Many years ago I was a consultant for a company who decided they
wanted to perform a security audit of their computer systems. One of the components of
their system that I was requested to check out was email. My client wanted
to determine if their email was secure.
It took me all of a minute to determine that their email was totally and
completely insecure. Fortunately for them, this was in the days before it
was common for company computer systems to be directly connected to the
internet, because their email messages were stored in plain text in a well
known system location. In fact, not only were the email messages stored in a
completely insecure manner, but deleted messages were not actually deleted
until an administrator purged them - and since they didn't have anyone doing
that there was a complete record of company emails going back years in the
past.
I had spent about thirty minutes on this part of the audit so far and was
ready to move on when one of the email messages caught my eye. It was a
particularly juicy romantic message from one employee to another. Well,
romantic is not the right word - highly x-rated would be more like it.
Curious, I continued looking through the emails (off the clock, of course,
since I had already accomplished my mission as regards email) to see what
else was stored in the single message file.
I stayed up all night long, highly amused at what I saw that day. Believe
me, I read some serious blackmail material (if I was that kind of person).
Lots of office romance, some flirting, X-rated messages and other similar
things. I remember one particularly scandalous series of hundreds of emails
going back and forth between one man and a woman (both single) recounting
their relationship for years. Every date, every x-rated encounter was
written up in long, detailed messages. This was very entertaining stuff
indeed.
After a few hours I got bored and stopped reading. I was tempted to keep a
copy of the email data but resisted. That was not part of my mission.
Fortunately, it was also not part of my job to report on indiscretions
committed by various employees. My job was to find and fix any insecurities,
and that's exactly what I did... I erased the file and set up an automatic
purge to permanently delete old emails. At the time that was the best that I
could do.
I learned a very important lesson that day - email is not private. Not by
any means.
Not much has changed in the intervening years. In fact, email messages are
generally not encrypted in any way. In fact, I have never received an
encrypted email and I've only sent a few in my entire life.
Just so you completely understand, a normal email message is NOT the
equivalent of a letter send through the normal mail. In that case, you write
your note on a piece of paper, put it in an envelope and drop it into the
mail. As far as email is concerned, a better analogy is of a postcard. Your
messages are "written" on the electronic equivalent of postcards.
What does this mean to you? Anyone can look at your message. Quite
literally, anyone.
Let's look at the process to illustrate how and when an email message could
be read by another person.
1) You write the email using your email client. The client may create that
email as a text file in a temporary folder on your hard drive. If someone
looked at your hard drive they could find the email. And it's not any better
if you use a web based email client such as Hotmail. These leave files in
the Temporary Internet Folder, which can easily be recovered. Remember that
the next time you read your emails at work...
2) You do type in the email address to which an email is sent. You could
accidentally type in the wrong address. Worse yet, if you have distribution
or mailing lists, you could accidentally type in one of those, which may
cause an email to inadvertently be sent to the wrong person or people. For
example, if there was a "Joe S Smith" and a "Joe M Smith" at your company
with very close email addresses, you could easily send to the wrong person.
3) The email gets sent to your SMTP server (this is the system which accepts
your email message and forwards along towards the destination). At this
point, the message could, in theory, be read by someone tapping your phone
(or cable) connection. It's not likely (unless you are a spy or something)
but it's possible (and not all that hard).
If you are at work, well, the email probably gets sent to your SMTP server
through something called a proxy server (the computer which manages the
connections to the internet). If so, a copy of the email could be stored on
the proxy server. In theory, this could be examined by someone who had
access to that server.
If you happen to send the email from your companies own email system, it is
highly likely (especially in larger companies) that the email will be
examined by context checking software. This is looking for curse words,
sexual harassment, resumes and any other inappropriate content. Any emails
found which violate company policy may be directly routed to personnel.
4) Okay, the email gets delivered to the SMTP server which it is stored,
still as a simple plain text file, until it is sent to the next SMTP server.
You see, emails never go directly from your outbox to someone's inbox. They
move from server to server until they find their way to their destination.
Each server keeps a copy of the email until it is forwarded to the next one.
5) SMTP servers are computer programs and they can be programmed to do
malicious or unusual things. For example, a law enforcement agency could, in
theory, program an SMTP server to make a copy of any emails directed to a
particular person, and send those copies to their office.
A hacker could, in theory, program an SMTP server (or examine messages
coming across the wire) to look for series of characters that looked like
credit card numbers (they are pretty obvious). These email messages could be
directed to the hacker's own mailbox, thus giving him a steady supply of
income.
6) At any of these SMTP servers, the email could be examined by anyone who
has access to the email system. The internet "wire" could also be "tapped"
and the email message captured on the fly (this is highly unlikely but it is
possible).
7) Since software is simply a series of rules created by human beings, it is
possible for an SMTP server to misunderstand how to route your email. Thus,
a message could be sent to the wrong recipient (this has happened to me a
few times) or to the wrong SMTP server.
8) There is no guarantee that the person who receives a message is actually
the person who is the intended recipient. Someone else could be using their
email client, for example, or an SMTP server may have misdirected the email
to the wrong inbox. In this case it works exactly like the post office - the
mailperson puts the mail in your mail slot, but he does not guarantee that
you will be the one who picks up the mail.
And since most emails are just text, they can be read by whoever happens to
receive them without any problems.
9) Naturally, once an email is receive it is stored on the hard drive of the
recipient. They are usually stored in text files (for normal emails) or in
the Temporary Internet Folder (for web based emails).
10) Of course, once someone does receive an email he or she is free to
forward that email onto just about anyone, starting the whole process over
again.
11) At any point in this entire scenario, the email message can be backed up
or archived. In this case, it can be recovered later and delivered to the
wrong person.
So please, the next time you send those highly personal messages remember
that they can be read by anyone. You have no way to know where these things
wind up or how long they will last. The could pop up anywhere at anytime
with a vengeance.
About the Author
Richard Lowe Jr. is the webmaster of Internet Tips And Secrets
at http://www.internet-tips.net - Visit our website any time to read
over 1,000 complete FREE articles about how to improve your
internet profits, enjoyment and knowledge.