Every online purchase nowadays requires an email address. Every organisation, company, form or review left online asks for your email address. This dark-pattern has become so ubiquitous that we are domesticated and we will gleefully provide it. However, just because someone asks for your email address, doesn’t mean that they can protect it and along with it, access to a host of other accounts you might have. With this in mind, I will detail some of these risks as well as provide some ways of mittigating them.
The first and the most pressing risk associated with you sharing your email with an organisation, is that the organisation might experience a data breach or a hack. A recent example shows that improper security practices mean that Opensubtitles has its SQL database hacked which contained email addresses, usernames and passwords. This in turn means that if you use the same email and the same password with another service, the attacker could now have access to those resources as well.
To be fair, due to the size of some of these hacks, it can take a while for someone to go through all the accounts and find potential attack areas. While time and volume might protect you, most of these leaks become public months after they occur. Opensubtitles had its SQL database accessed in August 2021 and they posted publicly about it in January 2022. That means that in the meantime, your information could have been used and sold on to different groups which might be committing a variety of crimes. In highly regulated environments, companies need to share information as soon as possible, but even then companies might not be willing to blow the horn too soon.
While it’s maybe unfair to bash on Opensubtitles (after all, they did start this project with very limited resources), the same thing can happen even with a company that helps you check your credit score. You would think a company with over 11,000 employees and over $4.1 billion in revenue in 2020 could keep the information of its users safe, but that wasn’t the case. Over 140 million users are believed to have been affected by the Equifax breach and it’s estimated that the attackers were active on the company’s network for over 2 months before being discovered.
A quick visit to the list of data breaches on Wikipedia paints a grim picture and shows that this problem isn’t limited to a few isolated cases, but rather that this is becoming the new norm.
Apart from the obvious threat of hacks and breaches, another, more insidious risk associated with your email address is that of mass data collection. Email addresses tend to be used extensively, especially by fraud prevention companies to help limit company losses. The extent to which information is shared amongst such entities is quite shocking, with your email address acting as an anchor that ties it together with purchases made from online retailers, organisations and other entities that share that information with fraud prevention companies.
An email address can be used to highlight patterns of behavior which can reveal the person behind the data. While your email address might very well be firstname.lastname@example.org, some people might not use their full name in their email address to prevent sharing that bit of information with the outside world. However, companies such as LexisNexis will know who you are generally by linking together information from a wide variety of sources. Because they provide analytics for 7 out of the world’s 10 largest banks, chances are good they might already know your email address. They might also know the last time you made a purchase from Amazon, added a payment card to your iOS or Android device and most likely the SSID of your router, the coordinates of your router or device and a host of other features.
While some might argue that these are all positive things as preventing fraud has a net positive impact on society since it combats other types of crime, the reality is that fraud prevention is not the only field data analytics companies work in. In the past LexisNexis has passed on information to governmental organisations such as ICE to aid in deportations. Another data analytics company, Palantir has been working with law enforcemet on predictive policing. So while we can use technology to positively improve the lives of people, it can also easily evolve into surveilance capitalism where we are nothing else but collections of data points.
The first thing to note is that it’s hard to say what impact using another email address might have on the data collection efforts of companies such as LexisNexis, Palantir and others. However, each layer added between yourself and your online activity can at least increase your personal privacy.
The first and simplest step might be to not provide a real email address unless it’s really needed. Did you buy a pineapple in the store and you were asked for an email address? Chances are, email@example.com will be sufficient for this purpose. While it might seem obvious, there are still plenty of situations where you can deny providing an email or providing one which doesn’t exist. The key here is to break away from the normalization of - “if asked for an email address, provide it!”.
Another solution would be to use a service like Firefox Relay. You can try out the service and get 5 email inbox aliases which will point to your Firefox account email. What this means is that your actual email address will receive the emails, but the email you provide to someone nosy will be firstname.lastname@example.org. They can send you emails to that email address which will relay it to your actual account, email@example.com.
There are a few downsides as Firefox Relay has a 150KB limit on the email size, so emails that might have attachments or images will not be forwarded!. The 150KB message limit has been removed recently, which means that Relay can be used for most use cases without any issues (special thanks to Vinnl for highlight this). The only limitation is that you cannot reply from those email addresses, as your email address hasn’t changed, it just acts as a recipient. For $0.99 a month, you can even add your domain to the address and you no longer have to manually generate aliases as they are generate upon receipt of an email that is mean for that subdomain. For example, my subdomain would be psy.mozmail.com so if I were to say that my email is firstname.lastname@example.org that email address alias would be generated upon receipt of the first email.
In the alias category, we have Cloudflare Email which allows you to generate aliases for your own domains that will point to a given email account. If you own the domain cookies.com you can generate any alias that you want on that domain - email@example.com or firstname.lastname@example.org. Similar to Firefox Relay, these are different names under which your inbox is known as. Any emails sent to the addresses that you generate in Cloudflare will be redirected to the destination you selected.
With both of these solutions you don’t get additional inboxes or new email accounts, so there are no additional passwords or accounts to manage. It also allows you to continue using whatever provider you decided to use. The downsides are that Firefox Relay has a limited transfer capacity which might mean some emails get lost. You cannot reply from those aliases either as those just sit in front of your email account, so any replies would have to go through your main account anyway.
Finally, the last option would be to use an email provider that allows you to create aliases, which in turn means that you still have the one email account, but this will be known under many different names. Since these are created by your provider, it also means that you can reply from those email addresses. There are many providers that I would recommend, but my top recommendations would be, in no particular order:
It’s annoying that we’re living in a world where every person needs at least four email accounts, but considering the low cost of entry, you should spend the time in finding a solution to protect your details. With more weight being put on email addresses for a variety of activities (online banking, shoping, dating and so on), you run a serios risk of exposing yourself unnecessarily.
Power users, people working in tech and those concerned with privacy in the modern paradigm need to make these changes and convince as many people they can to do so as well. We have solutions and a lot of them are available to us easily, so it’s important that we use them. It’s also important that whenever possible we try to protect these bits of information, because if we don’t, next up they’ll ask you to buy something that can easily replay conversations you had in your home or film everything going on in front of your home while it’s harassing your kids.
Hang on, I guess, they don’t even need to ask.