3 Reasons Email Is Not Secure
Did you know that your email is about as secure as a kid's game of telephone? The only difference between email and telephone is that the communication between the sides (generally) doesn't break down.
How does email work?
You write an email in Gmail, Outlook, on your blackberry or iPhone. You hit send. It's there! Unfortunately, that message didn't just go directly from you to your sweetheart. It got relayed from you to your local DSL provider; from them to a central server; that server to some server in Nevada that routes emails; from that server in Nevada to another one in Idaho; that one in Idaho, over to Minnesota; and on and on until it gets to sweetie.
Here are a few reasons why email isn't secure:
1) Every relay gets a copy of your message
Just like our game of telephone, server 1 says "here's my message" to server 2. Once server 2 has the message, they say "got it," at which point server 1 is supposed to delete the message. Does it? You don't know.
That's the unlikely case of security issues - most providers are contractually obligated to ensure the normal flow. Here's another case: a hacker might be monitoring all emails coming through a relay point. That hacker might have a little filter running that looks for "social security" or "my credit card number is" or "2813 1327 0000 1234" and so on. All emails that match collect in a nice little document for him to sell to the highest bidder.
2) SSL security(?)
Oh, but you say, "I turned that SSL thingy on in my email! It says it's secure!"
From wikipedia: "While it [SMTP SSL] protects traffic from being sniffed during transmission, it is technically not encryption of e-mails because the content of messages is revealed to, and can be tampered with by, involved email relays. In other words, the encryption takes place between individual SMTP relays, not between the sender and the recipient."
What does that mean? It means that each relay makes the decision to support or not support the encryption. It's unlikely your email is getting from one end to the other completely encrypted.
Not only that, but if your accountant sends your tax documents to you to sign and they've got SSL enabled, but you don't, the best case scenario is: you're the problem. It has to de-encrypt the message before it gets to you if it didn't already do so on a relay.
3) Single point of failure
Yeah, we've all got a few email addresses, but they're often coming into one inbox whether in Outlook or on a mobile device. What happens when you lose your phone at a bar or have your laptop stolen? Your email (and other things) are now readily available for consumption.
This is a slightly different conversation than the first 2 reasons, but the reality is most hacks happen when someone figures out your password or gets access to one of your devices. Since we all use email so much, it's often the most easy/convenient thing we have at our fingertips. Do you have your devices configured to ask you for a password every time you want to view/check/send email? Probably not. That would be a pain in the neck.
In my next entry, I'll talk a little bit about alternatives. In the meantime...keep emailing! We all do!