Email Privacy - Remedies

Remedies

To provide a reasonable level of privacy, all routers in the email pathway, and all connections between them, must be secured. This is done through data encryption, which translates the email's contents into incomprehensible text that, if designed correctly, can be decrypted only by the recipient. An industry-wide push toward regular encryption of email correspondence is slow in the making. However, there are certain standards that are already in place which some services have begun to employ.

There are two basic techniques for providing such secure connections. The electronic envelope technique involves encrypting the message directly using a secure encryption standard such as OpenPGP (Public key infrastructure), S/MIME. These encryption methods are often a user-level responsibility, even though Enterprise versions of OpenPGP exist. The usage of OpenPGP requires the exchange of encryption keys. Even if an encrypted email is intercepted and accessed, its contents are meaningless without the decryption key. There are also examples of secure messaging solutions available built on purely symmetric keys for encryption. These methods are also sometimes tied with authorization in the form of authentication. Authentication just means that each user must prove who he is by using either a password, biometric (such as a fingerprint), or other standard authentication means.

The second approach is to send an open message to the recipient which does not have to contain any sensitive content but which announces a message waiting for the recipient on the sender's secure mail facility. The recipient then follows a link to the sender's secure website where the recipient must log in with a username and password before being allowed to view the message. Some solutions combine the approaches, and allow for offline reading.

Both approaches, and their related techniques, come with advantages and disadvantages and it is today generally considered that the setup of choice varies depending on the target market and application. PKI based encryption methodologies have limits in efficiency in how to engage secure messaging between two parties, as creation and delegation of certificates are needed prior to communication. Methods of utilizing non-PKI based encryption bring in challenges in a successful and secure key-exchange. Having the sensitive content shipped with the email delimits the senders possibilities to make the content unavailable, or control when in time the content should be available for consumption. If on the other hand, the sensitive information is not shipped with the MIME stream and the sender is hosting the information on a web-server, it requires the recipient to be online to be able to read it.

At the ISP level, a further level of protection can be implemented by encrypting the communication between servers themselves, usually employing an encryption standard called Transport Layer Security (TLS). It is coupled with Simple Authentication and Security Layer (SASL), which confirms the target router's identity. This ensures that unintended servers don't end up with a copy of the email, which happens frequently in the course of normal correspondence. This method is the only method that is completely transparent to end-users and does not require the creation of individual certificates for each user. Gmail adopted TLS on outgoing mail in October 2011. Other major webmail providers such as Yahoo! and Hotmail have yet to announce any plan to adopt TLS on outgoing mail.

Although some ISPs have implemented secure sending methods, users have been slow to adopt the habit, citing the esoteric nature of the encryption process. Without user participation, email is only protected intermittently from intrusion.

A non-technical approach employed by some users is to make tapping and analysis of their email impractical via email jamming.