Gmail Reveals the Names of All Users

ihatespam writes "Have you ever wanted to know the name of admin@gmail.com? Now you can. Through a bug in Google calendars the names of all registered Gmail accounts are now readily available. All you need to find out the names of any gmail address is a Google calendar account yourself. Depending on your view this ranges from a harmless "feature" to a rather serious privacy violation. According to some reports, spammers are already exploiting this "feature"/bug to send personalized spam messages."

Is This Evil?

[abirdman]

But, does this constitute evil? So far so good. My gmail account is my real name anyway. I'll be looking out for the evil...

Re:This only punishes the foolish

[Anonymous Coward]

Gmail strips out punctuation. So email to First.Last@gmail.com goes to the same inbox as FirstLast@gmail.com

Re:This only punishes the foolish

[Dun Malg]

I know individuals with a hell of a lot of sense who would give their real names in such a situation.

So? Part of the reason for that is that full names in and of themselves are not really a security risk. I walk around all day in public with an ID badge that gives my first and last name. Big deal. Our names are our public identifiers.

Re:This only punishes the foolish

[hal9000(jr)]

for a small business owner, why not. I manage a few websites. Very, very small. Less than 20 people have write access. They wanted email. some users would use outlook or outlook express, others wanted a web mail front end. The email client the hosting service had was horrible so I hooked them up with a gmail hosted services. It works very, very nicely for them.

there are some cases where Google is a good alternative to other options.

Comment removed

[account_deleted]

Comment removed based on user account deletion

The *real* security risk...

[Peet42]

...is that this will allow Phishing scams aimed at GMail users to *seem* so much more plausible.

What? You expected humour?

Serious FERPA Violation

[Lord Byron II]

The Families Educational Rights and Privacy Act of 1974 allows a student at a university to require the university to not release their name to anyone. For example, if you check for my name at my school's phonebook, you'll find I'm not listed. If you call my registrar's office and ask for information on me, they'll tell you that they don't have a student by my name. You see, it's against the law for them to even confirm that I'm a student.

Since many schools have outsourced their email systems to Gmail, anyone can generate a full roster of student names through this trick. This could obviously result in many violations of FERPA.

Re:This only punishes the foolish

[Nightspirit]

Because it looks unprofessional (may be a pro or con depending on the business)
ie mike@mikesauto.com versus mike34534@hotmail.com

There is also the superficial sense of security. When I send email to Mike at his domain I'm pretty sure he is the only one reading it (although it very well could also be the isp, hosting domain, his sysadmin, and NSA). When I send email to hotmail or gmail, perhaps unfounded, I have the feeling that if they felt like it MS or google could be reading the emails and no-one would know it and/or a security breach could leak access to everyone's email.

Spam doesn't worry me, it's privacy.

[Spy der Mann]

This goes well beyond the scope of SPAM. Once they match your real name with your e-mail, they can start finding out what you do online, what sites/forums you visit, etc (Google knows everything).

I'm much more worried about ID thieves finding out about my life than about getting personalized spam.

Re:This only punishes the foolish

[pla]

there's been a steady conversion of addresses in my contact list to "@gmail.com". People are moving to GMail as their primary mail accounts

As have I - But that has no bearing on whether or not people give GMail their real names. I know I sure as hell didn't, despite using that account for a number of legitimate purposes, including professional contacts.

And as a bonus, anyone foolish enough to spam me under a name I give to a random website actually helps my spam filtering, because I never give my real name. If someone sends "Petrov L. Aster" (as just one example I might use for my Slashdot handle) a notice that he has an inheritance from a Nigerian uncle, that message doesn't even make it to my "once a month quick look through non-whitelisted garbage" folder - it meets a hard blacklist and goes straight to /dev/null.

Re:This only punishes the foolish

[billj04]

This actually is a security risk -- a lot of websites use your name as proof that their email is legitimate, and not originating from a phisher. For example, eBay's emails contain the following text at the top:

eBay sent this message to FULL NAME (account)
Your registered name is included to show this message originated from eBay. Learn more.

The "Learn more" link takes you to http://pages.ebay.com/help/confidence/name-userid-emails.html [ebay.com] which explains

Since people who send out spoof emails often don't have your first and last name as well as eBay User ID, receiving an email that contains this information should increase your confidence that the email was sent by eBay.

Re:Just last week at work...

[Dash Hash]

If you're talking about the ads displayed alongside your emails, Google never said they read the emails, just that their systems scan the emails for key words to make the ads relevant. That is quite a bit different from reading the actual email.

That being said, I still feel it is a bit too questionable, and a bit too close to actually reading them, so I generally only use the gmail address for non-important tasks.

Even so, bringing up the whole "Google reads your email!" line this late into the game is either a very bad troll, or just somebody trying to ride the wave of being over-emotional (or funny, but that is unlikely, I think).

There Is No "View" -- Outright Incompetence

[JonSimons]

The summary states, "Depending on your view this ranges from a harmless 'feature' to a rather serious privacy violation."

There is no view, this is absolutely an outright product of incompetence, oversight, and cluelessness. This is definitely a bug, even if Google touts it as a feature. We've seen this before, with Google calendar appointments/conference call numbers made publicy accessible via incompetence.

Inexcusable.

Re:This only punishes the foolish

[FiloEleven]

A better method for customizing your registered email address is to use "+" on the left side. "me+example.com@gmail.com" should be directed to "me@gmail.com" by their system. I say "should" simply because I've never tested the "+" feature with "."s in "it."
"

I"m sorry, I seem to have a quotation infesta""tion. The information"s correct, though.

Re:This only punishes the foolish

[Anonymous Coward]

Which is why I strip out the dot when registering to sites and the little filter that drops everything without the dots into my trash takes care of any resulting spam. :)

Just google being google

[Vampyre_Dark]

I've used about every service that they have had, and this is pretty much how everything they do works. You don't opt in for anything, you have to figure out how to eventually opt out.

You fumble through the options screen and finally find the right combination of checkboxes that doesn't throw your name out there, and let everyone see everything by default.

"Hey guess what users, we added this nice option that lets everyone see your real name, address, and link to a picture of your house on google maps. Don't worry, it's been already enabled for your convenience!"

Re:This only punishes the foolish

[Victor Antolini]

Citation is myself witnessing it, last time about 6 months ago. Google must have probably fixed it.

I've received e-mails sent to vincenzo.myaccount@gmail.com, ornella.myaccount@gmail.com and many others. I DONT own those accounts, how could you explain that?

I've got them right there on my inbox. And I personally know four people that saw the same thing. I've reported it to google two times in its time and so far I've received no reply.

Re:Privacy...

[Tim C]

In other news, purchasing cigarettes and alcohol require you to disclose your first and last name when you show your ID! Even worse, there are rumors that every time you make a purchase using anything other than cash you have to disclose your first and last name.

Perhaps in the US, but here in the UK you don't have to show ID to buy alcohol or tobacco unless you look like you might be under age. Even that's a relatively recent thing - 16 years ago I had no problem buying alcohol at 16 and 17 (age limit is 18 here - yes, I looked older than my age, but not that much older).

Additionally for the last couple of years paying by card has meant putting it in a card reader, the member of staff dealing with the transaction doesn't even have to see the card, let alone your name.

I'm not arguing that this bug is some horrible privacy violation. I'm just pointing out that people in different countries have different expectations regarding privacy, and Google provides a global service.

Re:Is it really that big of a deal?

[h4rm0ny]

Not to mention that my employers have started (without any process of considering implications whatsoever) started to use Google services for all their meeting arrangements, annual leave sheets, some internal email communications. I imagine some other places are doing the same. I wonder if it will get to the point where having your Google account suspended will be cause for a dismissal. At any rate, not everyone has the option of not using Google. I imagine the number of such people will increase.

That explains something

[Fallen Andy]

I have a gmail account which I don't use (at all) yet. Really puzzled me when some spam landed in it since I haven't quoted that address *anywhere*. This happened a couple of weeks ago. The *only* way spammers could get the address is if it leaked directly from Google. So what other stuff is being leaked buggily or sold on the side by maverick employees of Google eh?

Andy