Why It Will Be Difficult to Create Secure E-mailby
Two major secure e-mail services shut down earlier this month, with the people who run them claiming that e-mail inherently lacks privacy, and to keep operating would give their clients a false sense of security.
On Friday afternoon one of the companies, Silent Circle, posted further explanation of its argument. Basically it comes down to this: While it may be possible to encrypt the contents of e-mail to prevent someone else from reading it, there is no way for an e-mail provider to secure the information about who is communicating with whom. Over the past few months it has become clear that this information may be as desirable as the content of the messages themselves.
This has always been a potential vulnerability with e-mail, but one that was difficult to exploit until relatively recently, wrote Louis Kowolowski, SIlent Circle’s technical operations manager, on the company’s blog:
In the past, securing the body of the message was sufficient. The tools and techniques used for snooping were not on a large enough scale to allow the metadata to be useful. With the tapping of backbone internet providers, interested parties can now see all traffic on the internet. The days where it was possible for two people to have a truly private conversation over e-mail, if they ever existed, are long over.
There are two technical issues that lead to this insecurity. The first is that encrypted messages are sent by the recipient and the sender exchanging encryption keys–tools that scramble a message and allow only the intended recipient to unscramble it. To do this, both parties need to be online whenever a message is sent. This is not how people use e-mail. Second, current technical standards for e-mail require that some information remain unencrypted, such as the identity of the people communicating, the time messages were sent, and the subject. “So, a PGP-encrypted message with the subject line ‘Pricing info for blasting caps’ may be sort of ridiculous,” writes Kowolowski.
There are some situations where this matters and others where it does not. E-mail can be secured if the only goal is to make sure no one can intercept sensitive information being passed along over it. One example is a company trying to protect its intellectual property. The parties aren’t worried about someone finding out they are in communication with one another. In other instances, such as activists organizing political activity, a record of who is communicating could be just as important as what they’re saying. In an analysis earlier this summer, for instance, an associate professor of sociology at Duke showed how simple information about which American dissidents were involved in which organizations during the 1700s could have led the British to Paul Revere’s door before he had a chance to ride.
There is widespread agreement among security experts that digital privacy is much more complicated in the wake of recent discloses about the National Security Agency’s surveillance practices. Some believe that the challenges will simply serve as a way to spark innovation to solve those issues. But doing so with e-mail will likely require a change in the way that all links of the e-mail chain work. A single provider can’t make its communications secure, argues Kowolowski. It would take all of them.