Lockdown.co.uk - The Home Computer Security Centre

LockDown is the source for security information and resources for the home computer user.

Private emails should always be encrypted

A paranoid opinion

Many people falsely assume that emails can only be read by the sender and the recipient. This article aims to dispel that myth and to make people more aware of the dangers of sending sensitive information by email.

I quite often talk to people, regular users of email, who trust the technology absolutely. They're so used to sending a message to somebody across the world and receiving a reply within minutes that they give no thought to who might be reading what they send.

The Postcard Analogy

This analogy is rather tired by now, but it's true nonetheless and it does help get the point across that email by it's very nature, just isn't secure. Just like a postcard, an email is sent without an envelope - so anyone who sees the email can read it. Just as your postman has the opportunity to read postcards from Costa del Sol, Paris and Los Angeles, your ISP also has a chance to read your email.

It's worse than that

Imagine Jane is on holiday and she writes a postcard to her boyfriend in Cambridge and drops it into the nearest postbox. When the postman collects the letters from the postbox, he makes a copy of Janes' postcard before putting in his sack. As he drops his sack off at the sorting office another copy Janes' private message is taken. When the card arrives in England another sorting office makes a copy before passing it on to postman Pete who makes a duplicate to show his wife. Finally the postcard arrives safe with Fred, he hides it behind the clock so that when his sister visits she won't find out his girlfriend likes an all over tan. OK, that doesn't really happen with postcards, but it does happen with emails.

Is it really as bad as that?

Perhaps. When you send an email it takes a route from sender to recipient that may pass through a number of systems, certainly it must pass through at least two systems, more often it passes through lots of systems under the control of different people. You may well trust your local ISP to keep your email private, just as you'll likely trust your local postman not to read your postcards. But can you trust operators of systems along the emails route to maintain your privacy? How secure are their systems? Do ISP's along the route of your email have checks in place to stop unscrupulous employees collecting credit card numbers from emails that pass through their system?

Friday 10th July 2009 03:01