Security

CONSUMER REPORT

Price of Free Internet Mail Might Be Too Costly

Using e-mail for personal and business correspondence has become as commonplace today as the VCR and the office water cooler. All three items are often taken for granted. Consumers have come to expect certain constants when it comes to computing: antivirus and firewall software are must-have security tools and e-mail should be free.

The notion of free e-mail is reinforced by two major factors. Internet service providers give subscribers multiple mailboxes for the price of the monthly Internet connection. Web site information and search portals lure users to become repeat visitors by plying them with offers of free Web-based e-mail accounts.

The term “free e-mail,” however, means one thing to e-mail operators and quite another to consumers and businesses who accept the come-on for a free e-mail account. So-called free e-mail accounts are not truly free. Users often pay for the mail service without parting with their dollars and cents.

The true cost of free e-mail service, computer security exerts warn, is the loss of privacy and exposure to greater risk of virus and spyware infiltration.

Web-Based Versus ISP-Based E-Mail

“Users of Web-based e-mail end up paying for their free service with advertising bombardments,” Guy Morgan, CEO of Farm9, a managed Internet security services company, told the E-Commerce Times.

To the unaware consumer, there appears to be little difference in e-mail provided by a consumer’s Internet service provider (ISP) and mail that is delivered through a Web-based e-mail service. Deciding which type of e-mail to use is often made on the basis of convenience and circumstance.

A consumer or employee who rarely leaves the home or office computer does fine with ISP-based mail. When travel from the main computer is required, consumers can usually reach their mail by accessing the ISP’s Web site. Even ISP’s like AOL that have their own software-based client let subscribers dial in from a guest location to check e-mail.

Using a Web-based free e-mail service like Google, Yahoo, AOL’s Netscape or Microsoft’s Hotmail provide constant access to e-mail from any Internet-tethered computer. These make ideal choices for users who don’t have a home- or office-based computer. Web-based e-mail is also an option for subscribers to other services who want secondary e-mail addresses for different purposes. Some computer users also prefer not having their e-mail stored on one computer in a dedicated mail client such as Microsoft Outlook, Microsoft Outlook Express or third-party software such as Eudora Mail.

“Another major downside to using Web-based e-mail is the lack of customer service,” said Leeron Kuller, vice president of marketing at IncrediMail.

Differences Abound

“ISP and Internet e-mail services are different,” according to Farm9’s Morgan. “Those differences evolve around three categories.”

One of the biggest differences among e-mail purveyors is the privacy policy. When it comes to free Internet e-mail, one size definitely doesn’t fit all. Web-based privacy policies can vary dramatically, Morgan said.

All Web portals include advertising within the e-mail service. Some attach ads to the message display screen. Usually, the ads are not focused on preferred user services. Internet e-mail providers encourage subscribers to upgrade to larger message limits or ad-free e-mail.

Transportation methods and encryption procedures also vary greatly among the different Web-based e-mail services. Virus scanning is a given for most but not all services. However, none of them uses secure encryption such as SSL, Morgan said.

Protocol standards are not universally applied with Internet-based e-mail systems. IMAP, SMPT and other protocols are industry standards in computer-based e-mail clients. But e-mail portals use their own customized applications that generally do not meet industry standards. So the security risk, especially from spyware, is much greater with a Web-based e-mail account.

Easier To Spam

Publicizing one’s e-mail address on the Internet provides fodder for scavenger programs that mine addresses for junk mailing lists. When the e-mail address resides on a public (aka free) e-mail server, subscribers can expect to be inundated with junk mail. Unlike computer-based e-mail clients, third-party spam filters don’t work. Subscribers to the free Web-based e-mail accounts must rely on whatever mail filtering software the portal provides.

Therein might be one of the biggest obstacles to using Web-based e-mail services. Mail filters used by ISP’s and enterprise mail servers often flag legitimate mail sent by subscribers of a Hotmail or Yahoo account as being spam.

“There is still a stigma in business for these public Internet mail systems,” Morgan said. “They make it very easy for someone to mask an identity from a corporate server or other ISP mail system.”

Privacy Controversy

One of the biggest controversies involving free e-mail involves Google’s new G-Mail. Initial accounts of the service explained that Google would scan subscribers’ e-mail to determine the best mix of targeted advertising to send. Google claims that its practice is not much different from what other Internet e-mail providers do.

“In personal e-mail communications, there has always been, and always should be, an expectation of privacy between the sender and the intended recipients of a message, enabling open communication with friends, colleagues, family and others,” Google declares in its privacy statement.

It continues: “Privacy is compromised, however, if personal information or private e-mail content is shared with parties other than the sender and intended recipients without their consent. This is not the case when people use G-Mail. Google does not share or reveal e-mail content or personal information with third parties. E-mail messages remain strictly between the sender and intended recipients, even when only one of the parties is a G-Mail user.”

According to Google, showing relevant advertising in its e-mail delivery gives subscribers more value than merely displaying random pop-ups or untargeted banner ads. Its G-Mail system adds text ads and links to related pages that are relevant to the content of the senders’ messages.

“The links to related pages are similar to Google search results, and are culled from Google’s extensive index of Web pages. They are selected solely for their helpfulness and are not paid advertisements,” according to the Google policy statement.

Morgan urged consumers to read the privacy statements and decide if giving up their privacy is too big a price to pay for “free” e-mail services on the Internet.

Security Risks

A striking example of the kinds of security risks subscribers to Internet-based e-mail services face occurred in late August. California-based secure content management firm Finjan Software discovered a new critical cross-site scripting vulnerability in Yahoo’s popular Web-based e-mail service.

Cross-site scripting occurs when hackers embed malicious JavaScript code into a site’s dynamically generated pages, affecting the machine of any user that views that site.

The vulnerability could have potentially allowed a worm to read users’ Windows address book, replicate and send itself to all of the users’ contacts and have this process repeat itself at an exponential rate. It could have also harvested e-mail addresses from local files and use the Yahoo Web mail vulnerability to send the e-mail messages.

“Many organizations are adequately prepared for e-mail attacks, but few are prepared for Web-based attacks that exploit the browser,” Shlomo Touboul, founder and CEO of Finjan Software, said. “Web-based attacks can be just as damaging as e-mail-based attacks, and proactive behavior-blocking technology is the most effective way of protecting against them.”

Client-Based Alternative

IncrediMail started offering free e-mail five years ago and has grown to more than 40 million users. The service might offer the best of both e-mail worlds.

IncrediMail is a stand-alone e-mail client for Internet mail. The e-mail client provides numerous enhanced features that include junk mail filters, 3-D graphics for dressing up the appearance of messages, and animated notifications for incoming mail. It handles mail in HTML format.

The company advertises that its service is available worldwide. However, the e-mail client must be installed on whatever computer is used to access the IncrediMail server.

The software can be configured to retrieve mail from a user’s Hotmail account or ISP mail server. The free version, which includes most of the company’s services, has advertising banners, but the premium version is advertising free. The premium version has a one-time fee of US$29.95.

“We use a White List for mail security. Quarantined mail is placed in a folder on our server. Subscribers can view mail on our server but not get it in their computers. This eliminates bad e-mail,” IncrediMail’s Kuller said.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by Jack M. Germain
More in Security

E-Commerce Times Channels