Being anonymous online

Famed hacker Kevin Mitnick on how to protect your privacy on the web in 'The Art Of Invisibility' 

Published 7 years ago on Apr 16, 2017 5 minutes Read

If you’re like me, one of the first things you do in the morning is check your e-mail. And, if you’re like me, you also wonder who else has read your e-mail. That’s not a paranoid concern. If you use a Web-based e-mail service such as Gmail or Outlook 365, the answer is kind of obvious and frightening.

Even if you delete an e-mail the moment you read it on your computer or mobile phone, that doesn’t necessarily erase the content. There’s still a copy of it somewhere. Web mail is cloud based, so in order to be able to access it from any device anywhere, at any time, there have to be redundant copies. If you use Gmail, for example, a copy of every e-mail sent and received through your Gmail account is retained on various servers worldwide at Google. This is also true if you use e-mail systems provided by Yahoo, Apple, AT&T, Comcast, Microsoft, or even your workplace. Any e-mails you send can also be inspected, at any time, by the hosting company. Allegedly this is to filter out malware, but the reality is that third parties can and do access our e-mails for other, more sinister and self-serving, reasons.

In principle, most of us would never stand for anyone except the intended recipient reading our mail. There are laws protecting printed mail delivered through the US Postal Service, and laws protecting stored content such as e-mail. Yet in practice, we usually know and probably accept that there’s a certain trade-off involved in the ease of communication e-mail affords. We know that Yahoo (among others) offers a free Web-mail service, and we know that Yahoo makes the majority of its money from advertising. Perhaps we’ve not realised exactly how the two might be connected and how that might affect our privacy.

One day, Stuart Diamond, a resident of Northern California, did. He realised that the ads he saw in the upper-right-hand corner of Yahoo Mail client were not random; they were based on the contents of the e-mails he had been sending and receiving. For example, if I mentioned in an e-mail an upcoming speaking trip to Dubai, the ads I might see in my e-mail account would suggest airlines, hotels, and things to do while in the United Arab Emirates.

This practice is usually carefully spelled out in the terms of service that most of us agreed to but never read. Nobody wants to see ads that have nothing to do with our individual interests, right? And as long as the e-mail travels between Yahoo account holders, it seems reasonable that the company would be able to scan the contents of those e-mails in order to target ads to us and maybe block malware and spam, which is unwanted e-mail.

However, Diamond, along with David Sutton, also from Northern California, began to notice that the contents of e-mails sent to and received from addresses outside Yahoo also influenced the ad selection presented to them. That suggested that the company was intercepting and reading all their e-mail, not just those sent to and from its own servers.

Based on the patterns they observed, the two filed a class-action lawsuit in 2012 against Yahoo on behalf of its 275 million account holders, citing concerns around what is essentially equivalent to illegal wiretapping by the company.

Did that end the scanning? No.

In a class-action suit, there is a period of discovery and response from both parties. In this case that initial phase lasted nearly three years. In June of 2015, a judge in San Jose, California, ruled that the men had sufficient grounds for their class-action suit to proceed and that people who sent or received Yahoo Mail since October 2, 2011, when the men filed their initial request, could join in the lawsuit under that state’s Invasion of Privacy Act. That case is still pending.

In defending itself against another e-mail scanning lawsuit, this one filed early in 2014, Google accidentally published information about its e-mail scanning process in a court hearing, then quickly attempted and failed to have that information redacted or removed. The case involved the question of precisely what was scanned or read by Google. According to the plaintiffs in the case, which included several large media companies, including the owners of USA Today, Google realised at some point that by scanning only the contents of the inbox, they were missing a lot of potentially useful content. This suit alleged that Google shifted from scanning only archived e-mail, which resides on the Google server, to scanning all Gmail still in transit, whether it was sent from an iPhone or a laptop while the user was sitting in Starbucks.

Sometimes companies have even tried to secretly scan e-mails for their own purposes. One well-known instance of this happened at Microsoft, which suffered a huge backlash when it revealed that it had scanned the inbox of a Hotmail user who was suspected of having pirated a copy of the company’s software. As a result of this disclosure, Microsoft has said it will let law enforcement handle such investigations in the future.

These practices aren’t limited to your private e-mail. If you send e-mail through your work network, your company’s IT department may also be scanning and archiving your communications. It is up to the IT staff or their managers whether to let any flagged e-mail pass through their servers and networks or involve law enforcement. This includes e-mails that contain trade secrets or questionable material such as pornography. It also includes scanning e-mail for malware. If your IT staff is scanning and archiving your e-mails, they should remind you each time you log in what their policy is — although most companies do not.