I don’t think they are. The latest tale of gloom and dome comes from this column in ITWorld, where the author says:
E-mail – wonderful as it is – can’t and shouldn’t be trusted, even if its encrypted six ways to Sunday and stored in a cloud-hosted server on the Island of Togo. Simply put: the days of secure e-mail are over.
Au contraire. I think if anything, the days of secure email are even more needed, and it is time that enterrprises started taking encrypting their messages by default more seriously.
Certainly, the news over the past month hasn’t been encouraging. Two email providers — Silent Circle and Lavabit – have shuttered their servers, rather than take any chances that their customers’ emails will end up in the bowels of the NSA’s Utah data center. And the service Groklaw, long a labor of love for a few journalists and lawyer whistleblowers, is also shutting down, rather than reveal any of its contributors. None of these organizations have been pressured by any government agency — yet.
Certainly, the news about the NSA has had a chilling effect on our industry. But this is nothing new: That link will take you to a New York Times magazine article published in 1983 and based on a book by David Burnham entitled, ”The Rise of the Computer State.” That was thirty years ago!
But one person’s gloom is anther’s opportunity. Mailpile is a new provider that is just getting started. They reached and then exceeded their IndieGoGo $100k funding goal within days and promise to have their service up and running early next year. We’ll see if that actually happens once all the hoopla dies down.
So should enterprise email managers just give up? I don’t think so. One good set of solutions can be found, ironically, in The Guardian, where they consolidate a lot of the NSA’s own advice into how to prepare your systems, as if you have already been compromised. At least they show a bit more understanding of the underlying encryption algorithms, something the general press has been severely lacking. And even more irony: Snowden’s early efforts to contact The Guardian were first ignored because the reporter couldn’t figure out how to decrypt his messages.
I come to the secure email biz from a long history of writing and testing various products. In 1998, I was the co-author of a book on enterprise email with Marshall Rose, who was one of the original authors of the Internet email protocols. Here is one of my early articles on secure email, written back then. Note the sad state of affairs with those early products. But things have gotten better, and many of the encryption tools are a lot easier to use.
If you want to hear more about my thoughts on secure email, you can view the recorded Google hangout on the topic. I will be with Doug McLean, who is a VP at McAfee Labs and formerly an executive with PGP Corporation. PGP was one of the original encrypted email providers and is still active in this space. Also part of the hangout is Steven Sprague, who is Wave System’s CEO. Wave makes a number of security products, including Scrambls, a browser plug-in that lets users control who sees content they post to the web and helps to encrypt the data.
Secure e mail is possible, but it can make communicating difficult. People get very excited when they find out that standard e mail is not secure, that it is not guaranteed to be delivered, that if delivered it may not be seen, and that it may take days to deliver, even without real problems on the Internet or spam causing issues.
Secure e mail implies encryption, but that means you have to speak the same language on both ends, and that can be difficult. Security implies confirmed delivery and viewing, confirmation of authenticity, unaltered contents, and visibility by the intended recipient only. That’s pretty tough to do. Impossible, however, is concealing much of the metadata. For example, even with encrypted messages, you will know when they got sent, who sent and received them, how big they were, method of encryption, etc.
Secure e mail is viable, but it has significant limitations.