Securing E-Mail Is Your Job
Should businesses and consumers be able to expect ISPs and businesses they deal with not to snoop into their communications and Internet use?
Earlier this month, the U.S. Court of Appeals in Boston answered no by affirming an earlier ruling dismissing charges against an executive whose company provided e-mail services to book dealers. The executive had been accused of violating federal wiretapping laws when he told his employees to create an application to read incoming e-mail from Amazon.com.
In upholding the dismissal in a 2-1 vote, the appeals court reasoned that "because [e-mail] is stored on servers before being routed to recipients it does not enjoy the same eavesdropping protections as telephone conversations." And the ruling implies that while the federal wiretapping laws were created to give greater protection, those protections are afforded only to oral and wire communications. E-mail is a different matter.
In writing for the majority Opinion, Judge Juan Torruella declared, "We observe, as most courts have, that the language may be out of step with the technological realities of computer crimes. However, it is not the province of this court to graft meaning onto the statute where Congress has plainly spoken."
It is unquestionable that laws written for radically less capable, longer-lived technologies are not always adequate to the needs of today. Federal wiretapping laws are a prime example of ordinances that have been outpaced by the technology they were supposed to regulate. This is a situation Congress should remedy quickly.
Nothing changes the fact that e-mail is an inherently insecure medium. There is no question that it is good business for an ISP or corporation to state upfront what it plans to do with your information and for it to attempt to provide what it has promised to the best of its capability. But keep this in mind: You can demand commitments of privacy from ISPs, but any ISP promise is little more than a false assurance of privacy. There are too many other parties in the e-mail chain that you dont know and with whom you have no ability to bargain and against whom you have no recourse.
Phil Zimmermann, author of PGP (Pretty Good Privacy), compares the use of unencrypted e-mail to sending personal messages on postcards: There cant be any expectation of privacy when thats done. Passwords should not be sent in the clear in e-mail messages and likewise for credit card numbers and other sensitive information.
The ruling is a wake-up call to enterprises to secure sensitive e-mail. Companies concerned about privacy should use encryption or alternate models such as secure internal corporate portal forums, technology for which is available from a multitude of vendors. They should also implement security tools for instant messaging technologies or use secure corporate chat tools. A company is only as secure as its weakest link. Securing your communications will ensure your e-mail is not that link.
eWEEK is interested in your Opinion. Send your comments to eWEEK@ziffdavis.com.