Today, dear readers, I want to focus on an online mystery I've been dealing with on & off for a while now and potentially solicit your help, since according to Google what is happening should not be happening. 

Long-time readers will know that I pay attention to data security and have a decent privacy routine: 2FA with an authenticator for my important accounts, loooooooong randomized passwords, and a privacy browser that blocks most trackers and regularly deletes cookies. Each of these has been the topic of prior newsletters. The latter is now a permanent post on my personal website. All that said, I have been flummoxed by an issue for a minute now.

I have had the same email address since using Gmail required an invite. My email address is my firstname.lastname@gmail.com. I signed up for it twenty-one years ago. But every once in a while I get emails about purchases or other random commerce that are sent to my firstnamelastname@gmail.com. You'll note that that second address has no period in the middle. 

But according to Google this should not be possible. 

According to Google’s Help Center, if you own firstname.lastname@gmail.com, you also own firstnamelastname@gmail.com. In fact, according to them, you own every permutation of that email address. Including something dumb like f.i.r.s.t.n.a.m.e.l.a.s.t.n.a.m.e@gmail.com. 

Here’s the language from Google’s Support page:

The periods/dots don’t matter in your Gmail.

So since 2005 no one should have been able to register my firstnamelastname@gmail.com. However, it appears at least two people have registered that email or think they have.

Notably, most websites don’t recognize this email “dot” thing when you sign up for an account and I may or may not have used that to serially get the introductory rate, over and over again for certain publications, signing up as a new user each time. It also allowed me to open a new [Redacted] Hotels account when I got locked out of my account last year.

Lest I digress and confess more.

The most recent incident involved somebody signing up for Spotify Premium. On or around June 19, I got an email sent to me addressed to firstnamelastname@gmail.com welcoming me to Spotify Premium. I don’t use Spotify (anymore). I don’t use it because a YouTube Premium subscription comes with YouTube Music for free (pro-tip).

The email included their billing zip code so I was able to determine they live in Ohio. Since the email came to my inbox, hypothetically I could have created an OTP to login in the account. I would have had full access to their data. I could cancel the Spotify Premium, sign them out of their devices, change their login method, or nuke their whole account.

This is a scammer, stalker, or bad actor’s dream.

Previously, I got an email on March 17 confirming an order from a website I have never heard of in my life called NorthStyle. In this instance, someone ordered size 8 Skechers slip-ons, and had them shipped to their address in Kentucky. 

On that occasion, I reached out to the shipper informing them they had the wrong Nathan Bowling but never got a reply. I never get one when I send an email about this name thing.

If I may digress for a moment, this is an exasperating aspect of our modern consumer model. Most of our commodities, consumables, and services come from giant tech corporations where it's nearly impossible to reach a human being. Imagine you had a problem with your Facebook or Google account. What phone number would you call? What's the 1-800 number for Amazon?  As long as everything is going well, it's not a problem but when things go sideways, you're potentially left with no recourse.

Because the shipping email for the Sketchers order had tracking info from FedEx, I saw the package’s full journey, the person’s address, and proof of delivery (see below).

This person lives in Kentucky and like the Spotify person, they believe their email address is my firstnamelastname@gmail.com. Or they mis-entered it when placing their orders, which seems really odd.

This uncertainty leaves me to wonder some very obvious questions: 

Am I a victim of identity theft? I don’t think so. I check my credit report pretty regularly.

Is someone logged into my email elsewhere? No, I occasionally log in to Google and verify what devices are logged into my account.  There are none I don’t recognize or have in my possession.

Should I change my Google password? I did so recently and logging into my account requires a 2FA code from my authenticator device.

Is Google full of -ish and did they issue an account to my fistnamelastname@gmail.com even though they say that’s impossible? They say “no” but what would you expect them to say? If you search this problem online you’ll see I am far from the only one experiencing it. On the other hand, when I recently sent a test email from another account to fistnamelastname@gmail.com it came to me.

Do these people really not know their own email addresses? That seems absurd but is seemingly the most likely answer. But what if it’s not?

Should I just nuke their accounts on sight when this happens as a friend suggested? This is a violation of the Computer Fraud and Abuse Act and I would never do that (or if I did, I'd keep it to myself).

If I am getting their emails, what if someone else gets an email from my brokerage or investment accounts? Not gonna lie, that one keeps me awake at night sometimes. 

I really don’t know what to think about all of this but I get anxious when it happens.

So, dear reader, I now turn to you. Is this a thing you’ve experienced? Hell, do you know my internet doppelgängers, the Nathan Bowlings in Ohio and Kentucky? 

As a datapoint, I texted the Kentucky one about this situation but he did not reply.  

As another datapoint, I checked and there are at least 93 Nathan Bowlings across the US.

Should I be more worried about this than I am or is this just a fact of our dumb digital life? 

I’d love to hear from you, especially if you have expertise or passion around cyber-security issues because low-key I don’t like any of this.

—

This week on the podcast I had a great conversation with HuffPost law & justice reporter Brandi Buchman. 

We talked about the pardoning of the sixteen hundred January 6 rioters and what that says about democracy in the US. That conversation is a continuation of a prior discussion with researcher Noelle Cook, from Hope’s IWL Podcast. Both are worth your time.