We Need A Universal Standard For Sending Confidential Data Via Email

by 12th May 2012Security

I’ve recently been asked to supply information for various business contracts and personal information for security purposes, and one thing has has struck me in all of these dealings: in each case, email was the primary preference for providing that information. This isn’t much of a surprise, since email is allows almost instant communication, enabling individuals and companies to transfer information between each other without the increasing vagaries of the postal service. Providing such information by fax is also declining, as most individuals don’t have access to one, and companies ditch them in preference for email.

What stands out is the fact that of all the organisations involved, none was expecting that I would send them the information in a 256 bit AES encrypted zip file. In one case, the company had to get their IT department to relax their anti-virus rules to let the zip file through and then download a utility to decrypt it; and another luckily only had to download the utility. The third, was the most shocking of all: Disclosure Scotland, the equivalent of the Criminal Records Bureau in England, was unable to accept and decrypt the file.

The problem doesn’t all lie with the organisations on the receiving end: a comment I received back was that this was the first time anyone had actually sent them such information in an encrypted format. Email is an inherently insecure medium of communication: once it leaves your computer it can pass through any number of servers and countries before it reaches the end recipient. Consider that whilst I communicate with my email server using Transport Layer Security there is no guarantee that once it reaches my email server (which happens to be hosted in Germany) that it will be encrypted on the mail server, nor that at any point on the hops onward to the recipient, will the data be encrypted. Yet thousands of people are willing to have personal data and information sent by email daily. A couple of years ago, I received a quotation for house insurance from Bradford and Bingley which included my name, address, date of birth, and the amount for my quote. When I complained, I got an ill-educated and snotty response stating that the information was not considered "personal" under the Data Protection Act. Perhaps not, but collating all that information together in one email has certainly made it easier for someone to steal my online identity.

Where communication is not automated, and the interaction is between two human beings (albeit with a lot of technology in between), my preferred solution at the moment is to send all confidential data in a 256 bit AES encrypted zip file. Even this causes compatibility problems, since I am using a proprietary utility, Winzip to do this, and where organisations are restricted in terms of what software can be installed locally, this means that they can’t decrypt the file. For the most part it works, but as I have found, it is very hit and miss as to whether the recipient can view the information. In the end, I have resorted to snail mail to Disclosure Scotland.

So what is the solution? Pretty Good Privacy (PGP) has been around since 1991 when it was invented by Phil Zimmerman, but this relies on both the recipient providing a public key for the sender to encrypt the email or appended data with. For the average consumer (and indeed, typical organisation), PGP is not a straightforward and easy method for transmitting confidential data across the internet, although the security level of most PGP implementations is such that even government security agencies have trouble breaking the codes. This would also not work in the Bradford and Bingley example above, where Bradford and Bingley would have needed my public key to be provided first before they could send me an automated quote. Another similar implementation is S/MIME which requires an in-house or public Certificate Authority to provide a key.There is also the issue of viruses, worms and other attempts to hack into organisations. Where emails are encrypted, anti-virus utilities are unable to intercept and verify the contents until they are decrypted at the recipient’s end, requiring anti-virus to be implemented on each desktop. Then too, there is the question of webmail, and the implementation (or lack) of encryption utilities on the World Wide Web. I suspect that many organisations are unlikely to be willing to drop anti-virus scanning at a hardware level purely to allow the receipt of encrypted data.

There must, and has to be, a solution to this: at the very least, where the British government are mooting tracking our email movements (but somehow never looking at the contents), we must be looking to encrypt the contents of our emails to keep it safe from prying eyes, whether those of our own Big Brother state, rival companies, or a corrupt System Administrator on the lookout for opportunities to hack our bank accounts. I don’t have a solution for this, but I know what I want: automatic encryption and decryption in every email program available on every operating system, with 256 bit AES encryption, combined with a method of authenticating or rating the trust level of the incoming email using Bayesian principles. In effect, each email program would need to sandbox incoming encrypted emails and apply a trust level during decryption, only allowing through fully decrypted emails if they meet the expected trust level.

Until that standard emerges, I’m going to stick with encrypted zip files and "educating" misguided organisations about what constitutes personal or confidential information. Another option I’m looking at is placing such information in a Dropbox encrypted folder but at present, you don’t have the ability to restrict who gains access to a shared folder. Sharing a link to the data is possible, but anyone intercepting that email would have just as much access as the recipient. In the end, I just hope that such a standard emerges sooner rather than later.




Matthew is an IT specialist with more than 20 years experience in software development and project management. He has a wide range of interests, including international political theory; playing guitar; music; hiking, kayaking, and bouldering; and data privacy and ethics in IT.


Share this post