Email Privacy - Risks To User

Risks To User

Email is vulnerable to both passive and active attacks. Passive threats include Release of message contents, and Traffic analysis while active threats include Modification of message contents, Masquerade, Replay, and Denial of Service (DoS). Actually, all the mentioned threats are applicable to the traditional email protocols :

• Disclosure of Information: Most emails are currently transmitted in the clear (not encrypted). By means of some available tools, persons other than the designated recipients can read the email contents.

• Traffic analysis: It is believed that some countries are routinely monitoring email messages as part of their surveillance. This is not just for counter-terrorism reasons but also to facilitate combat against industrial espionage and to carry out political eavesdropping. However, it is not devoted to the national agencies since there is a thriving business in providing commercial and criminal elements with the information within emails.

• Modification of messages: email contents can be modified during transport or storage. Here, the man-in-the-middle attack does not necessarily require the control of gateway since an attacker that resides on the same Local Area Network (LAN), can use an Address Resolution Protocol (ARP) spoofing tool such as "ettercap" to intercept or modify all the email packets going to and from the mail server or gateway.

• Masquerade: It is possible to send a message in the name of another person or organization.

• Replay of previous messages: Previous messages may be resent to other recipients. This may lead to loss, confusion, or damage to the reputation of an individual or organization. It can cause some damage if email is used for certain applications such as funds transferring, registration, and reservation.

• Spoofing: False messages may be inserted into mail system of another user. It can be accomplished from within a LAN, or from an external environment using Trojan horses.

• Denial of Service: It can put a mail system out of order by overloading it with mail shots. It can be carried out using Trojan horses or viruses sent to users within the contents of emails. It is also possible to block the user accounts by repeatedly entering wrong passwords in the login.

Because email connects through many routers and mail servers on its way to the recipient, it is inherently vulnerable to both physical and virtual eavesdropping. Current industry standards do not place emphasis on security; information is transferred in plain text, and mail servers regularly conduct unprotected backups of email that passes through. In effect, every email leaves a digital papertrail in its wake that can be easily inspected months or years later.

The email can be read by any cracker who gains access to an inadequately protected router. Some security professionals argue that email traffic is protected from such "casual" attack by security through obscurity – arguing that the vast numbers of emails make it difficult for an individual cracker to find, much less to exploit, any particular email. Others argue that with the increasing power of personal computers and the increasing sophistication and availability of data-mining software, such protections are at best temporary.

Intelligence agencies, using intelligent software, can screen the contents of email with relative ease. Although these methods have been decried by civil rights activists as an invasion of privacy, agencies such as the U.S. Federal Bureau of Investigation conduct screening operations regularly. A lawsuit filed by the American Civil Liberties Union and other organizations alleges that Verizon illegally gave the U.S. government unrestricted access to its entire internet traffic without a warrant and that AT&T had a similar arrangement with the National Security Agency. While the FBI and NSA maintain that all their activities were and are legal, Congress passed the FISA Amendments Act of 2008 (FAA) granting AT&T and Verizon immunity from prosecution.

Whistleblower and former National Security Agency (NSA) employee William Binney has reported that the NSA has collected over 20 trillion communications via interception, including many email communications, representing one aspect of the NSA warrantless surveillance controversy.

ISPs and mail service providers may also compromise email privacy because of commercial pressure. Many online email providers, such as Yahoo! Mail or Google's Gmail, display context-sensitive advertisements depending on what the user is reading. While the system is automated and typically protected from outside intrusion, industry leaders have expressed concern over such data mining.

Even with other security precautions in place, recipients can compromise email privacy by indiscrimate forwarding of email. This can reveal contact information (like email addresses, full names, and phone numbers), internal use only information (like building locations, corporate structure, and extension numbers), and confidential information (trade secrets and planning).

In the United States and some other countries lacking secrecy of correspondence laws, email exchanges sent over company computers are considered company property and are thus accessible by management. Employees in such jurisdictions are often explicitly advised that they may have no expectation of a right to privacy for messages sent or received over company equipment. This can become a privacy issue if employee and management expectations are mismatched.