Who Best Safeguards the Privacy of Your Web Mail?

Privacy Watch image
Illustration: Harry Campbell
Search engine privacy policies are improving, but e-mail contains far more sensitive and personal information than searches do.

To find which free service does the best job of protecting your Web mail privacy, I dug into the policies of the big three--Google, Microsoft, and Yahoo--to see what information each company collects, how it uses that information for things like targeted ads, and how long deleting an e-mail really takes.

In terms of what gets saved when you use the service, Microsoft came out on top. It typically doesn't record IP address, log-in time, or other user-specific information in its logs, says Brendon Lynch, its director of privacy strategy. Both Yahoo and Google collect that type of data, along with your browser and what you clicked on the page.

However, Google asks for the least amount of personal information when you sign up: just your name and the country you live in. Yahoo and Microsoft ask for your name, gender, birthday, and zip code. (Of course, you could say that you're 107 and live in Mongolia.)

Yahoo and Microsoft use some of that data to display targeted ads. According to Lynch, Microsoft masks personal information such as your name and e-mail address, and then combines demographic data like your zip code with data from third parties.

Yahoo didn't disclose its full procedure, but it too uses demographic information that has been aggregated with third-party data to send you advertisements. Anne Toth, the company's senior director for privacy policy, says that might mean using census data to determine the median income of people in your zip code before deciding what ads to show you. Neither Yahoo nor Microsoft introduces third-party data into your saved user information.

Google approaches ad selection differently: When you read e-mail, Gmail scans for keywords in the message and displays ads based on those keywords. The one-time scan is automated, and nothing is saved, says Peter Fleischer, global privacy counsel for Google.

But Google may take up to 60 days to completely remove that "Vegas was great" e-mail from its servers after you delete it. In contrast, Microsoft takes three days or less; and Yahoo says that, though removing the actual e-mail content may take a short while, the information becomes dissociated from your account almost as soon as you delete it, such that not even Yahoo could retrieve it.

The time-to-delete can be a factor with subpoenas, for instance. Procedures vary in criminal cases, but all three companies say that they notify customers anytime a civil subpoena (in a divorce case, for example) requests copies of e-mail, and give the user time to respond before handing over the data. For Hotmail, the grace period is two weeks. Google waits 20 days, and Yahoo waits 15.

Since Google asks for less up-front and makes the least use of demographic and personal information, I credit Gmail with having the best Web mail privacy policy. But it's not a hands-down victory, because the company takes so long to eradicate e-mail messages that you want gone. Microsoft, meanwhile, scores points for not saving user-specific data on visits in its Web server logs.

Subscribe to the Security Watch Newsletter

Comments