We are using email more than ever. The growth of communications services such as WhatsApp, SnapChat, Telegram, Slack and others has not reduced the importance of email as a communication channel, particularly for sending or receiving important documents to or from businesses.
And while our inboxes might have started out full of spam and irrelevant messages, nowadays they are home to a treasure trove of personal and sensitive information – along with loads of spam too, of course. Somehow the spam never really went away.
One might hope that this personal information would be private. But, as you might have guessed, it isn’t! Email is one of the least secure and least private forms of online communication there is. Email is not popular because of its security; email is popular because of its universality – anyone can use it with anyone.
When email was invented, security was not a consideration. Emails hopped from server to server, leaving a trail of copies behind them. Security has improved since, much as it has for web browsing: when you access a mainstream website, you will see a small lock icon next to the address bar, indicating that you are accessing the site using a secure connection. These connections are encrypted and protected by ‘Transport Layer Security’, or ‘TLS’ for short. Although not yet quite so widespread, the majority of emails are now delivered in a similar way, using ‘TLS Email’. Properly implemented, TLS increases email security substantially, preventing anyone sitting ‘in the middle’ of the connection between servers from reading your emails in transit. What it doesn’t do, however, is protect your emails in your or your contacts’ inboxes or ‘Sent Items’ folders after they are sent.
Why email is still not private
Free email services are free for a reason – in return for providing you functioning email, the email service provider gets access to all your email data, including all email content, any attachments, and the names of the sender and recipients. This personal data is very valuable – particularly for deciding when and which adverts and other content to show you – and so the email provider generates a profit from your free email account.
The result is that your ‘free’ email service comes at a cost: your privacy. Free email is not free at all; you are paying for it with your privacy.
Business email accounts, on the other hand, suffer from a different but related problem. In the case of business email, the service provider does not have access to your emails, but the business itself does. This might be OK if you are running your own business, but if you are an employee, less so.
Why should I worry about my email account?
Most email accounts are packed full of valuable, sensitive, private, and useful information – all available to your email service provider. This lack of privacy is sometimes handy: it means that we are more likely to see useful and tempting adverts. But at other times it is a problem. There are certain things we want to keep private – like when we sign up to certain online services, when we are receiving sensitive information (such as investment details, mortgage statements, health information and the like), or when we need to send confidential information (such as a photo of a passport or ID card).
Access to your information is why your email provider does not charge you for email. But hackers would like to access this information too. Personal email accounts are designed to be easy to use but are not necessarily well protected – unless you configure them properly (keep reading for tips on how to do this). And if hackers do get into your email account, they can use it to access other accounts, to intercept conversations – typically to attempt to fool you or your contacts into sending money to the wrong account, or to engage in blackmail. According to a survey last year, around 1 in 10 UK consumers think their identity was stolen at some point over the previous 12 months.
Risk is contagious
The other thing to remember is that emails are stored in both the sender’s email account and the recipients’ email accounts. So even if your email account is secure, your information is at risk if your contacts’ accounts are not. There are plenty of examples of both businesses and consumers losing money this way, where either the sender’s or the recipient’s email account gets hacked and the other party ends up being affected. The only real way to protect against this is to use a secure email service such as StayPrivate.
The lack of legal protection
Whether you are based in the United States or not, you are likely to use a US provider for your personal email account. The level of privacy US email providers are legally required to deliver derives from the ‘reasonable expectation of privacy’ in the Fourth Amendment to the U.S. Constitution. And given the open nature of the email protocol, the expectation of privacy is low, and so the legal requirement is for little privacy too. This has provided the legal space to allow providers to offer email in return for mining your data.
It is also worth noting that US email providers are governed by the Electronic Communications Privacy Act (ECPA) and the Patriot Act. The result is that, as well as the provider having access to your data, your emails can be accessed by the US authorities via a simple subpoena.
Work email for employees
Most employers expect their employees to sign a computer and network usage policy. This usually specifies that business email is to be used for business purposes only and grants the employer the right to monitor your emails. These agreements effectively deprive employees of any reasonable expectation of privacy when using business email. And since employees are sending emails from the business email domain, this is not reasonable. Of course, employers, unlike law enforcement, do not have any technical obstacles preventing them from accessing and searching your emails.
Bear this in mind when using your business email and when sending to business users too. Do not embarrass yourself or your recipient by including any information which might compromise you, them, or anyone else.
Another problem with email is deletion, or more accurately, the lack of deletion. When you delete an email, you can no longer see it yourself. However, deleted emails are still stored on business email servers. Deleted emails may also be retained by free email providers – depending on whether they think it worthwhile (when you signed up for the personal email service you signed away the right to control your information). Since emails are digital, the cost of storage is small, so it is possible that emails can be kept for many years after being deleted.
But the good news is that there are things you can do to make email better. In fact, a lot better.
Six simple steps to help keep your emails secure:
- Use a strong password and do not re-use this password.
- Use 2-factor authentication.
- Keep software updated.
- Use private email for important emails.
- Check and double check the recipients’ email addresses are correct.
- Check that emails are from whom they say they are.
Use a strong password – ideally something made up of a combination of words and numbers. If you make a very complicated password you will need to store it in a password manager, but it’s more convenient if you can come up with a strong password that you can remember. One way of doing this is by using three random words and throwing in a couple of numbers, for example: ghost3light2sea.
The website https://haveibeenpwned.com/ enables you to check whether your email account has been hacked, and at https://haveibeenpwned.com/Passwords you can check whether any of your passwords have been leaked, too. Of course, this is not an exhaustive list, but if your password is present at least you know to change it. And if it’s not on the list, then that’s encouraging but certainly no guarantee.
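As an added example (not code from the original article or from StayPrivate), this is how the Pwned Passwords check behind https://haveibeenpwned.com/Passwords can be done without ever sending the password itself: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to the real range endpoint https://api.pwnedpasswords.com/range/<prefix>, and compares the remaining 35 characters locally against the suffixes that come back. The sample response below is constructed so the example runs offline: the suffix for the word "password" is the real SHA-1 suffix of that word, but its count and the two other lines are made up. `live_fetch_range` shows the real request but is not called here.

```python
import hashlib
import urllib.request

# Real endpoint of the Pwned Passwords range API. Only the 5-character hash
# prefix is ever sent; the full hash and the password stay on your machine.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for a range response, so the example runs offline.
# Format (as returned by the real API): "<35 hex chars of suffix>:<count>".
# The "1E4C9B9..." suffix is the real SHA-1 suffix of the word "password";
# its count and the other two lines are made up for this example.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n"
    ),
}


def sha1_prefix_suffix(password: str) -> tuple:
    """Upper-case hex SHA-1 of the password, split into the 5-char prefix that is
    sent to the service and the 35-char suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict:
    """Turn 'SUFFIX:COUNT' lines into a {suffix: count} dictionary."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.strip().upper()] = int(count.strip() or 0)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """How many times the password appears in known breaches (0 = not found).
    `fetch_range` is any callable that maps a 5-char prefix to response text."""
    prefix, suffix = sha1_prefix_suffix(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


def offline_fetch_range(prefix: str) -> str:
    """Serve the constructed sample above; unknown prefixes return an empty list."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def live_fetch_range(prefix: str) -> str:
    """Query the real service (the API requires a User-Agent header).
    Not called by the offline demonstration."""
    request = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "example-password-check"},
    )
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.read().decode("utf-8")


if __name__ == "__main__":
    for candidate in ["password", "ghost3light2sea"]:
        n = breach_count(candidate, offline_fetch_range)
        print(f"{candidate!r}: {'seen %d times in breaches' % n if n else 'not in sample'}")
```

Swap `offline_fetch_range` for `live_fetch_range` to query the real service; the point of the design is that the password and its full hash never leave your machine, only the prefix does, so the service learns very little about what you checked. A password that is not found is, as the article says, encouraging but no guarantee.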
Use 2-factor authentication – nearly all email services allow you to enable 2-factor authentication, using your phone number as the second factor. All you have to do is switch it on.
Keep software updated – much software these days is automatically updated, but it is still worth checking periodically to make sure that your operating system and browser are up-to-date, particularly on older devices.
Use private email for important emails – free email accounts simply do not offer enough privacy. Keep important, sensitive, or personal information safe by using a secure email service when signing up to services and when sending or receiving confidential information. A service such as StayPrivate is designed to work alongside your current email account rather than replacing it, allowing you to keep important email conversations separate from your main email account, which has the added benefit of keeping things organised too.
Check and double check the recipients’ email addresses are correct
This one might sound obvious, but make sure you are sending the email to the right people, and only the right people. Check and double-check the ‘to’, ‘cc’, and ‘bcc’ addresses, making sure, for example, that you are sending to a.n.other and not an.other.
And if you do realise you’ve sent the email to the wrong person, do something about it straightaway. Following up immediately asking the recipient to delete the email is generally recommended – if possible. One of our founders worked with someone who accidentally sent an email to her soon-to-be ex-boyfriend rather than her new guy – describing how the ex-boyfriend was ‘a loser’. There’s not much she could do about that, unfortunately, other than put a brave face on it.
Finally, check that emails are from whom they say they are from
There is no need to check every email, of course, but make sure that important emails are from, for example, myemail@example.com and not firstname.lastname@example.org. If you use a service such as StayPrivate, it will help alert you to this sort of thing.
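Both of the checks above, recipient addresses such as a.n.other versus an.other and sender addresses on a domain that merely resembles the expected one, can be partly automated. The following is an added example, not StayPrivate's code and not from the original article: it compares an address against a small address book and flags near-matches before you send (or when you read a From address). The address book, the test addresses and the edit-distance threshold are constructed assumptions for the example.

```python
import re
import unicodedata

# Constructed address book for the example; these are not real contacts.
KNOWN_CONTACTS = [
    "a.n.other@example.com",
    "alice@example.com",
    "myemail@example.com",
]


def normalise(address: str) -> tuple:
    """Lower-case, Unicode-normalise and split an address into (local, domain)."""
    address = unicodedata.normalize("NFKC", address).strip().lower()
    local, _, domain = address.rpartition("@")
    return local, domain


def strip_separators(local: str) -> str:
    """Remove dots, hyphens and underscores so a.n.other and an.other compare equal."""
    return re.sub(r"[._-]", "", local)


def levenshtein(a: str, b: str) -> int:
    """Edit distance: single-character inserts, deletes or substitutions needed."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # delete
                               current[j - 1] + 1,              # insert
                               previous[j - 1] + (ca != cb)))   # substitute
        previous = current
    return previous[-1]


def lookalike_warnings(address, known_contacts=KNOWN_CONTACTS, max_distance=2):
    """Return (known_contact, reason) pairs for every contact that `address`
    resembles but does not exactly match. An exact match returns []."""
    local, domain = normalise(address)
    warnings = []
    for known in known_contacts:
        k_local, k_domain = normalise(known)
        if (local, domain) == (k_local, k_domain):
            return []  # exactly a known contact: nothing to warn about
        if domain == k_domain and strip_separators(local) == strip_separators(k_local):
            warnings.append((known, "differs only in dots or separators"))
        elif local == k_local and domain != k_domain:
            warnings.append((known, "same name, different domain"))
        elif levenshtein(f"{local}@{domain}", f"{k_local}@{k_domain}") <= max_distance:
            warnings.append((known, "within %d edits of a known contact" % max_distance))
    return warnings


if __name__ == "__main__":
    for candidate in ["an.other@example.com", "alice@example.org",
                      "alice@example.com", "bob@elsewhere.net"]:
        print(candidate, "->", lookalike_warnings(candidate) or "no warnings")
```

An address that is entirely unknown produces no warning, which is deliberate: the check is there to catch the near-miss (a typo, a missing dot, a swapped top-level domain or a digit standing in for a letter) that a human reading quickly is most likely to overlook, not to replace looking at the address yourself.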