RIWI Op-Ed in Huffington Post: Your confidential emails aren’t as secure as you think

By Neil Seeman and co-authored by Bob Seeman | Originally posted in the Huffington Post
Pity Amy Pascal, co-chairman of Sony Pictures Entertainment. An anonymous group calling itself Guardians of Peace exposed her thousands of emails to the world.
Ms. Pascal is a member of a large club of senior executives, many of whom are anonymous. Perhaps due to embarrassment, they have not stepped forward to admit to a demonstrable and dangerous truth: email is not secure.
Email is like mailing a postcard — anyone with physical access to it along the way can read it.
Many older people cannot understand why younger people use social networks to publish so much personal information for so many to easily access permanently.
At the same time, however, older people regularly transmit confidential information by email. Astonishingly, even lawyers, accountants, political leaders and financial professionals transmit highly confidential information by email.
Just like a postcard, an email passes within easy reach of a lot of different people. However, an email is far less secure than a postcard: it can live and be searchable forever. At least a postcard can be easily discarded or permanently destroyed after being read.
Very few people understand how email works. Most people think that email works similarly to accessing a website. A website’s information goes nonstop directly from the website’s computer to your computer’s screen. Websites work this way; email does not.
The average email is fully stored and searchable on an average of about six computers, sometimes many more: your own computer, your company’s email computer (more commonly referred to as a “server”), your company’s Internet service provider’s computer, the email destination user’s Internet service provider’s computer, the email destination user’s company’s computer, and the destination user’s computer.
Your employer, or the recipient’s, generally needs no permission to access your email. Government authorities can obtain legal authorization to access your email from any of these computers.
Others have actual access without legal access, including the just-out-of-college wizards running the IT departments that handle many of these computers. Others who can physically access data transmission, but not the email stored on the email computers, can deploy readily available and simple-to-install email sniffers. A Google search on “email sniffers” reveals a staggering 8.4 million hits.
A person in the IT department at a company is able to know more about what is going on at the company than the CEO. The penalty for snooping on a colleague’s emails, if detected, is generally no stricter than dismissal. Companies want to maintain their reputation, and therefore would rarely involve the police. The full extent of email snooping is hard to know. Amy Pascal is not alone.
Then there are outside hackers, unauthorized people who want to access your personal email or your company’s email. The hacker’s motivation may include financial gain, industrial espionage, government intelligence, personal animosity or simply the challenge.
All the information found on almost all computers is fully accessible via passwords. Just as you are probably lazy with your passwords, others are too. People use common passwords, which a hacker’s computer can easily find by trying millions of passwords in a short time. People use the same password for different computers and websites. People write a password down and leave it easily accessible, perhaps even on a sticky note attached to a computer screen.
People will reveal their password to colleagues — or to those purporting to be colleagues, often by telephone. There are still scams initiated overseas by crooks pretending to be from the IT department who “need” your password to “fix a virus.” To make matters worse, hackers can use an email sniffer which copies email while the email is in transit between computers.
Computer storage used to be scarce, and, therefore, email was only kept for a relatively short time before being discarded and overwritten by new email. However, now, storage is so cheap and abundant that many companies keep all emails for years, perhaps forever. Even the storage on your own computer may be so large that even if you purposely “delete” all your “sent and received” emails, they may not be fully overwritten, and so may remain recoverable, for years. Deleting an email or a file does not generally remove the document — it is more like whiting out a chapter name in a book’s table of contents: the chapter just no longer seems to be there, but it still is.
That your emails reside on so many computers is not the only reason for concern. It is that they reside and can remain there for years. Most companies back up their email computers regularly. Often those backups are maintained for years. If they are not destroyed, they live on forever.
Anyone who gains access to a vast store of emails can easily Google them to find the emails of most interest to them.
The next time that you think how foolish younger people may be sharing all that private information on social networks, remember that the ‘confidential’ email that you sent earlier in the day is far less confidential than mailing a postcard.