Don't let children receive email messages from Gmail

When it comes to the question of whether an IP address is personal or not, Google seems to swing both ways.

In February, Google software engineer Alma Whitten wrote Are IP addresses personal? on the Google Public Policy blog. In the posting she said "... in most cases, an IP address without additional information cannot [identify you]."

But someone commenting on the posting pointed out that Gmail goes out of its way to hide the IP address of the sender of a Gmail-originated message. The item User IP addresses from the Gmail help says:

"Protecting our users' privacy is something we take very seriously. Personal information, including someone's exact location, can be gathered from someone's IP address, so Gmail doesn't reveal this information in outgoing mail headers. This prevents recipients from being able to track our users, or uncover what may be potentially sensitive personal information."

I verified this by examining the headers of a Gmail-originated message. The source IP address was 74.125.46.31 which, according to ip-adress.com is Google in Mountain View, California. In other places the email header identified the source computer as yw-out-2324.google.com. Nothing pointed to the actual IP address of the sender.

As someone pointed out, this anonymity makes Gmail a haven for bad guys. Anyone interested in sending threatening email messages or perhaps inappropriate messages to children, can hide behind Gmail.

If I was the parent of a small child, I wouldn't want them to receive any email from Gmail. Period.

Earthlink, my ISP, does let their customers define spam filters that can reject all messages from a domain such as gmail.com or google.com.

Yahoo Mail does not hide the originating IP address. If and when I do, I'll update this posting.

Someone I know in New York City recently said they were going on a trip to Switzerland. After a few days, they sent a Yahoo email message claiming to be from Switzerland. I had no reason to doubt them, but just for fun, I looked into the email header, got the source IP address and ran it through the services I wrote about last time. Sure enough, the message came from Switzerland.

I didn't test if Hotmail hides the true source IP address. If and when I do, I'll update this posting.

Update. September 16, 2008: According to Leo Notenboom Hotmail is inconsistent when it comes to including the source IP address, sometimes it does, sometimes it doesn't. He was nice enough to test it again today (thanks Leo) and reported that the true source IP address did appear in the email header of a message that originated from Hotmail.

Update. September 16, 2008: For more on this topic, see Harassment from a Gmail user.

See a summary of all my Defensive Computing postings.

[merelogic]

You can always report the email to google if it's so threatening maybe they'll send you the very important ip address.

[princezuda]

You fail to realize that Gmail has the IP addresses they just mask them. If anyone was to send a inapropiate email they would release their location. Gmail isn't anymore dangerous then any other email service.

[skillingssucks]

What a ridiculously sensationalist and alarmist article. [rolls eyes]

[rcrusoe]

If I was the parent of a small child, I wouldn't allow them to use an Internet attached computer unsupervised. Period.

[FaceOfED]

Assuming you are opening the on-line version of GMail, YaHoo! Mail, AOL Mail, or you-name-it Mail, the IP address from which the message is being sent is from the eMail provider, not your own. YaHoo! sends an internal, non-routable IP address (10.nnn.nnn.nnn) as a part of its header. Besides, if I'm SPAM'in or PORN'in, I'm probably working through one or more annonymous proxies to cover my tracks.

The best you can hope for [in this case] is to track it back to the eMail provider. and then let them ignore the problem.

[mhinnewyork]

As I wrote in the posting, there was a real IP address in the header of the Yahoo email message from Switzerland, not a 10 dot IP. Not all bad guys have the technical skill to deal with or understand proxies. Michael Horowitz

[skillingssucks]

You don't know what you're talking about. When sending from any web based provider (except) Gmail, the IP address of the sending computer is included.

[usualsuspect87]

If people would worry less about extreme cases of what might happen to their kids and more time properly raising them, we'd be a hell of a lot better off.

Too many parents are projecting irrational fear onto their children by worrying about this ridiculous stuff. Sure, I'm sorry to anyone that has been taken advantage of, but be smart. Teach your kid to be safe, not abstinent. Come on, you know the internet feels good.

[TommyGunn32]

"Anyone interested in sending threatening email messages or perhaps inappropriate messages to children, can hide behind Gmail."

Proposterous. Try to threaten a government official or child from Gmail, see how well it hides you for longer than 2 minutes. They're called logs. Everyone uses them. How long have you been in the industry?

I understand alarmist articles, but I don't think the writers of them understand that most people read the comments and realize they're a crock. Of course, with RSS feeds and the like, the writer's name is often overlooked or not remembered across multiple articles for any bad reputation to stick anyway.. Keep up the page view count.

[mhinnewyork]

I have been in the industry a very long time, but when you have to attack me it means you have no point of your own. Go read another blog, it's better for everyone. Michael Horowitz

[BIGELLOW]

The tile of the blog should be "Michael Horowitz plans to eventually own a computer one day." I mean really, where have you been? For one thing, this isn't new to Gmail. This type of practice has existed since Hotmail. Go after Microsoft if you want to. Secondly, it is standard practice. Web-based email means the email originates from the service provider, so the FROM ip address IS the service provider's IP address.

IP addresses, by themselves, can be used to determine geographical location (most of the time.) So, it SHOULD be masked or eliminated. However, enough information is contained in the header to be able to tell the SERVICE PROVIDER who this person is or where they are. If it really is a legal matter, submit the findings to the service provider and they will follow up... or go to the police and they will get this information from the service provider.

This information doesn't belong in the hands of so-called vigilantes or curious folks. It belongs in the hands of the police or those with the legal departments to follow up and respond to court requests.

By your logic, nobody should ever let their children SEND email from a regular ISP and should only send email from Gmail or something similar. The reasoning is, if you let your children send email through a regular ISP, their IP address could be known. The receiver could deduce where you live and stop by your house one day when your child is checking his/her email.

Fear mongering belongs in the movies, not in the media.

[mhinnewyork]

I have actually looked at the email headers and examined the visible IP addresses. You, obviously, have not. Michael Horowitz

[fdunn3]

Google wouldn't give you the time of day if you requested a sender's IP unless you are Law enforcement.

Google has gone bad.

[marine0352]

Those are some pretty large leaps of logic you made there. If this were Digg, I'd be burying this post.

[Katiemmm]

I don't understand the fuss really. Why not just give your child a kid email account and check the emails BEFORE they reach them? I personally use www.safensoundmail.com but there are others out there too.

[skwerlabusr]

Completely blocking all emails from a certain domain? Isn't that a little too far and protective? It would be such a hassle everytime someone tried to e-mail you (friends from school etc.) and they had to create another e-mail or use another email provider other than gmail just to send you something.