I never thought I would see the day where executives and major public figures would be proud of their techno-luddite status. Scratch that. Not proud, but grateful. In a story in today’s New York Times, several senators and other public figures are quoted about how they have given up their personal email accounts, or have begun scrubbing their sent folders, thanks to the recent series of leaks from the mailboxes of the DNC and Colin Powell.
Senator Lindsey Graham said, “I haven’t worried about an email being hacked since I’ve never sent one. I’m, like, ahead of my time.” Senator Chuck Schumer is noted for still using a flip phone. And of course there are the email-related stories that doggedly follow one of our presidential candidates around. All of a sudden, it is cool to be more disconnected. Especially ironic, given today is also the day millions will flock to the nearest Apple Store and buy a phone that doesn’t have a headphone jack. (Shelly Palmer’s rant on this is pure pleasure.)
The hacked emails seem to be genuine, at least according to press reports and the impact they have had with the shake up of the DNC leadership. But they have also had the effect that others in the public eye are reconsidering the contents of their own message store.
I have even learned a new acronym: LDL, for let’s discuss live. Meaning, “too hot to talk about in email.”
So let’s all just take a deep breath and look calmly at a few simple rules for your own email usage going forward. First off, yes, emails can be compromised. Don’t say anything there that you wouldn’t want anyone else to read. While you may not think you are a target or of any interest, you have no control over where that message might end up. You might want to walk down the hall for a quick FTF meeting, or even pick up the phone. Think about the 80’s.
Second, if you are very worried, start using encryption, and make sure it covers the complete path end-to-end. There are several instant messaging platforms that are easy to use (Network World did a recent review comparing them, and I have written reviews of encrypted email products for them as well). Yeah, I know, encryption is a pain, but the current crop of products is actually pretty easy to deploy and use. Having said that, hardly anyone sends me encrypted emails, ever.
Third, take a moment to review your password collection for your communications products, including your IMs, email accounts, voice mails and VoIP products. If you use the same password for more than one of these tools, take a day and install LastPass or some other password manager and start treating these passwords more seriously. Do it this weekend.
Finally, don’t hide behind your personal accounts such as Facebook or a non-corporate email address. Those are just as much at risk, as one network anchor realized who hurriedly deleted his Gmail account that was cited in the Times story. Everything is discoverable and vulnerable these days.
E mail is like sending a post card through the mail. Everyone can see what is on the card or in an e mail. There is no encryption built in to traditional e mail. It will not keep your messages private.
Standard e mail doesn’t verify the identity of the sender. Sure, you may have some checks to block spam and see that certain domains or IPs cannot send to you, but is sam@domain.com really the sam you know?
Standard e mail also has no real assurance that what you sent was actually received at the other end and even if it was received, if the person it was intended for was actually there to read it. There are some tricks that marketers can use to determine whether a mail actually got through or got read, but they aren’t built in to standard e mail and people don’t use them for person to person communication. Even without anti-spam, which can ditch your message just because it thinks you are a malefactor, e mail may not get through and you have no real way of knowing if your message went to digital heaven. Even if you *do* get a message back that your e mail was not received at the far end for some reason, it may take you many days to get that message back. My record is 45 days to hear a message was undeliverable.
Standard e mail is nowhere near real time. Mail is sent when the server is programmed and able to sent it. If you get your e mail to the server at the beginning of its 5 minute scanning window, your e mail won’t go out for 5 minutes. If the server is very busy, your e mail will sit in the queue until it can be processed in order. Anti-spam systems are even designed to grey list servers and tell them they are too busy to take their mail, forcing them to retry later. Spammers don’t tend to do this, but legitimate senders will retry. Still, that can delay a message. E mail is *not* designed to be a real time thing.
But….the most dangerous thing about e mail is its convenience. It is really easy to send one, but once you hit send, you cannot bring it back. And, you can e mail a whole lot of people something quite easily. That is not necessarily a good thing. A good rule of thumb is that anything that requires significant back and forth discussion or has an emotional or financial (because finances tend to be emotional!) content, then it is probably a good idea to pick up the phone.
When reading e mail, especially on mailing lists, it is wise to assume that people have your best interests at heart and read what they write with that idea in mind. And, if they do happen to cross the line, the delete key is often better than a response. As the saying goes, “Better to have someone think you are a fool than to open your mouth and remove all doubt.”
And….e mail can live forever…. I can tell you to be careful what you write, but I know you will say things in e mail you wouldn’t want to hang around forever.
We tend to get complacent dealing with dangerous things like cars and e mails. We do it all the time, and they aren’t a problem, right? Well….it is best to remind ourselves every once in a while to think about our own safety.
I wrote a post titled “We are missing the point about Email” at: https://medium.com/@kidehen/we-are-missing-the-point-about-email-aa99928aada6#.nxle5miez.
Fundamentally, we have dysfunctional Email Apps. that make conflation of identity and intent the norm. End result, it is artificially difficult for end-user users to send signed and/or encrypted email.
Current practices by Email App. vendors should be rendered illegal due to the fact that they are actually depriving end-users of a fundamental right to privacy without 3rd party intervention.
Sorry, Mr. Idehen. Under US law their are few privacy protections and when using someone else’s resources, like your company computer or link to the Internet, there can be “no expectation of privacy.”
E mail (and most of the backbone protocols and applications in use today) were not built with security in mind. They were built to be scalable and reliable, but not secure or private. At the time they were built, everyone knew everyone else and the Internet was very small. Security isn’t just about keeping your information private. It is about being able to communicate and do work as well. That part has worked out well and e mail has been a phenomenal success.
While there are ways to communicate more privately *and* to have more confidence that the person you are talking to is the one you mean to be talking to (identity), it cannot be done using standard e mail protocols. You must supplement the system with something both clients can understand and deal with or, more commonly, use a secure intermediate storage and transfer only directions on how to access the information as in web site pickup of secure communications.
These security methods take a lot of training, effort, money, and grief. They are really not worth it for most communications, even if we would like them to be private. You could also protect yourself from being tracked by cameras around town with a hoodie and a mask, but that probably won’t be much fun, either.
Tony Stirk,
Re., “Sorry, Mr. Idehen. Under US law there are few privacy protections and when using someone else’s resources, like your company computer or link to the Internet, there can be “no expectation of privacy.”
I am not referring to privacy at that level. I am simply referring to the fact that the current crop of Email Applications (locally installed or hosted) have devolved. Fundamentally, they are all pegged to a centralized Certificate Authority network (useful when the Intention relates to eCommerce) which prevents users from being able to achieve the following:
[1] Send Digitally Signed emails using X.509 Certificates (Digital Identity Cards) that are self-signed or signed by a Certificate Authority that isn’t part of the CA network
[2] Digitally encrypt emails using X.509 Certificates of the mail receiver that are also self-signed or signed by a CA that isn’t part of the CA network.
I am simply stating the fact that no allowing an end-user the privileges outlined above has to be illegal, as it is deliberately taking away choice for myopic reasons.
A software user should be presented with options rather than a “big brother” approach where product vendors presume (incorrectly) that they know best.
That’s it. Take away this silliness and we will take a major step forward with regards to privacy.
BTW — I haven’t given up on privacy at all. This problem is utterly solvable 🙂