I often find there is a misunderstanding when it comes to the security of email. The term “secure email” is often overused and often mistaken for something it’s not. Many email services use it as a selling point and don’t really explain what it means.
Using some simple analogies, I hope to show you that secure email really isn’t secure. Email was never really designed for secure communications between sender and receiver, and the technology behind it doesn’t really support the protocols to make it secure either. In recent years, email providers have taken steps to help improve security, but this has created a false sense of security for their users.
Normal Email: In its simplest form, email is like sending a postcard in the mail from your favorite vacation spot. As the postcard travels through the mail system, any mail person can see the front of the postcard and read the short note to your family back home. Your name and the names of your family are known to everyone. Email acts the same way: regular emails bounce from mail server to mail server until they arrive at their destination. Those emails can be read, copied, or scanned by anyone as they go from server to server. Additionally, email sent from your computer to the mail server travels as if you gave that postcard to a stranger to put in the mailbox for you. Who knows who saw that postcard and took whatever information they wanted.
Secure Email: As before, email is readable by anyone. The only difference is that the postcard is secure only while you drive it yourself to the post office for them to deliver to the recipient. Once it leaves the ‘post office’, or in this case the email server, this email follows the same transportation protocols as the normal (insecure) email. Many email services, like Gmail, Yahoo, and Hotmail, offer such ‘security’, but that is often as far as it goes. Anyone can read that email once it leaves the mail server; this is particularly true when sending from Gmail to Yahoo, for example. One exception to this, however, is if you are sending email from one Gmail user to another Gmail user. In theory the email stays in the same email server; it just goes from one email box to the other without being relayed through other email services. Though once that person receives the email, there is no stopping them from forwarding it on to anyone else, or to any other email service, at which point it’s anyone’s game.
Encrypted Email: This is the most secure and private form of emailing. It is also the most complicated and troublesome from a management perspective and can often be clunky and clumsy. In its simplest understanding, encrypted email is taking that postcard, writing your message in a different language, and then putting it in a bank envelope that obfuscates the text on the postcard. The only things legible are the to and from email addresses and the subject of the email. As the email is sent, no one can copy, scan, or read it as it gets relayed through mail servers. Only the recipient can open the envelope and decipher the language you chose. Regardless of whether or not your email is connecting securely, your message is secure because it is encrypted and only you and your recipient can read it.
These analogies break down to some extent as they don’t explain the complete technical aspects of these technologies. But I hope you get the idea.
In recent months, services like Gmail have committed to sending emails from one email server to the next in a secure and encrypted way, much like how your computer connects to this website, amazon.com, or your banking website, so those listening in on the internet can’t understand or see the email in plain text. While this is a great advancement for general privacy, these companies can still read or scan those emails to generate revenue through advertising, or hand the data over to third parties. Layering on your own encryption provides the additional benefit of completely removing those opportunities for anyone to see what you are emailing, whether it be a family update with pictures of your kids, or important financial or health information.
There are some great tools and services out there that help provide protection. In some future posts, I’ll cover those tools and provide some recommendations. What, if any, are your concerns with email security? Do you use anything today to ensure your email is safe?