When Yahoo announced its plan to recycle old email addresses earlier this year, it was supposed to be a simple process. Yahoo would shut down email addresses that had not been used for 12 months or more. Those email addresses would then be made available to a new owner.
However, when the process rolled out, something happened that the company didn’t plan for: new email owners started receiving emails intended for the original owner. Along with e-newsletters and other mundane items, more personal and even dangerous messages such as medical information, credit statements, bank account credentials, and more were delivered to new owners.
Yahoo responded to the complaints and fears of its customers by developing a button which new users could click on to say that an email was not intended for them. While this helped new email owners cut down on the previous owner’s spam, it did not do anything to prevent the privacy violations for the person who previously used that email address.
The company also implemented a new type of validation called “Require-Recipient-Valid-Since.” This process requires the sender, such as a company like Facebook, to add a line to the header of an email to a Yahoo user specifying when Facebook last confirmed the email address, such as when someone initially signs up for their service and provides their contact information. Yahoo would then compare Facebook’s “last confirmed” date with the date of the new Yahoo email address ownership. If the “last confirmed” date from Facebook is before the creation of the new ownership, the email would not be delivered and would instead be bounced back to Facebook.
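The comparison described above, as an added Python example (not Yahoo's code and not part of the original article). It assumes the `address; date` header syntax from RFC 7293, which standardizes this field; the `owner_since` table, the addresses and the sample messages are constructed for illustration, and lowercasing the whole address is a simplification.

```python
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

HEADER = "Require-Recipient-Valid-Since"

def rrvs_decision(raw_message, owner_since):
    """Return "bounce" if a header field names a mailbox whose current
    ownership began after the sender's last-confirmed date, else "deliver".

    owner_since: lowercased address -> timezone-aware datetime when the
    current owner took over the mailbox (hypothetical provider record).
    """
    msg = message_from_string(raw_message)
    for value in msg.get_all(HEADER, []):
        addr, sep, date_text = value.partition(";")
        if not sep:
            continue  # malformed field: handle the message as if it were absent
        try:
            confirmed = parsedate_to_datetime(date_text.strip())
        except (TypeError, ValueError):
            continue  # unparseable date
        if confirmed.tzinfo is None:
            continue  # no usable UTC offset, so no safe comparison
        started = owner_since.get(addr.strip().lower())
        if started is not None and confirmed < started:
            return "bounce"  # sender confirmed the address with a previous owner
    return "deliver"  # no header, unknown mailbox, or confirmation is recent enough

# Constructed sample data: mailbox reassigned to a new owner on 15 Aug 2013.
OWNER_SINCE = {"jane@mail.example": datetime(2013, 8, 15, tzinfo=timezone.utc)}

def sample_message(confirmed_date=None):
    """Build a constructed message, with the header only if a date is given."""
    lines = ["From: notify@social.example", "To: jane@mail.example"]
    if confirmed_date:
        lines.append(f"{HEADER}: jane@mail.example; {confirmed_date}")
    return "\n".join(lines + ["Subject: Password reset", "", "body", ""])

if __name__ == "__main__":
    for date in ("Sat, 1 Jun 2013 09:23:01 -0700", "Mon, 2 Sep 2013 10:00:00 +0000", None):
        print(date, "->", rrvs_decision(sample_message(confirmed_date=date), OWNER_SINCE))
```

A message without the header is delivered as usual, so a sender that does not add it gets no protection from this check.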
This method requires the participation of anyone who is sending an email to the Yahoo email address owner, so there is no guarantee that this process will work for every incoming email.
According to an article published on PCWorld, Microsoft confirmed they also recycle Hotmail, Windows Live ID and Outlook accounts. Microsoft’s Service Agreement requires that users sign in to their account every 270 days, otherwise their account may be deleted; however, they do not mention that the email addresses may be recycled. The article also quotes an email from Microsoft describing that when an email account becomes inactive, “The email account is automatically queued for deletion from our servers. Then, after a total of 360 days, the email account name is made available again.”
All of this makes Google look good, as they confirmed that they have never recycled addresses and will never allow anyone to use your email address once it is deleted.
Personal Privacy: Your Home’s Mailbox Vs. Email Inbox
When the Identity Theft Resource Center was asked how this could affect the privacy of an individual or even lead to identity theft, we compared the situation to receiving someone’s regular mail. What if an individual received your mail, which may include bills, personal statements, tax returns, or a medical insurance company’s explanation of benefits? They would then have quite a bit of personally identifying information. Perhaps the person would send the mail back and inform the sender that the address was now incorrect? Maybe they would destroy the documents?
Of course, there are other, more harmful options. The recipient could use whatever sensitive personal information is contained in that mail to wreak havoc in someone’s life by stealing their identity or blackmailing them. So while it may have been exciting for Internet users to have the chance to grab their desired email address, the process needs to be worked out to provide better protection for prior email address owners.
It is our hope that Yahoo will investigate this problem and begin thinking of privacy and security as a necessity rather than an afterthought. It just may help stop a case of identity theft before it even begins.