Web-based email is booming. Services such as Gmail, Yahoo Mail and Hotmail are convenient, accessible and, best of all, free. Many of us have come to rely on them without giving it a second thought. But second thoughts may be in order, according to security experts, privacy advocates and some webmail users. Few consider the fact that webmail is inherently different than POP3 email. It differs in who administers it and how, in the ways it may be vulnerable to hacking, and in the type of help you can expect when you have a problem. For example, the most popular webmail services are prime targets of malicious hackers. Some webmail users run into mysterious technical problems that are never explained or solved. And most webmail users never really know where their data is being stored or for how long — or how well it is being safeguarded.
Sample clause: "When you sign up for a Google Account or other Google service or promotion that requires registration, we ask you for personal information (such as your name, email address and an account password). For certain services, such as our advertising programs, we also request credit card or other payment account information which we maintain in encrypted form on secure servers. We may combine the information you submit under your account with information from other Google services or third parties in order to provide you with a better experience and to improve the quality of our services. For certain services, we may give you the opportunity to opt out of combining such information."
Sample clause: "Yahoo! collects personal information when you register with Yahoo!, when you use Yahoo! products or services, when you visit Yahoo! pages or the pages of certain Yahoo! partners, and when you enter promotions or sweepstakes. Yahoo! may combine information about you that we have with information we obtain from business partners or other companies."
- Microsoft Online Privacy Statement
Sample clause: "Microsoft collects and uses your personal information to operate and improve its sites and deliver the services or carry out the transactions you have requested. These uses may include providing you with more effective customer service; making the sites or services easier to use by eliminating the need for you to repeatedly enter the same information; performing research and analysis aimed at improving our products, services and technologies; and displaying content and advertising that are customized to your interests and preferences."
"If you read the fine print in end-user licence agreements, there's always the possibility for the government to intervene," says Larry Ponemon, founder and chairman of the Ponemon Institute, a privacy and information management research firm. Google's policy, for example, is to notify an email user when the government orders it to turn over records, "except in cases where we're not legally able to do so because notification threatens to impede a law enforcement investigation," says a Google spokesperson. This isn't a theoretical problem. Back in 2006, Google was served with a subpoena from the US Department of Justice: The DoJ wanted two months' worth of search queries from users, together with as many as a million web addresses, to bolster its arguments in a Pennsylvania pornography case. After some legal back and forth, it was finally decided in March 2007 that Google did have to supply the DoJ with 50,000 web addresses, but not any of the user search queries. Google isn't the only webmail supplier that has found itself in the courts. Yahoo made headlines when news organisations reported that the company had handed over the contents of personal email accounts to the Chinese government, resulting in the arrest and imprisonment of several Chinese dissidents.
- Do: Use a strong password that is unique to your email account and change it frequently. (You can use services such as Security Stats Com's Password Security web applet to check your password's effectiveness.)
- Do: Change your password and contact the webmail provider immediately if you suspect your account has been hacked or hijacked.
- Do: Keep a separate backup of your webmail. One way is to configure your webmail to forward a copy of everything to another email account. In addition, Google offers instructions on how to back up your email to your POP3 email client.
- Do: Find out how the service provider protects your data in transit and in storage. For example, does it provide an option to use SSL encryption when sending an email? Does it encrypt the data on its servers? Are there backups in case those servers fail?
- Don't: Use your webmail address as a sign-on for other accounts. If you do and your webmail is hacked, then the hacker will automatically have access to those other accounts.
- Don't: Use your webmail as storage for your old email unless you're completely comfortable doing so. You're better off backing up your email to a local hard drive and then deleting it from the service.
- Do: Be cautious when checking your webmail on public terminals in places like airports and libraries. Make sure you haven't left any cookies and clear your private data (such as cache and browsing history). And remember that your work computer is not private.
- Do: Use a secure HTTPS connection whenever possible.

Sessum wishes Google could be more responsive, especially to users like her who are basing their small businesses on its platforms. "I don't buy this line that these are free services and so you get what you pay for," she says. "They make money off of me by serving ads up every time I send an email." She says she'd gladly pay Google some type of premium fee that would get her better support and perhaps guaranteed backups of her email.
Google's Grant won't discuss individual problems like Sessum's, citing user privacy. Google can sometimes restore deleted email, she says, depending on how much time has passed. Ultimately, Google permanently deletes it, but she won't specify the amount of time that Google waits before doing that. "We must strike this balance between, on the one hand, keeping that email around just in case of situations like this so that we could recover the email for the user and, on the other hand, doing what the user has told us to do when they tell us to delete the email," she says. Tellingly, Sessum still uses Gmail and her other Google apps. Indeed, most users seem willing to accept the trade-offs in exchange for the features, usability and accessibility of these services. Sessum, for example, admits that she should have been more conscientious about keeping her own backup of her Gmails. Ironically, she's configured her Gmail account to forward a copy of everything to her Yahoo Mail. "So my backup to my web-based email is another web-based email account," she says.
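The tips above recommend keeping a backup on a local hard drive via POP3 and using SSL in transit. The sketch below is an added example, not part of the original article or any provider's instructions: it pulls mail over POP3 with certificate-verified TLS into a local mbox file and skips messages saved on an earlier run. The function names, the `POP_HOST`/`POP_USER`/`POP_PASS` environment variables and the file names are assumptions, and POP3 access must be enabled on the account.

```python
import json
import mailbox
import os
import poplib
import ssl


def connect(host, user, password, port=995):
    """Open POP3 over TLS; the default context verifies the server certificate."""
    ctx = ssl.create_default_context()
    conn = poplib.POP3_SSL(host, port, context=ctx, timeout=30)
    conn.user(user)
    conn.pass_(password)
    return conn


def backup_pop3(conn, mbox_path, seen_uids):
    """Append messages whose UIDL is not in seen_uids to a local mbox file."""
    new_uids = []
    box = mailbox.mbox(mbox_path)              # created if it does not exist
    try:
        _, listing, _ = conn.uidl()            # lines look like b"1 <unique-id>"
        for line in listing:
            num, uid = line.decode("ascii", "replace").split(None, 1)
            if uid in seen_uids:
                continue                       # saved on an earlier run
            _, lines, _ = conn.retr(int(num))  # RETR does not delete the server copy
            box.add(b"\n".join(lines) + b"\n")
            seen_uids.add(uid)                 # record only after the local write
            new_uids.append(uid)
    finally:
        box.close()                            # flushes appended messages to disk
    return new_uids


if __name__ == "__main__":
    # Assumed names: environment variables and file names are placeholders.
    state, seen = "backup.uids.json", set()
    if os.path.exists(state):
        with open(state) as fh:
            seen = set(json.load(fh))
    conn = connect(os.environ["POP_HOST"], os.environ["POP_USER"], os.environ["POP_PASS"])
    try:
        print(len(backup_pop3(conn, "backup.mbox", seen)), "new messages saved")
    finally:
        conn.quit()
        with open(state, "w") as fh:
            json.dump(sorted(seen), fh)
```

Keep the mbox file and the UID state file on storage you control; deleting mail from the service afterwards is a separate, deliberate step that this script does not perform.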