This question is as valid under the GDPR as it is under the data protection regime we have had for the last 22 years under the data protection directive (95/46/EC).
What makes this relevant now is that the GDPR, more than the individual implementations of the directive, mandates security on all facets of data processing, and that companies have an obligation to register and show how they have secured that processing.
Since E-mail is used a lot to transfer personal data, e.g. in messages from companies to the data subjects themselves such as order confirmations, it is only fair to examine whether the medium, and the way it is used, actually lives up to the protection the GDPR mandates.
In the first of two posts I will go back in history and explain the origins of electronic mail, how to properly secure it and the reasons why e-mail has become such a ubiquitous form of communication and why it has become such a problem for data protection professionals.
Electronic mail or E-mail has been around longer than the world wide web, although most of us may think otherwise simply because we came in contact with both of them at the same time. However, if you look at the dates associated with the relevant RFCs (Requests for Comments, the de facto Internet standards), you will notice that the Simple Mail Transfer Protocol (SMTP) was created in 1982 whilst the Hypertext Transfer Protocol (HTTP), the basis for the world wide web, was created in 1996.
But what is electronic mail or E-mail precisely, other than a protocol for transferring information between systems?
Effectively it’s just a text file with an addressee, a sender, a date and a subject, and a body which holds the actual message.
The protocol adds to that an envelope stating only the sender and receiver addresses.
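To make the distinction between the message text and the SMTP envelope concrete, here is an added example (not code from the original post) that parses a constructed order-confirmation message with Go’s standard net/mail package and compares its From: header with the envelope sender. The message, the envelope values and the address names are all constructed for this example. Every field the parser returns is plain text, which is exactly what any server on the path sees.

```go
package main

import (
	"fmt"
	"io"
	"net/mail"
	"strings"
)

// Envelope is what SMTP itself carries next to the message text: only a
// sender and the recipient addresses (MAIL FROM / RCPT TO).
type Envelope struct {
	MailFrom string
	RcptTo   []string
}

// Letter is the message text as described above: addressee, sender, date,
// subject and the body holding the actual message.
type Letter struct {
	From    string
	To      string
	Date    string
	Subject string
	Body    string
}

// SampleRaw is a constructed order confirmation, not a real message.
const SampleRaw = "From: Webshop <orders@example-shop.test>\r\n" +
	"To: Jane Doe <jane@example.test>\r\n" +
	"Date: Mon, 02 Oct 2017 09:15:00 +0200\r\n" +
	"Subject: Order 1234 confirmed\r\n" +
	"\r\n" +
	"Dear Jane, order 1234 will be delivered to 1 Example Street on Wednesday.\r\n"

// SampleEnvelope is the constructed SMTP envelope that accompanied SampleRaw.
var SampleEnvelope = Envelope{
	MailFrom: "orders@example-shop.test",
	RcptTo:   []string{"jane@example.test"},
}

// ParseLetter splits the raw text into its header fields and body. Every
// field it returns is plain text: any server storing or relaying the message
// can read it exactly this way.
func ParseLetter(raw string) (Letter, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return Letter{}, err
	}
	body, err := io.ReadAll(msg.Body)
	if err != nil {
		return Letter{}, err
	}
	return Letter{
		From:    msg.Header.Get("From"),
		To:      msg.Header.Get("To"),
		Date:    msg.Header.Get("Date"),
		Subject: msg.Header.Get("Subject"),
		Body:    strings.TrimSpace(string(body)),
	}, nil
}

// FromMatchesEnvelope reports whether the From: header names the same address
// as the envelope sender. The two are set independently by the sending
// system, so a mismatch is something a receiving system should notice.
func FromMatchesEnvelope(env Envelope, l Letter) bool {
	addr, err := mail.ParseAddress(l.From)
	if err != nil {
		return false
	}
	return strings.EqualFold(addr.Address, env.MailFrom)
}

func main() {
	l, err := ParseLetter(SampleRaw)
	if err != nil {
		panic(err)
	}
	fmt.Printf("envelope: %s -> %v\n", SampleEnvelope.MailFrom, SampleEnvelope.RcptTo)
	fmt.Printf("header:   %s -> %s (%s)\n", l.From, l.To, l.Subject)
	fmt.Printf("body:     %s\n", l.Body)
	fmt.Println("From matches envelope:", FromMatchesEnvelope(SampleEnvelope, l))
}
```

Running it prints the envelope, the header fields and the body side by side; the name, street address and order number in the body are as readable to the parser as they are to every mail server that stored the message on its way.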
Since the Internet (or ARPANET) was, back in the early days, a closed network of government institutions, universities and some research institutions, security was hardly an issue. Okay, except for a group of hackers from the Netherlands who managed to obtain Internet access at weird times. This same group ended up founding the Internet Service Provider XS4All in 1994 when hacking became illegal.
The short answer: everyone who has access to the mail server, or to any mail server in between your computer and the computer of the recipient.
The reason for this lies simply in the fact that electronic mail was nothing more than a standard protocol sending unencrypted text between systems. As such, not much has changed since 1982: mail may look more dynamic and may have a nicer layout, but at its core it is still the same plain text that is sent to the mail server and from there across the Internet to the intended recipient. All the included layout is just that, layout, and it travels in the clear too.
Just compare your E-mail message to a standard postcard you may send home from your holiday address, with a nice picture on the front and the recipient’s address and your personal message on the back.
Everyone handling that postcard on its way around the globe can read your personal message. E-mail essentially is the digital version of that picture postcard without the picture.
So has nothing changed then? Basically not, as far as the security of the mail messages themselves is concerned. What has changed, although not everywhere and certainly not on all connections, is that the connections between mail servers, or between the mail server and your computer, have become encrypted.
However, that only protects the confidentiality of your message against miscreants trying to intercept your data between systems. On the mail servers and on your computer, all data is still stored in the clear and therefore readable by anyone with access to that system.
Just think back to that picture postcard and imagine that at every postal center the card is put into a box with all the other postcards. That box is then sealed before it is sent on to the next postal center, which breaks the seal, opens it, and the whole process starts all over again.
Between arriving at the postal distribution point and the sealing of the next transfer box, your postcard is again readable by everybody working at that specific location.
So let us stick with that postcard analogy and see how we can adequately secure that postcard on its way around the globe to your family and friends back home.
Now I know what you are thinking: come on, that’s easy, I will just use an envelope and lick it shut before I send it.
Apart from the fact that at that time, at least in some instances, the postage you had to pay would increase, this is precisely what needs to be done when securing messages sent by E-mail as well.
However, using a digital envelope that you can digitally lick shut, and that upon arrival clearly shows whether it has been tampered with, is not trivial.
The solution to secure E-mail messages is by using cryptographic keys and the accompanying system to make sure only the intended recipient can read the actual message.
However, besides the address of the intended recipient, you would also need to know the public key for that recipient to make sure that he or she is the only one able to decrypt the communication.
It would go too far to fully explain how this works in this post. It is enough to understand that the public key is the glue that seals the envelope around the postcard shut, and that the corresponding private key is the only thing that can dissolve that glue upon arrival.
Alternatively, imagine a box around your postcard or package with a lock that has two keyholes, or a keyhole as well as a combination lock: the combination is used to lock the box, whilst there is only one corresponding key to unlock it, and the recipient is the only person holding that key.
From a data protection perspective, sending personal data as clearly readable electronic postcards across the Internet must be a nightmare scenario. Yet, no matter where you order something online, the first thing you receive is just such a postcard stating everything you ordered, including your name, in many cases your address and the expected delivery date, and mostly also what you paid for that order and how.
The fact that, specifically in our 24/7 economy, E-mail is used for this is not really surprising. As I already wrote, using effective methods (i.e. that digital sealed envelope) to adequately secure messages to your customers is not particularly trivial.
You may ask yourself: isn’t there software available to do this? Yes, of course there is, and there has been for about 20 years as well.
The usability of that software, however, has varied considerably, and maintaining all the relevant public keys at the company would take some knowledge, time and effort.
Why this was never done at a large scale probably has more to do with the fact that IT or information security was seen as difficult and cumbersome, and that frictionless access to data and systems became the norm, insofar as it wasn’t already in the early days of the Internet.
A related problem is that large files containing personal data of tens or maybe even hundreds of individuals are sent using E-mail as well. In these cases the risk of data leakage and the associated impact become much larger than with your order confirmation E-mail.
Certainly if somebody sends a file containing data on several million citizens by E-mail to the wrong address, as happened in Sweden earlier this year.
And then we have the requirements on securing personal data which have been laid down by the European Union in the GDPR.
But more about that in the second post in this two post series.