Just a couple of weeks ago I wrote about how Yahoo was recycling old email addresses and IDs and how some people who took over old accounts were receiving messages aimed at the previous owners.
Considering the implications of this I would have thought that it was an isolated policy that no-one else else would be foolish enough to copy.
Microsoft, however, seems to have done just that.
While the company has a long-standing policy of reusing Hotmail accounts it has not extended to its other services before. Now users who have an old Outlook.com or Windows Live ID account will need to be aware that it may get recycled if they do not sign in from time to time.
The Microsoft branded services require that you sign in to your Microsoft account periodically, at a minimum of every 270 days, to keep the Microsoft branded services portion of the services active, unless provided otherwise in an offer for a paid portion of the services. If you fail to sign in during this period, we may cancel your access to the Microsoft branded services. If the Microsoft branded services are cancelled due to your failure to sign in, your data may be permanently deleted from our servers.
There is not, however, any suggestion within the terms that cancelled email accounts could be recycled.
A recent email from Microsoft to Webereld says something altogether different about lapsed accounts though:
These email accounts are automatically put in the row to be deleted from our servers. Then, after a total of 360 days, the e-mail account name [is made] available again.
Mike Rispoli, a spokesman for London-based non-profit organisation Privacy International, told the Dutch IDG publication that,
When Yahoo announced this, experts warned of serious privacy and security implications. Yahoo downplayed these risks, ignored the critics, and now we see that the concerns have become a reality.
Rispoli also said that Microsoft should clearly communicate their recycling policy in their service terms and that users need to be aware of the situation, adding that,
These companies do this purely from [a] profit perspective to lure more users, but without any respect for privacy and users' [rights]. This is a serious matter of trust, and [that] trust is violated.
Webwereld say it has received one email from a Hotmail user who claims he received messages for a previous owner of his account who shared the same name. As a result he is now considering submitting a complaint about Microsoft to CBP, the Dutch data protection agency.
Though it looks like the number of Microsoft customers receiving email destined for previous account users is minimal this is still concerning. Many people use accounts like these as backups for password resets, which means sensitive data could, potentially, end up in the wrong hands.
For that reason it would appear that the best solution for Hotmail, Outlook.com and Windows Live users would be to ensure that they sign into their accounts every 270 days in order to retain control over them.
Considering that this recycling of IDs also applies to Yahoo users, those of you using Gmail may be pleased to hear that there are no such concerns there. Google has confirmed that it has never recycled its email addresses.
Indeed, on its support pages, it says:
Deleting your address won’t free up your username. Once you delete your Gmail address, you won’t be able to use that same username (email@example.com) in the future.
What do you think of Microsoft's policy and the potential risks to your privacy and security?