June 29, 2006

Thinking about email security

Author: Joe 'Zonker' Brockmeier

With the National Security Agency (NSA) monitoring our phone calls, now might be a good time to think seriously about the security of our email as well. In particular, you might want to think about encrypting your email, and about whether it's safe in the hands of third-party providers like Yahoo!, Google, and Microsoft.

For many users, using encryption may seem like overkill, but Michael Lucas, author of PGP & GPG: Email for the Practical Paranoid, says that it's good to have the option whether you have something to hide or not. "It's simply something in my gut that says, 'I want the option to have privacy,' and I think a lot of people feel the same way."

Lucas's book does a fine job of explaining how to use GNU Privacy Guard and Pretty Good Privacy. However, using GPG or PGP is an additional step that many users might balk at having to take.

Even if you're convinced of the need to sign and/or encrypt messages, how do you bring your correspondents on board? Lucas says that you can start by just signing messages, and "if you keep at it, people will eventually start to realize you're serious, that this is important to you. Some of them will pick up on it, and a number of people you send a PGP-signed message to will reply with an encrypted message."

If you can persuade Windows-using friends and family to use encryption, Lucas recommends Mozilla Thunderbird as a replacement for Outlook and Outlook Express, saying that Microsoft "doesn't provide clear and open access to APIs you need to write a solid plugin [for encryption] ... not to mention that the people I help with their computers, once I hook them up with Thunderbird, they stop calling me [for support]."

The law and email

You might assume that the law protects the privacy of your email, and you'd be right -- to an extent. According to Lee Tien, senior staff attorney for the Electronic Frontier Foundation (EFF), "the law protects the transmission in much the same way it would a phone call.... There are strict rules against intercepting it, and the law requires the government to get a wiretap order in order to lawfully intercept an email."

But just because the government has to get a court order to look at your email, that doesn't mean that your ISP does. Tien pointed out that a contract with your ISP may give the provider the right to scan email, and that your privacy "can be waived in a terms of service (ToS) agreement."

Right now, most of the legal protection for email -- in the US, at any rate -- is derived from the Wiretap Act. Originally passed in 1968, the Act has been updated a few times, specifically in 1986 by the Electronic Communications Privacy Act (ECPA), but it still is not well-suited to dealing with email.

When wiretap laws were first written, they were designed to cover phone calls -- communication that was ephemeral. Unless the call was recorded, no trace of the actual conversation would be left behind. On the other hand, email can be stored in multiple locations, even after the message has reached its destination, and presents new opportunities for surveillance. A copy of a message may be stored on the sender's computer, his ISP's server, the recipient's ISP's server, and the recipient's computer, as well as backups for any of the machines it has traveled through.

The law is still being established when it comes to email. For example, it took four years for courts to decide that mail sent through a server is electronic communication and not "in storage" when it comes to the Wiretap Act.

The Councilman case that set that precedent is a good example of why encryption and having control of your mail is a good idea. In this case, Interloc, a company that listed rare books, provided email services for its customers. Bradford Councilman, the vice president of Interloc, decided that the company should copy mail coming from Amazon.com to its customers. Mail sent from Amazon to customers was copied using a procmail script, so customers would receive the mail, and Councilman could also see a copy of the mail to try to use it for competitive purposes.

Initially, the courts decided that email wasn't private when it was in transit -- so messages sent through third-party servers were considered fair game for ISPs that wanted to snoop on customer communication. The First Circuit Court of Appeals overturned this, but the horse was well out of the barn at that point as far as Interloc's customers were concerned.

The bottom line is, if your email passes through or is stored on servers controlled by others, it's probably a good idea to consider encryption for any message you'd consider sensitive. It's also worth thinking about moving your email outside of third-party control.

It's also worth noting that encrypted messages only protect the content of the message. Headers and log files will still provide information about the time an email was sent, to whom it was sent, the subject of the email, attachments, and so forth. Using encryption, but sending a message through servers outside your control, means that someone with access to server logs can see who has sent and received messages, if not the content.

The perils of webmail

Webmail services like Yahoo! Mail, Gmail, and Hotmail are hugely popular. Many people use nothing but webmail, because it's a convenient way to access email from multiple locations. But Tien points out that it "introduces greater risk, because it's sitting there on another server."

It probably doesn't come as a shock that neither Lucas nor Tien uses webmail himself, nor recommends it for others. Lucas points out that when you're using webmail, "someone else is responsible for your data, and has access to all of your data."

Not only does this mean that your ISP could choose to read your email; Tien pointed out that a third party could also subpoena your ISP to get access to your communications.

Be sure to actually read any ToS document from your ISP or webmail provider, to verify what rights you may have signed over to your ISP, and what action the provider might take if subpoenaed to turn over mail stored on its server. As Lucas points out, "I would like to have the option to decide if handing over email or retaining it is worth the contempt of court charge." If a provider is faced with a court order, it's entirely possible that the ISP would turn over any requested materials without any attempt to fight a subpoena.

It's not impossible to make webmail a little more secure, if it's all that you have access to. Though most webmail clients have no facility for signing or encrypting your messages, Lucas points out that you can encrypt the message outside the client and send it as an attachment. "If you're using a Web interface where you type the message in clear text ... you're really putting a lot of faith and a lot of trust in the webmail provider."
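The two points above, that the provider still sees the headers and logs and that the attachment workaround protects only the letter itself, can be checked by building such a message and listing what a relay operator can read without any key. This is an added example, not code from the article or from Lucas's book; the addresses, the Received: hop and the armored block are constructed placeholders (a real block would come from gpg).

```python
# Added example, not from the article: what a relay or webmail operator can still read
# when the letter is encrypted outside the client and sent as an attachment.
from datetime import datetime, timezone
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import format_datetime

# Constructed placeholder; a real block comes from `gpg --armor --encrypt -r bob letter.txt`.
FAKE_ARMOR = (
    "-----BEGIN PGP MESSAGE-----\n\n"
    "hQEMA0NPTlNUUlVDVEVEAQgAcGxhY2Vob2xkZXIgY2lwaGVydGV4dA==\n"
    "=c0nS\n"
    "-----END PGP MESSAGE-----\n"
)

def build_webmail_style_message():
    """Cleartext shell typed into a webmail form; the real letter rides along as letter.txt.asc."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"   # constructed sample addresses
    msg["To"] = "bob@example.net"
    msg["Date"] = format_datetime(datetime(2006, 6, 29, 14, 5, tzinfo=timezone.utc))
    msg["Subject"] = "Q3 acquisition terms - see attachment"
    msg["Message-ID"] = "<constructed-id@example.org>"
    msg.set_content("Encrypted letter attached; decrypt with your key.")
    msg.add_attachment(FAKE_ARMOR.encode(), maintype="application",
                       subtype="octet-stream", filename="letter.txt.asc")
    # Every relay prepends a Received: header; simulate one hop through the provider.
    hop = "Received: from webmail.example.org by mx.example.net; Thu, 29 Jun 2006 14:05:10 +0000\n"
    return hop + msg.as_string()

def observable_metadata(raw):
    """Everything visible to whoever holds the server or its logs, no key required."""
    msg = message_from_string(raw, policy=policy.default)
    seen = {
        "from": msg["From"], "to": msg["To"], "date": msg["Date"],
        "subject": msg["Subject"], "message_id": msg["Message-ID"],
        "relays": [str(h) for h in msg.get_all("Received", [])],
        "attachments": [],       # (filename, size in bytes): name and size leak too
        "ciphertext_blocks": 0,  # the only part the operator cannot read
    }
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True)
        if part.get_filename():
            seen["attachments"].append((part.get_filename(), len(data)))
        if b"-----BEGIN PGP MESSAGE-----" in data:
            seen["ciphertext_blocks"] += 1
    return seen

if __name__ == "__main__":
    for key, value in observable_metadata(build_webmail_style_message()).items():
        print(f"{key:18} {value}")
```

Swapping the workaround for a proper PGP/MIME message would hide the attachment name and size inside the encrypted part, but From, To, Date, Subject and the Received chain stay in the clear either way.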

Security and privacy are in your hands

While it's unlikely in most cases that someone is trying to monitor your correspondence via email, it's worth thinking about the level of risk that you're taking on when sending email in the clear or using a third party to store email.

The odds are, if you're just sending notes home to mom, encryption and managing your own mail might be overkill. Otherwise, it might be worth thinking about whether you want to leave your unencrypted email in the hands of others.

According to Lucas, "The important thing people should remember, even if they don't buy my book or use GPG at all, is that security is in their hands.... Ultimately, you own your privacy, you own your security."
