Earlier this year, news that Yahoo intended to recycle dormant email addresses was initially greeted with a largely favorable response.
“Get the Yahoo email address of your dreams at Yahoo’s wish list,” said Joanne Stern on Good Morning America, for example.
But the move soon opened up debate on whether Yahoo was inviting privacy invasions, as some users reported getting unwanted emails intended for someone else.
Still, some security experts say the recycled email policy was as inevitable as the phone company recycling old phone numbers. The burden lies with users to be watchful, respectful, and in some cases discreet, with the unsolicited email they receive, security professionals advised.
Unfortunately, there is usually no return-to-sender option with email.
Get your favorite email ID now!
Yahoo’s idea was simple enough. Many people had seemingly stopped using their Yahoo email accounts, and those addresses would be made available again to new and active subscribers. Yahoo wanted to put more email IDs on the market, and dormant accounts use up considerable unwanted storage. Plus, the developer hoped the move could bring more users into the fold, as individuals grew excited by having an email address ID that they really wanted.
“If you’re like me, you want a Yahoo! ID that’s short, sweet, and memorable like email@example.com instead of firstname.lastname@example.org,” said Jay Rossiter, senior vice president of platforms at Yahoo, in a blog.
The public was invited to submit requests for new email IDs, in the hope they might now be available to them from recycled accounts.
“To get the Yahoo! Username you’re always wanted, we’ve set up page where you can request your top five choices. If your first choice isn’t available, we’ll try one of your backups,” wrote Yahoo's senior director of platforms Dylan Casey in blog. “In mid-August, you’ll get an email letting you know which of your picks is available, with link to claim it within 48 hours. And just like that, it’s all yours.”
But the public got something else as well: reports from some new subscribers that they were receiving unwanted emails from the grave.
Specifically, although the former account holders had not been using their Yahoo accounts for a while, those accounts were still on record with people, companies, and organizations they used to have contact with. Those contacts continued to send out emails, and some of them were definitely of a sensitive nature.
Too much information
Then came the Yahoo email blog heard round the world. Tom Jenkins, an IT security professional, wrote at the time that he had been receiving unsolicited emails to the former holder of his new Yahoo account name.
“I can gain access to their Pandora account, but I won’t,” Jenkins wrote. “I can gain access to their Facebook account, but I won’t. I know their name, address and phone number. I know where their child goes to school. I know the last four digits of their social security number. I know where they had an eye doctor’s appointment last week, and I was just invited to their friend’s wedding.”
No one in the media knew who Tom Jenkins was up to that point. But they were certainly quick to share his story. Jenkins’s revelations became one of the largest stories centered on Yahoo’s new policy.
Reactions to the recycling
So what has happened and what have we learned regarding email recycling? A few things.
First off, Yahoo responded to the unwanted attention.
“We took many precautions to ensure this was done safely -- including deleting any private data from the previous account holder, sending bounce-backs to the senders for at least 30-60 days letting them know that the account no longer existed and unsubscribing the accounts from commercial,” the BBC reported a Yahoo representative as saying.
Yahoo! also rolled out a new “Not My Email” feature, which allows users to report emails they receive that are not intended for them.
Following the flak over Yahoo's move, media learned Microsoft was recycling unused Hotmail, Live, and Outlook.com accounts. Microsoft's user agreement warns subscribers that they must log on at least once every 270 days -- but doesn't mention recycling email addresses, PC World reported.
When a Microsoft account becomes inactive, "the email account is automatically queued for deletion from our servers. Then, after a total of 360 days, the email account name is made available again," the developer told PC World.
The Yahoo email recycling policy sparked considerable debate on the wisdom and necessity of such a practice. Critics were quick to point out the privacy pitfalls of recycling emails. But many security professionals saw the move as not only inevitable, but smart.
A move whose time had come
From a developer's point-of-view, adding more attractive email addresses back into the pool makes sense -- although Yahoo, Microsoft, and any other email companies using this policy must take extensive precautions, experts said.
“It was not a bad move, but from a privacy perspective, I can understand the concern that new email recipients can receive email intended for the old account holder,” says Jason Warnock, vice president of marketing intelligence and deliverability at Yesmail, an enterprise email service provider in Chicago with 274 employees.
Warnock believes the 12-month dormant period that Yahoo used to decide that an account is no longer active is sufficient. He has not witnessed lots of problems with recycled accounts, and feels the Tom Jenkins example got more traction in the media than it really deserved.
“We have our ear to the ground, and we haven’t seen anything like that,” Warnock said. “We saw just one instance of [privacy concerns], and we’re always on the lookout.”
Recycling email IDs certainly makes sense, Warnock said, and he believes people have grown use to receiving communication not intended for them.
“It’s the same problem as with phone numbers,” Warnock pointed out, “but email users are most sophisticated, and people have become more aware to be watchful.”
Good policy, bad execution
Another IT security professional who empathizes with Yahoo's policy is Eva Velaquez, president and CEO of the Identity Theft Resource Center.
“I understand the need to recycle email accounts. If we didn’t, in 10 to 15 years we’d have email accounts that don’t make any sense,” Velaquez said.
The move was inevitable, she said. Still, from a public relations perspective, Yahoo's process “was poorly executed,” Velaquez noted.
The Tom Jenkins example is a perfect case in point, she says. Fortunately, Jenkins is a good guy, and had no intention of acting on the personal information he received. But not everyone fits that positive mold. Plus, Velaquez warned, if personal information is shared with the wrong recipient and that information is used in a case of identity theft, it could take months for the victim to know they had been wronged.
Adding Not My Email was a good immediate step, Velaquez says. But she urged email account providers to take the matter a step further -- send an automatic email to anyone attempting to contact a recently dormant account.
Veelaquez likens it to the Post Service delivering return-to-sender mail that can’t be forwarded, in the hope the sender won’t send out more communication.
— David Weldon is an experienced editor, writer and research analyst with over 30 years of experience in the communications and research fields.