The Dangers of E-mail
E-mail was first thought of by Internet pioneers as a way to communicate, criticize, argue, and joke around. Its potential was quickly realized, as e-mail spread worldwide among the earliest Internet users as a medium for sharing ideas, collaborating on emerging privacy issues, and communicating in general. The fascination of e-mail quickly turned from a hacker's toy to an important means of information exchange. In fact, e-mail is one of the driving forces behind the growth of the Internet. Its quick, worldwide spread did not require too many changes to the core protocols. The security shortcomings of POP3 and SMTP were considered an acceptable risk by those responsible for setting up e-mail systems, and the risks were largely unknown to the vast public, who uses e-mail without fully understanding it. Today, the security shortcomings of e-mail have manifested themselves into several obvious dangers. Let's look at the major dangers that face e-mail users:
E-mail can be intercepted by a man-in-the-middle attack, where an unexpected third person reads and possibly modifies e-mail sent between two legitimate parties.
E-mail can threaten your privacy when government agencies or intercepting ISPs monitor and read the e-mail messages (as in the case of DCS-1000).
E-mail can be exploited by attackers who spoof (masquerade as) someone else's identity to gain information from trusting recipients.
E-mail can be exploited by spammers or advertising agencies by using a shotgun delivery approach to send a widespread message or sales pitch in bulk.
E-mail can be used to deliver threats to networks and computers, in the form of viruses, worms, and Trojans.
Man-in-the-Middle Attacks and Surveillance
A man-in-the-middle attack takes place when someone intercepts communications between two people. If Alice and Bob are communicating through e-mail, a man in the middle can, unbeknownst to them, intercept and either read or modify their e-mail. The concept is not at all different from a wiretap on a telephone. If someone places a wiretap on your telephone line, he can listen in on your phone conversations and record them. Wiretaps can even be taken a step further. Telephone conversations can be intercepted and modified before the receiving party gets it, creating misinformation. These same concepts can be applied to e-mail communications. Surveillance is just an outcome of the wiretap. If your e-mail can be intercepted, it can be monitored over time.
After the tragic events of September 11, 2001, the issue of wiretapping was quickly brought to the attention of the U.S. Congress. The arguments before this time were that people's privacy should be considered more important than wiretapping. In the past, law enforcement had to go through rigorous legal channels of gaining permission to set a wiretap. Of course, they could wiretap without permission, but the information they gained would not be usable in court. In the week following September 11, the Senate passed laws to allow law enforcement more freedom in wiretapping communications. In the heat of the moment, this seemed like a good idea. Many Americans agreed that giving up some privacy was a fair return for increased security.
Note
DCS-1000
The laws that were passed after September 11 applied to nearly all communications, including e-mail. The FBI has long possessed a controversial e-mail-capturing system they call DCS-1000 (originally called Carnivore). The DCS-1000 system is a computer that is installed on a network to monitor all e-mail traffic going across the network. It is designed to filter all of this e-mail traffic, so that it only captures and stores what is relevant. That is, if the FBI wants to collect e-mail communications between [email protected] and [email protected], it would configure DCS-1000 to filter all traffic, looking for these e-mail addresses. When it finds these e-mail addresses, it can capture an entire e-mail message and store it so that FBI agents can later look through it. This is a basic description of DCS-1000. It actually has a range of powerful functionality, including the ability to filter for keywords in e-mail subject lines. For more details, visit the FBI's Web site at http://www.fbi.gov/congress/congress00/kerr090600.htm. Many ISPs are now cooperating with the FBI because of the terrorist attacks. In the past, ISPs were reluctant to hand over user data.
The point here is not to scare you about DCS-1000—the media has already done a good job of that! DCS-1000 can actually serve as a useful tool in fighting crime and terrorism. The point is that you should be aware that your e-mail messages are susceptible to monitoring. Your e-mail is not private. Many tools similar to DCS-1000 exist, and the FBI is not the only group using them.
That's where e-mail encryption through tools such as PGP comes in handy. PGP can give you back your privacy. We will discuss in the following sections how you can use PGP to encrypt your e-mail.
Caution
 | Because of these security concerns, you should never send sensitive information via e-mail. You should not use e-mail to send payment information such as credit card numbers or bank accounts. Remember that unless you protect your e-mail with something such as PGP, your e-mail is readable by nearly anyone. |