Staying signed in by default to email services poses serious privacy concerns for users accessing their email on a public or shared computer

PIPEDA Findings #2021-005

March 15, 2021


Complaint under the Personal Information Protection and Electronic Documents Act (the “Act”)

Description

The complainant alleged that the Yahoo! Canada setting whereby Yahoo Mail users, and in particular Rogers Yahoo Mail users, stayed signed in by default posed great privacy concerns for users accessing their email on a public or shared computer.

Takeaways

  • Emails can contain highly sensitive personal information (health or financial information, intimate content, private opinions, sexual orientation, etc.), which if revealed, could cause grave harm to an individual’s reputation, finances (via identity theft) or even safety.
  • Noting that emails may contain highly sensitive personal information, organizations must have robust safeguards against unauthorized access. Such safeguards would generally include a requirement that users opt-in to the setting.
  • An organization that implements a “stay signed-in” feature should, among other things, provide users with prominent and clear language regarding the potential privacy implications of enabling the feature, including the potential for a subsequent user on the same device to gain unintended access to the users’ emails.

Report of findings

Overview

The complainant alleged that the Yahoo! Canada (“Yahoo”) setting whereby Yahoo Mail users (the “users”), and in particular Rogers Yahoo Mail users, stayed signed in by default posed great privacy concerns for users accessing their email on a public or shared computer.

At the outset of the investigation, we noted that Rogers Yahoo Mail customers agreed to Yahoo’s Terms of Service, and Yahoo was responsible for the mechanism by which Rogers Yahoo Mail users logged into their email accounts.

As a result, we focused our investigation on whether Yahoo was, via its “Stay signed in” setting: (i) adequately safeguarding against unauthorized third-party access to the content of users’, including Rogers Yahoo Mail users’, emails on a public or shared computer; and (ii) obtaining valid consent for its disclosure of personal information to others who subsequently access those emails.

Noting that emails may contain highly sensitive personal information, we would expect robust safeguards against unauthorized access. We did not accept Yahoo’s assertion that each reasonable person would understand the “Stay signed in” setting to be “on” by default, or that the additional safeguards it explained to our Office were adequate to mitigate the risk to a user who inadvertently stays signed in on a shared or public computer. In our view, therefore, Yahoo’s safeguards were not appropriate to the sensitivity of the information.

With respect to consent, we noted again that: (i) the information contained in emails can be highly sensitive; (ii) individuals would not reasonably expect that their account would be defaulted to “stay signed in”; and (iii) unauthorized access to the sensitive information in a user’s emails by a third party, particularly a family member or friend with whom they share a device (like on a home computer), could result in serious reputational damage, or worse. In our view, therefore, Yahoo was required to obtain express opt-in consent for its “Stay signed in” setting. We further noted that Yahoo did not make clear to the user that any person who subsequently visits Yahoo’s website on that device will be able to access all of the potentially sensitive information in the user’s emails, which could in turn cause the user potentially serious harms, such that the consent was not meaningful.

Following our recommendation, Yahoo committed to change the “Stay signed in” setting from opt-out to opt-in, and to display clear and prominent information to better inform users about the privacy implications of opting in to the setting. Accordingly, we find the complaint to be well-founded and conditionally resolved.

During the course of the investigation, we learned that Rogers had taken over authentication of Rogers Yahoo Mail users. We therefore engaged with Rogers who, while not a respondent in this investigation, agreed to make further commitments, detailed in this report, to ensure adequate privacy protection for Rogers Yahoo Mail users.

Complaint

  1. The complainant alleged that Yahoo! Canada (“Yahoo”) contravened the Personal Information Protection and Electronic Documents Act (the “Act”) by failing to implement security safeguards appropriate to the sensitivity of Rogers Yahoo Mail users’ (the “users”) account information. Specifically, the complainant alleged that when accessing a Rogers Yahoo Mail account (the “account”), the login setting was by default set to “Stay signed in” (the “setting”). The complainant contended that this feature posed great privacy concerns for users, particularly when using shared (or public-access) computers.
  2. During the course of our investigation, we determined it appropriate to consider as well whether Yahoo was obtaining valid consent for its disclosure of personal information to third parties who access a user’s email account from a shared device, when the user has not opted out of the “Stay signed in” setting.

Background

  3. Rogers Terms of Service (“TOS”) indicate that Rogers partners with Yahoo to provide Rogers internet customers with access to a collection of resources, including various communications tools and content (the “Yahoo! Services”). The TOS stated that the obligations of Rogers and Yahoo are several and not joint, with respect to Rogers internet Services and the Yahoo! Services; and that when a customer uses the Yahoo! Services, Yahoo!’s terms of service, guidelines and rules (“Yahoo! Terms”) apply (Footnote 1).
  4. In the course of the investigation, Yahoo submitted that it applied the “Stay signed in” feature across all login entry points of its users, including those of Rogers Yahoo Mail. We therefore assessed the setting both via, and independent of, the Rogers login entry point.
  5. The rationale Yahoo provided to our Office for a default “Stay signed in” setting was that it serves as a way to ameliorate the user experience and to create a convenient on-line experience.
  6. The facts as stated below are based on: (i) evidence received by our Office from the complainant; (ii) evidence received by our Office from Yahoo; and (iii) our Office’s own independent testing, where we performed tests using the webmail login page and a Rogers Yahoo Mail test account.
  7. Upon completion of our investigation, having found that Yahoo contravened Principles 4.3 (Consent) and 4.7 (Safeguards) of the Act, we issued a preliminary report of investigation to the respondent with certain recommendations. Yahoo informed us that during the course of our investigation, Rogers had taken over authentication of Rogers Yahoo Mail users. We engaged with Rogers to address certain of our recommendations within Rogers’ sphere of control. This report details the findings of our investigation, as well as Yahoo’s and Rogers’ commitments to address our recommendations.

Analysis

Issue 1: Safeguards against unauthorized disclosure

  8. Principle 4.7 states that personal information shall be protected by security safeguards appropriate to the sensitivity of the information. Principle 4.7.1 further provides, in part, that the security safeguards shall protect personal information against theft, as well as unauthorized access, disclosure, copying, use, or modification.
  9. Emails can contain highly sensitive personal information (health or financial information, intimate content, private opinions, sexual orientation, etc.), which if revealed, could cause grave harm to an individual’s reputation, finances (via identity theft) or even safety.
  10. We would expect Yahoo to implement robust safeguards to protect against unauthorized access to such information.

Stay signed in

  11. Yahoo asserted that its mail login portal includes what it characterized to be a clear and prominently displayed opt-out mechanism (i.e., the setting at issue in this complaint), whereby users can choose to uncheck the pre-checked “Stay signed in” box.
  12. Yahoo further contended that the setting is consistent with industry standards, and that among the millions of internet users around the world, each reasonable person understands this functionality and, at all times, has the ability to control the setting.
  13. First, we do not accept that the setting is clearly or prominently displayed during user sign-in. We noted that the Yahoo email sign-in process has two steps (as displayed below). On the first login page, the user must simply enter their email address. On the second page, the user then enters their password to log in.

[Image: Yahoo’s two-step sign-in pages, where the user enters their email address and then their password.]

  14. As identified above, it is only on the first page that the pre-checked “Stay signed in” setting appears, not when the user is actually entering their password to sign in. The setting is also displayed in small light grey and blue font, below the much more noticeable, large, bright blue “Next” button, which is in turn below the space where they must input information.
  15. Furthermore, we cannot accept the respondent’s assertion that each reasonable person would understand this setting to be “on” by default. In our view, Yahoo must ensure users are aware, and have authorized, that when they exit the Yahoo website and close their browser, the next person to access the Yahoo website on the same device will have unfettered access to all the potentially sensitive information in their emails. While some users may be aware of this default setting, there will inevitably be many others, like the complainant, who do not notice it, such that access to their emails by the next person to visit Yahoo’s website on the device would be unauthorized.
  16. Finally, we do not accept Yahoo’s contention that its default “Stay signed in” setting is an industry standard. We conducted research and testing in order to determine whether other major email providers applied similar settings to keep users logged in to their email accounts. Of the two major email service providers we tested, one offered an opt-in “stay signed in” option, whereas the other required users to actively log out before closing their browser, with no opt-in or opt-out option. This would appear to indicate that no such standard exists. In any case, even where a practice may be considered an industry standard, that would not render it compliant with the Act.

Additional safeguards

  17. Yahoo explained that it employs the following additional measures to protect against users’ information being disclosed to a third party by virtue of a user staying signed in unintentionally:
    a. An algorithm that attempts to recognize public access computers, and deselect the “Stay signed in” setting for those computers;
    b. The ability to sign out from almost every Yahoo webpage through a universal header, which displays users’ signed-in state and provides the option to log out at any time, thus overriding the setting;
    c. A 14-day expiration period from the last login after which users will be asked to re-verify their password;
    d. The ability for users to invalidate any Yahoo Mail session on a device by accessing their account on a second device and changing their password therein; and
    e. Information for users on how to have a secure experience online, including with Yahoo, available at http://security.yahoo.com and more specifically in a section on that page regarding Using Shared Computers.
  18. With respect to the algorithm referenced in paragraph 17(a), we conducted testing on several public access computers to assess the effectiveness of the algorithm; not once was the setting left deselected. Yahoo acknowledged that the algorithm did not always work as intended. There is also no reason to expect that such an algorithm would result in the deselection of the setting on a shared computer that was not “public access” (i.e., a device of a friend or one shared with family members, in which context the contents of emails may be even more sensitive).
  19. With respect to the sign-out option referenced in paragraph 17(b), we observed that the universal Yahoo header only displays the user’s name. The log out option does not become apparent to the user unless they click on their name to reveal further options.
  20. We did not test the 14-day session expiration period referenced in paragraph 17(c). That said, should this safeguard operate as intended, it is not clear how it prevents or mitigates the threat to privacy on a shared or public access computer, given that the threat of unauthorized access arises as soon as the user leaves the device unintentionally logged in to their email account.
  21. While the complainant submitted that the password reset option explained in paragraph 17(d) did not work for her, at the time of our Office’s testing, this option functioned as described by Yahoo. That said, it is, in our view, quite cumbersome, and would be available to a user only after they realized that they had remained logged in unintentionally, at which point their information could already have been exposed to unauthorized access.
  22. Finally, with respect to the security information provided by Yahoo, as referenced in paragraph 17(e), we note that although available at the indicated website, there was no clear link or reference to that information during the sign-in process.
  23. Furthermore, we note that the page on Using Shared Computers includes the following advice:

    Do not check the "Keep me signed in" box

    Many sites, including Yahoo, offer this remember option. When a computer keeps you signed in, it usually sets a persistent cookie on the computer that allows the website to identify you so you don't have to sign in. If you check this option, you'll remain signed in after you close your browser. This is a convenient option if you are the only one who uses a computer, but if you share a computer, do not check this option.

  24. This advice does not suggest “deselecting” the “Stay signed in” setting. Nor does it give any indication that the setting is already preselected. To the contrary, it would, in our view, leave users with the impression that it was not preselected, and that a positive action of “checking” was needed to be kept “signed in”.
  25. Finally, we note that Yahoo Mail offered features not available to Rogers Yahoo Mail users, including: (i) a login history page; and (ii) the ability to sign out from another device remotely, should the user learn that they remain logged in on another device.
  26. In light of the above, we are of the view that Yahoo’s safeguard practices were not appropriate to the sensitivity of the information at stake and as a result, do not meet the requirements of Principle 4.7 of PIPEDA.

Issue 2: Consent for the disclosure of personal information

  27. Principle 4.3 requires knowledge and consent for the collection, use and disclosure of personal information.
  28. When Yahoo provides a third party with access to a user’s emails on a shared or public device, this represents a disclosure of the user’s personal information. As outlined below, we determined that Yahoo failed to obtain valid consent for such disclosures.

Form of Consent

  29. Principle 4.3.6 states, in part, that an organization should generally seek express consent when the information is likely to be considered sensitive. Principle 4.3.5 further states that on obtaining consent, the reasonable expectations of the individual are also relevant.
  30. The OPC’s Guidelines for Obtaining Meaningful Consent (Footnote 2) (“Guidelines”) further provide that organizations must generally obtain express consent when: (i) the information in question is sensitive; (ii) where the collection, use or disclosure is outside of the reasonable expectations of the individual; or (iii) it creates a meaningful residual risk of significant harm.
  31. As detailed above (in paragraphs 9 and 15), in our view: (i) the information contained in emails can be highly sensitive; (ii) individuals would not reasonably expect that their account would be defaulted to “stay signed in” such that subsequent people to use the shared device could access all of the information in their emails; and (iii) unauthorized access to the sensitive information in a user’s emails by a third party, particularly a family member or friend with whom they share a device (like on a home computer), could result in serious reputational damage, or worse.
  32. As such, in our view, Yahoo should obtain express opt-in consent before keeping users signed in.

Meaningfulness

  33. Principle 4.3.2 states that organizations should make a reasonable effort to ensure that an individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed. Section 6.1 of PIPEDA further clarifies that the consent of an individual is only valid if it is reasonable to expect that an individual to whom the organization’s activities are directed would understand the nature, purpose and consequences of the collection, use or disclosure of the personal information to which they are consenting.
  34. The Guidelines provide that to receive meaningful consent, organizations must allow individuals to quickly review key elements impacting their privacy decisions right up front as they are considering using the service or product on offer, making the purchase, or downloading the app, etc. For this purpose, organizations must generally put additional emphasis on certain key elements: (i) what personal information is being collected; (ii) to whom it will be disclosed; (iii) for what purposes; and (iv) what risk of harm and other consequences may result.
  35. In our view, the language “stay signed in” does not provide users with the key information they need to make a meaningful decision regarding whether or not to agree to the setting. More specifically, it does not make clear to the user that any person who subsequently visits Yahoo’s website on that device will be able to access all of the potentially sensitive information in the user’s emails, which could in turn cause embarrassment, damage to their reputation, risk of identity theft or other negative consequences.
  36. For the reasons outlined above, in our view, Yahoo is not obtaining meaningful consent from Yahoo Mail users for its disclosure of personal information to third parties who access the emails of a user who has been kept logged in to their Yahoo Mail account.

Recommendations

  37. In our preliminary report, we recommended that Yahoo agree to the following measures to adequately mitigate against the risk of third parties accessing users’ personal information without their authorization or consent:
    a. implement an opt-in mechanism for staying signed in;
    b. provide prominent and clear information to inform the user of the potential privacy implications of staying signed in; and
    c. ensure that remote sign out and usage history features are enabled for Rogers Yahoo Mail, as for Yahoo users.
  38. Ultimately, we recognize that remaining signed-in can be convenient and ameliorate the user’s experience, in certain circumstances. However, this does not relieve Yahoo of its obligation to ensure adequate safeguards and consent. We note that Yahoo need not obtain opt-in consent to keep users logged in each time the user logs in to their email account, as long as Yahoo provides a clear and prominent explanation, at the point of decision, that the user will remain logged in to their account for future visits, subject to an easily accessible opt-out option.
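The safeguards Yahoo listed under Issue 1 (a persistent cookie only when the user asks for it, a 14-day expiry from login, and a password change that revokes existing sessions) and the opt-in recommendation above can be combined in a single login handler. The following Python sketch is an added illustration, not Yahoo’s or Rogers’ code; the user store, secret key and signed-token format are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from http.cookies import SimpleCookie
from typing import Optional

# Constructed demo key: a real deployment loads this from a secret store.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
# Safeguard 17(c) in the report: re-verify the password 14 days after login.
MAX_AGE_SECONDS = 14 * 24 * 60 * 60

# Constructed user store. password_version is bumped on every password
# change, which revokes all outstanding tokens (safeguard 17(d)).
USERS = {"alice@example.invalid": {"password_version": 1}}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    return hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).hexdigest()


def make_token(user: str, now: int) -> str:
    """Signed token carrying the user, password version and login time."""
    claims = {"u": user, "v": USERS[user]["password_version"], "iat": now}
    body = _b64(json.dumps(claims).encode())
    return body + "." + _sign(body)


def set_cookie_header(token: str, stay_signed_in: bool) -> str:
    """Build the Set-Cookie value. The default (stay_signed_in=False) is a
    session cookie without Max-Age, so the browser discards it on close;
    only an explicit opt-in yields the persistent cookie the report
    describes."""
    jar = SimpleCookie()
    jar["session"] = token
    morsel = jar["session"]
    morsel["path"] = "/"
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Lax"
    if stay_signed_in:
        morsel["max-age"] = MAX_AGE_SECONDS
    return jar.output(header="").strip()


def validate_token(token: str, now: int) -> Optional[str]:
    """Return the user for a valid token, or None if it must be rejected."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(body)):
        return None  # tampered or forged
    claims = json.loads(_unb64(body))
    user = USERS.get(claims.get("u"))
    if user is None:
        return None
    if claims["v"] != user["password_version"]:
        return None  # password changed since login: session revoked
    if now - claims["iat"] > MAX_AGE_SECONDS:
        return None  # 14-day window elapsed: ask for the password again
    return claims["u"]


def change_password(user: str) -> None:
    """Bumping the version revokes every session issued before the change."""
    USERS[user]["password_version"] += 1
```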
Response to recommendations

  39. Yahoo committed to, within one month of the issuance of this report: (i) change its “stay signed in” setting from opt-out to opt-in; and (ii) add a “pop up” that will appear when a user moves their cursor over the “stay signed in” setting, reading “Don’t use this option on a shared computer because your account will be available to others”. Yahoo will also move the setting from the first page (username) of the sign-in process to the second page (password).
  40. With regard to our third recommendation, Yahoo indicated during the course of our investigation, that Rogers had taken over authentication of Rogers Yahoo Mail service users, such that Yahoo does not have the ability to control authentication or display information about authentication events. Yahoo invited our Office to follow up directly with Rogers for implementation of this recommendation.
  41. Our Office shared our preliminary report and recommendations with Rogers. While Rogers was not the subject of this investigation, we are pleased that it agreed to implement measures to address the concerns we detail in this report, for Rogers Yahoo Mail users. Specifically:
    a. Rogers indicated that the current Rogers Yahoo mail login process does not offer a “stay signed in” option, but committed that if it were to add such a setting in future, it would do so on an opt-in basis.
    b. Rogers further committed to, by April 2022, amend its Rogers Email Member Center so that users can see a log of the history of email sessions managed by Rogers. This page will also include instructions explaining how to change the user’s password as a way to force log-out of every session, should the user realize that they remain signed in on a public or shared device.

Conclusion

  42. Our Office is satisfied that Yahoo’s proposed changes will bring the organization into compliance with PIPEDA. Therefore, our Office considers this complaint to be well-founded and conditionally resolved.
  43. Our Office has a continuing interest in ensuring that Yahoo implements the measures needed to bring it into full compliance with the Act. As such, our Office will monitor to confirm the organization’s implementation of our recommendations.