The Internet’s Next Identity Crisis: Pseudo anonymous Email

Daniel Fernandez
Sep 28, 2021

A user’s primary identity is becoming less effective than before


Privacy Implications

If it feels like the laws governing email and your privacy could use updating, you are right. Today, the primary law governing the privacy of all electronic communications in the United States is the Electronic Communications Privacy Act (ECPA). This legislation dates back to 1986, which, according to internet history, was at least three years before the internet as we know it was even invented.

Identity data has always been valuable both for law enforcement and for commercial reasons. Unique identifiers were at the core of our telephone and postal systems. Delivering electronic mail has been centered around email addresses for obvious reasons too. Given the widespread use of email addresses as an identifier, providing one has also become a legal requirement in some cases. This contact method is now standard for legal, government, and commercial use cases. It’s hard to imagine logging into any online service that is not tied to or based on your email address.

The use of email for identity and its dangers

The convenience of having a single identity was a significant advancement for early internet users. Still, it quickly became a nuisance when the online equivalent of snail mail flyers started to appear. From unwanted newsletters to mass communications, billions of people appear on thousands of mailing lists bought and sold online.

Beyond the perceived loss of privacy from the commercialization of this identifier and its combination with others such as user agents, cookies, and session IDs, it’s important to highlight that your email is one of the first attack vectors a threat actor would like to focus on.

From getting into your bank account via email to resetting any account based on the said email account, your inbox is a trove of information for an internet hacker, and selling that data can be a valuable pursuit on its own.

Pseudo Anonymous Email

A myriad of services are surfacing that promise to keep your actual email address a secret. These services offer an additional email alias and even the option to generate unique emails whenever you have to fill out one of those pesky forms we dislike. The promise is that all these random email addresses will forward all mail traffic directly to your inbox, possibly removing the tracking pixels along the way. That way, the sender cannot tell whether you opened the email in the first place.
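The forwarding step described above, sketched as an added example (not code from the original post or from any particular alias service). The alias table, the addresses, and the "both dimensions are 0 or 1" pixel heuristic are assumptions made for illustration, and the sample message is constructed.

```python
import re
from email import message_from_string, policy

# Hypothetical alias table: per-service alias -> real inbox (constructed values).
ALIASES = {"shop-7f3a@alias.example": "me@inbox.example"}

IMG_TAG = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
DIM = re.compile(r"""\b(width|height)\s*[=:]\s*["']?\s*(\d+)""", re.IGNORECASE)

def is_tracking_pixel(tag):
    """Heuristic (assumption): an <img> whose width and height are both 0 or 1."""
    dims = {k.lower(): int(v) for k, v in DIM.findall(tag)}
    return {"width", "height"} <= dims.keys() and all(v <= 1 for v in dims.values())

def strip_pixels(html):
    """Return (cleaned_html, number_of_pixels_removed)."""
    removed = sum(is_tracking_pixel(t) for t in IMG_TAG.findall(html))
    keep = lambda m: "" if is_tracking_pixel(m.group(0)) else m.group(0)
    return IMG_TAG.sub(keep, html), removed

def forward(raw):
    """Rewrite a message sent to an alias so it can be delivered to the real inbox."""
    msg = message_from_string(raw, policy=policy.default)
    alias = msg["To"].addresses[0].addr_spec.lower()
    real = ALIASES.get(alias)
    if real is None:
        return None, 0  # unknown alias: nothing is forwarded
    removed = 0
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            cleaned, n = strip_pixels(part.get_content())
            part.set_content(cleaned, subtype="html")
            removed += n
    msg.replace_header("To", real)
    msg["X-Original-To"] = alias  # records which alias (and so which service) was used
    return msg, removed

# Constructed sample: one visible logo and two invisible tracking images.
SAMPLE = """\
From: news@shop.example
To: shop-7f3a@alias.example
Subject: Sale
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Big sale</p>
<img src="https://shop.example/logo.png" width="120" height="40">
<img src="https://t.shop.example/open?u=7f3a" width="1" height="1">
<img src="https://t.shop.example/o.gif" style="width:0;height:0">
</body></html>
"""
```

Pixels without explicit dimensions, or tracking done through rewritten links, pass through this heuristic untouched, which is why the article says "possibly".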

A headache for marketers

Any improvement in our data privacy is an immediate blow to the billion-dollar internet digital advertising industry. The loss of this unique identifier and the trend to remove tracking details from email hurts marketers because they are both unable to know who the individual behind an email address is and get no indication of the effectiveness of a campaign, offer, or outreach effort.

A blessing for users

As an end-user, I’m happy that this trend is taking place. I managed a version of this manually for a while. That entailed registering domain names and using them as email aliases to forward all mail to a lesser-known email account which connected all my critical applications and data. That way, if my credentials were ever leaked in a data dump from a famous hack, the attackers wouldn’t know precisely what my email address was for critical things like bank accounts and others.

If combined with a password manager, this approach now allows you to have unique credentials for every account and service that you have signed up for.

Also a blessing for threat actors

The ability to trace a unique identifier to a bad cyber actor has been the bread and butter of many threat hunters, network defenders, and cyber security intelligence experts. When email providers became abundant, especially encrypted providers, threat actors actively managed to create throw-away accounts. Some of these providers have increased the safety nets to prevent programmatic account creation, so bad actors were limited to lower-volume creation. Unfortunately, this new set of services could often be just what attackers look for as a way to get anonymous email accounts that can be managed from a central inbox.

Cybersecurity Implications

As mentioned earlier, attribution is a crucial aspect of information security. The new services empower bad actors to become even more anonymous online or, at the very least, potentially make it easier to have good operational security as an attacker. It would be interesting to see how these providers enable mitigation for abuse of these services. It will be even more interesting to see if service providers block these email services altogether, rendering them useless. While bringing a short sigh of relief for privacy-aware users, this internet identity crisis could also affect the security of those users thanks to bad actors doing what they do best: adapting.
