E-mail privacy

E-mail privacy

The protection of electronic mail from unauthorized access and inspection is known as electronic privacy. In countries with a constitutional guarantee of the secrecy of correspondence, e-mail is equated with letters and thus legally protected from all forms of eavesdropping.

In the United States, privacy of correspondence is derived from the Fourth Amendment to the United States Constitution and thus restricted by the requirement for a "reasonable expectation of privacy".

Need

The Internet is an expansive network of computers, much of which is unprotected against malicious attacks. From the time it is composed to the time it is read, e-mail travels along this unprotected Internet, perpetually exposed to electronic dangers.

Many users believe that e-mail privacy is inherent and guaranteed, psychologically equating it with postal mail. While e-mail is indeed conventionally secured by a password system, the one layer of protection is not secure, and generally insufficient to guarantee appreciable security.

Businesses are increasingly relying on electronic mail to correspond with clients and colleagues. As more sensitive information is transferred online, the need for e-mail privacy becomes more pressing.

Risks to user

Because e-mail connects through many routers and mail servers on its way to the recipient, it is inherently vulnerable to both physical and virtual eavesdropping. Current industry standards do not place emphasis on security; information is transferred in plain text, and mail servers regularly conduct unprotected backups of e-mail that passes through. In effect, every e-mail leaves a digital papertrail in its wake that can be easily inspected months or years later.

The e-mail can be read by any cracker who gains access to an inadequately protected router. Some security professionals argue that e-mail traffic is protected from such "casual" attack by security through obscurity - arguing that the vast numbers of e-mails make it difficult for an individual cracker to find, much less to exploit, any particular e-mail. Others argue that with the increasing power of personal computers and the increasing sophistication and availability of data-mining software, such protections are at best temporary.

Intelligence agencies, using intelligent software, can screen the contents of e-mail with relative ease. Although these methods have been decried by civil rights activists as an invasion of privacy, agencies such as the U.S. Federal Bureau of Investigation conduct screening operations regularly.

ISPs and mail service providers may also compromise e-mail privacy because of commercial pressure. Many online e-mail providers, such as Yahoo! Mail or Google's Gmail, display context-sensitive advertisements depending on what the user is reading. While the system is automated and typically protected from outside intrusion, industry leaders have expressed concern over such data mining.

Even with other security precautions in place, recipients can compromise e-mail privacy by indiscrimate forwarding of e-mail. This can reveal contact information (like e-mail addresses, full names, and phone numbers), internal use only information (like building locations, corporate structure, and extension numbers), and confidential information (trade secrets and planning).

In the United States and some other countries lacking secrecy of correspondence laws, e-mail exchanges sent over company computers are considered company property and are thus accessible by management. Employees in such jurisdictions are often explicitly advised that they may have no expectation of a right to privacy for messages sent or received over company equipment. This can become a privacy issue if employee and management expectations are mismatched.

Remedies

To provide a reasonable level of privacy, all routers in the e-mail pathway, and all connections between them, must be secured. This is done through data encryption, which translates the e-mail's contents into incomprehensible text that, if designed correctly, can be decrypted only by the recipient. An industry-wide push toward regular encryption of e-mail correspondence is slow in the making. However, there are certain standards that are already in place which some services have begun to employ.

There are two basic techniques for providing such secure connections. The first involves encrypting the message directly using a secure encryption standard such as OpenPGP (Public key infrastructure) or S/MIME. These encryption methods are often a user-level responsibility, even though Enterprise versions of OpenPGP exist. The usage of OpenPGP requires the exchange of encryption keys. Even if the encrypted emails are intercepted and accessed, its contents are meaningless without the encryption key.

This method is also sometimes tied with authentication. Authentication just means that each user must prove who they are by using either a password, biometric (such as a fingerprint), or other standard authentication means.

The second approach is to send an open message to the recipient which contains no sensitive content but which announces a message waiting for the recipient on the sender's secure mail facility. The recipient then follows a link to the sender's secure website where the recipient must log in with a username and password before being allowed to view the message.

At the ISP level, a further level of protection can be implemented by encrypting the communication between servers themselves, usually employing an encryption standard called Transport Layer Security (TLS). It is coupled with Simple Authentication and Security Layer (SASL), which confirms the target router's identity. This ensures that unintended servers don't end up with a copy of the e-mail, which happens frequently in the course of normal correspondence.

Although many ISPs have implemented secure sending methods, users have been slow to adopt the habit, citing the esoteric nature of the encryption process. Without user participation, e-mail is only protected intermittently from intrusion.

ee also

* Anonymous remailer
* Cryptography
* CryptoHeaven
* Data privacy
* E-mail spoofing
* E-mail encryption
* Hushmail
* Internet privacy
* Lawdex
* Opportunistic encryption
* STARTTLS - opportunistic transport layer security.
* Secure communication
* Secure Messaging
* E-mail tracking
* Web bug
* Website spoofing
* Secure e-mail

External links

* [http://luxsci.com/extranet/articles/email-security.html The Case For Secure Email]
* [http://lawdex.com/docs/Smyth_v_Pillsbury.pdf Company email lacks reasonable expectation of privacy (Smyth v. Pillsbury)]
* [http://www.privacy.gov.au/internet/email/ Workplace e-mail privacy from the Office of the Privacy Commissioner (Australia)]
*
* [http://www.napoletano.net/front/node/352 "A contrario": Protect your email with GnuPG] -- A tutorial on email encryption prefaced with a discussion of email privacy]


Wikimedia Foundation. 2010.

Игры ⚽ Поможем решить контрольную работу

Look at other dictionaries:

  • Privacy Enhanced Mail — (PEM) ist ein Konzept, welches diverse Sicherheitsdienste (Vertraulichkeit, authentischer Datenursprung, Herkunftsbeweis) für den E Mail Verkehr definiert. PEM ist ein early proposal von der IETF. Hier sind die Zertifizierungsstellen hierarchisch …   Deutsch Wikipedia

  • Privacy-enhanced Electronic Mail — Privacy Enhanced Mail (PEM), is an early IETF proposal for securing email using public key cryptography. Although PEM became an IETF proposed standard it was never widely deployed or used. One reason for the lack of deployment was that the PEM… …   Wikipedia

  • Privacy-invasive software — is a category of computer software that ignores users’ privacy and that is distributed with a specific intent, often of a commercial nature. Three typical examples of privacy invasive software are adware, spyware and content hijacking programs.… …   Wikipedia

  • Mail Order Zombie — is an award winning zombie movie podcast.[1] In addition to featuring reviews of and commentary on zombie films, Mail Order Zombie, or MOZ, also features coverage of zombie and post apocalyptic literature; interviews with writers and filmmakers;… …   Wikipedia

  • Privacy and Security — acoustic snooping billion laughs biometrics bioprivacy black hole bot herder captcha chi …   New words

  • Mail — For other uses, see Mail (disambiguation). For electronic mail, see Email This article is about Postal services. For other uses, see Postal service (disambiguation). A collection of British pillar boxes at the Inkpen Post Box Museum, near Taunton …   Wikipedia

  • Mail order — Cover of a mail order catalogue for scientific equipment. Mail order is a term which describes the buying of goods or services by mail delivery. The buyer places an order for the desired products with the merchant through some remote method such… …   Wikipedia

  • Privacy Enhanced Mail — standard for electronic mail on the Internet which ensures privacy …   English contemporary dictionary

  • Privacy Enhanced Mail —    Abbreviated PEM. An e mail standard that uses a patented RSA encryption scheme to provide a confidential method of authentication.    PEM is little used due to the proprietary nature of the encryption scheme.    See also Secure MIME; RSA …   Dictionary of networking

  • Pretty Good Privacy — Original author(s) Phil Zimmermann Developer(s) Phil Zimmermann Initial release In 1991 Written in Multi language …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”