Sophos Cloud Optix
Just a couple of weeks ago I wrote about how Yahoo was recycling old email addresses and IDs and how some people who took over old accounts were receiving messages aimed at the previous owners.
Considering the implications of this I would have thought that it was an isolated policy that no-one else else would be foolish enough to copy.
Microsoft, however, seems to have done just that.
While the company has a long-standing policy of reusing Hotmail accounts it has not extended to its other services before. Now users who have an old Outlook.com or Windows Live ID account will need to be aware that it may get recycled if they do not sign in from time to time.
According to Webwereld (you’ll need to use Google translate or similar), Microsoft is recycling these types of accounts despite not mentioning that it could do so in its service agreements:
The Microsoft branded services require that you sign in to your Microsoft account periodically, at a minimum of every 270 days, to keep the Microsoft branded services portion of the services active, unless provided otherwise in an offer for a paid portion of the services. If you fail to sign in during this period, we may cancel your access to the Microsoft branded services. If the Microsoft branded services are cancelled due to your failure to sign in, your data may be permanently deleted from our servers.
There is not, however, any suggestion within the terms that cancelled email accounts could be recycled.
A recent email from Microsoft to Webereld says something altogether different about lapsed accounts though:
These email accounts are automatically put in the row to be deleted from our servers. Then, after a total of 360 days, the e-mail account name [is made] available again.
Mike Rispoli, a spokesman for London-based non-profit organisation Privacy International, told the Dutch IDG publication that,
When Yahoo announced this, experts warned of serious privacy and security implications. Yahoo downplayed these risks, ignored the critics, and now we see that the concerns have become a reality.
Rispoli also said that Microsoft should clearly communicate their recycling policy in their service terms and that users need to be aware of the situation, adding that,
These companies do this purely from [a] profit perspective to lure more users, but without any respect for privacy and users' [rights]. This is a serious matter of trust, and [that] trust is violated.
Webwereld say it has received one email from a Hotmail user who claims he received messages for a previous owner of his account who shared the same name. As a result he is now considering submitting a complaint about Microsoft to CBP, the Dutch data protection agency.
Though it looks like the number of Microsoft customers receiving email destined for previous account users is minimal this is still concerning. Many people use accounts like these as backups for password resets, which means sensitive data could, potentially, end up in the wrong hands.
For that reason it would appear that the best solution for Hotmail, Outlook.com and Windows Live users would be to ensure that they sign into their accounts every 270 days in order to retain control over them.
Considering that this recycling of IDs also applies to Yahoo users, those of you using Gmail may be pleased to hear that there are no such concerns there. Google has confirmed that it has never recycled its email addresses.
Indeed, on its support pages, it says:
Deleting your address won’t free up your username. Once you delete your Gmail address, you won’t be able to use that same username (username@gmail.com) in the future.
What do you think of Microsoft’s policy and the potential risks to your privacy and security?
I'd lean towards legislation. It'd be far more useful than "cookie protection".
This isn’t new for MS; they’ve been recycling Hotmail addresses for years.
And they're one to bash Gmail with their Scroogled campaign. Hypocrites.
Never recycling an old user name is not an option, either for a couple of main reasons:
1) Some of the account names are used for short-term purposes, scamming or re-selling the name. For example, someone may get "billclinton@hotmail.com". If this is indeed used for fraudulent purposes, gets detected and then closed, does it mean our former President can never get that name, ever?
2) Over a long period of time, pretty much everyone will have undesirable names, such as adm9890_109, since any other name even remotely recognizable will have been used up forever.
Moreover, how is this different than addresses, social security numbers or phone numbers? They get reused and the same problems occur there. So should we have 1,000-digit phone numbers or social security numbers? Should addresses change every time someone moves in? No! It is the responsibility of the owner of the name to notify the parties he/she cares about that the address is no longer valid.
People attempting to surreptitiously obtain private information can't simply claim your old postal address or phone number, not the way they can email addresses. If Social Security numbers are reused, they can be verified with the government as to period of validity.
If your bank sends your pin number out in the post to your old address, you may have a serious problem – however, it is not apparent that the letter contains a pin unless the recipient opens it. And again, it is much more difficult for someone to pretend to be you and have the pin number sent to a different address.
Passwords however are routinely sent in the open, or password reset links sent to old email addresses. This is where the problem of recycling "expired" email address names lies. It is trivial for someone to scoop up a bunch of old email accounts and trigger or wait for private information to be sent in the clear without any identity verification.
What if facebook did this? If you don't sign into your facebook account for a few months, suddenly someone else can take your username – effectively your friends could think this was still you.
Most people, as you clearly demonstrate, have a very limited awareness of the value of online identity, and how easily it can be spoofed. Large service providers should not be making this easier for the bad guys.
I agree with SRD. This is another example of IT security/privacy folks living in their own self-serving world. I still get mail for the previous owner of my house, after 4 years! What’s the average level of risk? … Way lower than the cost of never recycling.
That seems short sighted as far as I can tell. For one, it's easy to tell mail isn't for you, and you can return it, and then they can deal with it, you don't need to open it or look at it. For email you have everything open and waiting for you to click on it. Another issue is a lot of websites simply send 'password reset' requests to your email, and don't require security answers and the likes, you can go around to different websites, enter the email, hit 'forgot password' and then change the user's password with the form link you get in your email. Even worse, if someone setup that hotmail address as a secondary to their gmail, then they can get credential resets send to their old address they don't use anymore, and now the new hotmail owner can gain access.
There are systems in place in the real world for making sure everyone knows your new address, not every website has a 'change email' function as those are typically your user/account name.
What exactly is the "cost of never recycling" ??
May I suggest $10 per year for a new domain name, hotmail2.com, and oh look a full pool of new addresses available with no ill effects to previous customers!
My broadband supplier has told me that my e-mail address will be recycled if I do not use it for an extended period of time (in the order of 6 months). However, unlike hotmail which is free, I think that since I pay the broadband company every month, they should not be able to recycle my e-mail.
I'm paying for the service – surely if I decide not to use it that's my choice? (In practice, I 'm not likely to leave my e-mail address inactive for such a long period but it's the principle.)
I bet they would not offer to refund the previous 6 month's charges if they did recycle my e-mail address.
(@SRD: The big difference between e-mail addresses and normal addresses is that the user considers that the address is still valid. Only if I stopped subscribing to my broadband supplier's services would I think to let other parties know.)
they do and always have done, that is Microsoft for you. besides I don't see a problem with it, USE it or LOSE it simples.
and what if say, you dont have access to it for a period of time? then what, its your fault that you lost it? thats what happened to me, i did not have access to the internet for a year, oops, i made a bbig mistake dident i? sure i could have went to the library and used that one, but oh, dont have a library card, and dont get mail with my name on it, so, okay, i could have gone to my sisters house and used her computer, but oops, my sister does not trust me with her computer, so, i guess i could have used my phone right? but oh no, my phone was broke and turned off longer then my computer, now what? what do i have left? can you tell me how to check my email? sure i never got anything important, but now i cannot listen to music on cirtian sites, ie playlist.com cause i no longer have the email that i used to set it up with, now i get to spend another few years makeing another playlist that probably will not complair to my original, all cause why? a year of not being able to get access to delete bad email? yeah, thats what i thought
Brian if you really had any interest in keeping your e-mail you would have done whatever was required to keep it , so yes it is your fault.
Anyone over 16 should know that profit trumps privacy. The simplest solution: write your rarely used email addresses on a post-it note, and write the date you want to sign into them every month. On that date, sign in/sign out, sign in/sign out, etc. It will seem like a pain the first month, but once you get into the habit, it's a breeze.
I highly doubt anyone attaches important accounts to an email account they don't use. I don't see any harm in it and it free's up the good addresses. People switch email services all the time and take their important accounts with them to their new address. I don't want some shitty email address with numbers at the end because someone else tied up a decent address but hasn't logged in for the last 5 years.