Recycled Yahoo addresses and PII leaks

Infoweek interviewed a number of people who acquired new Yahoo addresses during Yahoo’s address recycling and reuse process. It seems that at least for some small percentage of former Yahoo users, there is a major risk of information going to the wrong people.

I can gain access to their Pandora account, but I won’t. I can gain access to their Facebook account, but I won’t. I know their name, address and phone number. I know where their child goes to school, I know the last four digits of their social security number. I know they had an eye doctor’s appointment last week and I was just invited to their friend’s wedding […]

I still don’t think this address recycling will cause delivery problems. Some senders may see an increase in “this is spam” hits from new account holders, but as long as they remove addresses and stop mailing people that shouldn’t cause delivery issues over the long term.
I still suggest that companies using email addresses as account “keys” should understand the implications of an email account (Yahoo or otherwise) being recycled. This isn’t just a Yahoo issue, all ISPs recycle usernames. In this case, Yahoo just did it more publicly and in a shorter time frame than most ISPs do.
Using an email address as a key and failing to do any upkeep or data maintenance will result in PII leaked to third parties. Banks, social networks, online fora, mailing lists and websites should all have ways to address email address recycling, if only to protect user information. Yahoo may not have handled the address recycling process well, but that only means the companies using email addresses as keys need to have plans and processes in place to verify the addresses in use.

Related Posts

Motion to dismiss in Penkava v. Yahoo case

Earlier this month Yahoo filed a motion to dismiss in the Penkava v. Yahoo. This is the class action lawsuit where an Alabama resident is attempting to sue Yahoo for violation of the California wiretapping law.
Here’s the short synopsis.
People send mail to Yahoo. Yahoo “creeps and peeps” on that mail so they can profit from it. Plaintiff doesn’t like this, and thinks that he can use the California Invasion of Privacy Act (“CIPA”), (Cal. Penal Code § 630, et seq;) to stop Yahoo from doing this. Additionally, there is a whole class of people who live in every state but California who have also been harmed by Yahoo’s actions. The plaintiff would like the court to make Yahoo stop doing this. (First Amended Complaint)
Yahoo’s motion to dismiss is actually pretty dry and there aren’t really any zinger pull quotes that make sense without reading the whole 35 pages. The short version is that what Yahoo is doing is not a violation of California law, it is simply handling email as it has to be done to get it to recipients. Plus, California law cannot apply to mail sent from a non-CA resident to a non-CA resident because that would violate the dormant commerce clause. The class as defined makes no sense. Finally, the plaintiff continues to send mail to Yahoo addresses knowing the mail is being “scanned” and that is implicit permission for Yahoo to do it.
In the initial complaint there was an allegation that Yahoo’s behaviour was a violation of Federal and/or California Wiretapping laws. These allegations appear to have been dropped in the First Amended Complaint.
Right now there is a hearing scheduled for March 13, 2013. I’ll keep an eye on the filings.

Read More

No expectation of privacy, says Google

I spent yesterday afternoon in Judge Koh’s courtroom listening to arguments on whether or not the class action suit against Google based on their scanning of emails for advertising purposes can go forward. This is the case that made news a few weeks ago because Google stated in their brief that users have “no expectation of privacy” in using online services.
That does appear to be what Google is actually saying, based on the arguments by attorney Whitty Somvichian. He made it clear that Google considers everything that passes through their servers, including the content of emails, covered under “information provided to Google” in the privacy policy. Google is arguing that they can read, scan, and use that content to display ads and anything else they consider to be in the normal course of business.
I have pages and pages of notes but I have some paying work to finish before I can focus on writing up the case. There were multiple reporters and bloggers in the courtroom, but I’ve not found many article. Some I’ve found are:

Read More

Images at Yahoo

For a while, Yahoo was giving preferential “images always on” treatment to Return Path Certified senders. The tricky part of this was the senders had to register a DKIM selector key with Yahoo. I had a lot of (somewhat rude) things to say about this particular design decision.
Over the last few months, a number of senders have complained about being unable to update their selector keys with Yahoo. (Insert more rude comments about how broken it is to use the selector as a part of reputation.) Around the same time, a few of us have noticed that Yahoo seems to be turning on a lot of images by default. A few of the ESP delivery folks collaborated with me on checking into this. They could confirm that images were on by default for some of their customers without certification and without selector key registration.
Earlier this week, Return Path sent out an email to users that said that Yahoo would no longer be turning images on by default for Return Path Certified IPs.

Read More