Internet

Go Network mulls security issue

Disney's decision to include user names and passwords in an email campaign sparks security concerns.

Disney's recently launched Go Network is charging ahead with a direct-email campaign aimed at drawing traffic from the media giant's affiliated sites.

But in its effort to help users make a smooth transition from the affiliate sites, Disney included user names and passwords in the email messages, raising concern about the network's security.

"Although I was told I would not get unsolicited mail, I got this email with my user name and password in a completely unsecure way," said Sanjay Mathur, a regular user of ESPN.com, one of Disney's online properties, along with ABCNews.go.com and Family.go.com.

"What bothers me is that someone could possibly use that information to get my credit card information," Mathur added. "I do whatever I can to maintain security, and here is someone just piping it over the Internet."

But the Go Network quickly noted that it is more of a customer satisfaction issue than a security problem, adding that there is no way to retrieve credit card information from their sites either over the Internet or by email.

"The broadcast email that was sent to ESPN subscribers to inform them of their benefits on GO Network did not compromise the users' credit card information in any way," said Patrick Naughton, executive vice president of products at the Go Network.

Even if credit card security is not vulnerable in the email messages, Disney could lose precious credibility and members simply because of the perception of risk. As hacks, free email breaches, and other security issues make regular headlines, those who are newer to the Net often are unsure where they are safe. And with entertainment, portal, and other companies locked in intense competition for members, there are plenty of choices for users looking to make a switch.

No company knows that more than the image-conscious Disney. "If we find that many users feel more comfortable specifically requesting their password information be mailed to them, we'll adjust the content of our email messages to not contain this convenient information up front," Naughton said.

The company said it had not yet received any complaints about the campaign but that it would look into the security issues involved. An ESPN.com spokesman said a call from a CNET News.com reporter was the first time he had heard that the direct email effort has raised concern.

"I think it is a good call-out that it could be a security issue," said Barak Berkowitz, Go Network's senior vice president of worldwide marketing. "We are checking to make sure, but everyone believes you would not be able to get any credit card data with that user ID and password."

The Go Network said several different emails have been sent out recently to users. Among them, one deals with parental notification when someone under 13 joins, while another is a confirmation email that a new subscriber receives when he or she registers for the service. Both contain user names and passwords, ESPN.com and Go confirmed.

The letter that people like Mathur received was to inform members of new services available at the Go Network, which now has about 9 million members.

"What we are going to do is right now is a fairly quick security review," Berkowitz said. "If there is no clear benefit to keeping the password there, we should definitely get rid of it."

Meanwhile, Mathur is not quite appeased. Although he sent a complaint to ESPN, he is still waiting for a response.

"I actually am thinking about ending my membership," he said. "I don't want to reward them for that kind of behavior. And I can get enough [sports news] for free on their site anyway."