The CPSR Newsletter, Volume 18, Number 4, Fall 2000

Email is Not Private
by Netiva Caftori, Mark Teicher, and Steve Teicher
ncaftori@cpsr.org, stevet@cpsr.org

What we write is not private even if it is never published or mailed [1]. Once we type, scan, or dictate information it is subject to being read by persons unknown to us. What is on our computer disks may be read locally and remotely. If we email a file it will likely be scanned and analyzed while in transit. Once the file arrives at its destination, as long as it is available to be read by the intended recipient it may also be available to others. The general conclusion is that Email is not private.

The General Loss of Privacy

Jeffrey Rosen says in his book The Unwanted Gaze that there was a time, in England, when the papers stored in a desk at home were considered private. Rosen shows by listing several high profile cases that courts no longer consider diaries that have never been shared to be private to the writer. Notes written on a computer, but never disclosed to anyone by the author can be captured by prosecutors and disclosed to the public, even if the person who wrote the notes is not "on trial."

President Clinton said, "Even Presidents have private lives." He is wrong. No one has a private life. Rosen claims that Brandeis and Warren worried about this loss of privacy more than 100 years ago, saying, "What is whispered in the closet shall be proclaimed from the housetops."

We agree with Rosen's warnings about the loss of privacy and its implications. However, our job in this article is to identify the ways that privacy is technically compromised rather than to argue the social implications.

The Email Process

Email is created as a file. Typically a Mail User Agent (MUA) is used to compose and to read messages, which are then sent over the Internet. Older MUAs such as PINE [2] are accessed via a telnet session. When PINE is used, the file is stored on a time-shared machine in some central location where it is connected to the Internet. More modern MUAs run on the user's personal computer. Eudora by Qualcomm and Outlook by Microsoft are two popular MUAs.

Using Eudora or Outlook for example, the user composes and reads mail on her own PC. To send and/or to receive email, the PC connects via an ISP or private network to SMTP [3] or POP3 servers that handle the email transmission and reception. Email is stored for periods of time ranging from minutes to many days on these servers. Whenever email is stored it can be compromised in various ways.

Recently, ISPs have been offering NETMAIL [4] or WEBMAIL [5] to permit their customers to have access to email using browsers. Some ISPs do not expose their POP3 server to the Internet [6]. WEBmail via a browser is very similar to the use of PINE in that email is composed and stored on the modern equivalent of a time-shared machine. The user is certified by a login. The email file is stored at the ISP site on shared media. Some sites claim that the user's password is encrypted and some say that the files are encrypted [7].

Email authors often have more than one machine, perhaps a desktop at home, a desktop in the office, and a laptop for the road. Lotus Notes and IMAP servers make it convenient for all of these machines to handle a single user's email. They allow email and other files to be replicated. Replication is really duplication with some scheme for keeping all copies synchronized. For instance, if the author starts an email on one machine and then wants to edit it on another, the system will attempt to provide the latest copy for editing. The replication process requires some cooperation from the user, but apparently the ritual is easy enough to learn that these systems are quite popular. The important point is that in these systems, as in the case of Netmail and WEBmail, the user's files are stored on a shared-media machine that is subject to being read by the numerous schemes we discuss in the next few paragraphs.

Once email is composed it is sent across the Internet, mostly in clear text, where it can be compromised by a variety of methods that we discuss below.

The Tools for Privacy Violation

Email privacy violation is a very easy process. We list some of the most obvious, and perhaps for some of you the not so obvious, methods in the next few paragraphs. What may surprise you is that there are tools, already used by employers and usable by crackers [8], that operate automatically to find targeted information in files and email.

Keystroke Monitoring

ZDNET [9] reported that some employers now insert keystroke monitors [10] as hidden tasks on user machines. These products were at first developed as ways of restoring keystrokes in the case of a system failure. Those who remember TECO, an early text editor, will remember that it was easy to wipe out all your work by typing a wrong command. The keystroke recorder saved many sleepless nights and probably a few careers.

Now keystroke recorders keep track of writing, WEB pages, programs used, etc. Rob Graham reports that keystroke loggers often find information that is embarrassing to individuals in companies [11].

The ZDNET article reports that Keystroke monitors can even be inserted into home machines via Trojan Horse type devices such as Back Orifice.

Email Sweeping

The popular figure that is often quoted is that over 80 percent of the damage caused to companies due to theft of company secrets is from its own employees. Furthermore, all cases of sexual harassment of interest to a company's HR department are from employees. A vehicle for exporting secrets and for sexual harassment is email. Mailsweeper by Content Technologies [12] is one of the products that is used to catch email violators.

Mailsweeper operates silently at the e-mail servers to scan outgoing and incoming email. Email with certain key words or phrases can be blocked or can be flagged. Flagged email is copied to some authority, often the HR department for review.

Stuck Queue Clearing

System managers report that the email processors get stuck on a regular basis. Many of us have this experience from time to time when someone sends us an unusually large file. When queues stick the system manager may have to look through the messages that are outgoing or incoming to find out what is wrong. In this case clear-text messages can be read.

Diversion

It is possible for the sendmail or POP3 server to be hacked such that email from all or some people is diverted. This is essentially a home brew Mailsweeper.

General Hacking

According to The Computer Security Institute (CSI) [13] report, there are gangs of hackers who run scripts, singly or in batches, to break into machines. Any computer connected to the Internet will be attacked from time to time. As Rob Graham of Network Ice points out, firewalls are insufficient to prevent hackers from getting to a site. Site protection requires IDS (intrusion detection) on every machine and a process of constant vigilance by system managers or owners.

The implications of the hacker potential means your email is vulnerable if:

  • The author's copy of the email is stored on an unprotected system
  • The recipient's copy of the email is stored on an unprotected system

As an experiment we set up a Windows 2000 Professional system on a dial-up modem. This machine was then made into an Internet Connection Sharing system by following the simple instructions in the Windows manual. This machine was subjected to the scan [14] by www.grc.com. The resulting scan showed that the system resources were vulnerable to a hacker. We also know that it is possible to make configuration changes to reduce the system vulnerabilities. The point is that a simple set-up is vulnerable. If any system used by either the author or receiver of email is vulnerable, then the email messages are not private.

Court Required Disclosure

Most of us have heard of the high profile Microsoft case or of the flaps over email in the White House. Perhaps fewer of us recognized that a number of the emails that were disclosed in the Bill Clinton impeachment files were ones that were written but unsent by Monica Lewinsky. She was not on trial, yet the Starr prosecutors submitted to Congress, which published, writing that was on her computer disk, but that was never sent.

There are many instances in which disk drives or files are confiscated by authorities for search and whatever is encountered on these drives can be used without even legal protection. While we cannot reference search situations due to legal issues, the authors have positive information that files are searched on a regular basis.

Improving Email Privacy

There are techniques for improving email privacy. None of them are completely effective, but they do give you some measure of security. It may be important for you to be able to demonstrate in some cases that you at least used the best available practices in protecting your email. This paper contains a brief survey of how to improve email privacy. There are many more ways and products. For instance the Electronic Privacy Information Center (EPIC) Website lists a number of privacy tools [15].

Encryption

Encryption is a process that turns a text file into another file that cannot be interpreted by the casual or even dedicated observer. Strong encryption should be good enough to hide a file against intruders until the end of the universe. Every once in a while, what is considered to be strong encryption is broken, but for most of us, encrypted email is orders of magnitude safer than clear text.

Encryption software is available for free from the MIT site http://web.mit.edu/network/pgp.html and is also available from McAfee, a business unit of Network Associates. Network Associates purchased Phil Zimmermann's company PGP Inc in 1997. PGP stands for Pretty Good Privacy. In a letter that is linked to the MIT site, Phil assures [16] us that the PGP team is dedicated to email privacy and has not even considered a back-door for government agencies.

Encryption prevents Mailsweeper or any other diversion program from reading the content of email. As the headers are not encrypted, it is still possible to capture email from certain senders or to certain receivers for further analysis, but the email itself will be difficult to read if PGP is used to encrypt the body of the text.
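The point above, as an added illustration that is not code from the article or from Content Technologies: a minimal server-side keyword sweeper in Python, run over two constructed messages. With a PGP-armored body the keyword scan finds nothing in the text, but From, To and Subject remain readable and matchable. The addresses, subject line and armored block are constructed placeholders, not real mail or real ciphertext.

```python
import email
import re
from email import policy

# Constructed sample messages (not real mail). The armored block is a
# placeholder, not genuine PGP output.
CLEAR_MSG = """\
From: alice@example.test
To: bob@example.test
Subject: Q3 merger plan
Content-Type: text/plain

Bob, here is the confidential merger timeline we discussed.
"""

ENCRYPTED_MSG = """\
From: alice@example.test
To: bob@example.test
Subject: Q3 merger plan
Content-Type: text/plain

-----BEGIN PGP MESSAGE-----
Version: PGP (placeholder)

hQEMA0t1b3R0ZXhhbXBsZQEH/3xJc2Zha2VjaXBoZXJ0ZXh0Zm9yaWxsdXN0cmF0aW9u
=AbCd
-----END PGP MESSAGE-----
"""

# Phrases an HR-style sweeper might be configured to flag (constructed).
KEYWORDS = ("confidential", "merger")
ARMOR_RE = re.compile(r"-----BEGIN PGP MESSAGE-----.*?-----END PGP MESSAGE-----", re.S)


def sweep(raw: str) -> dict:
    """Scan one message the way a server-side sweeper would.

    Header fields are always in clear text, so they are matched regardless
    of encryption; the body only yields hits when it is clear text.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    header_text = " ".join(str(msg[h] or "") for h in ("From", "To", "Subject"))
    header_hits = sorted(k for k in KEYWORDS if k in header_text.lower())
    body_hits = sorted(k for k in KEYWORDS if k in body.lower())
    return {
        "from": str(msg["From"]),
        "to": str(msg["To"]),
        "subject": str(msg["Subject"]),
        "encrypted_body": bool(ARMOR_RE.search(body)),
        "header_hits": header_hits,
        "body_hits": body_hits,
        "flag": bool(header_hits or body_hits),  # copied to the reviewing authority
    }
```

Both messages end up flagged: the clear one because of its body, the encrypted one solely because the subject line leaks a keyword.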

The problem with Encryption to date is that both the sender and the receiver have to install the programs and have to follow a ritual that is not quite natural. You cannot decide on the spur of the moment to send encrypted email to one of your colleagues unless you know that they have a PGP agent, an up to date Key Chain, and practice using these tools.

There are several problems with encryption:

  • We mentioned the fact that the receiver must know in advance that some exchanges will be encrypted
  • Email is not encrypted while being created. Furthermore, if the mail is going to be revised it needs to be stored in the unencrypted format unless the sender and receiver also use file encryption.
  • Email can still be read by authorities who require either the receiver or sender to provide keys.
  • Key distribution is a problem even with Public Key Encryption

Keys and Do you trust me?

Once you decide to use encryption there are a number of choices to be made that complicate the process even as they make it more secure:

  1. Public Key encryption solves the problem of the distribution of secret keys, but it creates other problems
    • With Public Key Encryption, there is no need to be careful in the distribution of a secret key, but there has to be a way to distribute trusted Public Keys
    • The issue is not keeping the Public Key a secret, but keeping it from being corrupted. There is a very good booklet [17] by Network Associates, a product line of McAfee that describes the issues of verifying Public Keys by the use of Signatures
    • Signatures are testimonials by third parties, such as friends and colleagues that your key belongs to someone that they know. They are vouching for your identity and not your knowledge or beliefs.
  2. There are several forms of Public Key Encryption that are add-ons to existing Mail User Agents (MUA). The user must select which of the various forms of Public Key and Secret Key encryption to use. Which to use depends upon the receiver, not the sender.
  3. Most of us are used to passwords. Encryption packages introduce the concept of Pass Phrases, which is essentially a better password. A Pass Phrase is a series of words that is easy to remember for the author and hard to guess for the intruder.

McAfee PGP and File Encryption

The McAfee PGP Personal Privacy product acknowledges the problem with email only encryption and with requiring the receiver to have PGP software. The problem is that the files are vulnerable to being read while they are on your own machine or the machine of the recipient, in spite of the fact that the messages were encrypted in transit.

  • McAfee allows the user to encrypt files on the user's hard disk by the creation of an encrypted volume. This encrypted volume is actually a single file that looks like a disk "volume" when it is mounted for use. When this "volume" is not mounted, the data in the partition cannot be read except by someone with the proper pass phrase.
  • McAfee also allows the user to create self-decrypting files that are much like self-extracting [18] compressed files, except the receiver has to have an agreed upon password for decryption.
  • McAfee also offers PGPnet, a service that allows the traffic over the Internet to be encrypted such that non-encrypted collaboration tools can be used in a more secure manner. In other words, McAfee goes beyond email encryption.

Note that a file that cannot be read, can still be detected and deleted. The McAfee product is one solution to the privacy problem. However it is an extra burden on those who use it. If steps are missed either privacy is compromised or the files could be lost even to the author.

Disappearing Ink

Have you ever sent a note to someone with the instructions, "Tear this up after reading"? They then read the note, put it into their briefcase or desk and proceed with life. The transient note has been archived and can later compromise either the reader or the writer.

Disappearing Ink has a product that causes email keys to have time-outs like Mission Impossible; this email self-destructs after a fixed interval. The concept is that the sender is in control because she gives the email a time-window for reading and after that it is "lights out." This scheme is not perfect.

  • If the author of the email keeps a permanent copy then the file on the author's machine can be accessed by all the methods that we have discussed.
  • If the recipient cuts the message from the transient copy and pastes it into a document file it is preserved for an unlimited period.
  • There might be other ways of cracking the Disappearing Ink system that hackers will find.

However, even with these flaws the Disappearing Ink product certainly is a strong step in the right direction for privacy advocates.
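The time-out scheme described above, reduced to a runnable sketch (an added example, not the Disappearing Ink product's code or protocol): the per-message key lives only on a key server that erases it when its window closes, so the envelope becomes unreadable afterwards even if the recipient kept it. The HMAC-SHA256 keystream, the in-memory KeyServer and the seal/open_message functions are this example's own constructions; the first two flaws in the list above (the sender keeping a clear copy, the recipient pasting the decrypted text elsewhere) are untouched by this design.

```python
import hashlib
import hmac
import secrets

# Illustrative construction only (assumption: not the internals of any
# commercial product). Keystream and integrity tag both derive from HMAC.


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 keystream (a PRF run in counter mode)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class KeyServer:
    """Holds per-message keys until their window closes, then destroys them."""

    def __init__(self):
        self._keys = {}  # key_id -> (key, expires_at)

    def issue(self, now: float, ttl: float):
        key_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._keys[key_id] = (key, now + ttl)
        return key_id, key

    def fetch(self, key_id: str, now: float):
        entry = self._keys.get(key_id)
        if entry is None:
            return None
        key, expires_at = entry
        if now >= expires_at:
            del self._keys[key_id]  # "lights out": the key is erased, not merely hidden
            return None
        return key


def seal(server: KeyServer, now: float, ttl: float, plaintext: bytes) -> dict:
    """Sender side: obtain a time-limited key and build the envelope."""
    key_id, key = server.issue(now, ttl)
    nonce = secrets.token_bytes(16)
    ct = keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"key_id": key_id, "nonce": nonce, "ct": ct, "tag": tag}


def open_message(server: KeyServer, now: float, env: dict):
    """Recipient side: plaintext, or None once the key has timed out or the
    envelope fails its integrity check. A recipient who pastes the returned
    plaintext into another file keeps it forever; this design cannot prevent that."""
    key = server.fetch(env["key_id"], now)
    if key is None:
        return None
    expected = hmac.new(key, env["nonce"] + env["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, env["tag"]):
        return None
    return keystream_xor(key, env["nonce"], env["ct"])
```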

Conclusions

In the general case email is not private. It can be, and is, read by unintended humans and search engines for a variety of purposes, including general searches for things that are "undesirable" in the eyes and minds of someone. There are three ways to improve email security:

  • Don't create it. If you have something that is really private do not type it into any computer or write it down even in your diary.
  • Encrypt it before you send it
  • Encrypt it as you create it and keep it encrypted until it times out except for the transient periods of editing and reading

Encryption adds overhead to the process of creating and of reading email, and also requires discipline. If the encryption discipline is compromised the email can be lost or sent to the wrong parties.

Professor Netiva Caftori, Northeastern Illinois University
Mark Teicher, Corporate Security Officer, Network Ice
Steve Teicher, Treasurer of CPSR

Notes

[1] Rosen, J (2000), The Unwanted Gaze, Random House

[2] Program for Internet News and Email

[3] SMTP = Simple Mail Transport Protocol, POP3 = Post Office Protocol 3

[4] netmail.att.net for Worldnet

[5] webmail.mapinet.net for MPINET

[6] Worldnet does not expose their POP3 server to the Internet

[7] However, at least two of the services also claim that their WEBmail service is experimental or beta level. One service transmits passwords in clear text, while another service uses encrypted passwords.

[8] Schwartau, Winn (2000), Cybershock, Thunder's Mouth Press, pg 41

[9] http://www.zdtv.com/zdtv/screensavers/answerstips/story/0,3656,2599761,00.html

[10] Invisible KeyLogger by Amecisco

[11] http://www.technologynews.net/support_docs/intrusion.htm

[12] http://www.contenttechnologies.com

[13] http://www.gocsi.com/prelea_000321.htm

[14] http://www.grc.com is the URL for the Gibson Research Corporation that has a service for testing the security of machines attached to the WEB

[15] http://www.epic.org/privacy/tools.html

[16] http://web.mit.edu/network/prz_statement.html

[17] Network Associates (1999), An Introduction to Cryptography, http://www.nai.com

[18] Self-extracting compressed files refers to files that are shipped with a self contained extraction tool. Similarly McAfee facilitates the transfer of encrypted files that contain a decryption tool.

© Computer Professionals for Social Responsibility