Email Cannot Be 100% Secure

https://www.scientificamerican.com/article/its-time-to-admit-that-e-mail-will-never-be-100-percent-secure/?WT.mc_id=SA_TECH_20161227
Hillary Clinton lost the election in November, and a major reason was probably one of humankind’s most flawed creations: e-mail.

She was dogged, of course, by her use of a private server during her tenure as secretary of state. But her campaign was also weakened by a steady stream of hacked e-mails, not always flattering, especially those of the Democratic National Committee and of her campaign chair, John Podesta.

Those weren’t the first damaging e-mail leaks in history, of course. You may remember “Climategate,” the 2009 leak of climate scientists’ e-mails, which, according to critics, revealed a conspiracy to exaggerate the climate crisis. Or the 2014 hack that made e-mails and other documents from Sony Pictures Entertainment public, with devastating personal, professional and corporate consequences. Multimillion-dollar movies were canceled, a top executive lost her job and relationships were shattered.

And then there was LinkedIn, hacked in 2012 (165 million customer records accessed), Evernote in 2013 (50 million), Target in 2013 (110 million), Home Depot in 2014 (56 million credit cards; 53 million e-mail addresses), my employer, Yahoo, in 2014 (500 million), Anthem in 2015 (80 million).

Since 2005, corporate systems have been breached more than 5,100 times, involving nearly a billion records. And the breaches are getting bigger and more frequent. For years experts have been giving the same advice for keeping our digital lives secure: Use complex passwords. Change them often. Don’t use the same password for more than one service. Some of us do that; most of us don’t. But you know what? It doesn’t matter.

In almost every hacking case, it didn’t matter if your password was “password” or “k&1!#_qw<>[email protected]!j”—your data were swiped. You were a good little password soldier, and you got hacked anyway. These big corporate hacks don’t necessarily come about from bad guys guessing our passwords.

The Target hack, for example, relied on malware that recorded customers’ swipes in the stores’ credit-card readers. The 2014 leak of Hollywood starlets’ nude photos was the product of a phishing scam. (The hacker sent the actresses phony “account problem” e-mails; when they clicked the link to fix the problem, they landed on a fake login site—and thereby provided their passwords to the hacker.) Staffers for both Podesta and the DNC lost their passwords to phishing scammers, too.

Having good, long, complex passwords wouldn’t have helped in any of those cases. Dear reader: It’s time to admit it. We’ve lost this battle. We should accept that data breaches aren’t shocking aberrations anymore—they’re the new normal. The age of reliable security is gone. We need to adjust our thinking. E-mail will never be completely secure for everybody. Go ahead, get started on the stages of grasping this new reality: denial, anger, bargaining, depression, acceptance.

Actually, e-mail was never intended to be secure. Most messages are sent as plain, easily readable, unencrypted text from your sending device to your e-mail service (Gmail or whatever), to your recipients’ e-mail services, and from there to their devices. Encryption is a rare, partial and inconvenient solution.
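One way to see the hop-by-hop path just described is to read a message's Received headers, which each mail server prepends as it hands the message along. The script below is an added example, not part of the original article: it parses a constructed message (the hostnames and IP addresses are made-up documentation values) and reports which hops were protected by transport encryption and which were relayed in the clear. Two caveats apply: Received headers are written by the receiving servers and can be forged or omitted, and a TLS hop only protects the wire between two servers; each server still handles the message as plaintext, which is exactly the article's point.

```python
"""Audit the Received: trail of an e-mail for hops that lacked TLS.

Added example, not from the original article. The message below is
constructed for illustration; every host, address and id is fictional.
"""
import email
import re

# Constructed sample message: three hops, the middle one relayed in the clear.
# Servers prepend Received: headers, so the topmost header is the LAST hop.
RAW_MESSAGE = """\
Received: from mx.example.net (mx.example.net [203.0.113.5])
        by mail.recipient.example (Postfix) with ESMTPS id 4F1A2B3C
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits));
        Tue, 27 Dec 2016 10:15:02 +0000 (UTC)
Received: from smtp.sender.example (smtp.sender.example [198.51.100.7])
        by mx.example.net with ESMTP id 7D8E9F0A;
        Tue, 27 Dec 2016 10:14:58 +0000 (UTC)
Received: from [10.0.0.23] (laptop.lan [10.0.0.23])
        by smtp.sender.example with ESMTPSA id 1A2B3C4D
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 27 Dec 2016 10:14:55 +0000 (UTC)
From: alice@sender.example
To: bob@recipient.example
Subject: quarterly numbers

The attached figures are not for distribution.
"""

# Markers that common MTAs (Postfix, Exim, Sendmail, Gmail) leave when the
# hop was negotiated over TLS: the "S" in ESMTPS/ESMTPSA, or an explicit
# "using TLSv1.x" / "version=TLS1_x" comment. Plain "ESMTP"/"SMTP" means clear.
TLS_MARKERS = re.compile(
    r"\bwith\s+(?:e?smtpsa?|lmtps)\b|\b(?:using|version=)\s*tls",
    re.IGNORECASE,
)
FROM_RE = re.compile(r"\bfrom\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def _first(pattern: re.Pattern, text: str) -> str:
    """Return the first capture group of pattern in text, or '?' if absent."""
    match = pattern.search(text)
    return match.group(1) if match else "?"


def audit_hops(raw_message: str) -> list:
    """Return one dict per hop, in chronological order (sender's device first).

    Each dict has the announcing host ('from'), the receiving server ('by')
    and whether the header shows transport encryption ('tls').
    """
    msg = email.message_from_string(raw_message)
    received = msg.get_all("Received") or []
    hops = []
    for value in reversed(received):  # reverse: oldest hop is the bottom header
        text = " ".join(value.split())  # unfold continuation lines
        hops.append({
            "from": _first(FROM_RE, text),
            "by": _first(BY_RE, text),
            "tls": bool(TLS_MARKERS.search(text)),
        })
    return hops


def plaintext_hops(raw_message: str) -> list:
    """Return only the hops whose Received header shows no TLS at all."""
    return [hop for hop in audit_hops(raw_message) if not hop["tls"]]


if __name__ == "__main__":
    for hop in audit_hops(RAW_MESSAGE):
        status = "TLS" if hop["tls"] else "CLEARTEXT"
        print(f"{hop['from']:>28} -> {hop['by']:<28} {status}")
    exposed = plaintext_hops(RAW_MESSAGE)
    print(f"\n{len(exposed)} of {len(audit_hops(RAW_MESSAGE))} hops relayed in the clear")
```

Run against a real message saved as raw source, the report shows which relays could have read the message off the wire. Even when every hop reports TLS, each server named in a "by" clause still held the message unencrypted, so a breach at any of them exposes the contents regardless of how the wire was protected.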

There are ways to communicate securely, of course. You could use, for example, an encrypted chat program such as Cryptocat, ChatSecure or PQ Chat. But that approach isn’t the solution, because the same app has to be on both ends of the conversation. As a result, those chat programs will never be as universal as e-mail.

There are “unhackable” services, too, with names like Tutanota and Posteo. But there’s a charge to use them—so once again, they’ll never become universal. If you’re not a celebrity or politician, your greatest source of protection is your own obscurity. Frankly, the hackers are generally uninterested in getting into the e-mail of nobodies. So there’s that consolation.

No matter who you are, the only surefire advice is to heed the joke that’s been popping up online lately: “Dance like no one is watching. E-mail like it’s going to be read aloud in a deposition.”
