
A Case of Mistaken Identity

As far as Facebook is concerned, your email is your identification. This is true for other social networks like LinkedIn, and is slowly catching on with many other Web 2.0 services. It actually makes a lot of sense that your unique identifier (your “ID”) would be your email—it’s unique by definition, it’s easy to remember and most services need the email information anyway (for example, to send you a password reset). So combining the ‘email’ and ‘username’ fields makes a lot of sense.

Unlike in the past, when users switched emails frequently, we now have Hotmail and Gmail and personalized accounts that we can take with us as we switch jobs or ISPs. Email is private (at least, as private as snail mail) and if my bank feels comfortable sending me alerts and other information over email, then it is definitely secure enough for the rest of us.

So if email is destined to become the equivalent of your social security number or identification number (depending on which country you live in), how do we check that the email address we typed does not contain any typos? Most identification numbers have a check digit that acts like a checksum to make sure the ID was typed correctly. With email, we don’t have that, and so you’re sending an email with the newest Vista joke to your coworker friend Bill Howards over at the Vista team and your finger slips and the mail goes to [email protected]

Or worse—with Gmail I’ve been receiving emails that belonged to some other Aviram who was too slow to catch [email protected] before I did. Most of this misguided email ranges from boring to funny, but today I got a purchase confirmation with the order number, amount and last 4 digits of the CC number. Since I “own” the email that is associated with this account, what prevents me from logging in to this guy’s account (have the e-commerce site send the password to “my” email due to my temporary amnesia) and redirecting the order to another zip code that happens to be my house?

Sure, I would never do that to a fellow Aviram. But what happens when our possible-future-Internet ID, our email, is typed wrong into some government database and all our IRS information, special Internet-voting code and who-knows-what-else is sent to our alternate identity, the guy that lives right by us on the keyboard? Not good.

My receiving another person’s order information is an obvious lesson for web sites: make sure you verify the email address. Sending a test email and waiting for confirmation is good security practice, since you’re not only confirming the person typed his email address correctly but you’re also confirming he did not sign up his mother-in-law to your wonderful daily adult joke service as payback for last Thanksgiving.
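A sketch of the confirm-before-use flow described above, as an added example that is not code from the original post: the site mails a signed, expiring token to the address typed at sign-up and sends nothing sensitive until that token comes back. The account store, `SECRET`, `TTL` and all function names are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = secrets.token_bytes(32)  # assumption: server-side signing key, never sent to clients
TTL = 24 * 3600                   # assumption: confirmation links expire after one day

def _sign(payload):
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()

def issue_token(account_id, email, now=None):
    """Build the token mailed to the address typed at sign-up."""
    expires = int((time.time() if now is None else now) + TTL)
    payload = json.dumps([account_id, email.strip().lower(), expires]).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)

def confirm(token, accounts, now=None):
    """Verify the account only for an untampered, unexpired, still-current token."""
    try:
        b64, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except ValueError:  # no separator, or not valid base64
        return False
    # Check the signature before parsing, so only our own payloads reach json.loads.
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return False
    account_id, email, expires = json.loads(payload)
    if (time.time() if now is None else now) > expires:
        return False
    acct = accounts.get(account_id)
    # The token only counts for the address it was mailed to, not a later edit.
    if acct is None or acct["email"] != email:
        return False
    acct["verified"] = True
    return True

def may_email_order_details(acct):
    """Order numbers, amounts and card digits go only to a confirmed mailbox."""
    return acct["verified"]

if __name__ == "__main__":
    # Constructed sample account; the address is a placeholder.
    accounts = {"u1": {"email": "aviram@example.com", "verified": False}}
    token = issue_token("u1", "Aviram@Example.com")
    print(may_email_order_details(accounts["u1"]))   # nothing confirmed yet
    print(confirm(token, accounts), may_email_order_details(accounts["u1"]))
```

A mistyped address leaves the account unverified unless whoever receives the message clicks the link, so the confirmation mail itself should carry no order or account details.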

By Aviram Jenik, Chief Executive Officer


Comments

John Levine  –  May 19, 2008 5:49 PM

Does anyone still have only one e-mail address?  I give a different (real) one to every web site that asks for one, so I can tell who’s leaking what.

On the other hand, I’ve certainly also gotten my share of mail intended for people with names similar to mine.  Even though you can’t assume that the same person will have the same address, you always need to confirm the addresses that people provide. That’s long standing good practice.

Lynda L. True  –  May 21, 2008 1:29 AM

As far as facebook is concerned, your email is your identification. This is true for other social networks like linkedin, and is slowly catching on to many other Web 2.0 services. It actually makes a lot of sense that your unique identifier (your “ID”) would be your email — it’s unique by definition, it’s easy to remember and most services need the email information anyway (for example, to send you a password reset). So combining the ‘email’ and ‘username’ fields makes a lot of sense.

Seriously? Just to make sure (I don’t use Facebook much), I checked. It’s a quick edit, and you’re using a different email address. I have changed the primary email account on LinkedIn twice, and I have multiple other email addresses on LinkedIn (for those folk that only know me through one). Your email address is not particularly useful as an identifier, other than for trivial applications such as the currently popular social networks.

I have more than twenty email addresses that I check on a daily basis, and five or so that I check whenever I’m near a computer. I don’t use the email on my blackberry often, but it’s useful when I need it. Which email address would be my identity?

Email is also *not* private. If you’re using one of the free ones, then it’s stored on someone else’s server. Even if you have a local server, privacy is not necessarily guaranteed. Encryption is the only guarantee of privacy, and even that is easily misused. My PGP key is a unique identifier.

I guess typographical errors in email addresses are something we’ll just have to live with. I can understand being disconcerted when random strangers mistake you for another, but it certainly seems careless on the part of the other fellow that such things have occurred. Not near so much a case of mistaken identity as a lack of care on some other Aviram’s part.

I cannot believe that email will ever be the same as a social security number. It’s uncontrolled, too easy to forge, and there are any number of other issues that would also matter. Long, long ago, I used to think of myself as the only “shrdlu” but even those days are long past.

Aviram Jenik  –  May 21, 2008 9:05 AM

John Levine said:

Does anyone still have only one e-mail address?  I give a different (real) one to every web site that asks for one, so I can tell who’s leaking what.

Yup. Isn’t qmail awesome :-)

I’m betting you’ll have to start getting used to one email address, though. I used to create usernames like: .(JavaScript must be enabled to view this email address) but then when I had to login I couldn’t remember what I put as the ‘servicename’ and which domain I used. Slowly I’m realizing that I’m using mainly 2 emails (personal and work) and soon enough I’ll be using just one.

So at least in my case it’s not the technical issue of having one email address (I have as many as I need) but a convenience of always remembering my username (=my “one” email).

Aviram Jenik  –  May 21, 2008 9:16 AM

Lynda L. True said:

As far as facebook is concerned, your email is your identification.

Seriously? Just to make sure (I don’t use Facebook much), I checked. It’s a quick edit, and you’re using a different email address. I have changed the primary email account on LinkedIn twice, and I have multiple other email addresses on LinkedIn (for those folk that only know me through one). Your email address is not particularly useful as an identifier, other than for trivial applications such as the currently popular social networks.

Not sure what you mean here. I never said you couldn’t have multiple emails, only that your email is unique (i.e. no one else has it) and so it’s a convenient login name.

I have more than twenty email addresses that I check on a daily basis, and five or so that I check whenever I’m near a computer. I don’t use the email on my blackberry often, but it’s useful when I need it. Which email address would be my identity?

I’m with you here. But read my answer to John - I have a feeling that soon enough we’ll all have to merge into one or two email addresses that “identify” us, just like you give out a certain physical mailing address even if you spend a lot of time at your sister’s.

Email is also *not* private. If you’re using one of the free ones, then it’s stored on someone else’s server. Even if you have a local server, privacy is not necessarily guaranteed. Encryption is the only guarantee of privacy, and even that is easily misused. My PGP key is a unique identifier.

I disagree. Email *is* private. Maybe it’s not secure, but it’s private. If your email provider is reading your emails they might be breaking the law. Just like your medical records are private even though they are written in plain text and sit in an easily accessible drawer somewhere.

I cannot believe that email will ever be the same as a social security number. It’s uncontrolled, too easy to forge, and there are any number of other issues that would also matter. Long, long ago, I used to think of myself as the only “shrdlu” but even those days are long past.

Much of what you said is true for 7 numeric digits that make up your social security number. And even if shrdlu is not unique, I’m pretty sure [email protected] is unique.

John Levine  –  May 21, 2008 11:39 AM

Aviram Jenik said:

I’m betting you’ll have to start getting used to one email address, though. I used to create usernames like: .(JavaScript must be enabled to view this email address) but then when I had to login I couldn’t remember what I put as the ‘servicename’ and which domain I used.

I’ve found the exact opposite.  I use the name of each site to invent an address, and only use my real address when corresponding with individuals.  As far as remembering what address goes with what site if your addresses weren’t memorable enough, gee, maybe we could use a computer or something to keep track of them.
