MLB Opening Day WWDC 2023 Dates Meta Quest Pro Hands-On Amazon Pharmacy Coupons iOS 16.4 Trick for Better Sound Narcan Nasal Spray 7 Foods for Better Sleep VR Is Revolutionizing Therapy
Want CNET to notify you of price drops and the latest stories?
No, thank you

Gmail delivery errors divulge confidential information

Having a common Gmail address is like a magnet for e-mail intended for people with similar names.

In the last two weeks, my Gmail account has received messages from the Methacton School District in Eagleville, PA, referring to the upcoming "Body Worlds Exhibition at the Franklin Institute," from a headhunter about an opening for a National Sales Manager at a manufacturer of "Quality Central Heating Appliances," and from the Mystery Guild about changes in the service's delivery policies.

I've never been to Eagleville--though it sounds like a lovely place. I have absolutely no interest in being anybody's sales manager. And despite my affection for the works of Raymond Chandler and Dashiell Hammett, I've never been a member of the Mystery Guild.

All three messages were intended for people with names much like mine. These and the other misdirected e-mails are merely the price I pay for having a common Gmail address. They're usually just annoyances that I delete immediately without opening. But sometimes, the messages divulge confidential information the intended recipients certainly don't want in the hands of strangers, whatever their names may be.

About two months ago, my Gmail account received a message from a law firm intended for someone with a name similar to mine. The message clearly included information that should not be disclosed to strangers. I can't provide many details about the message because I deleted it almost immediately.

But first, I replied to the sender to let them know the message was misdirected. The firm apologized but also made it very clear that I was to delete the message and not to divulge its contents. I'm no lawyer, but the implication was that my failure to do so made me liable.

A bank sues Google for info on a Gmail account
Last September, Elinor Mills reported in her InSecurity Complex blog that a bank in Colorado sued to force Google to deactivate a Gmail account to which one of the bank's employees inadvertently sent confidential information about 1,300 bank customers. Google initially balked at assisting the bank in determining whether the message had been opened and ensuring that it was deleted.

The case was quickly resolved — the message was never opened and was confirmed to be deleted — but not before the account in question was deactivated by court order and an innocent victim lost access. The threat of being similarly victimized came home this week when I started receiving messages from the Apple Store confirming an order placed by someone whose name is similar to mine.

Included in the messages were details about the order, including product prices, shipping and billing addresses, and Federal Express tracking numbers. When possible, I respond to the misdirected messages to let the sender know the person is not at this address. But many such messages — including order confirmations such as this — are sent from addresses that don't allow replies.

In any event, most of the misguided e-mails are the result of some like-named soul entering the wrong address in some online form.

Looking to Google for guidance
I searched Gmail Help for guidance, but the only information it offered referred to addresses using dots (periods) in the name, which leads to misdelivery of mail. "Google Employee" Iris posted on the Gmail Help forum instructions for determining whether someone is forwarding mail to the account. In a nutshell, open the message, click the down arrow next to Reply, click Show original, and look for "X-Forwarded-For" in the header.

Other posters to that forum thread report problems related to their Gmail accounts receiving e-mail intended for someone else. The "advice" usually boils down to contacting the sender to let them know the message was sent to an errant address. But this opens up a whole can of worms.

From a spammer's perspective, the reply confirms the address as live. I prefer to treat all misdirected messages as a form of spam and delete them unopened--unless I need to open one to determine that it's not intended for me or to ensure it doesn't contain sensitive information that could get me in trouble just for receiving it.

After all, I certainly don't want any banks shutting down my Gmail account because one of their employees doesn't know how to use e-mail safely.