Almost everyone, if not absolutely everyone, with an Internet connection uses email. There are a lot of standard tips about the dangers of opening attachments and so forth, but here are seven things I believe the majority of email users haven't been sufficiently warned about... Or if they have, they haven't taken enough notice...
1. Opening or viewing new emails with full image content
If you do this, you’re almost inevitably being tracked. When a sender incorporates a hotlinked image into an email, the hotlink is fetched as you open the mail (or view it in a viewing pane), and the image is loaded – just as it would be when you visit a forum page with hotlinked images. The fetching of the hotlinked content from the mail sender’s server creates a ‘hit’. It’s just like them getting a hit on their website, except that rather than an entire page, only an image loads up. But the hit still registers, with a timestamp, your IP address, etc. When the sender gets that hit, they know you’ve opened the email. They’ve been able to spy on something you may have thought was private.
Web-based mail services like Hotmail or Yahoo! Mail are not reliable in blocking images. Even though they may give you an option to block image content or ‘active’ content, it appears they make exceptions for affiliated organisations so you can still be tracked by some senders. See this thread for an example with Hotmail. I've also found that Yahoo! looks to be bypassing its own image hotlink blocking for Flickr emails. So the best practice is to import all your Web-based email to a desktop email client before opening or viewing anything (see Point 4 for more details). That way, not only can you most likely set up a more reliable block on image or ‘active’ content, but for 100% safety you can physically lock your Internet connection before opening your mail. Even if the desktop client for some reason fails to block image hotlinks and the like, your computer literally can’t communicate with the sender’s site, so you can’t be tracked.
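One way to check a saved message for hotlinked content before viewing it, as an added example that is not part of the original post. The sample message and its shop.example hosts are constructed; the script only parses the message and never connects anywhere, so it can be run with the connection locked.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# (tag, attribute) pairs that make a mail client fetch from a remote server.
FETCHING = {("img", "src"), ("input", "src"), ("iframe", "src"), ("link", "href"),
            ("video", "poster"), ("body", "background"), ("table", "background"),
            ("td", "background")}

class RemoteRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, url, looks_like_tracking_pixel)

    def handle_starttag(self, tag, attrs):
        sizes = dict(attrs)
        for name, value in attrs:
            if (tag, name) not in FETCHING or not value:
                continue
            url = value.strip()
            remote = urlsplit(url).scheme in ("http", "https") or url.startswith("//")
            if not remote:
                continue  # cid: and data: images travel inside the mail, no hit
            tiny = sizes.get("width") in ("0", "1") or sizes.get("height") in ("0", "1")
            # Any remote image registers a hit; a 0/1-pixel one has no other purpose.
            self.refs.append((tag, url, tag == "img" and tiny))

def remote_references(raw_message: bytes):
    """Return every remote fetch the HTML parts of a message would trigger."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    finder = RemoteRefFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.refs

# Constructed sample message (all hosts are made up).
SAMPLE = (b"From: Example Shop <news@shop.example>\r\n"
          b"To: reader@mail.example\r\n"
          b"Subject: Offers\r\n"
          b"MIME-Version: 1.0\r\n"
          b"Content-Type: text/html; charset=utf-8\r\n\r\n"
          b'<html><body><img src="cid:logo">'
          b'<img src="https://track.shop.example/o.gif?u=12345" width="1" height="1">'
          b'<img src="https://img.shop.example/banner.jpg" width="600"></body></html>\r\n')

if __name__ == "__main__":
    for tag, url, pixel in remote_references(SAMPLE):
        print("PIXEL?" if pixel else "remote", tag, urlsplit(url).netloc, url)
```
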
2. Using the same provider for email as you do for Web search
Tying your Web search in with your personal life is not a good idea. This is not about having something to hide. It’s about not letting one organisation profile you in the way that such a situation would allow. The information you’re sending in emails is often exceptionally personal and very private. Your email reveals who you really are, but your Web search reveals what you really think. I mean, what you really think. Not what you say you think when you interact with other people in your life. The likes of Google, Yahoo!, Microsoft or AOL knowing more about you possibly even than your own family should not bear thinking about. It’s just too much information to be giving to one organisation – especially when you don’t really know who they are. I'd recommend keeping your search provider separate from your email provider, and always searching logged out, with cookies disabled.
3. Failing to use a disposable email address for people you don’t know
If you don’t have a disposable email address, get one, immediately. And if your email service provider doesn’t support disposable email addresses, find another provider who does. One person I know gets so much spam to his personal, home email address that he can barely find an email you sent him two hours ago. On occasion, he’s phoned me because my mail got drowned in the sea of crap constantly streaming into his inbox, and he thought I hadn’t sent it. That’s how serious a problem he has with spam.
Is his email like this because he signs up for every single service he sees on the Internet? Of course not. It’s because he gave the address to one or two rogue online entities, and they passed it on to other rogue entities, and before he knew it, he was snowed under with spam. If he’d kept his personal email address for personal mail (i.e. to and from friends, family, and very important known contacts), and used at least one disposable address for other types of mail, he could simply have ditched the disposable address, replaced it with another, and gone straight back to living in peace.
Remember that your disposable email address doesn't necessarily have to be officially categorised as disposable by your service provider. You can set up an entire 'disposable' account if you like, and just drop it when you need to. Sometimes, in fact, this is better than using an official disposable address within your main account, because you can better customise a disposable account for sending email. You can ensure that the account never references your real name, doesn't give any access to your real personal details, etc. With a full 'disposable' account (which is just a normal email account you regard as disposable), you can send messages in any name, and without risk of being personally identified.
Don’t, incidentally, be under any illusions about the potential for your email address to be misused – even by supposedly reputable businesses. I caught a major retail chain breaking data protection laws with my email address last year. The only reason I was able to catch them out was that I have a zero tolerance policy on spam, and the email address that ended up getting spammed was 100% clear of any other spam. Suddenly, a regime of spam started out of nowhere, and I contacted the company demanding to know how they got my email address. It turned out they’d added it to their marketing list illegally and in contravention of several DPA laws.
Of course, had that email address been an all-purpose receiver taking a huge raft of different mail types, I doubt I’d have noticed. But this showed that you can’t even trust apparently reputable high street brands. And if you can’t trust them, you certainly can’t trust small, obscure entities on the Web. Set up at least one disposable email address, and use it for anyone you don’t know.
4. Irrevocably deleting email
I wouldn’t recommend deleting any email. Instead, use folders to archive old mail, and don’t delete your archive folders until you’ve backed them up safely to your own media. This is another compelling reason, if you use Web mail (like Hotmail, Gmail, AOL or whatever), to import everything into a desktop client like Outlook or Outlook Express. Among the popular Web email services, you can access Gmail, Hotmail or Outlook from the desktop via the POP3 protocol, and you can access AOL or Gmail via IMAP. These protocols let you connect to your Web mail from your desktop client and import everything onto your hard drive.
Yahoo! is missing from the above list, because Yahoo! doesn’t allow any offline access without a paid upgrade [UPDATE: Yahoo! does now give POP3 access on free accounts]. The other services listed above give free access. As I discussed earlier, you get better control over how you read your emails when you do it on your own PC rather than online. But you also get the wherewithal to back up your mail using your mail client’s Backup or Export function. If you then have to start deleting old mail from your Web service, you still have it archived and stored offline, should you need to revisit anything. You never know who’s going to make what kind of claim at some point in the future. If someone tries to claim you failed to do something you know you did, or that they didn’t agree to something they expressly agreed to, being able to dig up their email, or your email, can save you an enormous amount of bother, and possibly even expense.
And don’t forget that when you sign up for a service online, the original activation email often contains ‘life saving’ information which can rescue your entire account when you’re in danger of losing it.
I even hang onto the spam that ends up in my Spam folder. Mind you, I hardly get any, because I always unsubscribe, and complain with bells on if my ‘unsubscribe’ request is not honoured. Speaking of which…
5. Failing to unsubscribe from all unnecessary email
If you start to let one or two entities occasionally spam you after signing up to online services, forums and what have you, what happens is that over time, the number of entities steadily increases. There isn’t a problem if it’s just one or two entities sending occasional mail, but before long, you reach the point where you can’t remember who, exactly, does or doesn’t have permission to mail you. At that point, you’ve lost control. You don’t know whose mails are legitimate, and whose require a stiff response to the sender reminding them that spamming against your requests is illegal. Trying to clean up your inbox from a position where you don’t know who’s doing what is extremely difficult.
So I’d recommend checking your email settings immediately after signing up to anything new, and de-selecting any mail it’s possible to de-select. If you subsequently get an email, look for the unsubscribe link, and use it, straight away. If you get used to routinely and systematically unsubscribing, you’ll know instantly if someone ignores your prefs and sends you mail anyway. And some will. Even massive, global businesses you’d think would know better sometimes have to be ‘disciplined’ for spamming non-solicitable addresses. Some more than once!
In my experience, unsubscribing down to zero spam (even if it takes a written opt-out) does work, and means that any transgressions stand out like a sore thumb.
Incidentally, don’t block senders using the email service’s own Block tool. All that does is prevent the messages getting to your inbox. The sender still regards you as solicitable, and may spread your information to other ‘carefully selected companies’, which will mean you’ll have more senders to add to your block list in due course – maybe quite a lot. Unsubscribing with the sender may take longer, but it’s a much better, 'cleaner' system in the long run.
6. Storing contacts
Storing contacts makes things convenient, but I really don’t think it’s a good idea to store them online in a Web-based email service, on a Contacts List. If you deal with any site which has terrible privacy standards, one of their first goals will be to get hold of your Contacts List. Not only is this a privacy threat for everyone whose email address you’ve placed on the list – it’s also a privacy threat to you, because you’re being associated with all of those contacts, and you can’t predict the future.
I’d suggest leaving your contacts list empty and storing people’s email addresses offline if you really need to. Most of us don’t communicate with that many people whose email addresses we really need to store. In other words, people whose email addresses can’t be found quickly and easily on the Web. Many email users just store addresses in their Contacts by default, but the majority of those they store are just commercial addresses which are readily available on the company websites in the unlikely event that they're ever required again.
It’s also the case that if you store your contacts offline (as well as backing up your emails as I advised earlier), you won’t be compromised if you need to close down a root email address and start again from scratch. Speaking of which…
7. Becoming too dependent on one email service or address
It’s a situation that should be avoided at all costs… Having a single email address that you haven’t backed up, and which contains all your important contact information, dialogues, etc… Lose that account, either because someone hacked it and deleted everything, or because you unwittingly broke the Terms of Service, or because the service provider unexpectedly went out of business, and, to put it as politely as possible, you’re completely stuffed. Always consider what you’d do if your main email was suddenly gone. Could you cope? If not, you need to act now. Most people back up their hard drives, but a lot fewer back up their email.
There's a balance to be found between minimising the risk of losing everything, and maintaining adequate privacy. For example, you could feasibly import all your mail from one Web-based service to another - just to be safe and 'backed up'. However, if two organisations have all your data, you're at twice the risk of a privacy problem. My preferred option would always be to effectively 'download' your email to your hard drive, using POP3 or IMAP, and then back it up in a full export.
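The download-then-back-up routine from Points 4 and 7, sketched with Python's standard library instead of a desktop client's Export function. This is an added example, not part of the original post; it assumes the provider offers POP3 over TLS on port 995, and the host, user name and password are supplied by the caller.

```python
import email
import mailbox
import poplib

def fetch_all_pop3(host, user, password, port=995):
    """Download every message over POP3 with TLS, leaving the server copy alone."""
    conn = poplib.POP3_SSL(host, port)
    try:
        conn.user(user)
        conn.pass_(password)
        count, _size = conn.stat()
        # retr() returns (response, [line, ...], octets); rejoin the lines as raw bytes.
        return [b"\n".join(conn.retr(i)[1]) + b"\n" for i in range(1, count + 1)]
    finally:
        conn.quit()  # dele() is never called, so nothing is removed from the server

def archive_to_mbox(raw_messages, mbox_path):
    """Append messages to a local mbox file, skipping ones already archived.

    Returns the number of messages added. Assumes no other program has the
    archive open at the same time (no file locking is done here).
    """
    box = mailbox.mbox(mbox_path)  # the file is created if it does not exist
    try:
        seen = {m["Message-ID"] for m in box if m["Message-ID"]}
        added = 0
        for raw in raw_messages:
            mid = email.message_from_bytes(raw)["Message-ID"]
            if mid and mid in seen:
                continue  # same message fetched on an earlier run
            box.add(raw)
            if mid:
                seen.add(mid)
            added += 1
        return added
    finally:
        box.close()  # flushes pending messages to disk

if __name__ == "__main__":
    import getpass
    host = input("POP3 host: ")
    user = input("User: ")
    mails = fetch_all_pop3(host, user, getpass.getpass())
    print(archive_to_mbox(mails, "mail-archive.mbox"), "new messages archived")
```

Because messages are matched on Message-ID, the script can be re-run against the same account and only mail that has arrived since the last run is appended; the resulting mbox file is what gets copied to your own backup media.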