HotMail Sharing Member Email Addresses

Bennett Haselton, 3/5/2001

Update, 3/19/2001: Since the release of this report, InfoSpace.com has changed the format of listings on their Web site so that email addresses are no longer publicly displayed, and spammers and other third parties can no longer use InfoSpace to harvest HotMail users' email addresses.

After receiving complaints from HotMail users about junk mail in accounts that had never been "publicized" anywhere, we found that HotMail was sharing its member email addresses with InfoSpace.com, which makes the addresses available on its Web site where they can be "harvested" by third parties, including spammers. The statement on the InfoSpace Web site -- "For privacy, we don't show the full email addresses of people listed in our directories" -- turned out not to be correct, since HotMail provides its users with a search interface that allows them to harvest the email addresses of users listed on InfoSpace, including other HotMail users.

- The details
- Reverse lookup (updated 3/19/2001)
- HotMail's statements on privacy
- Why publicize it
- How we found out about this

The details

When HotMail users create a new account at HotMail's signup page, the following text appears at the very bottom of the page, separated from the signup form by a full screen-length of other small print:

Internet White Pages
Click this option, and your name, location, and Hotmail e-mail address will be automatically listed in one or more Internet e-mail directories so others can look you up and send you messages! All other information about you is kept confidential.

This small print refers to the "Internet White Pages" checkbox in the signup form, which is checked by default:
Services Hotmail Member Directory
Internet White Pages
Use the checkboxes to indicate whether you wish to be listed in these Internet directories. More information about Directories.
"Internet White Pages" refers to the InfoSpace.com Email directory. (This was difficult to track down, since InfoSpace Email search is not referred to as the "Internet White Pages" anywhere else, but the "White Pages" search made available to HotMail users while they are logged in is actually a link to the InfoSpace Email search.) If you use the InfoSpace Email search page to search for "John Smith", the resulting listings display only a domain name, not the full email address:

and clicking on the "Send Email" link takes the user to a new page with the message:
For privacy, we don't show the full email addresses of people listed in our directories. You may use the form below to send a message, and your recipient may reply if he or she chooses.
But, if you are logged in to your HotMail account, you can click on the "Directories" link from your Inbox page and follow the "Email Search" link, which points to the InfoSpace "HotMail Email Search" form at
     http://www.infospace.com/info.hot/redirs_all.htm?pgtarg=pplea

You can actually follow the above link and use the form without being logged in to HotMail -- search for "John Smith", and the results will be the same as the results that were displayed by the public search interface, except that now the "Send Email" link points to a URL of the form:
http://lw10fd.law10.hotmail.msn.com/cgi-bin/compose?curmbox=F000000001&a=5923bd6c1845c649c283ccfc41212975&mheader=to&login=&mheader=to&address=gtii@hotmail.com&curmbox=ACTIVE
which contains "John Smith's" email address. If you're logged in to HotMail, clicking on that link takes you to a "Compose Message" page, with the recipient's email address already filled in.

By default, InfoSpace lists only 5 member email addresses at a time, but you can list up to 100 addresses per page by taking the URL for the search results:

http://kevdb.infospace.com/info/kevdb?OTMPL=%2Femail%2Femail-out.html&QK=5&QN=smith&QF=john&KCFG=email&ran=14657
and changing "QK=5" to "QK=100", giving you a URL that lets you collect up to 100 email addresses at a time:
http://kevdb.infospace.com/info/kevdb?OTMPL=%2Femail%2Femail-out.html&QK=100&QN=smith&QF=john&KCFG=email&ran=14657
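
The InfoSpace listing masked the address on screen, but the HotMail-specific "Send Email" link carried it in the query string. As an added example (not part of the original report), the following Python check scans a directory results page for links whose query parameters contain a full email address, which is the audit a directory operator would run to confirm that on-screen masking is not undone by the links around it; the sample HTML, the webmail host and the listed address are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# A query-string value that is a complete mailbox@domain address.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class LinkCollector(HTMLParser):
    """Gather every href attribute from the anchor tags in a page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def leaked_addresses(html):
    """Return the full email addresses exposed in the query string of any link.

    A directory that hides addresses on screen still leaks them if its
    "Send Email" link is a webmail compose URL carrying the recipient as a
    parameter; a relay form whose link carries only an opaque id does not.
    """
    collector = LinkCollector()
    collector.feed(html)
    found = []
    for href in collector.hrefs:
        for values in parse_qs(urlsplit(href).query).values():
            found.extend(v for v in values if EMAIL_RE.match(v))
    return found


# Constructed sample page: the first listing links to a relay form that
# carries only an opaque id; the second links to a compose URL that carries
# the recipient address itself (host and address are made up).
SAMPLE_HTML = """
<p>John Smith (Seattle, WA) hotmail.com <a href="/sendmail?id=8843">Send Email</a></p>
<p>John Smith (Boston, MA) hotmail.com
   <a href="http://webmail.example/cgi-bin/compose?mheader=to&amp;address=listed.user@example.com&amp;curmbox=ACTIVE">Send Email</a></p>
"""

if __name__ == "__main__":
    for addr in leaked_addresses(SAMPLE_HTML):
        print("address exposed in link:", addr)
```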

Reverse lookup

InfoSpace also provides a form where users can enter an email address and find a person's location:
http://www.infospace.com/info/redirs_all.htm?pgtarg=reve
(go to the form at the bottom of the page)
At various times, the HotMail member signup page has asked new members to enter either their city and state of residence, or only their state (currently, only the state of residence is requested). But the form also requests a zip code, and the user is prompted to re-enter their information if the city/state and zip code don't match. So the location information associated with most HotMail users is correct, since the only way for a new user to enter incorrect information when they sign up would be to look up a valid zip code for another city, and most users don't bother.

Most HotMail users might assume that a person corresponding with them over the Internet can't determine their location based on their address, but this isn't true if their address is listed at InfoSpace.

HotMail's statements on privacy

HotMail's privacy policy states:

Hotmail keeps all of your Personal Information private and does not share it with any third parties. Hotmail will not disclose your Personal Information unless acting under a good faith belief that such action is necessary to: (1) conform to legal requirements or comply with legal process; (2) protect and defend the rights or property of Microsoft; (3) enforce the TERMS OF USE; or (4) act to protect the interests of its members or others.
and:
Hotmail will not sell, lease or rent its member lists with any third parties.
Privacy advocates disagree on whether a default-checked box on a member signup page, accompanied by small print, constitutes obtaining a user's "consent" to have their information shared. However, HotMail's privacy policy does not say that they obtain a member's permission before sharing their information -- it says that they do not share their member lists, period. The practice of publishing their members' email addresses through InfoSpace appears to violate this policy; it was probably done as part of a business partnership with InfoSpace.

Why publicize it

Publishing this report does raise the issue of whether it is ethical to reveal this information, including the details of how to collect the email addresses of HotMail members that HotMail shares with InfoSpace. However, the amount of spam received by HotMail users who never published their email addresses, suggests that many spammers had already discovered how and where HotMail makes its members' email addresses available. Since HotMail and InfoSpace will probably stop publishing member email addresses immediately after this report is brought to light, the window of opportunity for any new spammers to exploit this loophole is too short to be of any use, and the end result should be less spam for HotMail users in the long run.

How we found out about this

In January 2001, we publicized that HotMail had been silently blocking their users from sending us mail (as part of a private boycott against our service provider), returning the messages to the sender with a bogus "Returned Mail" error. Most of our members with HotMail addresses were outraged to find out that HotMail had been blocking their outgoing mail to Peacefire.

HotMail immediately stopped blocking outgoing mail, but defended the boycott as a "spam-fighting" tactic. (Our ISP refuses to host spammers, but was targeted for the boycott anyway because of the content of some hosted sites including ListSorcerer.com and BulkISP.com, which do business with spammers located on other providers. This "boycott blocking" is of course different from the far more common practice of blocking actual spam, which ISPs do to protect their users' accounts, usually with their approval, and not for any boycott-related reasons.)

Our members with HotMail addresses, in addition to being outraged to find out that they had been co-opted into this "boycott" without their permission, said in some cases that the "spam-fighting" excuse was ironic, given that they had been receiving spam in HotMail accounts that they had never publicized anywhere. We began investigating whether HotMail had made its member addresses available to third parties where spammers might have harvested them, and found the connection to InfoSpace.
