Who's Reading Your Email?
Article by Simon Bennett, IT Director, Law firm Tarlo Lyons
Email. For most of us this has been the killer application of the Internet age. Forget mobile computing, plasma screens, writable DVDs, and Bluetooth gizmos. The one thing that has significantly changed the world is email. Modern business would find it very hard, if not impossible, to function without it. The ease with which documents can be sent from one side of the world to the other, in a clear format that can then be saved, edited and retransmitted, has changed the way we communicate. The fact that viruses and spam have found in it the ideal medium and an instantly accessible audience for their unpleasant payload is testament to the runaway success of email. There is, however, one small problem. Nothing that is sent by email is private.
Some experts liken email to sending confidential information through the post on a postcard. It can be read by the assistant in the postroom, and then the postman. At the post office dozens of people could read it. Once it gets to your house your family could read it. Literally hundreds of people could have read what's on the postcard before you, its intended recipient, get to read it. Confidential information that we are going to post is usually put in an envelope to protect it from prying eyes. We may even mark it 'Private and Confidential' and post it recorded delivery or entrust it to a courier to further ensure its contents are only read by the person for whom it is intended. We don't give email the same level of protection; we treat it like the postcard. For example, in 1999 an online bookseller that also operated an ISP service was charged with intercepting emails from Amazon.com during 1998 with a view to gaining a competitive advantage. The company was found guilty and fined.
If you think other people potentially reading your email is bad, it gets worse. Email messages give no proof of who they are from. As in the postcard analogy, they can be intercepted and read, but also modified and sent on. The address can be faked, so it would seem you are getting emails from someone who isn't actually sending you anything. This happened to a Scottish law firm last year, where an email purporting to come from a senior partner of the firm, and sent to thousands of recipients, suggested they would bend the rules to ensure that litigation was successful. This is spoofing, and it is very easy to do with a few tools readily available on the Internet. In one click of a mouse reputations can be destroyed.
So this is what happens when email leaves your organisation, but internal email between staff is still secure, right? Unfortunately not. If you leave your PC unattended, can you be sure that someone hasn't just sat at your desk and read your email, or that the network administrator isn't intercepting every email that passes across your email server?
How do we protect ourselves from these threats, or more importantly, why don't we? To answer the latter question first, I believe it's a combination of complacency and misunderstanding. Most of us probably thought our emails were relatively secure, and even if we didn't, we had never had a problem, so we continued as we always have. Take the rise in spam and email viruses over the last few years as an example: most companies and quite a number of private individuals now have protection, but it wasn't always this way. Only when the problem directly affected those concerned did they take action. The problem with email security, or lack of it, is that your emails are probably being read without your knowledge right now, but this is not obviously affecting the way you work. When your firm's salary information is posted on the Internet, or when you are sued by a client for breach of confidentiality, it could be too late.
So how do we protect ourselves? Well, without going into too much technical detail, there are two types of encryption for email. These are S/MIME and PGP, and there is very little to choose between them. The main (non-technical) difference between them is that S/MIME tends to be integrated into an email package and PGP is usually integrated into a stand-alone product. This is an important difference. S/MIME tries to be seamless with the particular email package it is installed with, which could allow it to be compromised by an outside source (e.g. an email could be made to appear to have been decrypted when in actual fact it had not). As PGP is stand-alone, it is independent of the email client and requires the user to physically decrypt the email, therefore removing the possibility of compromise.
There are also two concepts to understand. One is the difference between a digital signature and data encryption, and the other is the idea of public and private keys.
Basically, a digital signature authenticates the identity of the sender of an email or the author of a document. This way you can be sure that an email definitely came from the person who appears to have sent it. Encryption is the process of turning a document or message into unintelligible text; decryption then converts it back to its original form.
Public and private keys are slightly more complex. These are used to encrypt and decrypt a message or file. Usually the public key is used to encrypt and the private key to decrypt. The best way of getting to grips with this is to imagine a box with two keys. Key A opens the box and Key B locks the box. I make lots of copies of Key B and hand them out to all my contacts. It doesn't matter who gets a copy of Key B, because all it can do is lock the box; it can't open it. When you want to send me some information you put it in the box and lock it with Key B. As only Key A can open the box, the contents are safe on their journey to me. I can then open the box with the only copy of Key A. This is how public and private keys operate, with the public key the equivalent of Key B and the private key the equivalent of Key A.
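The box with two keys and the signature check described above, as an added example that is not part of the original article: textbook RSA in Python using only the standard library. The key pairs are constructed from well-known Mersenne primes and use no padding, so they show the mechanics only; the function names and the sample message are assumptions made for the example.

```python
import hashlib

E = 65537  # widely used public exponent

def make_keypair(p, q):
    """Public key = Key B (locks the box); private key = Key A (opens it)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent: inverse of E
    return (n, E), (n, d)

def encrypt(public, message):
    n, e = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)

def decrypt(key, ciphertext):
    n, exp = key
    m = pow(ciphertext, exp, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def _digest(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private, message):
    n, d = private
    return pow(_digest(message, n), d, n)  # only the private key holder can do this

def verify(public, message, signature):
    n, e = public
    return pow(signature, e, n) == _digest(message, n)

# Constructed toy keys (Mersenne primes); real keys use random primes and padding.
RECIPIENT_PUB, RECIPIENT_PRIV = make_keypair(2**127 - 1, 2**521 - 1)
SENDER_PUB, SENDER_PRIV = make_keypair(2**107 - 1, 2**607 - 1)

def demo():
    body = b"Completion is set for Friday."      # constructed sample message
    box = encrypt(RECIPIENT_PUB, body)           # locked with the recipient's Key B
    sig = sign(SENDER_PRIV, body)                # signed with the sender's private key
    opened = decrypt(RECIPIENT_PRIV, box)        # opened with the recipient's Key A
    return {
        "decrypted": opened,
        "genuine_ok": verify(SENDER_PUB, opened, sig),
        "altered_ok": verify(SENDER_PUB, b"Completion is set for Monday.", sig),
        "public_key_opens": decrypt(RECIPIENT_PUB, box) == body,
    }

if __name__ == "__main__":
    print(demo())
```

The altered body fails verification against the sender's public key, which is the property that exposes a modified or spoofed message.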
One product that stands out is FileAssurity Open PGP by ArticSoft. FileAssurity Open PGP makes encryption simple to use. Apart from understanding the two concepts above there is nothing to it. Files and emails can be encrypted, digitally signed and securely deleted. The product is independent of any email platform and works just as well with instant messenger. The product comes in three parts: a key manager to generate and import public and private keys, a secure text editor to encrypt text, and functionality to encrypt files on your PC. I set the program up on my office PC and my home PC a week ago and have been successfully sending secure emails between my office and home email accounts. The first thing to do is to generate a key pair (public and private keys). The software package can do this for you, or you can import a commercially generated key pair, for example from Thawte or Verisign. The public key must then be sent to the person from whom you wish to receive encrypted information. The sender encrypts information by typing or pasting it into the Secure Text Editor, where it can be emailed directly through whichever email client you are using. Files can be encrypted by right-clicking the file and selecting protect. Once the encrypted text is received it can be decrypted by pasting it into the Secure Text Editor, or files can be decrypted simply by double-clicking them. Overall it's very simple to use.
One area of concern when using PGP is how you control the use of encryption. It's not only the overhead of managing everyone's keystore, but the fact that encrypted information is being sent out in the name of the organisation. This is of particular interest to law firms, where the partners are potentially personally liable for all communication by the law firm. ArticSoft provide a Central Administrator program to centrally generate and store employee keys so they can be easily revoked and overridden if necessary. For example, if an employee were to leave, any encrypted data they had could be decrypted centrally if necessary. The Central Administrator can also set policies to manage what employees can do. For example, an employee can be prevented from creating their own keys and be forced to use a key centrally generated on their behalf. Finally, the system can revoke access to the ArticSoft program if it is not connected to the central database at a set interval. This is particularly useful if a laptop is lost or stolen.
We send over 31 billion email messages worldwide every day, and most of these are relatively easy to intercept and read. This is now the biggest threat to business communication, as most organisations have the risk of spam and viruses under control. The main problem here is complacency, as the damage caused by the interception or modification of business email does not have the obvious repercussions of a major virus outbreak. However, it can be just as serious, with loss of credibility, leaking of sensitive information, and possible blackmail.
Simon Bennett is the IT Director for Tarlo Lyons, the London law firm focussed on delivering commercial solutions for technology-driven business. He has an extensive background in evaluating and selecting computer applications and products in support of legal and forensic services.