Just how secure is email, anyway?

Email is ubiquitous and convenient, yet surprisingly not very secure. I'll look at why that is and when you should worry.

My business requires the emailing of some sensitive information on a regular basis. I have spoken with my boss and co-workers about all of us using an encrypted email system, but no one seems to think there is a significant threat or danger out there to require these extra steps in security. Can you offer any data to help me convince them that this is a good idea?

Actually, I don’t have hard data to say one way or the other. The risk depends on too many factors for any data to apply to a specific situation.

But we can definitely look at some of the specific factors.

Practical risk

Your scenario of confidential business-related information warrants some consideration, but I want to first discuss the more general case for the average email user.

To be blunt, my experience is that most people have an over-inflated sense of risk when it comes to threats and technologies that they don’t understand.

And to be sure, email and how messages make it from your computer to mine when you press “Send” is something that the average computer user not only doesn’t understand, but has no reason to understand.


As a result, sometimes threats that should be of concern are overlooked and issues that are really no threat at all prevent people from using the technology to its fullest – or perhaps cause them to avoid it altogether.

What is possible

It is possible to sniff and eavesdrop on email conversations.

It’s also not particularly easy, unless you’re on an open WiFi connection.

By default, the contents of email are not encrypted or obscured in any way. As a message travels from your computer to your mail server to my mail server and finally to my PC, it’s stored in formats that are easily read by anyone who has access and cares to do so.

Let’s examine those two criteria in more detail.

Who has access to your email

Anyone who has access to the network, network equipment, mail servers, or PCs across which your email travels could potentially read your mail. So just who are those people?

  • Anyone with access to your machine has several ways that they could examine your email conversations – from installing spyware of some sort to copying your mail folders to their remote location to simply opening up your mail program and reading your mail.
  • Malware is really a special case of someone having access to your machine. The concern behind malicious compromise of your machine is that malware can gain access to more than just email. Even the act of simply typing your message could be recorded and examined if malware is present.
  • Other machines on your network may be able to see your email as it’s transmitted between your machine and your mail server when you send or receive. I say “may” because it depends on exactly how your network is configured. The most obvious case is an open (unencrypted) WiFi hotspot where any machine connected to the hotspot can see all of the data that’s being sent and received by the other machines on that same hotspot.
  • Your ISP can examine all of the data that you send and receive on the internet simply as a side effect of providing your connection to the internet.
  • Your email provider can examine your email simply as a side effect of providing your email service. Included in this would be your email provider’s own networking and hosting providers as well.
  • Your recipient’s email provider, just like yours.
  • Your recipient’s ISP: once again, just as your ISP can see everything you do, your recipient’s ISP can see everything they do.
  • Other machines on your recipient’s network have the same issues as the security and configuration of your own.
  • Malware on your recipient’s machine puts your conversation at risk just as much as if it were on your machine.
  • Anyone with access to your recipient’s machine naturally can do whatever the recipient could, and thus could read, copy, or otherwise access your email conversation.

This seems like a long list of entry points – points at which your email could be exposed to prying eyes.
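The servers on that path each stamp a `Received:` header on the message, so a delivered email shows which hops it crossed and whether each hop recorded TLS. The following is an added example, not part of the original article; the sample message, host names and addresses are constructed, and the protocol keywords are the registered `with` values (ESMTPS, ESMTPSA and so on).

```python
import re
from email import message_from_string

# Constructed sample message; every host, address and ID is made up.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.7])
    by store.recipient.example with LMTP id C3;
    Mon, 01 Jan 2024 10:00:03 +0000
Received: from out.sender.example (out.sender.example [198.51.100.9])
    by mx.recipient.example with ESMTP id B2;
    Mon, 01 Jan 2024 10:00:02 +0000
Received: from laptop.cafe.example (unknown [192.0.2.44])
    (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
    by out.sender.example (Postfix) with ESMTPSA id A1;
    Mon, 01 Jan 2024 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: constructed sample

Hello
"""

# "with" keywords that record TLS (trailing S or SA) and ones that do not.
TLS_PROTO = re.compile(r"^(?:ESMTP|LMTP|UTF8SMTP|UTF8LMTP)SA?$")
PLAIN_PROTO = re.compile(r"^(?:SMTP|ESMTP|LMTP|UTF8SMTP|UTF8LMTP)A?$")


def strip_comments(value):
    """Remove parenthesised comments, innermost first, so nested ones go too."""
    prev = None
    while prev != value:
        prev, value = value, re.sub(r"\([^()]*\)", " ", value)
    return value


def clause(name, text):
    """Return the token following a 'from' / 'by' / 'with' keyword, if any."""
    m = re.search(rf"(?:^|\s){name}\s+(\S+)", text, re.IGNORECASE)
    return m.group(1) if m else None


def trace_hops(raw_message):
    """List the hops in the order the message travelled."""
    hops = []
    received = message_from_string(raw_message).get_all("Received", [])
    # Each server prepends its header, so the oldest hop is last in the file.
    for value in reversed(received):
        # Drop comments (they may contain "with cipher ...") and the date part.
        text = strip_comments(value).rsplit(";", 1)[0]
        proto = (clause("with", text) or "").upper()
        if TLS_PROTO.match(proto):
            status = "tls"
        elif PLAIN_PROTO.match(proto):
            status = "plain"
        else:
            status = "unknown"   # non-standard keyword or none recorded
        hops.append({"from": clause("from", text), "by": clause("by", text),
                     "with": proto or None, "status": status})
    return hops


def unencrypted_hops(raw_message):
    """Hops for which the receiving server did not record TLS."""
    return [h for h in trace_hops(raw_message) if h["status"] != "tls"]


if __name__ == "__main__":
    for hop in trace_hops(SAMPLE):
        print(f'{hop["from"]} -> {hop["by"]}: {hop["with"]} ({hop["status"]})')
```

Each header is written by the server named in its `by` clause, so the older lines are only as trustworthy as the servers that relayed them, and a hop marked `tls` still leaves the message readable on the servers at both ends of that hop.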

Why you needn’t panic

When most people see the list above, they immediately focus on the items outside of their control.

I get constant comments that either imply or flat out accuse email providers and ISPs of maliciously reading email that they have no business reading.

In my opinion, that’s unwarranted paranoia speaking. These businesses are too busy to have the resources to do so, and too competitive with each other to allow something like that to happen in any systematic or organized way that might some day become public knowledge.

That’s not to say that there aren’t incidents of breaches from time to time – and formerly trusted employees have been fired or even jailed as a result. What I am saying is that these are the exceptions rather than the rule.

Nope, the real risk (if there is to be any) is at the points that you do control.

If there’s risk, it’s at the endpoints

I honestly believe that if there is going to be risk, the greatest risk to email privacy is at the sending and receiving endpoints.

In other words, the actions of malware on your machine, or someone walking up to it and poking around, or your own actions misdirecting an email message present a much greater risk than anything that might happen once the message is in transit.

As a result, the most important thing that you can do to secure your email is to secure your computer and your own practices in dealing with your computer and the internet.

If there’s risk, that is.

You’re just not that interesting

I hate to break it to you, but by and large, you and I … well, we’re just not that interesting.

Even if people had an opportunity to read our email, they probably wouldn’t. In all likelihood, 99% of all email is incredibly boring unless you’re the sender or the intended recipient.

Even so-called “confidential” information isn’t shared much via email – simply avoid emailing things like social security numbers, passwords, credit card numbers, and the like, and you’ll be 99% protected right there. Heck, by now, it should be common knowledge that any email that asks you to reply in email with information that includes your password is almost certainly a phishing attempt. Sending that kind of information via email is simply a bad idea.

So don’t do it.

Everything else that you do in email is probably pretty boring stuff – I know mine is.

But what if you are interesting?

Your question included two very important words that might make things more … interesting: “business” and “sensitive information”.

Email privacy does start to make sense if you have legitimate reason to be concerned that your email might be intercepted, and/or if the cost of such an interception is unacceptably high.

So the first question that you need to ask yourself is, “Am I really a target?” Most people are not. Most businesses are not. Many might think they are, but in reality, no one cares. On the other hand, if you’re communicating on sensitive things that you know are the focus of possible industrial, political, or personal espionage then yes, you might have a legitimate concern.

The next question is, “What’s the downside of someone else seeing this?” Again, in most cases, the cost is negligible … a little embarrassment at most. If, on the other hand, that communication landing in the wrong hands could cause serious damage, then it’s also time to consider approaches.

And as a business, if there are legal ramifications to information leakage, or actual laws requiring a heightened level of privacy and security, then whether actually warranted or not, you may be required to take additional steps.

Then you have exactly two options:

  • Avoid email altogether
  • Encrypt

Alternatives to email

The most important aspect of an email alternative is that you control or understand the entire path that your sensitive information might take on its way from point A to point B.

My online brokerage is a good example. They do not email statements, but rather, they use email to notify me that a statement is available. I can then login securely to my account on their website and download my sensitive information.

Not only is the path a direct one – from their server to my PC – but it’s encrypted via https, so that even someone at my ISP who’s watching the data stream would be unable to decipher its contents.

They control their server, I control my PC, and the path between the two is obscured from any third-party prying eyes.

You could set up access-controlled shares on your company’s network or servers, or even go so far as to write a custom application that requires not only additional security to access the data, but could impose a higher level of obfuscation on the data as it traverses the internet.

Just make sure you have someone who is a security professional doing the work – it’s easy to think that you got security right when, in fact, you did not.

Encryption

The most practical solution for most people, which you are trying to advocate for, is simply encrypting your data before it’s emailed.

The problem here is that encryption schemes for email are generally not as inter-operable as we’d like. If you can standardize on a solution that works for all of your senders and recipients, then your email problem is mostly solved. While some solutions are free, often they involve third-party software and periodic fees.

If you’re doing it on your own, and your correspondents may be running a different email client or perhaps even a different operating system, things get more difficult. Personally, I’ve not found a good solution that integrates well with various email clients. My approach instead is to send encrypted attachments. By that, I mean:

  • I write my message using a plain text editor or word processor and save it to disk
  • I use a tool to encrypt that file. Candidates are 7-zip (using ZIP format), AxCrypt, PGP/GPG and TrueCrypt, although there may be other viable alternatives as well. ZIP files are perhaps the most easily interchanged, and current implementations provide good encryption.
  • I send the encrypted file as an attachment to my recipient.
  • I also send to the recipient – through a different channel – the password or whatever other information he will need to decrypt the file.

It is somewhat cumbersome, but if you can agree on an encryption tool, it works in almost all environments, and with any email client that can send an attachment.
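The four steps above, scripted as an added example (not the author's own tooling). It assumes GnuPG 2.1 or later is installed as `gpg`, picks GPG's passphrase-based mode from the list of candidate tools, and uses hypothetical function names and constructed addresses.

```python
import secrets
import subprocess
import tempfile
from email.message import EmailMessage
from pathlib import Path


def gpg_symmetric(data: bytes, passphrase: str, decrypt: bool = False) -> bytes:
    """Encrypt (or decrypt) bytes with GnuPG's passphrase-based mode.

    Raises subprocess.CalledProcessError if gpg fails, for example when the
    passphrase is wrong.
    """
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp, "gnupg")
        home.mkdir(mode=0o700)            # throwaway keyring directory
        src = Path(tmp, "input.bin")
        src.write_bytes(data)
        mode = ["--decrypt"] if decrypt else ["--symmetric", "--cipher-algo", "AES256"]
        cmd = ["gpg", "--homedir", str(home), "--batch", "--yes", "--quiet",
               "--pinentry-mode", "loopback", "--passphrase-fd", "0",
               "--output", "-", *mode, str(src)]
        # The passphrase goes in on stdin so it never shows in the process list.
        done = subprocess.run(cmd, input=passphrase.encode() + b"\n",
                              capture_output=True, check=True)
        return done.stdout


def build_message(sender, recipient, ciphertext, filename="message.txt.gpg"):
    """Wrap the encrypted file in an ordinary email as an attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    # Headers and body text are NOT encrypted: keep anything sensitive out.
    msg["Subject"] = "Encrypted attachment"
    msg.set_content("The attached file is encrypted. "
                    "The passphrase will reach you by a different channel.")
    msg.add_attachment(ciphertext, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg


def prepare(plaintext: bytes, sender: str, recipient: str):
    """Return (email to send, passphrase to hand over by another channel)."""
    passphrase = secrets.token_urlsafe(24)    # random, never put in the email
    ciphertext = gpg_symmetric(plaintext, passphrase)
    return build_message(sender, recipient, ciphertext), passphrase


if __name__ == "__main__":
    # Constructed sample text and addresses.
    msg, passphrase = prepare(b"Constructed sample: Q3 figures attached.\n",
                              "alice@sender.example", "bob@recipient.example")
    print(msg["Subject"], "-", len(msg.as_bytes()), "bytes on the wire")
    print("Give this passphrase to the recipient by phone or in person:", passphrase)
    attachment = next(msg.iter_attachments()).get_content()
    print(gpg_symmetric(attachment, passphrase, decrypt=True).decode(), end="")
```

The recipient needs only GnuPG and the passphrase: `gpg --decrypt message.txt.gpg` prompts for it.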

You’ll notice that encryption is a cornerstone of even the non-email solutions.

Skeptical?

If all this sounds like I’m skeptical … it’s because I am. In my opinion, most people who think they are targets are, in fact, not.

But what if you really are? If electronic communication is a necessity, then encryption, good encryption, is a must. Things can be a little more complex than we’d like, but if it’s important then you simply cannot ignore it.

It’s one more reason why truly secure information is often best handled in phone calls or in-person meetings, rather than email.

A special note: open WiFi hotspots

The one place where the average person may well be at much more risk than they realize is in open WiFi hotspots. It’s fairly easy for anyone there to “listen in” on the data flowing to and from your machine. There, you need to be encrypted one way or another. See “How do I use an open WiFi hotspot safely?” for the steps that you need to take if you use a public WiFi hotspot.

(This is an update to an article originally published November 13, 2005.)

There are 38 comments:

  1. Finn61 Reply

    I disagree with the tone of this response. Comparing email to online purchases is misleading. Almost all reputable online retailers will use encrypted HTTP to perform transactions over the web (usually your browser will notify you of this by displaying a padlock or similar icon when browsing a secure page). On the other hand, email, by default, is transmitted as plain text. Like most data on the internet it also passes through many networks and servers on the way from source to destination. It would be trivial for any one of these intermediaries to automatically take a copy of all emails that contained credit card numbers. The fact that 99% of emails are boring is meaningless to a program searching for key words. As such I would advise your readers to always think before sending sensitive or financial information via email and follow your practice of encrypted attachments when required.

  2. Rick Reply

    There are email services available that use encrypted links by default. A list of providers and further discussion can be found at novo-ordo.com. While it is true, few people are targeted, I suspect the environment is becoming more hostile for the average Joe.

  3. Leo Reply

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    I don’t think so.

    Leo

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.7 (MingW32)

    iD8DBQFIKfNgCMEe9B/8oqERAtvJAJ9tMOQ/ZR5c94ps/s3MleIpj8RO9gCfbpST
    zspatixw/uu+i/BPrC5CarM=
    =XJ/5
    -----END PGP SIGNATURE-----

  4. monty Reply

    With all the hype nowadays with hackers and systems being sabotaged and/or compromised, I too was concerned with my company’s safety and security when it comes to email information going over the airwaves. I did a lot of research into getting our own system and I found out pretty quickly that it can get very expensive and up into the 40-50k range to secure your emails with different sophisticated systems out there. Well, I did my job and did more research; I found a company that specializes in this market and saved thousands of dollars. The company is called http://www.global-datasolutions.com and we now have a pretty sophisticated system in place through them, using desktop PGP, and we are also using the BlackBerry devices through them as well, equipped with PGP. It’s a pay-as-you-go service and it includes unlimited worldwide roaming/24-7 tech support/the BlackBerry device of your choice and best of all they customized the plans according to our own specific needs.
    If you need security, go and check them out; you will save tons of money.

  5. Frank Hughes Reply

    Yes, solutions can be expensive, but what is the cost when one of your associates in human resources sends your 15,000 employees’ SSNs to the wrong address and it gets picked up by the media? Hosted off-site solutions work, but add more critical components that must be safeguarded. If the hosting company has a leak, your customers still ascribe the blame to you.

    Consider the options surrounding the choice to encrypt and whether to use a hosted solution very cautiously.

    Frank
    Strategic Data Management

  6. Tim Reply

    Are there any firm, researched statistics about this? To be meaningful, it would have to include incidents of hacking (say) per million, sub-divided by method of hacking.

  7. Bryan Reply

    Communicating through email is almost never safe. Unless you are using encryption (most do not) your data may be intercepted. Probably not by some big time hacker, but more likely a wannabe hacker, a 13 year old so-called “script kid” who runs scripts that were prewritten to do such things. If you don’t want to go through the hassle of encrypting your email you can use a service which handles the messaging aspect for you such as www. PrivateInformationExchange.com.

  8. John Reply

    E-mail is easy to intercept even on wired networks. Ever hear of ARP Cache Poisoning, DNS spoofing, or ICMP redirect attacks?

    All of the above can be used to intercept any type of unencrypted communication on a wired network.

    Even if you trust people on your network, a compromised server on the recipient’s mail server network could be used to intercept email.

    Being paranoid about sending private data via email is a *good* thing and is not just for the people who wear tin foil hats.

    There are many attacks other than sniffing too.

    Do you trust that your recipient has a secure password on their email account, or that their computer is virus free?

    Twitter learned this one the hard way, see: http://news.softpedia.com/news/Social-Engineering-Used-to-Compromise-Twitter-117172.shtml

    Sorry Leo, but you are dead wrong. I’d strongly recommend that you retract this article. It is really dangerous to tell people that it is O.K. to send private data via e-mail.

  9. terry Kelleu Reply

    I agree with the others. The author has only considered one part of what constitutes a “risk”. In this case the likelihood of it happening.

    What he has not considered are the implications or severity of it happening. Brushing it aside under “Again, in most cases the cost is negligible … a little embarrassment at most.”

    “My business requires the emailing of some sensitive information on a regular basis. “

    This isn’t embarrassment. It can lead to failed business, court cases, goodness knows what else. Anybody not implementing a simple email encryption procedure in these circumstances probably deserves everything they get.

  10. Esteve Reply

    It is true that most users or companies will not get attacked; however, you will not know when you are being attacked. Therefore, it is necessary to encrypt your sensitive data when sending email outside of your organization (external parties). It is dangerous to post an article as such, because if you are an individual or a company whose email messages got sniffed, you become 100% vulnerable and therefore it’s too late for you and your data.

  11. Deana Reply

    I agree with the other responders here. Indeed you need to worry about the privacy and security of your email communications. All you need to do is turn on the television or read a newspaper to hear of yet another ISP or Email Provider being hacked. Most of these hackers haunt the social media with relentless patience until they find that person who thinks that online security efforts are for the paranoid. Please check out http://WWW.privacyharbor.com for an easy and low cost solution to your online identity, the prices range from free to just 9.95 and as a bonus, your storage and attachment sizes exceed the common email carriers by far.

  12. Tj Olish Reply

    E-mails are able to be intercepted – period.
    Tools are available and have been since mid 2009.
    A study was released in early 2009 that showed that the average age of hackers “targeting” small mortgage brokers is 14.
    Chances are that 95% of the e-mails sent have no intrinsic value to anyone but the sender and receiver.
    The reality is that the vast majority of the intercepted e-mails fall into two buckets.
    1- the e-mails that are never identified as being intercepted. How do you really know?
    2- incidents of e-mails that were compromised and were identified, but never officially reported as being intercepted.
    But those who send Highly Regulated Content (HRC) over the open public internet need to take appropriate steps to protect that data as there are potential legal/financial/regulatory consequences in the event of a breach.
    Specific language is now in some business liability insurance policies that exclude any coverage for any electronic transmissions (e-mails).
    There are cost-effective solutions out there that transfer the risks associated with a breach of data in “the cloud”. Just need to do some digging.

  13. fittens Reply

    I learned the hard way that email is easily intercepted. My BF had issues with someone accessing his hotmail account and sending emails to family members. He asked a friend at a government agency to see if he could track down the person. In the midst of trying to find this person he looked at all the email addresses in my BF’s inbox. He dug up an email which put me in a very awkward position with my BF (no I wasn’t cheating). There is no other way he could have found this information out. He did this without breaking the law and without requiring a warrant. I’m waiting to hear from an expert in this field because I want to make sure nothing like this ever happens again. All that to say if you put it out there and it’s not encrypted it can come back and bite you in the backside.

  14. opolis Reply

    hello! – for the reasons described in the article above we have decided to launch opolis secure mail: http://www.opolis.eu – we thought that (i) there must be point-to-point encryption; and (ii) the sender must be in a position to decide what the recipient of a mail is allowed to do with it (eg forwarding, copying, printing). the service is for free. – also if you have any feedback, we appreciate this! – thanks!

  15. Angus Bradley Reply

    Internal email systems are often compromised by their administrators who find it easy and tempting to look at communication between their managers. There are also the risks of misdirection, and the inability to revoke messages if you make a mistake.

    I sell http://www.safedrop.com to lots of government and legal clients, often people who have found out the risks of using email the hard way.

  16. schopper Reply

    I can only recommend to test Opolis Secure Mail. – The sender decides what the recipient is allowed to do with a sent message. For example a mail cannot be forwarded or printed without permission. And the sender can constantly monitor sent messages. Finally, all emails are fully encrypted …. – and all for free! What else can one wish?

  17. cmtost Reply

    I have read many of this author’s columns and he is very naive and would be an easy target.

  18. Rhys Jaggar Reply

    I can tell you with absolute certainty that Gmail is NOT secure. There is a certain woman who wishes to destroy my life and lets me know, each time I change email address, that she knows I did so, courtesy of her links to the female mafia within the spyops part of UK plc. She then gets her friends to claim they’d like a drink hence asking for my email address, they don’t contact, but miraculously, a few months later, an email appears when I go to stay somewhere else – just ‘saying hi. I could list numerous more, but it would be just this and that different…….

    It’s endemic in business, trust me. You type anything on your PERSONAL PC at home and certain execs know about it, despite you not being connected to the internet. Trust me, you test it in ways that are truly humiliating……thing is, the UK media mafia are at it too………..

  19. Brent Faulk Reply

    It’s excellent to see that this issue is getting increased visibility. Many comments are dead on about the extreme vulnerabilities of traditional email. The reality is you don’t need to protect/encrypt all email, but you know that when it comes to sensitive information, you have to have something in place. It’s easier than you may think to do this. Check out http://www.neocertified.com

  20. Fred Habuckle Reply

    Leo, I was quite interested in the responses to your post, there are some paranoid nutters out there. I agree with you, intercepting emails is incredibly difficult. If you think otherwise please send me an application where I can type in an arbitrary email address and receive copies of the emails going to that address.

  21. Jim Severs Reply

    I was asked to send an email to a person for a friend. Then I sent another email to the friend saying that I had sent the email to this person as requested. Within the hour I received an email from this person along with a copy of the message I sent to my friend. What happened and how can I protect my email from being seen by this person?

  22. Rar Reply

    “Leo, I was quite interested in the responses to your post, there are some paranoid nutters out there. I agree with you, intercepting emails is incredibly difficult. If you think otherwise please send me an application where I can type in an arbitrary email address and receive copies of the emails going to that address.

    Posted by: Fred Habuckle at October 4, 2010 5:49 AM”

    Fred – are you serious? It is clear to me you don’t know very much about the field of networks, IP packet transfer, or data security in IT. Magical ‘applications’ like that do not exist, applications are constructed of layers of architecture that extends beyond the GUI.

    Just because sniffing personal/business emails isn’t as simple as entering text in an application and waiting for the reply, doesn’t mean it’s ‘incredibly difficult.’

    But, having studied IT and worked in the industry for a few years now, I’ve almost given up trying to educate the end user of this. Until I see comments like Fred’s and articles like Leo’s.

    Leo – your article is misleading and above all ignorant. Sending emails is NOTHING like online transactions, which use HTTP/s, in-house or OOTB e-commerce security, MD5-or-other encryption. Email, largely unencrypted has none of this. A little embarrassment? Try … loss of business, reputation, personal life impacting on getting a future job or keeping our current one, ex-girlfriends/boyfriends being able to find where we are – anything…

    I could explain more about how an email is constructed, packets and how they are stolen and rerouted but as far as it goes – I’ll make this analogy, it’s as simple as intercepting a courier carrying an envelope, yanking it off him and then opening said envelope.

  23. Mark J Reply

    @Andrew
    Sendfilessecurely website may be a reliable website, but when it comes to encryption, the only really safe methods are peer reviewed open source encryption software. Otherwise, there could be vulnerabilities or even a back door. This article explains one of the most accepted methods of encrypting email.
    http://ask-leo.com/how_do_i_send_encrypted_email.html

  24. Dedic Reply

    Not sure, but I think it’s called “pgp” — hard to listen to an “expert” if he doesn’t know the right acronyms.

    GPG is the free/open source alternative to PGP.

    Leo
    17-Apr-2012

  25. Mark J Reply

    @Dedic
    GPG is Gnu Privacy Guard, a free open source encryption which is compatible with PGP keys.

  26. Tiger Jackson Reply

    Leo, you are right about making the process simple and recently there are more services popping up that allow confidential communication between senders and recipients, some of which have been suggested already.

    I think the key to this is for the sender to be able to differentiate between whether an email is confidential and needs to be sent via a secure email service or whether you can send it via standard email with a small amount of inconvenience. I believe in both cases the service should be able to use standard email as a transport mechanism. http://www.digipostsecure.com is such a service but it is designed for business.
    TJ.

  27. Tom Abisalih Reply

    A couple of points and a recommendation:

    1. Depending on your industry, encrypting e.mail may be required by a state or federal regulator.

    2. If you’re doing business in Massachusetts, or doing business with clients/customers in Massachusetts 201 CMR 17 requires confidential information (as defined by the act) to be encrypted if sent by e.mail.

    I recommend Ziptr (see http://www.ziptr.com). I’ve been using it since it was in private beta and it just works – simply and easily! If you can use e.mail, you can use Ziptr. And it is free for individuals. They recently released Ziptr Biz with some nice compliance features for business users, too. Check it out!

    Good luck!

  28. Rick S Reply

    I know that my email can be read by somebody along the line but I don’t care. I hope they enjoy the jokes. If it’s really that private don’t send it unless you have protection.

  29. snert Reply

    Encrypting a message at one end and decrypting at the other doesn’t really take that much time and effort.
    You can change the encryption key through snail mail, which I think is pretty secure. You can even encode the snail mail if the Illuminati is watching you.

  30. Robin Clay Reply

    I always regard e-mail as “private” as a postcard.

    Telephone calls ditto. Particularly where one is a mobile.

    Sometimes I have sent, say, a password, but in such a case I send it in two parts, un-announced, and then send a third saying, “I have sent you the password by e-mail – the first part is in my second e-mail, the second part is in the first e-mail”. An eaves-dropper would not be likely to keep either of the first two, and a “spybot” would miss them both – particularly where I give a number in text, say 4483, as “forty four, eighty three” or “double four, eighty three”.

  31. DDDes Reply

    Re Safety Or Not With E:mails~For Last Two Weeks My Long Time Reliable IncrediMail Has Become All But Totally Dysfunctional In That The Moment I “Click Upon Fresh E:mails Within The Inbox I Am Presented With a Dialog Asking >Do You Want To >OPEN or SAVE or CANCEL & Then If Select OPEN It Races Off To Mozilla Firefox Web Browzer & Sometimes Opens BUT Cannot Be Forwarded ???

  32. Stewart G Reply

    Friends were told that, despite their full contact list being hacked, their risk was minor to insignificant.
    I suggest they run Malwarebytes, Trend Micro HouseCall, Kaspersky Free or at least 2 of whatever they are not using. One does banking and other financial work on web – their bank and ISP said don’t worry – I’d worry – who’s right if there is such a thing? I’m already a subscriber of I’d get your book. I read the article = twice!

  33. LMac Reply

    Leo, I did read the article – twice. An employer has forged e-mails and e-mail contents – is there a way to prove they have been forged? I am certain they don’t encrypt. They have also said other e-mails proving that they have broken the law have been deleted and therefore cannot be supplied in a data subject access request. The corruption is widespread in the company. I am reporting them to the ICO, but can they do anything to the ghost copies on the main server? Will it show that they have deleted the ghost-copies? Going forward, is it possible to encrypt e-mail messages in hotmail.com, or do I need to change my e-mail provider to one that will allow encryption? Is it possible to encrypt messages at a job, without the employer’s permission?

  34. Mark J Reply

    @LMac
    I can’t answer the questions you ask, because I don’t know anything about the legalities of what you’re asking, but as to your question about encrypting messages on your work computer, I wouldn’t type anything on a work computer that I wouldn’t mind my employers reading. They have the capability of monitoring every keystroke you type on their computer. Knowing this is possible, I’d behave as if they were watching.
