Email Aliasing is a Great Privacy Tool


Using the same email address everywhere isn’t helping you be more private. But short of creating multiple new mailboxes and subsequently managing them – what can you do?

Your personal email address is a unique – and reliable – identifier. This is regardless of what email provider you may use – whether a typical one or an encrypted, privacy-friendly email provider.


Think about it… many users likely use the same email everywhere, for everything like:

  • bank accounts
  • insurance accounts
  • social media
  • newsletters
  • ecommerce accounts/purchases
  • forum registrations
  • resumes
  • personal communications

… and everything in between.

This same email address may even be involved in data breaches and data leaks. Data breaches generally occur when a service/provider suffers a cyberattack and user/employee/personal information is stolen or otherwise compromised; data leaks are similar, but don’t necessarily result from a cyberattack – an organization could inadvertently directly expose sensitive/personal data from their systems, often available publicly.

In either case, given the ubiquity of collecting email addresses, using them for account creation, and as general purpose identifiers, they are often exposed (alongside other data) in these breaches and leaks. Keep in mind data breaches/leaks are just one way your email address could be exposed – many services may share your information, which can include your email address, with data brokers, partners, affiliates, and contractors.

Thus, by “following the email address” you can be relatively easy to track and target for marketing, general spam, scam attempts, or phishing attempts alike.


However, creating and then subsequently managing a bunch of different inboxes for different uses or use cases can be difficult and frustrating. Enter the email alias (or forwarder)!

Note: Some email providers may provide aliasing capabilities, though these capabilities may vary.

Generally speaking, an email alias is a forwarding email address. Emails sent to the alias are automatically forwarded to another email address. You do need an email account (an inbox) to use forwarders/aliases.


There are different forms of email aliasing: plus addressing (+aliases) and unique/custom aliasing. Plus addressing is also called subaddressing. Though, to be fair, when “email aliasing” is mentioned, generally it is in reference to unique aliasing – a unique address forwarding to an email inbox.

While useful for organization, plus addressing isn’t that great for privacy. This is because plus addressing still uses the email’s “root,” which is easily discernible. Take for example this list of plus addresses:

For each plus address, the actual email is easy to figure out for just about anyone: .


As a result, you may still find this email address on marketing lists, spam lists, combolists (where the email is commonly paired with leaked/cracked passwords), among others. Naturally, the more places it is used (especially for important accounts), the more it is tied to your identity online and off.
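The point about the discernible root can be shown in a few lines. This is an added example, not part of the original post: the addresses, the `alias.example` domain, and the function names are constructed for illustration, and lowercasing the local part is an assumption about how most providers treat case.

```python
from collections import defaultdict


def plus_root(address: str) -> str:
    """Return the address with any +tag removed from the local part."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    base = local.split("+", 1)[0]
    if not base:
        # "+tag@domain" has nothing before the plus, so no root to recover.
        base = local
    # Assumption: the provider treats the local part case-insensitively.
    return f"{base.lower()}@{domain.lower()}"


def group_by_root(records):
    """Map each recovered root to the set of services where it was used."""
    groups = defaultdict(set)
    for service, address in records:
        groups[plus_root(address)].add(service)
    return dict(groups)


def linked_services(records):
    """Largest set of services that share one recovered root."""
    return max(group_by_root(records).values(), key=len)


# Constructed sample data: the same three sign-ups, done two ways.
PLUS_SIGNUPS = [
    ("bank", "jane.doe+bank@example.com"),
    ("shop", "jane.doe+shop@example.com"),
    ("forum", "Jane.Doe+forum@Example.com"),
]
ALIAS_SIGNUPS = [
    ("bank", "bank.k3x9@alias.example"),
    ("shop", "shop.p7q2@alias.example"),
    ("forum", "forum.m1z8@alias.example"),
]

if __name__ == "__main__":
    print(group_by_root(PLUS_SIGNUPS))   # one root, three services
    print(group_by_root(ALIAS_SIGNUPS))  # three roots, one service each
```

With plus addressing, all three sign-ups collapse to a single root; with unique aliases, nothing in the address itself ties them together.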

… and it has non-privacy benefits too. The privacy benefits of custom aliasing primarily stem from the fact that third parties won’t know your actual email address.

Phishing and spam often go hand-in-hand, though some “legitimate” or otherwise non-malicious entities certainly engage in spam or spam-like tactics.

The primary benefit of using email aliases is reducing spam and phishing attempts. As mentioned previously – think about what your personal or “primary” email address is tied to. By extension, your email address may be sold, exposed (ex: data breaches or data leaks), or leaked to other parties outside of the party you shared your email with.


It’s difficult to prevent spam – which may include cold-outreach emails and some marketing tactics – when your email address is, well, known. This can happen in a variety of ways (as described in the previous paragraph). With an alias, once you begin receiving spam, you can simply disable that alias, rendering it inactive; you won’t receive the spam.

Likewise, if you begin receiving phishing emails – especially in the aftermath of a data breach – you can disable the alias, thus eliminating delivery of phishing emails to your inbox. This can reduce the possibility you fall for a phishing attack; email remains a common and effective phishing vector. Phishing attempts often come as spam but can also be more targeted, leveraging publicly available information or information leaked in data breaches to make the lure more believable.

As mentioned earlier, users can be easily tracked by their email address. Many people have the same email for years – which is fine – but this same email address has probably been used across many different accounts, services, ecommerce purchases, newsletters, personal correspondence, etc. In some cases, “people search websites” – often owned by data brokers – may even list this email!


Long-term and widespread use of a single email address likely means it has been disclosed to many entities and may have been disclosed even further, without your expressed knowledge. For example, you may make a purchase from an ecommerce store and be automatically opted in to receiving emails from them. In an effort to (re)target users via advertising to drive more sales, they may take their email list and share it with other marketers or advertisers. This is not a hypothetical example; BetterHelp was exposed for doing almost exactly this and more.

How does using an email alias help here? By using aliases across different accounts, you begin breaking the association of your identity with a single email address. This can make it harder to track your activity across different platforms.


Of course, if other collected/provided identifiers are consistent (such as an address or a phone number), correlations can be drawn. But this doesn’t necessarily negate the effectiveness of decoupling your identity from a single email address.

Similarly, if a service/provider manages to compromise your email address, you can disable the alias.

SimpleLogin, addy.io, and DuckDuckGo Email Protection are email aliasing tools designed to make generating and using email aliases easier.


SimpleLogin is an open source email aliasing service. Users can both receive and send emails with aliases created using SimpleLogin. It has support for custom domains.

SimpleLogin was acquired by Proton in April 2022. Users can still sign up to SimpleLogin separately…

*** This is a Security Bloggers Network syndicated blog from Avoid The Hack! authored by Avoid The Hack!. Read the original post at:
