Email Privacy

Much has been written about the implications of this court ruling about ISP's right to inspect email, including articles on various trade publication sites (e.g., ComputerWorld, NetworkWorldFusion, InfoWorld and eWeek), as well as in national press. Julian posted a well-reasoned analysis of this. I would be a bit more blunt: Get Over It, Everyone! Your unencrypted email was never private, and if you ever harbored the illusion that it was, I've got a bridge in Brooklyn that I want to sell you!!

OK, maybe I wouldn't go that far, but looking at the practical issue rather than at legal theories, the only thing that really protects the privacy of unencrypted email is the fact that the sheer volume of it overwhelms all but the most closely targeted snooping. Your ISP, and various upstream ISPs (that you have absolutely no control over at all) have a right and need to maintain their systems, and to do this they need to be able to examine files. Telcos do not need to listen in on conversations in order to maintain their systems, but ISPs sometimes do.

Maybe this ruling will have a good effect. Maybe it will get people to start using encryption. A lot of people complain that encryption is too hard to use, that PKI is difficult and confusing, etc., etc., ad nauseam. Once again, I say: Get Over It, Everybody! There is no part of life in which security and privacy are entirely simple and convenient. We carry keys, remember combinations, and deal with all sorts of different types of locks every day. It is so second-nature to us that we don't think about it -- until we lose a car key, forget a PIN, etc., but when that happens we don't blame the technology for being too complex. We blame ourselves. PKI and crypto can get better, but if they ever get to the point of being simple, foolproof, and totally transparent, they won't be secure.

I don't recall where I read it, but I've seen some criticisms of this ruling that went along the lines of "This is equivalent to saying the post office can read your snail mail." Well, guess what?... They can, in certain circumstances, do that. And no... I'm not talking about anything to do with the USA Patriot Act. I've had a case where an envelope that I sent was basically shredded by one of the post office's mail-handling machines, and since both the address and return address were unreadable as a result, someone at the post office examined the contents, found my address on an enclosed check, and sent it back to me in an official-looking envelope with a full explanation of what happened. And even if we accepted the premise that the post office shouldn't be allowed to look inside envelopes, that still doesn't guarantee that your mail will remain private. I once received a set of documents from an attorney, but those documents were not intended for me. The attorney's assistant had put them in the wrong envelope. In another case, I received a check with someone else's name on it -- from a brokerage house as the proceeds of closing out a bond fund that I had never owned. In those cases and in several other cases of receiving less sensitive mail, acting in a sense as postmaster for my own little post office, I opened the envelopes, identified the actual intended recipient and made sure that they received the contents. I've done that numerous times as postmaster of rhs.com, as well, for mis-addressed email.

Talking about mis-addressed mail to rhs.com brings up another example. Because "RHS" are the initials of several thousand high schools in the US, it turns out that a large number of young people use addresses in my domain as their "fake" addresses when registering on web sites, posting on Usenet, etc. In addition to the boatloads of annoying spam that I get because of this, I occasionally get personal email intended for specific young people. Sometimes very personal. Sometimes, the messsages are so personal, so revealing of private information about the sender, that I face the ethical dilemma of wondering whether or not to let the sender know that (a) the message was not received by the intended recipient, and (b) the message was read by a total stranger nearly three times their age... not to mention wondering whether to try to find the guidance counselor of the school that the sender attends.

I hope all of this reinforces the point that, no matter what the legal decisions may say, no matter whether Congress passes laws that overturn the current decision, no matter what anyone does: unencrypted email does not, can not, and will not ever have assurances of privacy.