Computer Security Article

Private Email on the Internet

Author: Michael Miora
Published in Carolina Computer News, July 1997

Is There Private Internet Email?

Last month in this column, I discussed email and the trials and tribulations of one ISP. This month, I would like to focus on the issue of privacy: Can there be private email on the Internet even for the individual home user?

Recall that there are multiple servers involved in sending and receiving electronic mail. The originator’s SMTP (Simple Mail Transfer Protocol) server and the recipient’s POP (Point of Presence) server are the two end-points, but there could be many way stations in between. The details of TCP/IP are beyond the scope of this article. It is important to say, however, that an electronic mail message traveling along the Internet passes through many nodes on its way from the origination point to the sender’s SMTP on to the recipient’s POP and eventually to the destination computer.

The path electronic mail traverses to get from its originating computer to its destination is a complex and public one. At each point or node along this path there are opportunities for security breaches. These paths and nodes are said to be "un-trusted" because a user cannot trust that these elements will provide good security.

In contrast to Internet email, there is the internal email used by many companies. Those email systems typically have trusted elements to them as well as un-trusted elements. One employee sending email to another employee at the same facility can usually be confident that the electronic mail is not subject to scrutiny by the Internet masses. (It is noteworthy, however, that many email systems do make all email available to an administrator and, hence, are not fully private.) Even in these corporate email systems, messages sent to other entities via Internet protocols are often not secure.

Fortunately, there is a way to make Internet email messages fairly impervious to compromise of content or integrity. To wit: make it impossible for anybody who intercepts the message to read it, and simultaneously make it possible for the recipient to validate that the apparent sender is the real sender. With most email systems in use today, this is fairly easy to accomplish. The answer is encryption, or more formally, end-to-end encryption (E3).

What Is Encryption?

Encryption is a technique for making information incomprehensible to anyone except an authorized user. An unauthorized attempt to read the message will reveal only apparent gibberish. An authorized attempt will require decrypting the message so that it is readable. The encryption and decryption processes work together using public and private keys so that any sender with your public key can send you an encrypted message that requires your private key to read it. The private key is never sent to any other user and never kept in an un-trusted environment. The public key is available to everyone, i.e., the public.
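The two properties described above (only the recipient's private key can read the message, and the recipient can validate the apparent sender) are shown in the following added example, which is not part of the original column and is not how PGP is implemented. It uses textbook RSA without padding and constructed toy keys built from small known primes; the names `seal`, `open_sealed`, ALICE, BOB and EVE are illustrative assumptions.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys

def make_keypair(p, q):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))   # modular inverse needs Python 3.8+

def _digest(message, n):
    # SHA-256 of the message, reduced to fit the toy modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def seal(message, sender_private, recipient_public):
    """Sign with the sender's private key, encrypt to the recipient's public key."""
    n_s, d_s = sender_private
    n_r, e_r = recipient_public
    m = int.from_bytes(message, "big")
    if m >= n_r:
        raise ValueError("message too long for this toy modulus")
    signature = pow(_digest(message, n_s), d_s, n_s)
    return pow(m, e_r, n_r), signature

def open_sealed(ciphertext, signature, recipient_private, sender_public):
    """Decrypt with the recipient's private key, then check the sender's signature."""
    n_r, d_r = recipient_private
    n_s, e_s = sender_public
    m = pow(ciphertext, d_r, n_r)
    message = m.to_bytes((m.bit_length() + 7) // 8, "big")
    authentic = pow(signature, e_s, n_s) == _digest(message, n_s)
    return message, authentic

# Constructed sample keys from known Mersenne primes (toy sizes, not secure).
ALICE_PUB, ALICE_PRIV = make_keypair(2**89 - 1, 2**61 - 1)    # sender
BOB_PUB, BOB_PRIV = make_keypair(2**127 - 1, 2**107 - 1)      # recipient
EVE_PUB, EVE_PRIV = make_keypair(2**127 - 1, 2**89 - 1)       # interceptor

if __name__ == "__main__":
    ct, sig = seal(b"Meet at noon Friday", ALICE_PRIV, BOB_PUB)
    print(open_sealed(ct, sig, BOB_PRIV, ALICE_PUB))      # recipient reads and verifies
    print(open_sealed(ct, sig, EVE_PRIV, ALICE_PUB))      # wrong private key: gibberish
    print(open_sealed(ct ^ 1, sig, BOB_PRIV, ALICE_PUB))  # altered in transit: check fails
```

Production tools use much larger keys, padding, and hybrid encryption in which the public key protects a per-message session key rather than the message itself.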

A discussion of Public Key Cryptography is a topic for a future column. For this month, the question is, "Can there be private mail on the Internet?" The answer is a resounding yes with two provisos: the encryption is used properly, and the cryptographic products (software and algorithms) are strong.

The Solution

There are many programs available that claim to provide good encryption. Professionals have not evaluated most of these and fewer still have been hailed as good implementations of public key cryptography. One of the most popular programs that provides good encryption is PGP, a freeware program for DOS and other platforms intended for non-commercial use. Many shareware front-end programs have been developed to ease the use of this powerful program. A recent upgrade to the freeware program is called PGPMail 4.5. This program takes the power of PGP, the ease of use of Windows-based programs, and the common MAPI interface for mail systems and rolls them into one easy-to-use system.

With the release of PGPMail 4.5, anyone can start sending and receiving secure (encrypted) electronic mail in just a few hours. If you are sending messages you would rather keep private, then you should be using an encryption program – PGPMail 4.5 is one of the best and easiest to use for the individual home user and for general commercial use.

After all, you don’t write your private letters on post cards, so why send your private email on the electronic equivalent of post cards? Use an envelope and seal it with encryption.

Updated Spring, 2002 by webloke © Stephen Cobb
Some article content reprinted by permission.
Article content copyright named author(s).