The email problem no one is talking about: mistaken identity

This post is part of Me, online, Mashable’s ongoing series digging into online identities.

In 2009, a San Francisco web strategist named Tim — last name withheld for reasons that will become clear — opened his Gmail to find a message from a Build-a-Bear workshop in St. Louis. The email was addressed to someone called Tamara. 

That’s odd, thought Tim, but thought little more about it. Days later he received an email directed at someone called Toby. It contained photos of a family eating an Easter meal with, his correspondent assured him, “lots and lots of BACON!” 

So far so mundane. But the misdirected emails — for Tyrells, Terrys, Thomases — kept coming at an alarming rate. They often contained the kinds of things you really don’t want shared with strangers: hook-up notes (“I got a bottle so we could drink and I’m putting on a dress”), medical records, divorce papers, real estate deals, demands from a debt collector, a request from a police officer for his license plate, even an autopsy report. 

Tim keeps a folder in his Gmail now, purely for the more random, weird, indiscreet ones he’s received over the last nine years. The folder currently contains 1,355 messages. 

“At first I would write back and say ‘you have the wrong email,'” says Tim. But sometimes the correspondent would keep bugging him: Okay, what’s the right email? The debt collector kept hounding him regardless. These days, with the misdirected emails coming at the rate of one a day, he simply deletes or sends them to spam.

Cases of mistaken identity like this are becoming more common as more people around the globe acquire email addresses — and more of their correspondents misremember or mistype them. But so far as we know there are no email providers, much less startups or security researchers, working to solve the problem. Unlike with spam, there isn’t even a catchy name for it. 

For many recipients, the problem is amusing at best and irritating at worst. Some misdirected emails can even be useful. (One Mashable editor receives regular discount coupons from a liquor store intended for someone else; she invariably uses them.) 

Yet the risk is real. Not just the risk of personal embarrassment when a stranger sees your family photos or love notes, but the risk of identity theft when they see your bank records, mortgage application, divorce decree, or any other of the astonishing amount of personal documents we send via the internet these days. 

Examples are everywhere. You don’t have to look very far on message boards for Microsoft or Apple to find people locked out of their accounts when a security code was sent to the wrong address. In 2016, the National Australia Bank admitted sending emails containing account numbers for some 60,000 customers to the wrong address. The cause? “Human error.”  

No confirmation required

I could empathize with Tim’s problem because it was mine, too. We’d both heard about the arrival of Gmail before it launched in April 2004. We’d both rushed on day one to grab Gmail accounts based on our first initial and last name. We both celebrated our good fortune at the time, not realizing the tangled web that would await years later when you have a common initial-last name combo.

For me, it’s been a long decade and a half of fielding emails for what seems like every Chris, Charles, Cynthia, Claire, Clare, Christian, Catherine and Cheryl Taylor on the planet. I’ll often wake up to discover a flurry of follow-up emails from auto dealerships in North Carolina — this seems to happen in the Carolinas more than other states, for some reason — and surmise that yet another Charles Taylor has gone car shopping and misremembered his email address. (Or worse, he deliberately fobbed those pesky salesmen off with a Gmail address that sounded like it could be his.) 

Like Tim, I’ve given up trying to respond and mark most of these emails as spam, even though that doesn’t quite describe what they are. And even that doesn’t fix the problem, because there are invariably more email newbies making fresh mistakes. It isn’t the greatest thing for productivity; I probably spend a good half-hour of every day extracting misdirected missives from my poor beleaguered inbox.

If that’s all it was, I’d be relatively fine with it. The even larger problem is this: Many popular online services don’t require proof that your email says what you say it is — or they treat “ctaylor” and “c.taylor” as different addresses, whereas mail providers like Gmail treat them as one and the same. 

That means you can sign up for Instagram, say, with someone else’s email address, and they’ll be hit with annoying messages from that day forward. Years ago, someone signed up for Instagram with my email address — or at least, the c.taylor version. Occasionally they’ll try to log in, and guess where the reset code is sent? 

PSA: My actual Instagram account is @futurechris.

PSA: My actual Instagram account is @futurechris.

Meanwhile, someone named Lloyd Taylor successfully signed up for an Apple ID using my Gmail address. (I used a pre-existing account for my Apple ID.) He requests a password reset that gets sent to my email with such regularity, about once every two weeks, that I assumed it was part of some elaborate phishing expedition. 

To its credit, when I contacted the company for this story, Apple was able to confirm that Lloyd is for real. As I write, Apple reps are going through the process of disentangling my address from his account. 

How common is this problem? I asked Twitter, and 56% of those who replied said they’d never encountered it in their own digital lives. But that means a whopping 44% did. 

Granted, it’s not a scientific poll, and more study is needed. But given that there are an estimated 4 billion email accounts in the world (owned by roughly 2 billion people), if 10 percent of people are encountering this problem “all the time,” that’s up to 200 million people affected. This is a hell of a problem for something that doesn’t even have a name. 

I didn’t even have to look that far. My wife Jess has a similar issue, even though she doesn’t have a common last name like me or Tim. And she was smarter than both of us, reasoning at the time that merely using her first initial in the account would bring her more misdirected email than she bargained for.

Then in 2010, a woman with the exact same name in Vermont, evidently disappointed by being beaten to the account, signed up for an email using “Jes” rather than Jess. Ever since, it seems, almost everyone emailing that Jess reached my Jess by mistake — especially since the rise of autocorrect. 

West Coast Jess has received dozens of wedding planning emails, job applications, rental contracts, Comcast logins, orthodontic and hospital appointments for Vermont Jess’ kids, and a hospital ID login. She emailed “Jes” directly, who didn’t seem to see the problem. She tried emailing her correspondents, but found the same thing that Tim and I discovered: Whereas you can say the words “wrong number” and people will understand you when they call, you don’t get the same reaction when you write back and simply say “wrong email.” 

“People think you’re crazy for pointing it out,” Jess says. “They’re adamant that they’ve reached the right person.”

This is where technology could help. Gmail has a button that lets us easily report spam — and unsubscribe from annoying lists — with two clicks. How about a button that will have Gmail write a form letter back to the correspondent, explaining that they have not reached the person they think they’ve reached, to check their records and try again, and maybe don’t hound this person for debt payments?

It’s an interesting concept, but we’re going to have to wait to find out whether Google is interested in implementing it. When I contacted the company for this story, I was told that the Gmail product team is “all heads down” in advance of Google Cloud Next, a conference that isn’t happening for another month from now, and an official “no comment.” 

If and when Gmail and other email providers get around to implementing a fix for the mistaken identity problem, let’s just hope those press releases make their way to the intended inboxes. 

from Mashable!