This election year may well be the year of the email controversy.
From Colin Powell’s emails to Hillary Clinton’s private server to the Democratic National Committee’s email leak to Donald Trump openly encouraging Russian hackers, it’s easy to see that even those with likely the tightest security measures in place are still victim to break-ins.
The average American might look at these presumed-to-be-private emails and wonder — just how safe is email?
“I will put it this way: I would purposefully write a note to my sweetie, but I would not be willing to put an X-rated picture in it,” Herb Lin, a cybersecurity expert at Stanford University, tells me.
Of course, your vulnerability on email as an individual varies; it would be inaccurate to say email is less secure than speaking on the phone. It just depends who you are.
But when it comes to emails, there are certain realities about the technology we should be aware of: There are a lot of easy, nontechnical ways to hack into your email login information. Ultimately email technology is old and complicated, which opens it up to vulnerabilities.
There are certain easy — and some not-so-easy — precautions you can take. The good news is that there is a movement toward making email more secure, but until then, don’t send your X-rated photos, credit card numbers, or Social Security number — at least if you care about your privacy and identity theft.
Email servers are really complicated and prone to security flaws
Behind every email address is an email server. That’s a computer located in a data center somewhere that receives email on your behalf and holds on to it until you’re ready to read it. The decentralized nature of email means that anyone, from big companies like Google to hobbyists in their basement, can set up and run an email server.
This is what Hillary Clinton did — she set up a server in her home in Chappaqua, New York. By running her own server, Clinton may have made it easier for her to use her beloved BlackBerry, and she may have been trying to make it harder for third parties to gain access to her emails using subpoenas or Freedom of Information Act requests.
But by choosing to run her own server, she opened herself up to some serious security risks.
By nature, mail servers are really complicated technology — they are prone to flaws that can be exploitable, Justin Cappos, a computer science professor at NYU's Tandon School of Engineering, said.
They are also incredibly difficult to set up. Ars Technica explains how to set up a private server, with a warning:
If you screw up and your server is compromised or used as spam relay, your domain will almost certainly wind up on blacklists. Your ability to send and receive e-mail will be diminished or perhaps even eliminated altogether. And totally scrubbing yourself from the multitude of e-mail blacklists is about as difficult as trying to get off of the TSA's No Fly list.
You have been warned.
For average Americans, it’s usually safer to just go with the big mail providers like Gmail or Apple, both Cappos and Lin said. “Some mail servers are set up really poorly [and] because they are complicated, there are lots of issues,” Cappos said.
“Gmail is pretty secure. Are they invulnerable? No,” Lin said. That’s a big takeaway —nothing is invulnerable. As the Ars Technica article notes, going with Google or Apple means that you don’t have control over who is overseeing the transfer of your emails between different mail servers or if your data has been compromised.
And that’s talking about servers — which are fundamentally more difficult and technical systems to hack. Lin categorizes most hacking we experience as “nontechnical.” In other words, it’s people trying to trick you into clicking on bad links that steal your information or log in to your account by simply guessing the password.
Hackers often try to trick email users with seemingly familiar addresses — for example, a trusted email address with one character different — sending “poisoned” links. Click on the link, and it can take you to a page that can steal more information, running malicious software. That’s incredibly common and incredibly “easy,” Lin said.
And, as Dr. Zinaida Benenson, a researcher from University of Erlangen-Nuremberg, found, people are easily fooled by this kind of email phishing. PC Magazine reported Benenson’s findings:
Based on these results, Benenson concluded that just about anybody could be induced to click a dangerous link using one of several techniques. Addressing the victim by name, crafting the message to induce curiosity, spoofing a known sender, matching message content to the victim's recent experience—these are the tried and true techniques.
Email is also a very old technology
Email technology is old.
“It's the oldest still-recognizable component of the Internet, with its modern incarnation having coalesced out of several different decades-old messaging technologies including ARPANET node-to-node messaging in the early 1970s,” Ars Technica senior editor Lee Hutchinson writes.
And because it’s old, certain security developments haven’t caught up to it yet — most notably, encryption. When used correctly, encryption — which we see in iMessages or texts through apps like WhatsApp — scrambles messages in a way that prevents anyone but the intended recipient from unscrambling them. But when it comes to email, almost all mail servers operate in plain text.
“It’s like if the mailman only delivered postcards instead of envelopes,” Cappos said. You could see how this could be a problem, if you have a corrupt mailman or someone pretending to mailman who is really a malicious identity thief.
There are some solutions to this, like using a GPG — which would encrypt your email before sending, requiring the recipient to be able to decrypt the message — but tools like this are hardly accessible, Cappos said.
The good news is that there has been a big push toward encryption, Cappos said. As for now, however, the software is just “old and entrenched,” he said.
For now, just be careful
For average email users, there are certain accessible and commonsense ways to make communication more secure.
“When I send my credit number, I use two different channels,” Lin said. For example, he will send the first 12 digits over email and the phone in the last four.
It’s the same idea as using two-factor authentication on your logins — where you not only have a username and password but also are sent a text with an addition code to plug in at login. Here is a video on how to works:
But at the end of the day, different people have different habits or concerns when it comes to privacy.
“Personally, I will speak much more candidly on the phone,” Cappos said. “[With email] you are producing a written log of whatever you say — really whoever runs the server can see what you are saying.”
This is not so say that phone conversations are completely foolproof; there’s wiretapping, after all.
But then again, no form of communication is completely secure.
“I could make Colin Powell’s thoughts completely secure; I would just put a piece of duct tape over his mouth,” Lin said. “And that is completely useless.”