Guide to Private Free Encrypted Email


By JimmyTH

Truly Private Mail

Suffolk mailbox by OldGreySeaWolf at http://www.morguefile.com/archive/display/209538

In This Article:

  • Email Insecurities
  • Reasons for Concern
  • PGP Encrypted Email
  • Secure Webmail
  • Portable and Desktop Freeware


Letters Without Envelopes

Those of us who lived a reasonable portion of our lives before the internet are accustomed to the privacy of mail. Tampering with snail mail is a federal crime, and the privacy of our hard copy communications is a right we take for granted. Switching from real mailboxes to email accounts, we expect the same privacy for our internet missives. We don't get it.

In your PC's email client, as you're writing, your message is still aboard your system and safe from view by internet snoops, assuming your system hasn't been compromised by trojan software. When it leaves your desk it's open for viewing by anyone with access to the email server. The most likely place for an unencrypted email to be intercepted is the junction between the email server and the internet at large -- the bottleneck through which everything in your area passes. On a company level there will be an equivalent junction open to the scrutiny of able IT techs and executives, and at the community junction government programs like Carnivore and Omnivore lurk, scanning for suspicious language that will require the attention of a real human.

Intermediate server systems store the messages temporarily if the destination server is busy. While banks, online retail outlets, and all reputable internet entities which gather personal information from their customers do operate on secure servers, many email providers do not. At every stage your message could be intercepted.

Not Without Problems

GnuPG offers two key storage systems, one of which worked for me.

Once in the recipient's email account inbox, the security of that message depends on the security level of the owner's password. The most common password is still "password." Depending on the competency of your email contacts is unwise.

Legally there has been pressure from governmental entities to reduce the privacy of internet e-mail rather than protect it. The original condition of the system allowed convenient governmental supervision of all communications, something which would never have happened voluntarily but is difficult to change now that it has happened accidentally. What's in an email that you should be concerned about? Your identity, in the form of an IP number; your location; and considerable personal information mine-able from the settings you've chosen and from your message. Even if you send a blank page, these identifying tags precede it.
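To see what those identifying tags look like, the following added example (not part of the original article) uses Python's standard `email` module to pull the metadata out of a message with an empty body. The sample message is constructed for illustration; every host name, address and ID in it is a placeholder.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: a blank message as the receiving server would store it.
# Hosts and IPs are placeholders (documentation address ranges).
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbox.example.org with ESMTP id ABC123;
\tTue, 02 Mar 2010 09:15:44 -0500
Received: from [192.168.1.23] (dsl-203-0-113-45.isp.example [203.0.113.45])
\tby mx.example.net with ESMTPA id XYZ789;
\tTue, 02 Mar 2010 09:15:41 -0500
Date: Tue, 02 Mar 2010 09:15:40 -0500
From: Pat <pat@example.net>
To: safety-hotline@example.org
Subject:
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
Message-ID: <4B8D1C2C.1000001@example.net>

"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def leaked_metadata(raw):
    """Return the identifying details carried by the headers alone."""
    msg = message_from_string(raw)
    # Each server prepends its own Received line, so the LAST one in the
    # file is the hop closest to the sender's own machine.
    hops = msg.get_all("Received", [])
    # In the first hop, the address the server actually observed is the
    # last bracketed one; the earlier one is the name the client claimed.
    origin = IPV4.findall(hops[-1])[-1] if hops else None
    sent = parsedate_to_datetime(msg["Date"])
    return {
        "hops": len(hops),
        "origin_ip": origin,
        "all_ips": [ip for hop in hops for ip in IPV4.findall(hop)],
        "utc_offset_hours": sent.utcoffset().total_seconds() / 3600,
        "client": msg.get("User-Agent") or msg.get("X-Mailer"),
        "body_chars": len(msg.get_payload().strip()),
    }

if __name__ == "__main__":
    for field, value in leaked_metadata(SAMPLE).items():
        print(f"{field}: {value}")
```

Encrypting the body with PGP changes none of these fields: the headers still travel in the clear.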

Arguments for not worrying about this include the fact that most of your personal email communications are not important, only friendly. If anybody does intercept them, it won't matter much--and who would care enough to look? If you've not been doing anything wrong, why should you worry?



Have you ever been critical of someone for whom you worked, a company or an individual, and dropped a few remarks privately in an email to someone you trust who uses a company email address? The next time you have a performance review, those emails may be in a stack on your boss's desk. It's perfectly legal. If you email messages you wouldn't carbon copy to your boss, you have reason to be concerned.

Have you ever needed to report a safety issue where you work and feared reprisals if you did? Probably there's a convenient company email address for that and a copy of any report you make to corporate headquarters will go directly to your boss's desk. Your privacy is assured, officially. Your name may be expunged from the message, but your IP will not. Think you can do it anonymously with an online name and webmail? Anonymous email is illegal in the U.S. -- all email is traceable to a real person. You can send a letter without a return address, but not an email.

All these things have happened either to me or to people I know in recent years, and they could happen to you. Even if you never have those problems, you should be outraged that they exist. Big Brother is watching. Heck, even Little Brother is watching. If the email message you are writing is one you'd put in a sealed envelope but not on a postcard where your mailman and anyone else down the line could read it, you should be concerned about email security.


The Enigmail Plug-In

With GnuPG up and running, installing Enigmail was simple.

Sparring with Big Brother

The same technology that made our private communications open to the public view can lock that door again. Email encryption software is so efficient that, without the key file, recovering the message may take hundreds of years. Using encryption within your email client takes extra work on your part and an equivalent effort by those who receive your encrypted emails and documents. Since most recipients on your list won't go through those steps and don't already have encryption systems compatible with yours, most of the time you'll be speaking in the open anyway. But with the encryption option available, you can seal critical information exchanged between you and a few important contacts. Even on open email servers, the message cannot be read. Before it leaves your system, the email is encrypted; the email is not decrypted until it reaches the destination and the recipient orders it to unravel.

Email encryption under the PGP (Pretty Good Privacy) standard or one of the several open source equivalents requires key pairs, one public and one private. Understanding how PGP encryption key pairs work isn't necessary to using them. Outlook Express includes PGP support, and if you use a different open source email client, like Thunderbird or Claws, plug in Enigmail -- an equivalent to PGP which operates through the free key server from GnuPG. While not easy to do, this is not beyond the reach of anyone who can set up their own email client. If you need to download your email provider's software to make your account work, you may be overmatched by this task. Even though it's a step-by-step task, the procedure was written by programmers who think everyone knows this already. Ferreting out the actual steps from the information supplied is an afternoon's work for anyone who isn't an IT tech.

For business communications Enigmail or its equivalent is worth the investment of time and trouble. For everyday communications, it's awkward.

Crypto Anywhere

Free, portable, and off-the-net keys.

Feint Left, Dodge Right

For the person who only occasionally needs the privacy of secure email, like most of us, more convenient options abound in the form of free, secure web-based email services. Though not one hundred per cent protected, many free email providers offer secure webmail accounts with encryption and practical security features like protection against copy & paste and quick shredding of outdated files. If they are based in the same country where you reside, their vaults are not sacrosanct, and should the government have legal reason to look at your files they will be opened. Determined civilian spies might be able to crack some of these systems at the server junction, but ordinary users will not. These secure email services offer a level of security which for most of us is adequate for private communications.

Years ago my favorite was Ziplip, a company which intended to bring private communications to everyone for free. With many excellent security features and a convenient interface, it seemed like the place to occasionally go when I needed a private conversation. Unfortunately, Ziplip's free service isn't there any more -- at least not where I can find it.

Perfectly Private secure server encrypted email endures, however. With a three week inactivity limit on free accounts, either you'll use this one all the time or you'll be setting up a new account with them every time you need their services. Setting up a new account really does take under a minute. If the recipient of your message also uses PP or Hushmail, PP's email security is solid. The encrypted email message never leaves their secure email server until the recipient eyeballs the information. If the message travels outside the protected zone, it moves on an SSL server, with the same level of security applied to credit card transactions online. Signing up requires no personal information. All you have to do is pick an unused name for your email address and generate a password.


Perfectly Private -- Hushmail's Flip Side

Hushmail's email service with different advertising. Still good.

Although Hushmail received criticism for allowing the Canadian government to access a couple of customers' accounts, if you've done nothing that will justify legal scrutiny this secure email service will eliminate most security problems. While their basic encrypted webmail service is free, secure desktop service requires a small yearly fee. Plugins are available for major email clients including Outlook Express and Thunderbird.

Within a corporate server, sending encrypted emails may do nothing more than bring down wrath upon you. If it isn't company business, the company can argue that you're stealing company time. Should you try it, you might put your job at risk. If you have legitimate business reasons for a private communications channel on the intranet, consider Crypto Anywhere. CA must be installed by both users, but can be installed to a portable drive and used on any PC with a compatible operating system. CA generates its own key pairs, one of which will have to be exchanged with your confidant. The free version allows message text but no attachments. Bypassing the usual email server is possible -- when I tested it at home, that didn't work. The fault may be mine and I haven't quite given up.

If you are more concerned about encrypting a document than sending a secure message, IOPUS is a freeware desktop program which creates an encrypted email attachment. A password will be required to decipher it at the recipient's end. With IOPUS the encrypted attachment may be screened out by the anti-virus software at either end, and if so, permissions will have to be granted for the document to go through. Unless you use some secure messaging system to transmit the password separately, there's no point to all this. In the open message you might ask a question to which only the recipient knows the answer, and make that the secret password for the encrypted document. Security depends on the quality of the password ultimately, although in transit the attachment is encrypted and unreadable. Reading the message depends on a password the recipient can figure out, so a string of 86 random characters might be as solid as a bank vault but impractical in actual use.


Encrypted Attachments, Anyone?

Extreme cooperation from recipient very importantly, yes.

And the Winner! Us?

Let's face it, we are the underdog here. Big Brother and Little Brother have all the advantages, but privacy is still our personal right even though it may have already been permanently lost at the corporate level. There are still ways for law abiding citizens to speak in private, and there are legitimate reasons for wanting to do that. Claiming this privilege requires some extra work on your part, and whoever you speak to will also need to put on the Cone of Silence. Is it worth the trouble?

Use this test: this week, email a carbon copy of every message you write to everyone in your address book. If that doesn't bother you, you don't need secure email. If everything you say could safely and comfortably be expressed on the back of an open postcard, you're fine with ordinary email and no precautions are needed.

Otherwise, invest some time in setting up a simple private email system. No one has rights unless they're used.

