Wednesday, May 12, 2004

Gmail lacks basic privacy protections: missing timeout and multiple IP detection

The privacy community and legislators continue to miss two basic design flaws in Gmail: it has no session timeout, and it does not detect when you are logged in from more than one computer.

Scenario one: you log into a public terminal -- say in a public library or a cybercafe. You forget to click the Sign Out button, and you get up and leave.

The next person who walks up to that terminal now has your entire life at her fingertips -- years of e-mail, efficiently searchable. Your life history remains exposed as long as that computer is turned on and the Web browser remains open. The session never expires.

Scenario two: you visit your boss or a colleague and quickly check your Gmail for that report you mailed last week. You forget to sign out. When you go back into your own office, you sign back into Gmail. Everything seems perfectly fine. But the other Gmail session is still active. In fact, it's automatically updating your Inbox listing. Your boss can read your new mail, search your old mail, or even send new messages from your mailbox -- indefinitely. You have no way to close his view into your life, and, if he doesn't send or delete, you have no way to detect it.

Gmail's rivals figured these exposures out eons ago, and implemented session timeouts and multiple login detections as remedies. While the privacy community wails over a robot serving up relevant ads, they're missing the entire point.

As a Gmail beta tester, I dutifully reported these flaws to Google. They haven't responded. These flaws shouldn't be hard to fix. Because Gmail can expose years of your life, Gmail should "time out" aggressively -- maybe after only 15 minutes of inactivity. If you time out, Gmail should prompt for your ID and password, and resume your session. (It should not log you out and send you back to a fresh login.)

It should be easy for Gmail to detect when you log into a second session. How should the Gmail system react? At a minimum, it should log out the first session -- the one you left logged in for the boss to read.
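To make the two remedies concrete, here is an added example of a minimal server-side session store implementing both: an idle timeout that locks the session and asks for the password again while keeping its state (so a half-written draft survives re-authentication), and a single-session rule under which a fresh login revokes every earlier session for that user. This is illustrative code written for this post, not Gmail's or any webmail provider's implementation; the `verify` credential check and the injectable `clock` are assumptions so the idle expiry can be exercised offline.

```python
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before re-auth is required

@dataclass
class Session:
    user: str
    token: str
    last_seen: float
    locked: bool = False   # idle-expired: needs the password again, state is kept
    draft: str = ""        # per-session state a re-auth must preserve

class SessionStore:
    def __init__(self, verify, clock=time.time):
        self.verify = verify        # assumed: verify(user, password) -> bool
        self.clock = clock          # injectable clock so expiry is testable
        self.sessions = {}          # token -> Session

    def login(self, user, password):
        if not self.verify(user, password):
            return None
        # Single-session policy: a fresh login revokes every earlier session of this user.
        for tok in [t for t, s in self.sessions.items() if s.user == user]:
            del self.sessions[tok]
        s = Session(user, secrets.token_urlsafe(32), self.clock())
        self.sessions[s.token] = s
        return s

    def access(self, token):
        """Call on every request: 'active', 'reauth_required' or 'invalid'."""
        s = self.sessions.get(token)
        if s is None:
            return "invalid"
        now = self.clock()
        if s.locked or now - s.last_seen > IDLE_TIMEOUT:
            s.locked = True            # expire, but keep the session and its draft
            return "reauth_required"
        s.last_seen = now
        return "active"

    def reauth(self, token, password):
        """Resume a locked session in place instead of bouncing to a fresh login."""
        s = self.sessions.get(token)
        if s is None or not self.verify(s.user, password):
            return None
        s.locked, s.last_seen = False, self.clock()
        return s
```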

1 comment:

Rubes said...

Apparently someone at Google was listening to you (if not me). My session timed out today, but I was not informed, so I kept typing, for say, another hour. When I hit send for the e-mail that I'd worked so hard on, it told me, "We signed you out," and sent me to the log-in screen.

I thought, "Surely it would have saved my e-mail," but no. My e-mail was reduced to a single paragraph.

It was not remotely helpful that there was no place to report this problem, either. I routinely write long, well-researched e-mails, and the thought that I can't do so without timing out -- can I stress this enough? -- with zero, zilch, not a drop of notification is completely appalling. Almost appalling enough to revert to Hotmail. And if it happens to me again, I will do exactly that. No more will I ever click on your Ad-non-sense links at the top of my mail, Google.

And to think, I used to be a devotee. I have been researching Gmail problems all day long, and there are some real winners. I am pretty ticked. Next time you talk to them, please let them know, K? Because they won't take my e-mails.