Is your e-mail private? No!

Nov 25
22:00

2002

Tim North


Consider the following three claims:

1. Your e-mail is not private.

2. Your e-mail might not be sent to the intended recipient.

3. Your e-mail can continue to exist even after you delete it.

The following article explains the truth of these alarming statements and why you should be concerned if you're sending confidential messages by e-mail.


1. The privacy problem

When you send an e-mail message from computer A to computer B it passes through one or more machines (C, D, E, etc.) on its journey. At each step along the way, an unscrupulous individual with access to the intermediate machine has the opportunity to read -- or even alter -- your e-mail message.

Within a private intranet (i.e. a company network), such privacy violations could occur if:

  • IT staff with access to the mail server were unscrupulous;
  • unauthorised personnel had access to the mail server (e.g. if someone walked away from the server without logging out); or
  • security measures designed to keep hackers out of the mail server were insufficient or were not enforced rigorously.

When e-mail is sent over the Internet (a public network) the risks become notably higher. If you send an e-mail message from Sydney to New York it may pass through half-a-dozen machines on its journey, each of which is subject to the risks mentioned above. Thus the hazards accumulate with each extra machine that the message passes through.
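The journey described above is recorded in the message itself: each mail server that accepts a message prepends a `Received:` header naming the machine it came from and the machine that took it. The Python sketch below is an added example, not part of the original article; the sample message, hostnames and addresses are constructed.

```python
import email
import re

# Constructed sample message; hostnames and IPs use reserved example ranges.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.9])
\tby mailstore.recipient.example with ESMTP id C3;
\tMon, 25 Nov 2002 22:00:07 -0500
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx.recipient.example with ESMTP id B2;
\tMon, 25 Nov 2002 22:00:05 -0500
Received: from desktop.sender.example (desktop.sender.example [192.0.2.10])
\tby relay.isp.example with SMTP id A1;
\tTue, 26 Nov 2002 14:00:02 +1100
From: alice@sender.example
To: bob@recipient.example
Subject: Quarterly report

Confidential text.
"""

# "from <host> ... by <host>" is the conventional shape of a Received line.
HOP = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)")


def relay_path(raw_message):
    """Return (handed_over_by, received_by) pairs in the order travelled."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Each server prepends its own line, so the newest hop is listed first.
    for value in reversed(msg.get_all("Received", [])):
        match = HOP.search(" ".join(value.split()))  # undo header folding
        if match:
            hops.append(match.groups())
    return hops


def machines_with_a_copy(raw_message):
    """Every host that accepted the message could read or alter it."""
    return [received_by for _, received_by in relay_path(raw_message)]


if __name__ == "__main__":
    for sender, receiver in relay_path(SAMPLE):
        print(f"{sender} -> {receiver}")
    print("Hosts that held the message:", machines_with_a_copy(SAMPLE))
```

Only the `Received:` lines added by servers you trust are reliable; earlier lines are supplied by upstream machines and can be forged.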

2. The identity problem

Another risk with e-mail is that you really don't know who will receive it. This happens because some people choose to forward (i.e. divert) their e-mail to another person or authorise another person to read it for them. For example, if you send a message to a senior colleague, remember that this person's e-mail might be read by his or her secretary or stand-in. That can be awkward.

I know of a case where a manager sent an e-mail report to his CEO describing a clerical officer's poor performance. The CEO had, unfortunately, forwarded his e-mail to his acting secretary, who that day happened to be (you guessed it) the clerical officer in question. The clerical officer read the critical report, and all manner of morale problems ensued.

3. The deletion problem

A further privacy issue surrounding e-mail involves what happens when you delete an e-mail message. You might expect that deleting an e-mail message removes it irretrievably. This is often not the case, though.

In fact, it's a tough job to delete every copy of a piece of e-mail. There are many ways that a "deleted" e-mail message might still be accessible:

1. Daily or weekly backups of the mail server may still contain messages that were subsequently deleted.

2. When you delete an e-mail message, many e-mail programs simply move it to a trash folder, rather than actually deleting it. It's not until you select their "Empty the Trash" command (or similar) that the message is actually deleted.

3. Even after you empty your trash folder, many network-based e-mail programs still archive deleted messages for a period of time before deleting them. During this archival period (30-90 days is typical) the message could be available to unscrupulous or unauthorised individuals.

4. Even after a file is deleted from a computer's hard disk, the information is often still available until that portion of the disk's surface is overwritten with new information. During this period the deleted files could be available to unscrupulous individuals with physical access to the computer.

5. Even if you take steps to avoid all the potential problems above, remember that the e-mail message is probably still available on the PC of the person you sent it to (or who sent it to you).

4. Conclusions

The moral of this story is clear: e-mail is not a private medium. Don't send messages by e-mail unless you're comfortable assuming that they may be read by people other than the intended recipients.

So next time you go to press that "Send" button, ask yourself "Am I okay with this being seen publicly?" If not, pick up the phone!
