The dark side of webmail

It's convenient, but it has its downsides, says Tam Harbert

Web-based email is booming. Services such as Gmail, Yahoo Mail and Hotmail are convenient, accessible and, best of all, free. Many of us have come to rely on them without giving it a second thought. But second thoughts may be in order, according to security experts, privacy advocates and some webmail users. Few consider the fact that webmail is inherently different than POP3 email. It differs in who administers it and how, in the ways it may be vulnerable to hacking, and in the type of help you can expect when you have a problem. For example, the most popular webmail services are prime targets of malicious hackers. Some webmail users run into mysterious technical problems that are never explained or solved. And most webmail users never really know where their data is being stored or for how long — or how well it is being safeguarded.

Although webmail is often billed as a free service, the old adage "you can't get something for nothing" definitely applies here. While you're not giving the webmail provider any of your cash, you are making a trade: Your personal information in exchange for the service. When you click that box on the licensing agreement — you know, the one you didn't read — you're probably giving the provider permission to use the personal information you entered when you signed up. For example, Google's Privacy Policy specifically states that it collects personal information such as your name and email address; it also collects information collected through your browser (such as which sites you visit) and from the text of your emails, which the provider uses to customise ads and conduct research. Most webmail users never really know where their data is being stored or for how long — or how well it is being safeguarded. "It's all about accumulating information about the user," notes Rob Douglas, a privacy and security consultant. "Sure these services are 'free', but the trade-off is that they are obtaining information about you that has value in the world of advertising and marketing." (Admittedly, most of the time this information is collected in the aggregate, so that no individuals are actually picked out.) Not too worried about that? Maybe you should be. "I believe individuals tend to forget that much of what they do online is being recorded," says Douglas. "This collection of information is all done behind the scenes; it's not visualised when individuals are using their computers." It can be shocking to realize how much about yourself you reveal on the web, particularly when vendors combine information from your webmail account with other Web 2.0 sites, such as online social networking platforms. "You start to leave a trail of information about yourself on the internet," says Stephen Northcutt, president of the SANS Technology Institute. "Do you really want to get ads on burial plots because you drink, smoke and engage in unprotected sex?" It's fairly easy (if you know how) to gain access to and read others' webmail without permission, either legally or not, says Jeremiah Grossman, founder and chief technology officer at WhiteHat Security Inc., which tests websites for vulnerabilities. "Webmail should never be considered private, ever," he says. "It can be read in many, many different ways," including rogue customer service reps at the email provider, law enforcement officials with government authorisation, or a curious hacker sniffing packets on the internet. Those of us who spend a lot of time working with online and offline technology tend to shrug when confronted with bothersome details such as manuals, EULAs, and privacy policies. However, if you take a few minutes to really read them, you may find that the privacy policy of your webmail service provider may include a few provisions that you want to at least be aware of. Here excerpts from the privacy policies of the Big Three Webmail providers — Google, Yahoo, and Microsoft — together with a sample of what they contain.

  • Google Privacy Policy

    Sample clause:

    "When you sign up for a Google Account or other Google service or promotion that requires registration, we ask you for personal information (such as your name, email address and an account password). For certain services, such as our advertising programs, we also request credit card or other payment account information which we maintain in encrypted form on secure servers. We may combine the information you submit under your account with information from other Google services or third parties in order to provide you with a better experience and to improve the quality of our services. For certain services, we may give you the opportunity to opt out of combining such information."
  • Yahoo Privacy Policy

    Sample clause:

    "Yahoo! collects personal information when you register with Yahoo!, when you use Yahoo! products or services, when you visit Yahoo! pages or the pages of certain Yahoo! partners, and when you enter promotions or sweepstakes. Yahoo! may combine information about you that we have with information we obtain from business partners or other companies."
  • Microsoft Online Privacy Statement

    Sample clause:

    "Microsoft collects and uses your personal information to operate and improve its sites and deliver the services or carry out the transactions you have requested. These uses may include providing you with more effective customer service; making the sites or services easier to use by eliminating the need for you to repeatedly enter the same information; performing research and analysis aimed at improving our products, services and technologies; and displaying content and advertising that are customized to your interests and preferences."

"If you read the fine print in end-user licence agreements, there's always the possibility for the government to intervene," says Larry Ponemon, founder and chairman of the Ponemon Institute, a privacy and information management research firm. Google's policy, for example, is to notify an email user when the government orders it to turn over records, "except in cases where we're not legally able to do so because notification threatens to impede a law enforcement investigation," says a Google spokesperson. This isn't a theoretical problem. Back in 2006, Google was served with a subpoena from the US Department of Justice: The DoJ wanted two months' worth of search queries from users, together with as many as a million web addresses, to bolster its arguments in a Pennsylvania pornography case. After some legal back and forth, it was finally decided in March 2007 that Google did have to supply the DoJ with 50,000 web addresses, but not any of the user search queries. Google isn't the only webmail supplier that has found itself in the courts. Yahoo made headlines when news organisations reported that the company had handed over the contents of personal email accounts to the Chinese government, resulting in the arrest and imprisonment of several Chinese dissidents.

The increasing popularity of third-party webmail also presents new and sometimes poorly understood security problems for corporate IT departments. Most corporate email travels through an SMTP server, which typically scans incoming email and attachments for malware and inspects outgoing mail for any violations of corporate policy. Not so with webmail, which goes through the corporate HTTP server and is usually not inspected on its way into the network, notes Chenxi Wang, an analyst at Forrester Research Inc. That means webmail can bring in security threats and send out sensitive corporate data. "Unless you've got scanning in place there, it's a huge hole for corporations," says John Maddison, general manager of Trend Micro's network security services group. Some organisations sabotage themselves through ignorance or misguided policies. A company might forbid the use of corporate email for personal business, leaving employees little choice but to use their webmail accounts. Even without a formal policy, "people might think it's the right thing to use their Gmail account for personal business rather than to use their corporate email," says Ponemon. In other cases, a company might make employees jump through so many security hoops to access their email remotely that they use webmail instead, says David Cowings, senior manager of operations in security response at Symantec. For example, employees might forward copies of inbound corporate email to their webmail account rather than go through a complicated process such as using a rotating access key to dial in through a VPN from home or while traveling. Or perhaps corporate IT limits the size of attachments, so if employees needs to send a 2M file, they turn to webmail, says Frank Cabri, vice president of marketing and product management at FaceTime Communications, a security vendor that specialises in securing noncompay-sanctioned applications like webmail. Indeed, when companies start to look at what's travelling through their HTTP channel, "usually IT people are very surprised at the extent of this unsanctioned traffic," Cabri says. On the other hand, the dynamic nature of webmail can be a security plus, says Jen Grant, a group product marketing manager at Google. "The advantage of webmail and the cloud is that we can adapt and adjust almost instantaneously, so the second a new type of malware is there, we can adapt, adjust and update our system and protect our users," says Grant. Contrast that with a static system on a corporate desktop, she says. "In order for them to adapt, they have to download something, they have to install something. It's just not as fast." Webmail isn't necessarily any more vulnerable than corporate mail, says Petko D Petkov, founder and senior security consultant at Gnucitizen, which does penetration testing for companies. Although directly attacking corporate email systems is harder, there are other ways to break into the system, through social engineering or sniffing unprotected wireless connections of corporate laptops at Starbucks, for example. "There are so many variations," he says. "It's just a matter of creativity and innovation." However, there's no denying that Webmail, because it is a web application, is subject to attacks from black-hat hackers looking for vulnerable targets. "It's the law of large numbers," says Ponemon. "The seriously bad criminals — computer jocks in places like Romania and China — they look for the big brands because that's where they'll get the most traction from their criminal activity." The two most prevalent vulnerabilities today are cross-site scripting and cross-site request forgeries, according to Petkov. In fact, cross-site scripting is the most prominent vulnerability on the web, notes Grossman. "It's what's used most often to break into webmail accounts specifically". In webmail cross-site scripting, a cybercriminal will send an email that contains some malicious HTML and JavaScript code in it. When the victim opens that webmail message, the code automatically executes and sends their cookies, which contain the information needed to get access to that webmail account, back to the bad guys. Once that happens, the criminals "have everything they need to log in as you," says Grossman. "There's not much you can do about it." Cross-site request forgery uses cross-site scripting as its first step, says Petkov, but it goes further and uses that info to impersonate the victim to gain access to other accounts. Last year, Petrov reported a Gmail vulnerability that could allow a hacker to use cross-site request forgery to log into users' email accounts and configure them to forward copies of all the user's emails to the attacker's address. Or they might configure it to simply send copies of all emails that contain words like "account number" or "password", which might deliver the information needed to sign into the victim's bank account. Most users would never even realise this was happening — that is, until they logged into their bank account and found it had been drained. Google fixed the vulnerability (although, according to Petkov, it wasn't a complete fix and some users were compromised). And Petkov isn't singling out Google for special criticism. All webmail vendors are engaged in a constant battle against these and other types of exploits, he says. "I'm sure Google is putting a lot of effort into securing their software, but mistakes happen," Petkov notes. "Especially on the web, where everything is constantly changing and people are always striving to add new features. Every time they add a new feature, there could be a problem." Finally, what can you do if you have a problem with webmail? For example, if your emails disappear. That's what happened to Jeneane D Sessum, a writer and consultant who uses Gmail and several other Google web-based applications. Last November, a large chunk of the email messages she had stored on Google's server simply disappeared. When she tried to contact Google support, she was directed to its online help forums. She couldn't find an answer there. Then she filled out a contact form to report a technical problem. In reply, she received a form email saying that Google had determined that there was no outage or data problem that would have caused her email to vanish. "That was it," says Sessum. "No advice on what to do". She had to work through her own personal network to reach an actual person at Google, someone in technical support. "But still nobody could tell me anything except that nothing was wrong on their end." How to protect yourself

Do: Use a strong password that is unique to your email account and change it frequently. (You can use services such as Security Stats Com's Password Security web applet to check your password's effectiveness). Do: Change your password and contact the webmail provider immediately if you suspect your account has been hacked or hijacked. Do: Keep a separate backup of your webmail. One way is to configure your webmail to forward a copy of everything to another email account. In addition, Google offers instructions on how to back up your email to your POP3 email client. Do: Find out how the service provider protects your data in transit and in storage. For example, does it provide an option to use SSL encryption when sending an email? Does it encrypt the data on its servers? Are there backups in case those servers fail? Don't: Use your webmail address as a sign-on for other accounts. If you do and your webmail is hacked, then the hacker will automatically have access to those other accounts. Don't: Use your webmail as storage for your old email unless you're completely comfortable doing so. You're better off backing up your email to a local hard drive and then deleting it from the service. Do: Be cautious when checking your webmail on public terminals in places like airports, and libraries. Make sure you haven't left any cookies and clear your private data (such as cache and browsing history). And remember that your work computer is not private. Do: Use a secure HTTPS connection whenever possible. Sessum wishes Google could be more responsive, especially to users like her who are basing their small businesses on its platforms. "I don't buy this line that these are free services and so you get what you pay for," she says. "They make money off of me by serving ads up every time I send an email." She says she'd gladly pay Google some type of premium fee that would get her better support and perhaps guaranteed backups of her email. Google's Grant won't discuss individual problems like Sessum's, citing user privacy. Google can sometimes restore deleted email, she says, depending on how much time has passed. Ultimately, Google permanently deletes it, but she won't specify the amount of time that Google waits before doing that. "We must strike this balance between, on the one hand, keeping that email around just in case of situations like this so that we could recover the email for the user and, on the other hand, doing what the user has told us to do when they tell us to delete the email," she says. Tellingly, Sessum still uses Gmail and her other Google apps. Indeed, most users seem willing to accept the trade-offs in exchange for the features, usability and accessibility of these services. Sessum, for example, admits that she should have been more conscientious about keeping her own backup of her Gmails. Ironically, she's configured her Gmail account to forward a copy of everything to her Yahoo Mail. "So my backup to my web-based email is another web-based email account," she says.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags webmailSecurity ID

Show Comments