Yahoo will begin offering a new ‘Not My Email’ button this week that gives owners of newly claimed, previously dormant, user names the ability to ‘return’ messages that were not meant for them. This is part of Yahoo’s ongoing efforts to mitigate any potential harm that may come from its recent ‘user name recycle program‘.
In order to continue providing tools to prevent these newly minted owners from getting the previous users’ email, Yahoo is doing a few things including the new button. The button, which will be easily accessible from the Yahoo Mail inbox, will allow users to reject mail that isn’t theirs. This will function in a similar manner to the way you can put a ‘not at this address’ message on physical mail that comes to your house by mistake.
The program, which allowed people to claim names that were deemed dormant by Yahoo, came under immediate skeptical fire for its potential to be harmful or dangerous to the privacy of the previous owners of the names. After the initial outcry, Yahoo outlined a series of steps it took to prevent issues including a 12-month minimum on dormancy, 30 days of messages to the user to notify them that their account was going to be given away and bouncing emails back to senders to notify them that the account was deactivated and no longer valid.
But anecdotal evidence over the intervening weeks that there are users who are receiving the previous occupant’s messages has continued to roll in. Most recently, an InformationWeek article cited several first-hand experiences of users getting email not intended for them, including financial information and other personal details.
We spoke with Yahoo Senior Director, Platforms Dylan Casey about the issues some users are seeing and he acknowledged that there have been some cases. Yahoo has been monitoring its systems for claims about mistaken deliveries and were able to quickly identify what was going on with some of these accounts.
Yahoo discovered that in some cases, the email bounce method was not enough to convince institutions and senders that the email was no longer valid. The signals that Yahoo were giving off to inform senders that they should no longer send any email to this address for the old owner were not being recognized.
We’re hearing that the percentage is very, very small, even in light of the sheer number of users of Yahoo’s service. Casey would only tell us that there was a small enough number that he was able to reach out to many of the accounts that reported issues personally to figure out what was going on.
The new ‘Not My Email’ button will allow users to train their inboxes, rejecting email even before they’ve read it if they recognize it’s not meant for them from the subject line. Casey says that they’re also doing individual outreach to any users or senders that they can. The risk, Casey says, is mitigated to some degree by the fact that financial institutions rarely send detailed information in emails any more. Most basic security precautions have banks sending links to log in rather than statements, for instance.
Yahoo is also continuing to investigate and improve the program. In addition to encouraging senders to subscribe to its new Require Recipient Valid Since (RRVS) protocol — developed with Facebook — it says that it is also reaching out to vendors like eBay, Paypal, Amazon and Walmart to more effectively target email to current users, rather than the previous name-holders.
Casey notes that the potential target area of many of the claimed emails is much bigger than average. This is due to the fact that they’re largely ‘initials’ or first-name at Yahoo addresses. This means that people filling out forms for hotels may give a fake name@yahoo answer in a field, resulting in misdirected hotel invoices.
Yahoo is providing resources to help old users of email addresses reclaim their accounts if they wish or need to and is taking a number of other steps:
- Account reclamation for users who’ve
lost their namereceived notice that it will be released - Outreach to users as prompt and in as many ways as possible (phone, email, etc.)
- Extending grace periods for inactive accounts
Companies recycle usernames all of the time, but email is a uniquely personal thing and becomes a repository for personal and financial information. It’s only reasonable that it should require the utmost care and consideration when ‘freeing’ these identities for others to use. Yahoo appears, at least from the steps mentioned above, to be taking it seriously and the issues don’t seem incredibly wide-spread.
In the end this is about more than just Yahoo, but Casey says that he hopes Yahoo’s efforts to both release the names and ensure that users don’t get mis-delivered email will ‘help the internet’ in the long run. The argument is simple: Yahoo is far from the last company who is going to have to deal with ‘user ID fatigue’ in the long run.
Twitter already deals with it, and it’s a much younger company. Short or first-name usernames are in high demand and no one wants to be known as Matthew563527bslash6. Google is trying to link real names to online identities but will likely run up against Gmail user fatigue hard soon enough, if it hasn’t already. Yahoo is doing it on a large scale and is probably one of the first to have to plow through some of these issues as it’s an old company by ‘Internet’ standards. But its trials are just the beginning.
The new button will roll out before the end of the week and should help users with a direct ‘return to sender, address unknown’ option, but the ‘account fatigue’ and reset questions are just beginning to rear their heads. How this will play out over the next 10 years of the internet will be interesting.