E-mail privacy
The protection of email from unauthorized access and inspection is known as electronic privacy. In countries with a constitutional guarantee of the secrecy of correspondence, email is equated with letters and thus legally protected from all forms of eavesdropping.

In the United States, privacy of correspondence is derived from the Fourth Amendment to the United States Constitution and thus restricted by the requirement for a "reasonable expectation of privacy".

In the member states of the Council of Europe the privacy of correspondence is guaranteed explicitly by Article 8 of the European Convention on Human Rights. No public authority can interfere with the exercise of this right except "as is in accordance with the law and is necessary in a democratic society". Article 8 limits the allowed derogations to the following grounds only: "in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others".

Need

The Internet is an expansive network of computers, much of which is unprotected against malicious attacks. From the time it is composed to the time it is read, email travels along this unprotected Internet, perpetually exposed to electronic dangers.

Many users believe that email privacy is inherent and guaranteed, psychologically equating it with postal mail. While email is indeed conventionally secured by a password system, this one layer of protection is not secure and is generally insufficient to guarantee appreciable security.

Businesses are increasingly relying on electronic mail to correspond with clients and colleagues. As more sensitive information is transferred online, the need for email privacy becomes more pressing.

Risks to user

Email is vulnerable to both passive and active attacks. Passive threats include release of message contents and traffic analysis, while active threats include modification of message contents, masquerade, replay, and denial of service (DoS). All of these threats apply to the traditional email protocols:
  • Disclosure of information: Most emails are currently transmitted in the clear (not encrypted). By means of some available tools, persons other than the designated recipients can read the email contents.

  • Traffic analysis: It is believed that some countries routinely monitor email messages as part of their surveillance. This is not just for counter-terrorism reasons but also to facilitate combat against industrial espionage and to carry out political eavesdropping. However, it is not confined to national agencies, since there is a thriving business in providing commercial and criminal elements with the information within emails.

  • Modification of messages: Email contents can be modified during transport or storage. Here, the man-in-the-middle attack does not necessarily require control of the gateway, since an attacker that resides on the same Local Area Network (LAN) can use an Address Resolution Protocol (ARP) spoofing tool such as "ettercap" to intercept or modify all the email packets going to and from the mail server or gateway.

  • Masquerade: It is possible to send a message in the name of another person or organization.

  • Replay of previous messages: Previous messages may be resent to other recipients. This may lead to loss, confusion, or damage to the reputation of an individual or organization. It can cause some damage if email is used for certain applications such as funds transferring, registration, and reservation.

  • Spoofing: False messages may be inserted into the mail system of another user. This can be accomplished from within a LAN, or from an external environment using Trojan horses.

  • Denial of Service: It can put a mail system out of order by overloading it with mail shots. It can be carried out using Trojan horses or viruses sent to users within the contents of emails. It is also possible to block the user accounts by repeatedly entering wrong passwords in the login.

Because email connects through many routers and mail servers on its way to the recipient, it is inherently vulnerable to both physical and virtual eavesdropping. Current industry standards do not place emphasis on security; information is transferred in plain text, and mail servers regularly conduct unprotected backups of email that passes through. In effect, every email leaves a digital paper trail in its wake that can be easily inspected months or years later.

The email can be read by any cracker who gains access to an inadequately protected router. Some security professionals argue that email traffic is protected from such "casual" attack by security through obscurity, arguing that the vast numbers of emails make it difficult for an individual cracker to find, much less to exploit, any particular email. Others argue that with the increasing power of personal computers and the increasing sophistication and availability of data-mining software, such protections are at best temporary.

Intelligence agencies, using intelligent software, can screen the contents of email with relative ease. Although these methods have been decried by civil rights activists as an invasion of privacy, agencies such as the U.S. Federal Bureau of Investigation conduct screening operations regularly. A lawsuit filed by the American Civil Liberties Union and other organizations alleges that Verizon illegally gave the U.S. government unrestricted access to its entire internet traffic without a warrant and that AT&T had a similar arrangement with the National Security Agency. While the FBI and NSA maintain that all their activities were and are legal, Congress passed the FISA Amendments Act of 2008 (FAA) granting AT&T and Verizon immunity from prosecution.

ISPs and mail service providers may also compromise email privacy because of commercial pressure. Many online email providers, such as Yahoo! Mail or Google's Gmail, display context-sensitive advertisements depending on what the user is reading. While the system is automated and typically protected from outside intrusion, industry leaders have expressed concern over such data mining.

Even with other security precautions in place, recipients can compromise email privacy by indiscriminate forwarding of email. This can reveal contact information (like email addresses, full names, and phone numbers), internal use only information (like building locations, corporate structure, and extension numbers), and confidential information (trade secrets and planning).

In the United States and some other countries lacking secrecy of correspondence laws, email exchanges sent over company computers are considered company property and are thus accessible by management. Employees in such jurisdictions are often explicitly advised that they may have no expectation of a right to privacy for messages sent or received over company equipment. This can become a privacy issue if employee and management expectations are mismatched.

Privacy issues

After 180 days in the U.S., email messages lose their status as a protected communication under the Electronic Communications Privacy Act, and become just another database record. This means that a subpoena instead of a warrant is all that's needed to force email providers such as Google's Gmail to produce a copy. Other countries may even lack this basic protection, and Google's databases are distributed all over the world. Since the Patriot Act was passed, it's unclear whether this ECPA protection is worth much anymore in the U.S., or whether it even applies to email that originates from non-citizens in other countries.

Remedies

To provide a reasonable level of privacy, all routers in the email pathway, and all connections between them, must be secured. This is done through data encryption, which translates the email's contents into incomprehensible text that, if designed correctly, can be decrypted only by the recipient. An industry-wide push toward regular encryption of email correspondence is slow in the making. However, there are certain standards that are already in place which some services have begun to employ.

There are two basic techniques for providing such secure connections. The electronic envelope technique involves encrypting the message directly using a secure encryption standard such as OpenPGP (public key infrastructure) or S/MIME. These encryption methods are often a user-level responsibility, even though enterprise versions of OpenPGP exist. The usage of OpenPGP requires the exchange of encryption keys. Even if the encrypted emails are intercepted and accessed, their contents are meaningless without the encryption key. There are also examples of secure messaging solutions built on purely symmetric keys for encryption. These methods are also sometimes tied with authorization in the form of authentication. Authentication just means that each user must prove who they are by using either a password, a biometric (such as a fingerprint), or other standard authentication means.

The second approach is to send an open message to the recipient which does not have to contain any sensitive content but which announces a message waiting for the recipient on the sender's secure mail facility. The recipient then follows a link to the sender's secure website where the recipient must log in with a username and password before being allowed to view the message. Some solutions combine the approaches, and allow for offline reading.

Both approaches, and their related techniques, come with advantages and disadvantages, and it is today generally considered that the setup of choice varies depending on the target market and application. PKI-based encryption methodologies have limits in how efficiently they can establish secure messaging between two parties, as creation and delegation of certificates are needed prior to communication. Methods utilizing non-PKI-based encryption bring challenges in achieving a successful and secure key exchange. Having the sensitive content shipped with the email limits the sender's ability to make the content unavailable, or to control when the content should be available for consumption. If, on the other hand, the sensitive information is not shipped with the MIME stream and the sender is hosting the information on a web server, the recipient must be online to be able to read it.

At the ISP level, a further level of protection can be implemented by encrypting the communication between servers themselves, usually employing an encryption standard called Transport Layer Security (TLS). It is coupled with Simple Authentication and Security Layer (SASL), which confirms the target router's identity. This ensures that unintended servers don't end up with a copy of the email, which happens frequently in the course of normal correspondence. This method is the only method that is completely transparent to end-users and does not require the creation of individual certificates for each user. Gmail adopted TLS on outgoing mail in October 2011. Other major webmail providers such as Yahoo! and Hotmail have yet to announce any plan to adopt TLS on outgoing mail.
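
Server-to-server TLS protects a message one hop at a time, so a single relay that does not use it leaves the message in plain text on that leg. The following added example (not part of the original article) reads a message's Received headers and flags hops that were not recorded as TLS-protected; the sample message, its hostnames and the function names are constructed for illustration, and the protocol keywords are those registered by RFC 3848.

```python
import re
from email import message_from_string

# "with" keywords from RFC 3848; a trailing S means the hop used TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
CLEAR_PROTOCOLS = {"SMTP", "ESMTP", "ESMTPA", "LMTP", "LMTPA"}

# Constructed sample message (reserved example domains and addresses).
SAMPLE = """\
Received: from mx.example.net (mx.example.net [203.0.113.7])
    (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
    by inbound.example.org (Postfix) with ESMTPS id ABC123;
    Mon, 03 Oct 2011 10:00:05 +0000
Received: from relay.example.com (relay.example.com [198.51.100.9])
    by mx.example.net with ESMTP id DEF456;
    Mon, 03 Oct 2011 10:00:03 +0000
Received: from laptop.example.com (laptop.example.com [192.0.2.44])
    by relay.example.com with ESMTPSA id GHI789;
    Mon, 03 Oct 2011 10:00:01 +0000
From: alice@example.com
To: bob@example.org

Constructed body text.
"""


def _strip_comments(text):
    """Remove (possibly nested) parenthesised comments, e.g. '(using TLSv1.2
    with cipher ...)', which would otherwise be read as the 'with' clause."""
    prev = None
    while prev != text:
        prev, text = text, re.sub(r"\([^()]*\)", " ", text)
    return text


def _clause(keyword, text):
    """Return the token following a Received clause keyword, or None."""
    m = re.search(r"(?:^|\s)" + keyword + r"\s+(\S+)", text, re.IGNORECASE)
    return m.group(1) if m else None


def audit_hops(raw_message):
    """List relay hops oldest-first, each with a transport verdict."""
    msg = message_from_string(raw_message)
    hops = []
    # Every relay prepends its own header, so reverse for delivery order.
    for value in reversed(msg.get_all("Received", [])):
        text = _strip_comments(" ".join(value.split()))
        text = text.rsplit(";", 1)[0]          # drop the trailing timestamp
        proto = (_clause("with", text) or "").upper()
        if proto in TLS_PROTOCOLS:
            verdict = "tls"
        elif proto in CLEAR_PROTOCOLS:
            verdict = "cleartext"
        else:
            verdict = "unknown"                # missing or unregistered keyword
        hops.append({"from": _clause("from", text), "by": _clause("by", text),
                     "with": proto or None, "verdict": verdict})
    return hops


def non_tls_hops(raw_message):
    """Hops that cannot be shown to have used TLS (cleartext or unknown)."""
    return [h for h in audit_hops(raw_message) if h["verdict"] != "tls"]


if __name__ == "__main__":
    for hop in audit_hops(SAMPLE):
        print(f'{hop["from"]} -> {hop["by"]}: {hop["with"]} ({hop["verdict"]})')
```

Each Received header is written by the relay that accepted the message, and headers added before the message reached a server you trust can be forged, so verdicts for earlier hops are claims rather than proof.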

Although some ISPs have implemented secure sending methods, users have been slow to adopt the habit, citing the esoteric nature of the encryption process. Without user participation, email is only protected intermittently from intrusion.

A non-technical approach employed by some users is to make tapping and analysis of their email impractical via email jamming.

See also

  • Anonymous remailer
  • Cryptography
  • Data privacy
  • Email encryption
  • Email spoofing
  • Email tracking
  • Enigmail - Thunderbird plug-in
  • Firegpg - Firefox extension
  • GPGMail - OS X Mail plug-in
  • Industrial espionage
  • Internet privacy
  • Java Anon Proxy - a proxy system designed to allow browsing the Web with revocable pseudonymity.
  • Lawdex
  • Opportunistic encryption
  • Secure communication
  • Secure email
  • Secure Messaging
  • STARTTLS - opportunistic transport layer security.
  • United States v. Councilman
  • Web bug
  • Website spoofing

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 