Your online identity is owned by your email provider

Many of the leading tech companies — including but not limited to Apple, Baidu, Google, Microsoft, and Yandex — offer free email services to their customers. Email was never designed to be your ubiquitous online identity. Nevertheless, it’s what most businesses and services use to fill that role today. Email service providers reap the benefits of a captive customer base.

Most people use the default email address suffix, e.g. @example.com, that their email provider offers. You choose your email address, and thus your email service provider, for life. Few give much thought to which email service provider to use and even fewer read their ever-changing terms of service and privacy policies.

Within a few years of signing up with an email service, you’ll use your email address to log in to hundreds of servers and for your personal and business correspondence. Even if you claim not to use email, we all use our email addresses every day.

You can get a new phone number and send it to the dozen or so people and companies that you want to have your new number. In many countries, you can even keep your phone number when you decide to switch to a new mobile carrier.

This is considerably more difficult with email because of the huge number of companies and services we want to have our updated email address. It takes a lot of time and effort to change your email address and it involves the risk of losing access to some critical service. There are so many of these services in our lives that we don’t even remember who they all are anymore!

Many services won’t even let you change the email address you’ve registered with them. If you live in the European Union, the General Data Protection Regulation (GDPR) guarantees you the right to update registered information such as your email address. The GDPR went into effect in May 2018, and many companies haven’t had the time to update their services to enable you to change your email address yet. This legal protection doesn’t extend to other regions either.

This creates an almost unique environment where businesses have complete control over their customers’ online identity and where customers can’t easily change their provider. Your email service provider knows everything you’ve purchased online, what apps and services you’ve signed up for, your interests, and your entire contact network. It gets a lot of this information through email notifications and receipts sent by other services as a convenience for their customers.

This puts people at the mercy of the tech companies. It also exposes their personal data and identity to the whims of the same companies.

Imagine a free email provider who suddenly decided to start charging for their email service. Some people can’t afford to pay or don’t have access to a credit card to make the payment. Or imagine using an email address provided by your Internet Service Provider (ISP). They could abandon an unprofitable area and cut service to it. Hopefully, you’ll have another ISP to fall back on to keep your internet access. However, you would have to keep paying your old ISP who’s no longer willing to offer you services to retain access to your email address.

It’s completely within the rights of private companies to make these types of decisions. There would be negative press, of course, but the media’s attention in such matters quickly dissipates. Strong consumer protection and privacy regulations won’t help consumers in these situations.

People are locked into their email service provider because that’s how email addresses work. The current tech behemoths were partially built on the vendor lock-in that is inherent to services like email.

There isn’t a lot that regulating the email service providers could achieve to ensure people adequate freedoms and market competition. Email messages are required to go through the email server at their designated destination domain name. You can’t port your email address as you can with your phone number because the provider’s domain name is an essential part of the address and the delivery mechanism.

The only regulation I can think of that could make any impact is to require all public email service providers to offer free email forwarding services for the lifetime of the account holder. With a forwarding service, you can give your old email provider your new address and have them forward it for you. These services are often time-limited or require a subscription fee, however.

Email forwarding involves some technical challenges that ultimately lead to poorer customer experiences. Emails must travel through more servers which delays their delivery. These extra trips through different email servers strip the emails of information about the sending server which is critical to protect against spam and email forgery. It introduces more complexity to the delivery chain and reduces the chain’s security.
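
The effect on sender authentication can be shown with the Sender Policy Framework (SPF), one check that depends on which server hands the message over. The following is an added example, not part of the original article. It evaluates a small subset of SPF against constructed records instead of DNS, and every domain and IP address in it is a documentation placeholder.

```python
import ipaddress

# Constructed SPF policies (normally published as DNS TXT records); all
# domains and addresses below are documentation placeholders.
SPF_RECORDS = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "forwarder.example": "v=spf1 ip4:198.51.100.25 -all",
}

def check_spf(client_ip, envelope_from):
    """Evaluate the ip4/all subset of SPF for the envelope sender's domain."""
    domain = envelope_from.rsplit("@", 1)[-1].lower()
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in qualifiers else "+"
        mechanism = term.lstrip("+-~?")
        if mechanism.startswith("ip4:"):
            if ip in ipaddress.ip_network(mechanism[4:], strict=False):
                return qualifiers[qualifier]
        elif mechanism == "all":
            return qualifiers[qualifier]
    return "neutral"

def receiver_view(client_ip, envelope_from, header_from):
    """What the final mailbox provider can conclude about a delivery."""
    spf = check_spf(client_ip, envelope_from)
    env_domain = envelope_from.rsplit("@", 1)[-1].lower()
    hdr_domain = header_from.rsplit("@", 1)[-1].lower()
    # SPF only vouches for the visible From address when the domains match.
    aligned = spf == "pass" and env_domain == hdr_domain
    return {"spf": spf, "aligned_with_from": aligned}

# 1. Direct delivery from the sender's own server.
direct = receiver_view("192.0.2.10", "alice@sender.example", "alice@sender.example")
# 2. Plain forwarding: same envelope sender, but the forwarder's IP connects.
forwarded = receiver_view("198.51.100.25", "alice@sender.example", "alice@sender.example")
# 3. Forwarder rewrites the envelope sender to its own domain.
rewritten = receiver_view("198.51.100.25", "bounce@forwarder.example", "alice@sender.example")

for name, result in [("direct", direct), ("forwarded", forwarded), ("rewritten", rewritten)]:
    print(f"{name:10} {result}")
```

Plain forwarding fails the check outright. Rewriting the envelope sender passes it, but only for the forwarder's domain, so the receiver learns nothing about the address shown in the From header.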

You can take some control over your own identity in the current email-based online ecosystem by renting a domain name and using it for your email address. That gives you the freedom to switch email providers more easily without having to change your email address. However, you still won’t own your identity as you don’t own the domain name you rent through your domain name registrar.

The only real solution is to rethink online identity and stop depending on email addresses. Email was designed in the 1960s and it was never intended to serve the identity management role it’s serving today.

There currently aren’t any widely-deployed alternatives that people can control themselves. All the alternatives for identity management are provided by and controlled through private companies. There are some discussions about self-sovereign identity solutions but these still lie far off in the future.

For now, people should stop and think carefully when choosing the @example.com part of their email address. It’s a decision you’re probably set to live with for life.