
The long tail of the bit bucket

Because I've been writing about the internet for a long time, I have a trail of partially used email addresses following me around. One of the most prominent of these is @skeptic.demon.co.uk, which dates to 1993, when I wrote one of the very first articles published in Britain about how to use the internet. This week, I discovered that Demon has been rejecting my password, for how long I'm not sure. Since 1993, however, Demon has been sold several times, and the last person I knew to call who worked there left at least five years ago. The last time this happened, I was told it would never happen again, but that was at least one owner ago, and who knows what code someone tweaked? Wikipedia provides the likely explanation, that the Demon Internet service was wound down last year to migrate customers to Vodafone products. I had, because of that previous experience, migrated the important things that still used one of those addresses to the domain I started using in 2003, but now it was clearly time to migrate the rest. Pause to mourn the passing of one of the UK Internet's most significant early ISPs.

It took most of a day. And yet: I recommend it as an exercise. Most people, granted, don't have all these old email addresses. But I bet most people do have old accounts they've forgotten about or have at least a few sites they signed up for with addresses they've forgotten about. I found accounts so old they had *dictionary words* as passwords because in 1995, when they were created, we weren't all so worried about that. Changing those was probably worth the time the whole thing took.

Sites vary enormously in how they process these requests. The good ones - however inconvenient it may be - ask for confirmation of the change. Facebook, for example, sent a confirmation email with a one-time code I had to type in to confirm the newly added up-to-date email address. Once that was done, it was simple to set that as the primary address and delete the other. Ideally, for really good security, you'd want a confirmation sent to the old email address, but there's an obvious problem with that. At the other end of the spectrum, the UK railway ticket seller TheTrainline was happy to change both email and password in one pass, and if they sent a confirmation email I didn't see it. In many cases, I found that I had actually changed the email address back in 2012. At a few sites, changes failed for reasons I couldn't determine.

But email archives are only a partial guide. Probably every web user of more than a few years' standing has accounts they've forgotten about: media sites that require logins just to read one article; retail sites that require an account for a single purchase, or sometimes even just to find out the delivery charge. I would never see email from these accounts because I typically used an address directed straight to the spam bucket. When I eventually thought to look at one of the internet's older media sites, for example, I discovered I'd given it an AOL address, which should tell you something about how long ago I created it. And herein lies one advantage of a standard password for sites you don't care about: you can successfully guess it. So now: do I want the New York Times to have a functioning email address for me, or do I want all the tracking they do of what I read to be diverted to a decoy?

And then I remembered there are all those old press directories...and...

The point about this very boring task is that except in unusual circumstances most of us never bother to audit the many dozens of accounts we accrue. Most discussions of online privacy focus on the major players who amass vast quantities of detail about all of us, but few of us think about the long tail of our data exhaust that's made up of forgotten, aging bits and pieces. My guess is that there is plenty of revelatory, though possibly misleading, information there for anyone who cared to assemble it. Worse, the older it is the more likely it is to date to a more innocent moment when we knew less about how intently we were being watched.

Under the data protection laws - which will continue to apply in the UK for the most pragmatic of reasons no matter what the country's EU membership status is - we have the right to delete or view the data that's held about us. Probably more of us should use these rights - but the first requirement is knowing what accounts we have and who, after mergers, bankruptcies, and acquisitions, owns the data now. Have I Been Pwned? can help identify forgotten accounts if they've been hacked (using it reminded me of several more languishing examples). But if you've lost access to the associated email address and can't remember the password you may not be able to do much more than make a note that once upon a time, in a universe far, far away, you briefly flirted with MySpace.

Illustrations: Balloon shadow (source: Wikimedia Commons, public domain); Demon Internet logo.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

