The darker side of Webmail
Web-based e-mail may be exposing you to privacy and security problems you didn't expect
By Tam Harbert
April 28, 2008 12:00 PM ET
Computerworld - Web-based e-mail is booming. Services such as Gmail, Yahoo Mail and Hotmail are convenient, accessible and, best of all, free. Many of us have come to rely on them without giving it a second thought.
But second thoughts may be in order, according to security experts, privacy advocates and some Webmail users. Few consider the fact that Webmail is inherently different from POP3 e-mail. It differs in who administers it and how, in the ways it may be vulnerable to hacking, and in the type of help you can expect when you have a problem.
You may not think these differences matter. And they don't -- unless they end up biting you in the backside. For example, the most popular Webmail services are prime targets of malicious hackers. Some Webmail users run into mysterious technical problems that are never explained or solved. And most Webmail users never really know where their data is being stored or for how long -- or how well it is being safeguarded.
How private is Webmail, really?
Although Webmail is often billed as a free service, the old adage "you can't get something for nothing" definitely applies here. While you're not giving the Webmail provider any of your cash, you are making a trade: Your personal information in exchange for the service.
"It's all about accumulating information about the user," notes Rob Douglas, a privacy and security consultant who edits InsideIDTheft.info. "Sure these services are 'free,' but the trade-off is that they are obtaining information about you that has value in the world of advertising and marketing." (Admittedly, most of the time this information is collected in the aggregate, so that no individuals are actually picked out.)
Not too worried about that? Maybe you should be. "I believe individuals tend to forget that much of what they do online is being recorded," says Douglas. "This collection of information is all done behind the scenes; it's not visualized when individuals are using their computers."
It can be shocking to realize how much about yourself you reveal on the Web, particularly when vendors combine information from your Webmail account with other Web 2.0 sites, such as online social networking platforms. "You start to leave a trail of information about yourself on the Internet," says Stephen Northcutt, president of the SANS Technology Institute. "Do you really want to get ads on burial plots because you drink, smoke and engage in unprotected sex?"
Showing others your e-mail
It's fairly easy (if you know how) to gain access to and read others' Webmail without permission, either legally or not, notes Jeremiah Grossman, founder and chief technology officer at WhiteHat Security Inc., which tests Web sites for vulnerabilities. "Webmail should never be considered private, ever," he says. "It can be read in many, many different ways," including rogue customer service reps at the e-mail provider, law enforcement with a subpoena or a national security letter, or a curious hacker sniffing packets on the Internet.
It was simple for the SANS Technology Institute to get a subpoena when it noticed a Gmail user was stealing its exam questions and posting them on the Internet, says Northcutt. People think that, because they don't use their real name or identifiable information in their e-mail sign-on -- using some obscure jumble of numbers and letters instead -- no one can tie it back to them. "Of course, we can," says Northcutt. For example, an ISP can be subpoenaed to reveal the contact information that a person used when signing up for the account.
Here are links to the privacy policies of the Big Three Webmail providers -- Google, Yahoo, and Microsoft -- together with a sample of what they contain. Forewarned is forearmed.
- Google
Sample clause: "When you sign up for a Google Account or other Google service or promotion that requires registration, we ask you for personal information (such as your name, email address and an account password). For certain services, such as our advertising programs, we also request credit card or other payment account information which we maintain in encrypted form on secure servers. We may combine the information you submit under your account with information from other Google services or third parties in order to provide you with a better experience and to improve the quality of our services. For certain services, we may give you the opportunity to opt out of combining such information."
- Yahoo
Sample clause: "Yahoo! collects personal information when you register with Yahoo!, when you use Yahoo! products or services, when you visit Yahoo! pages or the pages of certain Yahoo! partners, and when you enter promotions or sweepstakes. Yahoo! may combine information about you that we have with information we obtain from business partners or other companies."
- Microsoft Online Privacy Statement
Sample clause: "Microsoft collects and uses your personal information to operate and improve its sites and deliver the services or carry out the transactions you have requested. These uses may include providing you with more effective customer service; making the sites or services easier to use by eliminating the need for you to repeatedly enter the same information; performing research and analysis aimed at improving our products, services and technologies; and displaying content and advertising that are customized to your interests and preferences."