Welcome to “Your Edge Case is Showing!”  In this series I discuss real world software edge cases that happened to me.  The goal is to have a constructive analysis of the problem, the thinking behind it, and why it probably hasn’t been fixed despite being broken in production.  As a general disclaimer – I’m using the software because I like the company and I’m a customer.

————

I do most of my grocery shopping at Jewel Osco, they have mastered the number one most important consideration: They are the closest grocery store to my house.  They also have a really good selection of apples, are cheaper than their competitors, and they are open late.  What they don’t have is a good mobile app.

After placing my latest online order I noticed that they were sending a receipt to [my phone number]@dummy.com

Does Jewel Osco own dummy.com?

They do not!  Someone in the Bahamas owns it.

What’s Probably Going On

My shopping app account is based on Jewel’s rewards program, and I signed up for the rewards program with my phone number.  I have never given Jewel my email, mostly because they never asked!

My guess is that email is a required field in the app’s data model.  So the developers handle the missing data using what they have, my phone number.  Adding “@dummy.com” to make a technically valid, but obviously fake email address.

Why Doesn’t It Get Fixed?

The app has a LOT of problems.  It’s unstable, it’s slow, and it apparently sends receipts to anonymous domain owners in the Bahamas.

I can imagine managers prioritizing stability and pushing edge cases like email receipts to the side.  After all, if no one can use the app, it can’t leak any data!  Fixing bugs is also much easier than changing fundamental data constraints.  I wrote a whole series of articles on the topic!

Wildly discounting the cost of privacy leaks is a common mistake!

I have submitted a bug report.  Fingers crossed this is not what it looks like, or will be fixed very soon.