E-Mail Privacy
By Ian Scott
Let’s carry on our discussion a bit, from last night regarding expectations of privacy. And in that context, let’s talk about e-mail. Most people I know that use e-mail, give no thought to who may read their messages before it arrives in the in-box of the intended recipient. E-mail seems so instantaneous, doesn’t it?
Lawyers send private and privilidged documents back and forth, lovers send little notes, and businesses will send information that should be confidential, all via e-mail and they all seem to have some expectation of privacy in their electronic communications. Absolutely nothing could be further from the truth, however.
I’m not sure who first said, “E-mail is about as private as a postcard.” And this statement is very true. What sort of information would you send to someone on a postcard?
Not only that, the U.S. courts have maintained that you should not have any expectation of privacy with your e-mail as well! In other words, at least in America, you have no constitutional right to expect private e-mail communications.
On my other blog, I wrote the following recently:
U.S. Courts Limit E-Mail Privacy
”
That subject line is probably a bit misleading. From my reading, it seems that the U.S. Court of Appeals for the 1st Circuit in Massachusetts has basically said you can’t expect any privacy in your email communications.
The Washington Post reports:
“The 2-to-1 decision by a panel of the U.S. Court of Appeals for the 1st Circuit in Massachusetts alarmed privacy advocates, who said it torpedoes any notion that e-mail enjoys the same protections as telephone conversations, or letters when they are sorted by mail carriers.
The court ruled that because e-mail is stored, even momentarily, in computers before it is routed to recipients, it is not subject to laws that apply to eavesdropping of telephone calls, which are continuously in transit. As a result, the majority said, companies or employers that own the computers are free to intercept messages before they are received by customers.
“This puts all of our electronic communication in jeopardy if this decision isn’t reversed.” said Jerry Berman, head of the Center for Democracy and Technology, a public interest policy group.”
I’ll say it’s in jeapardy! Time for you to start learning about GPG or PGP, if you ask me.
I’ve been using GPG for a long time now, and prefer to sign all my email and encrypt it whenever possible. It’s not that I’m paranoid about my communications or think anyone has any good reason to snoop or attempt to intercept email from me to any of those I may communicate with electronically, it’s just that I like my messages to be private.
E-mail without encryption is about as secure as a postcard. And much of my email contains information that I’d never write on the back of a postcard.
I was trying to explain this to my son the other day, and sent myself an email. Before I retrieved it from the server, I logged into the server and opened my email file in a text editor. Any email server administrator can do this to anyone’s email.
But not only can an email server admin. do this, anyone who can crack (hackers are good guys - it’s the crackers who wear black hats) into the server will also have the ability.
But getting back to the privacy issues - the expectation of privacy in the United States at least has now disappeared as far as your e-mail. According to the Washington Post article, one dissenting judge wrote that this decision “will have far-reaching effects on personal privacy and security.”
“Like several privacy advocates, the judge raised particular alarm over what the decision might mean for the ability of law-enforcement to monitor e-mail.
Based on the court’s ruling, law enforcement officers would need only a search warrant to gain access to e-mail before it reaches its recipient, instead of a wiretap order, which can be far harder to obtain.
The decision, Lipez said, “would undo decades of practice and precedent regarding the scope of the Wiretap Act and would essentially render the Act irrelevant to the protection of wire and electronic privacy.”
This is dangerous stuff.
Something else a lot of people don’t seem to realize is that email can be easily modified as well. Imagine you’re waiting for an e-mail from your lawyer as to whether or not you need to be attending court today. It’s a big case, worth something big (could be money or jail time). An entity that doesn’t want you appearing in court today could have someone attempt to crack the email server and modify the line the lawyer’s email from:
“Please be in court today.”
to:
“No need to be in court today.”
If the message was digitally signed, and you used GPG or PGP, you’d know immediately that the signature was not valid. There’d be a possibility the e-mail was tampered with and you could have a “heads-up” that something might not be quite right.
It’s really not that hard to do on some systems - especially older systems that haven’t been patched.
If you’re interested in learning more about GPG or PGP, let me know. I’m working on an outline for a class on teaching some basic privacy and encryption lessons. At first, GPG/PGP can be a bit confusing and probably one of the reasons why many don’t bother with it. But there are a number of great e-mail applications today that make the process pretty seemless without much user input required. But still, understanding some basics is important in order to ensure your security in your communications.
With this Court decision, you should be pretty motivated to learn a bit more on securing your communications anyhow.
If you already use PGP or GPG (I prefer GPG as it’s open source and free to use both for personal or business use) and want to communicate with me, my key ID is: 0×319CE936
My public key is available on the keyservers.”
Read more in: Privacy |