Privacy and security often stand and fall with a password. Keeping one’s passwords secret is therefore very important, even more so with regard to services carrying a high risk of abuse.
Email accounts are one important example, since unauthorized access to one can reveal sensitive information such as private messages and contact information, thereby endangering not only the privacy of the account holder, but that of his or her contacts as well. (Of course, email encryption can add a layer of protection.)
Given the above, I was disappointed to see a popular social networking site incite its users to hand over their email passwords so that the site could log in to those email accounts and scan them for friends. — This, however, was only the beginning of the story. Consider the following (slightly abbreviated) email exchange (in which the Subject: line, throughout, contained the social networking site’s slogan for their “give us your email passwords” campaign):
From me to the social networking site:
Please do not incite users to give you their email passwords. Although I am sure that you treat such passwords responsibly, your example sets the scene for e.g. phishers to obtain similar information.
Additionally, the terms of service of many email providers prohibit users from disclosing their passwords to anyone. Thus, complying with your request might place such users in a disadvantageous position should they ever end up in litigation or some other dispute with the provider.
Their first reply:
[We do] not insist on the password you have with the email address. We require a valid email address and the password is of your choice.
Moreover, [we are] committed to handling customer information with the highest standards of security measures and it is not possible for someone to hack your information stored [in our service], unless he/she has your –– account password [for our site].
I hope this clarifies.
My reply to them:
In order for your system to log into a customer’s mailbox to find those friends, surely the customer needs to give you the correct password for that mailbox.
Please understand that regardless of how well you protect that password, it is wrong to convince users to give their passwords to any third party, because it is then easy for phishers and other criminals to exploit the situation, either through saying “we are [the social networking site]; give us your password”, or “since you can give your password to [the social networking site], of course you can also give it to us”.
Their second reply:
I understand your concern.
[We have] very robust Privacy (sic) and Security (sic) policies and we take enough measure (sic) to safe guard (sic) our customers (sic) data stored on our servers.
At that point, I gave up.
Those replies were sent from the abuse address of the social networking site. It is highly disturbing that even those people, who should be security specialists, seem to lack a basic understanding of fraud prevention. My main point, of course, was not whether the social networking site handles the email passwords of their users carefully, but above all that accustoming users to provide their email passwords to any third party whatsoever is dangerous and wrong!
What do you think? Please post your comments!