Explain why email is an insecure form of data transmission.
July 30, 2014 11:38 AM   Subscribe

Let's say I need to send some personal data (e.g., full name, DOB, SSN, address history, etc.). I already know I should never transmit that information via email, but why? What are the risks, and where and when do they occur? At what point(s) during transmission is the info in that email in danger? Hit me with every worse-case scenario you can think of.

I need to be able to explain this to people without a lot of technical knowledge, so I will award you 10,000 bonus points if you can explain the risks to me like I'm five years old.

Thanks in advance!
posted by schooley to Technology (18 answers total) 8 users marked this as a favorite
Any person who runs one of the dozen computers between your laptop and your doctor's laptop can read that information. Everyone from the barista who's in charge of the coffee shop wifi, to the system admins who run the server farms that millions of emails pass through every day. Email is like sending a postcard. Anyone who's part of that delivery can read it.
posted by Jairus at 11:46 AM on July 30, 2014 [4 favorites]

I can't answer the technical side, but a low tech response is that the information in your inbox (both sent and incoming) is only as secure as your email account and the email account to which you've sent that information. If your email account (or the receiver!) gets hacked, they have all of that information. I mean, though, birthdays, really hard to hide from your email records, and ditto for full names. I have had to sent my SSN through email (for a base security clearance, oddly enough) in the past and I have actually tried to go back and make sure those emails are deleted at least on my end.
posted by jetlagaddict at 11:46 AM on July 30, 2014

It's like passing an unfolded note in class. Except you don't know which kids in class are going to be passing it. All the computers between you and the recipient can read everything that is sent. Any computer that says "Sure, I'll send it to your friend" has the potential to get the message.
posted by Brent Parker at 11:47 AM on July 30, 2014 [2 favorites]

Email is as secure as a post card. Works the same way.

An email doesn't go from your computer directly to another person's computer. It gets passed from server to server (in a clearly readable form) - and those servers may choose to retain a copy for later - until it is delivered to the server of the recipient.

Also, since the messages are passed between servers in, basically, clear text, so anyone who has access to the network between the servers can also see those messages and retain them.
posted by Pogo_Fuzzybutt at 11:47 AM on July 30, 2014 [1 favorite]

You ask about transmission, but also think about that email once it has arrived in the recipient's inbox. They can do whatever they want with it, forward it to whomever, disseminate it far and wide...

Google "embarrassing emails that went viral" and you'll come up with a lot of examples to use with your audience. They'll do a good job of showing how emails aren't secure at all.
posted by Leontine at 12:20 PM on July 30, 2014

At what point(s) during transmission is the info in that email in danger? Hit me with every worse-case scenario you can think of.

In a page linked to in a recent FPP there was mention of a computer virus that took unsent drafts of emails and sent them to random addresses from your contact list.

If you compose an email through a web-based interface, some of those transmit every character you type immediately up to the server for spellcheckery and other purposes. In that scenario, an attacker intercepting your network traffic could obtain the content of an email you never even saved a draft of or previewed.

Those sorts of intercepts are presumably recorded and archived - even encrypted network traffic may get recorded in the hopes that greater computing power available at some point in the future will be capable of decrypting it - and so if the content of any such archive is leaked, in the future the content of all emails in it (and everything everyone has ever done on the internet, perhaps helpfully organized and indexed by Watson-type artificial intelligence software to highlight the interesting and lurid bits) may essentially become Google-able public knowledge. (As something of a parallel, this journalist made an FOIA request and discovered that the United States Customs and Border Protection agency had in its records the plain-text credit card numbers from every time he had bought a plane ticket going back to 2005.)

And of course, even in a local client like Microsoft Outlook, if your computer is infected with a keylogging malware or virus everything you type is recorded. A hidden camera or other surveillance techniques can observe you writing an email, even through walls / without direct line-of-sight.

(As pointed out above, the same sorts of vulnerabilities are present for the person and device which receives the email and numerous intervening computers as well.)
posted by XMLicious at 12:35 PM on July 30, 2014 [1 favorite]

Look at a "raw" email ("Show original" in gmail, for example). Every line that starts "Received:" represents one machine that held that email as plaintext, and could have taken a copy of it.
posted by Leon at 12:50 PM on July 30, 2014

The email is in danger when it's on your computer, when it's on the sending email server, when it's on the wire between the sending server and the receiving server, when it's on the receiving server and when it's on the recipients computer.
posted by dgeiser13 at 3:03 PM on July 30, 2014

The above answers are excellent; I especially like the explanation that e-mail is no more secure than a postcard that anyone handling it can read, and probably less so because you have no real foreknowledge what route your email will take through the internet. Moreover, it is trivial for anyone who sees that mail to make a copy of it en-route.

Another approach to explaining would be to compare it to alternatives. For instance, sending that sort of information over a secure connection to a website means that you only need to trust that your computer and your recipient's computer isn't compromised, that your recipient is who they say they are (which a browser verifies by using a special kind of certificate that requires proof they are who they say they are to be issued), and that your recipient will handle the information you provide properly. Anyone else that might see the data on its way to the recipient would only see encrypted gibberish. (Note that there are technically other risks here because encryption and cryptosystems are hard to implement right, but in general this is true.)

Or, via the phone network. Since it is a private network, only the phone company (or someone authorized by them) could potentially listen in on your phone call. Phonecalls are also transient, and barring a government-ordered wiretap or recording by you or your recipient, the contents of your call aren't generally going to be recorded anywhere. It requires you to place a lot of trust in your phone company and your government (which is a tall order post-Snowden), but unknown third parties will generally have a tough time getting at your phone call.
posted by Aleyn at 4:46 PM on July 30, 2014

Some of the replies are missing a point. Servers which relay internet information do not store it; they relay it. A tap is possible, but servers are typically configured to accept data and then pass it on per the instructions in the packet headers. They don't grab it and store it. (The NSA does.)

The vulnerabilities are typically in email storage by the sender (the sent mail folder), and by the recipient (the inbox and from there other folders), but most conspicuously over the airwaves. If you are connected via WiFi, your data can be intercepted en route without you knowing it.

Firewalls help with the storage vulnerability. SSL helps with the WiFi vulnerability.
posted by yclipse at 5:01 PM on July 30, 2014

In my albeit limited experience with email server software that involves relaying, I seem to have come across many misconfigurations, improper filesystem permissions, bad logging practices, and other circumstances that leave copies of emails that were spooled to disk lying around in plain text files. Presumably even if everything's functioning as intended there are a variety of ways that your emails can end up in a server's backup tapes.
posted by XMLicious at 5:42 PM on July 30, 2014

Best answer: The postcard analogy is apt, except imagine that every time the postcard goes from one place to another, it has to be copied, have the copy put in the new place, and have the original burned. (yclipse is right that servers that relay internet information typically don't "store" it. They hold a copy in memory just long enough to get it out the door and on its way.)

So you write a postcard, photocopy it and put the copy in the mailbox. Your mailman can't just take it, so your mailbox photocopies it and hands them the copy, and burns what it has. Then the mailman copies it and puts the copy in the mail truck. Then they copy the postcard to put it in the mail sorting facility, and they copy it to put it on other trucks, who copy it to send it to other mail sorting facilities, and so on until eventually, a copy gets to your recipient's mailbox, and then your recipient.

Every step of the way, each mailman, mailbox, truck, etc. burns what they have after copying it and delivering the copy. If they didn't, they'd quickly be buried under a mountain of postcards. That is, unless someone convinces them to look for, say, a credit card number on one of these postcards, and if they find one, to make two copies. Or, if they have bad instructions, (someone said to "blern" the postcards, maybe) so they just leave some laying about.

There are varying degrees of difficulty in convincing these people to do something other than burn after reading. Typically, once the mailman gets it, they have a pretty solid work ethic and resistance to trickery. They're also not holding onto postcards for long, so if they are tricked, it's only what they have on hand for the duration of the trickery that's at stake. But - they can also have bad managers, who don't tell them the right way to do their job.

So there's potential danger all along the mail route. The most major danger will be where the postcard sits the longest though - your mailbox, and your recipient's mailbox. Because it's there for longer, and because you and your recipient aren't as good at security as the mail sorting facilities. But there's room for mistakes and trickery all over, and each step of the way, the message is just sitting there for whoever's around to look at.
posted by mrgoat at 5:51 PM on July 30, 2014 [1 favorite]

Servers which relay internet information do not store it; they relay it. A tap is possible, but servers are typically configured to accept data and then pass it on per the instructions in the packet headers.

We usually refer to such things as routers, not servers, and even then, it isn't uncommon for mail servers to write messages to disk before relaying it on down the line, and it isn't uncommon for those disks to be backed up to another location/medium, and those backups may not be well secured.

The truth is that these days, a good chunk of mail these days is transferred over the open internet in a secure fashion. Mail clients communicate over SSL secured POP/IMAP for retrieving and filing mail and SSL encrypted SMTP for sending mail. Moreover, when an SMTP server receives mail from an email client, it will often use SSL when delivering it to the destination mail server. If email makes more hops that that, then they usually take place within the networks of the originating or receiving organizations, not the wild internet.

Even so, I still wouldn't consider email to be secure though. While most people operating mail servers probably have the option for SSL enabled to secure the sending and receiving of messages, most will probably also receive and send mail from remote machines that aren't using SSL (or don't have trusted certificates), so you can't really be sure that someone in the chain between you and the sender or recipient hasn't exposed the mail to relatively unsophisticated snooping.

And then there is the fact that when it is sitting on a mailserver, it is like a postcard in a mailroom. Your mailbox has a lock on it, but that is no guarantee that someone with access to the backside of all the boxes can't/won't read it without detection.
posted by Good Brain at 7:20 PM on July 30, 2014 [1 favorite]

The simplest answer is that emails are not encrypted when they're passed from server to server (unless you encrypted it yourself and your recipient will decrypt it), so it would be easy to read it at any of the points it passes through.

This is in contrast to something like Skype, where the messages are always encrypted before being sent and automatically decrypted on the receiving end. This doesn't mean that Skype is completely secure, but for someone to illicitly read your Skype messages they would need to find and exploit some kind of flaw or weakness in Skype or would need Microsoft's cooperation.
posted by duoshao at 7:22 PM on July 30, 2014

STARTTLS is a method of encrypting both server-to-server and client-to-server SMTP traffic. I don't know how pervasive its use is but its application to SMTP was standardized twelve years ago.
posted by XMLicious at 8:06 PM on July 30, 2014

The SMTP protocol was first apparently proposed in 1982 and has only seen minor revisions ever since. It supports neither encryption or server authentication. On top of that, any email can "lie" about who sent it, and the only defende we have against this spoofing is laughable spam traps .
posted by Yowser at 1:31 AM on July 31, 2014

As far as I can tell that's completely incorrect. Both cryptographic signatures and encryption of the message contents appear to have been standardized in 1995, but of course no one bothers; a guy I worked with loved to evade security requirements to encrypt email by setting up an encrypted VPN between the servers involved and claiming that was equivalent to encrypted email. Browsing through the configuration of some mail server packages I've come across settings to enable the server cryptographically signing messages on top of the sender's signature too as it relays, but I don't know whether that's standard-based.

The core SMTP standard hasn't changed much because it was well-designed and properly decoupled from everything else. That's why, for example, you can have POP or IMAP or whatever you want as a standard for mailboxes and changing that doesn't break anything having to do with the transfer of the mail messages themselves.
posted by XMLicious at 3:43 PM on July 31, 2014

Response by poster: Y'all, these answers were all super helpful! Thank you!
posted by schooley at 6:01 AM on August 6, 2014

« Older What to look for in a used windsurfing board and...   |   Please suggest a practical bis cas blazer Newer »
This thread is closed to new comments.