Wednesday, May 12, 2010


Email, IP addresses, and privacy

Facebook has some nasty privacy-violation things going on, and it just gets worse over time, as they eat more and more into what the users have control of, taking the control away. They’re getting a lot of bad press about it, including some high-profile recommendations to bail out of Facebook entirely, and groups developing alternatives. The Facebook privacy thing has gotten bad. Really bad.

But that doesn’t mean everything is a privacy violation. Last week, Xeni, at BoingBoing, posted about how Facebook “exposes” your IP address when you send mail:

As Matt points out in the blog post, this may not be the most onerous of Facebook’s privacy problems, and it’s certainly not the only one. But no good purpose for users is served by leaking user IPs, and there are many good reasons not to. Facebook, get your shit together for chrissakes.

And Facebook has “fixed” it, as of last weekend; this from Facebook’s Barry Schnitt, in the BoingBoing comments:

We originally included IP address information in these email headers as part of industry best practices designed to improve spam filters. This is similar to what many webmail providers do. However, we agree this practice no longer makes sense for Facebook and we’ve discontinued it. Thank you for bringing this to our attention.

The thing is, the reason they included it was exactly right. They did have “their shit together”, and they’ve now broken the normal audit trail that exists in email for various trace purposes, including abuse tracking. Email standards specify that a “Received:” line be added to the email headers each time a message is passed from one place to another. Including the sending computer’s IP address in the “from” clause of the first “Received:” line is not considered a “privacy violation” in any other context.

For example, here are the operative lines from each of a number of different messages I have in my inbox now. I chose ones sent by a variety of webmail systems, as well as a couple sent using “traditional” email programs (Outlook and Thunderbird, here). I’ve obscured the IP addresses, as well as any other information that might point to the senders... but the addresses in my inbox are real, and give me the identities of the senders’ Internet service providers and the senders’ geographic locations.

AOL webmail
Received: from by
        ( with HTTP (WebMailUI);
        Wed, 05 May 2010 11:17:04 -0400
Yahoo! webmail
Received: from [] by via HTTP;
        Mon, 10 May 2010 15:06:12 PDT
webmail
Received: from [] from with HTTP;
        Mon, 10 May 2010 22:56:47 -0400
Gmail webmail
Received: by with HTTP; Wed, 5 May 2010 02:02:24 -0700 (PDT)
Gmail Thunderbird
Received: from xxxxxxxxx ( [])
        by with ESMTPS id xxxx.xxxx.xxxx
        (version=TLSv1/SSLv3 cipher=RC4-MD5);
        Wed, 05 May 2010 04:39:32 -0700 (PDT)
Earthlink, Outlook
Received: from [] (helo=xxxxxxxxxx)
        by with esmtpa (Exim 4.67)
        (envelope-from <>) id xxxx-xxxx-xxxx
        for xxxx@xxxx.xxxx; Sat, 08 May 2010 15:50:40 -0400

As you can see, only Gmail’s web interface chose to omit the “from” clause, and did not “expose” the sender’s IP address. In all other cases, the information is there. And, in fact, the lack of it in the Gmail web message means that for mail sent that way, the sender’s IP address and ISP can’t be used as filtering criteria, and it’s harder to do forensic analysis to track down abuse (spammers, phishers, and so on) because one needs Gmail’s cooperation.
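As an added illustration (not part of the original post), here is a small Python routine that walks a message’s “Received:” chain from the origin outward and reports the IP address in the first hop’s “from” clause, or, when that clause is absent as in the Gmail web case, how many relays deep the first visible address sits. The header samples are constructed, using RFC 5737 documentation addresses and placeholder hostnames.

```python
import re
from email import message_from_string

# Constructed sample headers (not from the post). Addresses are from the
# RFC 5737 documentation ranges; hostnames are placeholders.
WEBMAIL_MSG = """\
Received: from mx.example.net (mx.example.net [203.0.113.7])
        by inbox.example.org with ESMTP id abc123;
        Mon, 10 May 2010 15:06:20 -0700
Received: from [198.51.100.23] by web.example.net via HTTP;
        Mon, 10 May 2010 15:06:12 PDT
"""
# Same shape as the Gmail web-interface line in the post: no "from" clause.
NO_FROM_MSG = """\
Received: from mail.example.com (mail.example.com [203.0.113.9])
        by inbox.example.org with ESMTPS id def456;
        Wed, 5 May 2010 02:02:30 -0700 (PDT)
Received: by 10.0.0.1 with HTTP; Wed, 5 May 2010 02:02:24 -0700 (PDT)
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_CLAUSE = re.compile(r"^from\s+(.*?)\s+(?:by|with|via)\s")

def unfold(value):
    """Collapse RFC 5322 folded whitespace into single spaces."""
    return " ".join(value.split())

def hop_ip(received):
    """IPv4 address named in one Received: value's "from" clause, else None."""
    m = FROM_CLAUSE.match(unfold(received))
    if not m:
        return None  # e.g. "by ... with HTTP": the clause was omitted
    ip = IPV4.search(m.group(1))
    return ip.group(1) if ip else None

def originating_ip(raw):
    """Walk the Received: chain from the origin outward and return
    (ip, hops_from_origin). Received: lines are prepended at each hop, so
    the origin is the LAST one. Depth 0 is the sending computer itself;
    depth 1+ means only a relay (e.g. the webmail provider's server) is
    visible, and tracing further needs that provider's cooperation."""
    hops = message_from_string(raw).get_all("Received") or []
    for depth, received in enumerate(reversed(hops)):
        ip = hop_ip(received)
        if ip:
            return ip, depth
    return None, len(hops)
```

Only the “Received:” lines your own mail server added are authoritative; earlier hops were written by other parties and can be forged, so treat the reported origin as a lead, not proof.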

Facebook can certainly choose not to include that information (and as it goes, it was included in a non-standard way, anyhow, with an “X-Facebook:” header field, rather than a “Received:” header field), but including it should not have been thought of as a privacy violation.
