E-Mail for Paranoids
How to send and receive secure e-mail.
By Dan Simon
Posted Tuesday, April 30, 2002, at 4:37 PM ET

Who hasn't cut short a private conversation in a public place to avoid being overheard? Or asked a stranger on the phone to send them something in writing on a formal letterhead because they don't trust the caller's identity? But what about your e-mail—is it safe from eavesdropping or misrepresentation? Can you make it safer? And if so, how?
The privacy of ordinary e-mail is protected, to some extent, by the law. The Electronic Communications Privacy Act and some state statutes criminalize snooping through somebody else's e-mail. But there are a couple of big exceptions. First of all, if you're using your employer's computer or e-mail system, the law gives your employer full rights to read every line. So, if you're worried about keeping your personal e-mail confidential, your very first step should be to stop sending and receiving it via your office account. Second, the courts can subpoena your e-mail from your server, or even issue the equivalent of a wiretap order to read it surreptitiously as it comes and goes, something the new antiterrorist Patriot Act makes easier than ever. And if a policeman or snoop intercepts your e-mail and reads it as it flows along the Internet, you may have a hard time finding out about it.
E-mail is also laughably easy to forge, as Slate recently discovered. E-mail systems generally take incoming e-mail messages at their word. If you send an e-mail server a message that says it's from gwbush@whitehouse.gov, the server will happily give it that return address.
To keep the snoops at bay, you'll have to pick your e-mail provider carefully. The top free Web-based e-mail services, such as Hotmail and Yahoo, don't protect your e-mail as it prances across the Internet in readable form from your computer to their servers and from their servers to the recipient. Dialup services such as AOL let you pass your e-mail directly to them over a telephone line, so if your line isn't tapped, AOL can keep your e-mail pretty secure. But once your e-mail leaves AOL and hits the Internet on the way to its destination, it's bare naked, too.
One solution is to subscribe to one of the services that protect e-mail in transit. Mailsafe, SecureNym, KeptPrivate, and Swissmail, for example, will protect the conversation between your computer and their servers using SSL (the same encryption technology used by e-commerce Web sites to protect customers' credit card numbers over the Internet). As long as you and your correspondents select the same SSL-based service, your e-mail exchanges are readable only on your computer, your correspondents', and the service's e-mail server.
If one of those correspondents doesn't want to spend the $2-to-$5 a month it costs for SSL-wrapped e-mail, Mailsafe and KeptPrivate offer an alternative—an e-mailed Web link that, when clicked, displays your message on your correspondent's browser as a Web page (with a "reply" button). The message page and reply are both SSL protected and require your correspondent to type a password before he can read the message. (You'll have to find a secure way to give him the password.)
But if you don't trust even SSL-based e-mail services, you can still pass secure e-mail back and forth if you're willing to take the trouble. First, you need to generate and exchange "public keys." A public key is a special kind of encryption key: It allows you to encrypt a message but not to decrypt it. Decrypting it requires the "private key" that goes along with the public one. E-mail programs that support the standard "S/MIME" format for encrypted e-mail (Microsoft Outlook is one) allow you to generate a public key and associated private key and e-mail the public key to whomever you want. (You keep the private key to yourself.) When you receive someone's public key, your e-mail program "imports" the key, so that it can use the key to encrypt e-mail that only the holder of the associated private key can decrypt.
Of course, if you're worried about somebody eavesdropping on your e-mail, then maybe they can tamper with it, too—say, by substituting their own public key for yours, so that they can read e-mail intended for you. So, you'd better check after the exchange (say, by telephone) to make sure you received each other's keys correctly. Your e-mail program should be able to tell you what your public key is; since it's a very long number, it's easier to verify the key's "hash value" (a kind of abbreviation, sometimes called a "thumbprint" or "fingerprint") instead.
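The fingerprint check described above, as an added example that is not part of the original article: it hashes the key bytes you received and compares the result with the fingerprint your correspondent reads to you over the phone. The use of SHA-256, the function names, and the sample key bytes are assumptions made for illustration; in practice, compare whatever thumbprint both e-mail programs display.

```python
import hashlib
import hmac
import re

# Constructed sample inputs: stand-ins for exported key bytes, not real keys.
ALICE_KEY = b"constructed sample: Alice's exported public key bytes"
SUBSTITUTED_KEY = b"constructed sample: key swapped in by an eavesdropper"


def fingerprint(key_bytes: bytes) -> str:
    """Hash the key bytes and group the hex digits so they are easy to read aloud.

    SHA-256 is an assumption here; both sides must use the same hash.
    """
    digest = hashlib.sha256(key_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(spoken: str) -> str:
    """Drop separators and case so 'ab cd', 'AB:CD' and 'ab-cd' compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", spoken).upper()


def key_matches(received_key: bytes, fingerprint_read_aloud: str) -> bool:
    """Return True only if the received key hashes to the full spoken fingerprint."""
    expected = normalize(fingerprint_read_aloud)
    actual = normalize(fingerprint(received_key))
    # Reject partial readings: a few matching leading digits prove very little.
    if len(expected) != len(actual):
        return False
    return hmac.compare_digest(expected, actual)


def read_over_phone(key_bytes: bytes) -> str:
    """What the key's owner might say on the call: lower case, spaces, no colons."""
    return fingerprint(key_bytes).lower().replace(":", " ")


if __name__ == "__main__":
    spoken = read_over_phone(ALICE_KEY)
    print("Alice reads:", spoken)
    print("Key that arrived intact:", key_matches(ALICE_KEY, spoken))
    print("Key swapped in transit: ", key_matches(SUBSTITUTED_KEY, spoken))
    print("Only first 8 digits read:", key_matches(ALICE_KEY, spoken[:11]))
```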
Once you've generated and exchanged public keys, your e-mail software should allow you to exchange encrypted e-mail. You can also "digitally sign" your e-mail, attaching a special tag to it that requires your private key to compute, but that anyone with your public key can recognize. The tag identifies you as the message's true sender.
When you receive a digitally signed e-mail from your correspondent, your software checks the tag using his public key (provided you've imported it) to verify that it's really from him. If the e-mail is also encrypted using your public key, then your software uses your private key to decrypt it and display it to you. Usually, your private key is stored on your computer encrypted with your password, so that if your computer is stolen (or seized), your e-mail is still safe (assuming you picked a hard-to-guess password—and surprisingly many people don't).
Because your private key is stored on your computer, you'll have to take the key with you if you want to read your encrypted e-mail anywhere else. Not that you should be reading your secret e-mail on anybody else's computer anyway—chances are you'll leave traces of it behind that can be recovered. Then again, you're probably leaving traces of your message behind on your own computer. (And how safe is your computer from viruses, worms, and other attacks that could expose your secret e-mail to your enemies?)
If you lose your decryption key—say, your disk drive crashes or you forget your password—that key is irretrievably gone and so is all your encrypted e-mail. You could keep a backup copy of your key, of course, and write down your password somewhere, just to be safe, but that just gives snoopers a chance to find all the pieces, put them together, and start reading.
You're probably asking yourself at this point if you even need secure e-mail. One simple test is to ask yourself, "If this were on paper, would I shred it before throwing it away?" Businesses handling highly confidential documents, for example, should consider secure e-mail a sensible precaution. But do you bother to shred your personal mail? If you're a spy, definitely. If you've already been burned by an e-mail snoop or found your e-mail subpoenaed in a court case, probably. Or, if you're paranoid. But if you're paranoid, you're not really going to trust my advice, are you?
Notes From The Fray Editor:
There was a predictable quota of enjoyable posts about Government agencies, email, and the threat to our liberties: try here, from American Male, and here from Willie. Libertarian started a good thread with a post memorably entitled "Bend over and kiss your privacy goodbye." He said "I don't want some liberal coming back and calling me a conspiracy nut." They didn't directly, but we have our suspicions about some posts from Dale A: he expressed concern about "computer chips in electric blankets. They're networked to government computers thru the electric grid"; told us about his website for Luddites ("curiously, response has been rather poor so far"); and suggested "it would be simpler and more straight forward if everyone were preconvicted of a crime at age 18 so if they needed to arrest you for something they could."
HWR says "If you have nothing to hide, why fear it?", but this was by no means a widespread view. Many readers said of course they never thought email—or any other form of communication--was private anyway, though a few people thought Federal Express was a safe channel. Stainless Steel says "Americans should not be such big mouths!"--his or her post was called "The alternative! 34 cents and counting." Tom said "I cannot imagine how pitiful one's life would have to be to purposely try to intercept and read someone else's email," then got into a hilariously rude exchange with a poster who said those views were ironic "considering that you have done nothing but step into my conversations with other Slate posters." Continuing with this narcissist theme (it's not about email, it's about us) we at Paranoia Central particularly enjoyed the first two posts below.
Reader Comments From The Fray:
Really want security? Try this. Fill your e-mail with the kind of ridiculous nonsense, boring drivel, and utter stupidity that makes up 75% of the postings on this site. No one will bother to read your e-mail more than once.
--Mike
If you participate in a discussion board or internet forum/chat room, could you potentially be identified? How much does anyone potentially know about you when you participate in discussions on the internet? With John Ashcroft around, we should all be concerned.
--Robert
I wish that our Government would spend more time reading Osama's email and less time reading ours! Osama and his buddies have been on the net for years. They send coded messages back and forth, pictures, phony records, passports, etc. Osama uses a satellite phone that communicates through an American satellite that we put up in space. Yet we can't seem to find him, intercept his calls, or read his e-mails.
On the other hand the FBI has a system called Carnivore that looks for keywords in your e-mail. They will probably read this one because the words Osama, FBI, American, and government are used. So they spend their time and our money reading our e-mails and the bad guys use our technology against us with impunity!
--Testing
(5/1)