Earlier this year, Yahoo! announced they would recycle user IDs so “loyal users and new folks [could have] the Yahoo! ID they’ve always wanted.”
Though this announcement was met with some concern about potential security risks -- that personally identifiable information from the original user may be sent to the new user -- Yahoo! assured stakeholders they were “going to extraordinary lengths to ensure that nothing bad happens to our users.”
These extraordinary lengths included:
- User inactivity for a minimum of 12 months
- 30 days of messages notifying the user his/her account was going to be recycled
- Bounce messages relayed to senders to notify them that the account was deactivated
- Correspondence with brands such as eBay, Paypal, Amazon and Walmart to target email to current users
- A new header element, developed with Facebook, called the Require Recipient Valid Since (RRVS) protocol
Despite these efforts, some users still reported receiving emails that included personally identifiable information after recycled user IDs were released in August.
Though the percentage of these types of emails was very small -- small enough that Yahoo! would be able to reach out to many of the accounts individually -- Yahoo! is taking another step to reduce security risk: a new “Not My Email” button.
Set to roll out within a day or two, the “Not My Email” button will give owners of newly claimed email addresses the ability to return messages that were not for them. It will be accessible from the Actions tab in Yahoo! inboxes.
Photo acquired by TechCrunch.
The “Not My Email” button will help ‘train’ Yahoo! inboxes to recognize which email belongs to the new user rather than the previous Yahoo! ID owner. (This button is similar to the ‘This Isn’t Me’ button suggested here in Kelly Molloy’s humorous blog post.)
This new feature will assuredly improve the email experience for the user. However, it will not necessarily make it more secure because it relies on the honesty of the new user to tell Yahoo! the received email is not for him/her.
To help keep Yahoo! users secure, senders should consider using the Require-Recipient-Valid-Since protocol: a header element that ‘asks’ Yahoo! for the age of the account before delivering a message. (Senders should only insert this header in mail sent to Yahoo!.) For more about this header, see this Return Path blog post.
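The check this header enables, as an added example that is not from the original post or from Yahoo!: the sender stamps the date since which it has known the recipient, and the receiver compares that date with the date the current owner took over the mailbox. The header syntax follows RFC 7363; the function names, the example.com addresses, and the choice to ignore malformed or non-matching fields are assumptions of this example.

```python
from datetime import datetime, timezone
from email.message import EmailMessage
from email.utils import format_datetime, parsedate_to_datetime

RRVS = "Require-Recipient-Valid-Since"

def add_rrvs(msg, recipient, known_since):
    """Sender side: assert the date since which we have known this recipient."""
    msg[RRVS] = f"{recipient}; {format_datetime(known_since)}"
    return msg

def rrvs_decision(msg, recipient, owner_since):
    """Receiver side: owner_since is when the current owner took the mailbox.

    Returns "reject" when the mailbox changed hands after the sender's
    asserted date, otherwise "deliver".
    """
    for raw in msg.get_all(RRVS, []):
        addr, _, stamp = str(raw).partition(";")
        # Simplification in this example: case-insensitive address match.
        if addr.strip().lower() != recipient.lower():
            continue  # field refers to a different recipient
        try:
            asserted = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            continue  # malformed date: this example ignores the field
        if asserted.tzinfo is None:
            asserted = asserted.replace(tzinfo=timezone.utc)
        if owner_since > asserted:
            return "reject"  # sender's relationship predates the current owner
    return "deliver"

if __name__ == "__main__":
    # Constructed sample: the sender has known jane@example.com since May 2012.
    msg = EmailMessage()
    msg["To"] = "jane@example.com"
    msg["Subject"] = "Your account statement"
    add_rrvs(msg, "jane@example.com", datetime(2012, 5, 1, tzinfo=timezone.utc))
    print(msg[RRVS])
    # Mailbox recycled to a new owner in August 2013: the message is not for them.
    recycled = datetime(2013, 8, 15, tzinfo=timezone.utc)
    print(rrvs_decision(msg, "jane@example.com", recycled))
    # Same owner since 2010: safe to deliver.
    original = datetime(2010, 1, 1, tzinfo=timezone.utc)
    print(rrvs_decision(msg, "jane@example.com", original))
```

A message with no such header is delivered as usual, so the protection applies only to mail from senders that add it.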
Senders should also follow these recommendations to keep their list free of any recycled addresses.
Through this recycled Yahoo! IDs initiative, the company has taken a bold step to improve their users’ experience. I will be interested to see how others not only follow suit, but seek to implement features such as “Not My Email” to combat similar concerns with security and usability.