Many people use their primary email to sign in to practically everything. That’s a privacy nightmare, and you might be shocked to see how easily someone can use it to effectively stalk you and violate your privacy.
Your Email Can Be Used to Identify Which Services You Use
Typically when people talk about serious privacy issues related to your email address or other kinds of logins, the focus is on data breaches, leaked information, and other high-profile problems.
No doubt about it, having the account data for a service you use leaked is a privacy problem that reveals your personal information to strangers and anyone out there mining leaked data dumps. It would be less than ideal to have your readily identifiable firstname.lastname@example.org (or any email that can be easily linked to your real identity) appear in a file dump containing tens of thousands of emails.
Especially if that dump is from a service you’d prefer people didn’t know you used—whether that service was related to pornography, a support group for a mental health or medical issue you have, or anything else you wanted to keep private.
But that’s not the only way your email address can unmask information about you. Poorly designed login systems can reveal whether or not an email address is associated with an account. You know when you forget your password and use the Forgot Password link on a login portal? You put your email address in, you click submit, and you get some sort of feedback.
Properly designed login portals provide no identifying feedback. You might get a message like: “If that email address or login is associated with an account, you will receive an email with a password reset link.”
But poorly designed login portals give identifying feedback, indicating either that no account is associated with the email or that one is. If someone manually uses the forgot password function, you’ll receive a notice in your email inbox that they have done so.
But more troubling, many of these login portals are exploitable, and the validity of an email can be checked without triggering a full password reset request (so there would be no email sent to alert you that someone is probing the account for information about you). Automated tools like Holehe OSINT will probe hundreds of common services for whatever email@example.com you put in and return a list of results indicating whether each service has an account associated with that email.
The existence of the Holehe tool shouldn’t unsettle you as much as the existence of the exploit it is taking advantage of. Because of poorly designed login portals, it’s trivial for people to see if you have registered your email with a given service.
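The two forgot-password behaviours described above, shown as server-side Python handlers. This is an added example, not code from the original article; the account list, function names, and rate-limit numbers are assumptions made for illustration.

```python
import secrets
import time

REGISTERED = {"alice@example.com"}   # constructed sample accounts
OUTBOX = []                          # stands in for the outgoing mail queue
GENERIC = ("If that email address or login is associated with an account, "
           "you will receive an email with a password reset link.")
MAX_REQUESTS, WINDOW_SECONDS = 5, 3600   # assumed throttle settings
_recent = {}                         # client id -> timestamps of recent requests


def reset_leaky(email):
    """Poorly designed: status and message reveal whether the account exists."""
    addr = email.strip().lower()
    if addr not in REGISTERED:
        return 404, "No account is registered with that email address."
    OUTBOX.append((addr, secrets.token_urlsafe(32)))
    return 200, "A password reset link has been sent."


def reset_uniform(email, client_id, now=None):
    """Properly designed: identical response for known and unknown addresses."""
    now = time.time() if now is None else now
    hits = [t for t in _recent.get(client_id, []) if now - t < WINDOW_SECONDS]
    hits.append(now)
    _recent[client_id] = hits
    if len(hits) > MAX_REQUESTS:
        # Throttle automated probing; the answer is the same for every address.
        return 429, "Too many requests. Try again later."
    token = secrets.token_urlsafe(32)    # generated on both paths
    addr = email.strip().lower()
    if addr in REGISTERED:
        OUTBOX.append((addr, token))     # only the mailbox owner learns the result
    return 200, GENERIC


def distinguishable(handler, known, unknown):
    """Regression check: True if the visible responses differ."""
    return handler(known) != handler(unknown)
```

The same uniform-response rule has to hold for sign-up and login forms too, or the address can still be checked there without any reset email being sent.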
How to Avoid Your Email Login Becoming a Privacy Nightmare
If you read over the previous section with an uneasy feeling and dislike the idea that somebody could piece together where you’ve been on the internet in such a stealthy fashion just because they know your email address, we hardly blame you.
Even though online privacy is an illusion in many ways, we all want to do as much as we can to maintain our privacy. So let’s look at how to handle this email privacy issue from a bad, better, and best practice perspective.
While we’re focused on the idea of email logins because they have much bigger privacy implications than other things, you can apply this general thinking to literally everything you use your email address for: newsletters, store coupons, and so on.
Bad: You Use Your Personal Email for Every Login
Far too many people find themselves in this situation, and if you’re reading this article and it’s how you do it, then you’re certainly in a large crowd.
But using your personal email address as a login for everything you sign up for is a terrible practice. Even putting aside the privacy implications we’ve already outlined here, it eventually leads to an inbox full of spam emails and difficulty controlling who or what has access to your email.
If you take away nothing from this article, we hope you take away what a privacy-endangering practice this is (and hopefully, you adopt the practices we suggest in the next sections).
Better: You Use a Throwaway Email for Sensitive Logins
At the bare minimum, everyone should have a throwaway “junk” email address (or ten!) that they use for services, subscriptions, forums, and other things they don’t want to associate with their primary email address and identity.
Do note that this isn’t the same as using a temporary disposable email address to get a coupon code or some such thing. This is setting up a separate email you use for whatever purpose (adult content, participating in a forum focused on a medical issue you’d like to keep private, etc.) and that purpose alone.
Best: You Use an Email Alias Service for Every Login
Setting up a few junk email addresses to use in place of your real primary email address is a viable strategy, but it’s not the best strategy. It’s easy to end up using the same email addresses for so many services that what started as a “junk” email address just for a few things becomes almost like a secondary and easily identifiable email that gets as much use as your primary email.
The ideal solution is to use an email alias service. An email alias service allows you to create and manage unique email addresses you can use for different purposes. You can use a single alias for a single site or use it for a few sites as part of a particular hobby or niche interest.
Instead of limiting yourself to either using your primary email or whatever “junk” secondary email you’ve set up, you can use many unique aliases for whatever service you wish, turning them on and off at will or deleting them entirely to “memory hole” the entire identity built up around that particular email.
Apple users can lean on Apple’s Hide My Email relay service. You can also use DuckDuckGo’s Email Protection service or ProtonMail’s SimpleLogin email alias service. If you’re a 1Password user, you might also consider looking at FastMail. In 2021, 1Password partnered with FastMail to integrate the service directly into its password manager for seamless on-the-fly email aliases.
Whatever service you use for email aliases, however, we strongly encourage you to start using it today. Whenever you sign up for a new service, use an alias. And whenever you log into an existing service that relies on your personal email address, consider switching it over to an alias. In short order, you’ll have liberated your personal email address and put a wall of email aliases between you and the people who would chip away at your privacy.
And while you’re thinking about private communication and privacy in general, now’s the perfect time to look at the best ways to send encrypted emails, the benefits of a secure email service like ProtonMail, and to consider incorporating a good VPN into your routine.