HotMail Sharing Member Email Addresses

Bennett Haselton, 3/5/2001

Update, 3/19/2001: Since the release of this report, has changed the format of listings on their Web site so that email addresses are no longer publicly displayed, and spammers and other third parties can no longer use InfoSpace to harvest HotMail users' email addresses.

After receiving complaints from HotMail users about junk mail in accounts that had never been "publicized" anywhere, we found that HotMail was sharing its member email addresses with, which makes the addresses available on its Web site where they can be "harvested" by third parties, including spammers. The statement on the InfoSpace Web site -- "For privacy, we don't show the full email addresses of people listed in our directories" -- turned out not to be correct, since HotMail provides its users with a search interface that allows them to harvest the email addresses of users listed on InfoSpace, including other HotMail users.

- The details
- Reverse lookup (updated 3/19/2001)
- HotMail's statements on privacy
- Why publicize it
- How we found out about this

The details

When HotMail users create a new account at HotMail's signup page, the following text appears at the very bottom of the page, separated from the signup form by a full screen-length of other small print:

Internet White Pages
Click this option, and your name, location, and Hotmail e-mail address will be automatically listed in one or more Internet e-mail directories so others can look you up and send you messages! All other information about you is kept confidential.

This small print refers to the "Internet White Pages" checkbox in the signup form, which is checked by default:
Services Hotmail Member Directory
Internet White Pages
Use the checkboxes to indicate whether you wish to be listed in these Internet directories. More information about Directories.
"Internet White Pages" refers to the the Email directory. (This was difficult to track down, since InfoSpace Email search is not referred to as the "Internet White Pages" anywhere else, but the "White Pages" search made available to HotMail users while they are logged in, is actually a link to the InfoSpace Email search.) If you use the InfoSpace Email search page to search for "John Smith", the resulting listings display only a domain name, not the full email address:

and clicking on the "Send Email" link takes the user to a new page with the message:
For privacy, we don't show the full email addresses of people listed in our directories. You may use the form below to send a message, and your recipient may reply if he or she chooses.
But, if you are logged in to your HotMail account, you can click on the "Directories" link from your Inbox page and follow the "Email Search" link, which points to the InfoSpace "HotMail Email Search" form at

You can actually follow the above link and use the form without being logged in to HotMail -- search for "John Smith", and the results will be the same as the results that were displayed by the public search interface, except that now the "Send Email" link points to a URL of the form:
which contains "John Smith's" email address. If you're logged in to HotMail, clicking on that link takes you to a "Compose Message" page, with the recipient's email address already filled in.

By default, InfoSpace lists only 5 member email addresses at a time, but you can list up to 100 addresses per page by taking the URL for the search results:
and changing "QK=5" to "QK=100", giving you a URL that lets you collect up to 100 email addresses at a time:

Reverse lookup

InfoSpace also provides a form where users can enter an email address and find a person's location:
(go to the form at the bottom of the page)
At various times, the HotMail member signup page has asked new members to either their city and state of residence, or only their state (currently, only the state of residence is requested). But the form also requests a zip code, and the user is prompted to re-enter their information if the city/state and zip code don't match. So the location information associated with most HotMail users is correct, since the only way for a new user to enter incorrect information when they sign up, would be to look up a valid zip code for another city, and most users don't bother.

Most HotMail users might assume that a person corresponding with them over the Internet can't determine their location based on their address, but this isn't true if their address is listed at InfoSpace.

HotMail's statements on privacy

HotMail's privacy policy states:

Hotmail keeps all of your Personal Information private and does not share it with any third parties. Hotmail will not disclose your Personal Information unless acting under a good faith belief that such action is necessary to: (1) conform to legal requirements or comply with legal process; (2) protect and defend the rights or property of Microsoft; (3) enforce the TERMS OF USE; or (4) act to protect the interests of its members or others.
Hotmail will not sell, lease or rent its member lists with any third parties.
Privacy advocates disagree on whether a default-checked box on a member signup page, accompanied by small print, constitutes obtaining a user's "consent" to have their information shared. However, HotMail's privacy policy does not say that they obtain a member's permission before sharing their information -- it says that they do not share their member lists, period. The practice of publishing their members' email addresses through InfoSpace appears to violate this policy; it was probably done as part of a business partnership with InfoSpace.

Why publicize it

Publishing this report does raise the issue of whether it is ethical to reveal this information, including the details of how to collect the email addresses of HotMail members that HotMail shares with InfoSpace. However, the amount of spam received by HotMail users who never published their email addresses, suggests that many spammers had already discovered how and where HotMail makes its members' email addresses available. Since HotMail and InfoSpace will probably stop publishing member email addresses immediately after this report is brought to light, the window of opportunity for any new spammers to exploit this loophole is too short to be of any use, and the end result should be less spam for HotMail users in the long run.

How we found out about this

In January 2001, we publicized that HotMail had been silently blocking their users from sending us mail (as part of a private boycott against our service provider), returning the messages to the sender with a bogus "Returned Mail" error. Most of our members with HotMail addresses were outraged to find out that HotMail had been blocking their outgoing mail to Peacefire.

HotMail immediately stopped blocking outgoing mail, but defended the boycott as a "spam-fighting" tactic. (Our ISP refuses to host spammers, but was targeted for the boycott anyway because of the content of some hosted sites including and, which do business with spammers located on other providers. This "boycott blocking" is of course different from the far more common practice of blocking actual spam, which ISP's do to protect their user's accounts, usually with their approval, and not for any boycott-related reasons.)

Our members with HotMail addresses, in addition to being outraged to find out that they had been co-opted into this "boycott" without their permission, said in some cases that the "spam-fighting" excuse was ironic, given that they had been receiving spam in HotMail accounts that they had never publicized anywhere. We began investigating whether HotMail had made its member addresses available to third parties where spammers might have harvested them, and found the connection to InfoSpace.

Bennett Haselton, 3/5/2001