the internet, are blatantly disregarding GDPR law.

Yeah, I’m not very happy, because while half of the younger generation claim ChatGPT is our ultimate savior, all I see is more and more junk, by the minute, trolling around on the internet, making it worse for all of us. Meanwhile, Congress is voting on who is going to be the highest clown in the House, and the rest of us who just want to enjoy the internet are stuck with the cesspool of endless noise and low-quality content.

Oh and Medium, feel free to take this down, but I’ll just go on ahead and post it on my blog and elsewhere around the internet.

Yours in rage 🤬,

-Chris

Bonus: sites I’m tracking that are either doing shady marketing or part of the botnet that continually resubscribe my email (I will update this as my email account continually gets repopulated with garbage):
