Speaker Key: PB: Phil Brown, DW: David Whelan
PB: It’s Phil Brown and I’m here with David Whelan. Today we are going to talk about email encryption.
DW: Email encryption has always been something that is discussed by lawyers since it became a big part of how lawyers communicate with their clients and others. In 1999, the ABA came out with an email policy, maybe an ethics opinion, on whether lawyers needed to use encrypted email or not, and they decided in 1999 that they don’t.
I think part of that came about because encryption and email has been so difficult to do. This is because you can use whatever software you want to send email, and in order to use encryption, your client or the person on the other side (e.g. the judge), needs to be able to then decrypt that email. In order to do that, it often requires them to put software on their systems that they may not understand how to use.
PB: And that has always been, kind of, the weak link with email encryption - the person on the other end trying to figure out how to decrypt that email.
DW: Right. The basics with email have been in order to secure it, we have required everybody to have strong passwords, and so you should have strong passwords for your email accounts. Certainly, if you have an email server that is exposed to the Internet, and pretty much every email server is going to be, whether you are using Gmail, Bell, Rogers, your ISP, or you are using hosted Exchange, if someone else can get to it over the Web with a user name and password, then it needs to be a strong password to go with your user name. That should be the fundamental, the basic level of security that you have on your email.
PB: And we have talked about strong passwords before, but some of the basics would be to use spaces, punctuation, a combination of capitals and numbers, and even phrases. But the idea is that it should be more than just something like your home phone number.
DW: For sure, yes. The next step you can do if you want to encrypt some of the content that you are sending is to send an encrypted file. For example, I could send Phil an email saying, “This is a really cool document but I don’t want everybody else to see it.” I could then attach a PDF that has been encrypted, and he can decrypt the PDF on the other side. So the email itself is not encrypted but the contents are. That is one way to handle it.
And we have seen that happen. They call it encrypted email but it is not really encrypted mail. What you are doing is emailing or uploading a file to a server, encrypting the file on that server and then sending an email to the person who you want to send it to. That person can then go and download that file, and so it is not quite encrypted email, but it allows people to send encrypted information from one place to another.
And I think that has been the option for solos and smalls, certainly, or at least not big corporations where they could have encryption built into their entire email environment.
PB: You have talked about a recent LexisNexis survey, which basically said that very few lawyers are using email encryption.
DW: Right, yes, I think that is still the case. It is still beyond the general ability for people to figure out how to set it up at both ends. So even if the lawyer can figure it out, the problem is how to get the client to do it. The challenge, I think, becomes you having this thing called public and private key security or encryption, and it means that there is a piece of information that you have to have on your side, and a piece of information that the person has to have on the other side from you.
So you have your private key that you control yourself, and then the public key information has to be available to the person who is going to decrypt that email, and making that work usually meant having the same piece of software on both ends. So in the old days, you would have PGP (Pretty Good Privacy), and you would install the Pretty Good Privacy piece of software on your computer, the other person would install PGP, and then you could send emails and encrypt and decrypt that way, but it really was a very cumbersome environment.
PB: PGP has come a long way, but I can remember using PGP back in 2000. You used to compose your email as a text, cut and paste it, apply your private encryption key, and then you would paste the result back into the email and send it off to someone else. And they had to have your public encryption key on the other end, cut and paste that email into the program, and then essentially apply the key and decrypt whatever it was you were saying, which was never very earth shattering when I was sending them out. But that was the way it worked at the beginning. And it has come a long way since then, but there are a number of different programs now jumping into email encryption.
DW: Yes, and I think the difficulty in using encryption was what the friction was, which is why we see so few lawyers using encryption right now, unless it can be automated in a way that really gets it out of the face of the person who is sending the email and the person who is receiving it, then it is going to be a challenge. Do you want to talk a little bit about Virtru, which is one of the up-and-coming tools?
PB: Right, Virtru is free for single users, V I R T R U. Again, we are not suggesting people use any particular program and we are certainly not endorsing any. This is just one that I have been playing with and it is an iPhone app - I don’t believe there is an Android app for it, but you can also use it on a desktop. But the idea is that you can determine how long the life of that email is going to be, i.e. if you want it to expire in ten minutes, and people will not be able to read it after ten minutes; it vanishes from the server where it is resident. You can also determine if you want to call it back, and you can also protect it so that people cannot forward that email to anyone else.
It has a number of different options that are not available on regular email. And, as I say, there is an iPhone app and a desktop version. I have used the iPhone app for about a week now, and I would say at various times it does have trouble connecting to the server. This is fairly early days, it seems, for this particular program, and they are asking users for feedback to tell them how it is working or not working.
DW: One of the interesting things about Virtru – I have been testing it with Gmail, so far, because that is what the focus has been, and I think we will see that people who are using Google apps or Gmail will get the benefit of a lot of the change that is coming, because it is a big group of people, and so if someone is going to develop software, they might as well develop for Gmail.
But I liked that I could go into my Gmail account and send an email that was not encrypted, and then if I wanted to send an encrypted email, there was a little button at the top that I could toggle on. So I did not have to always send encrypted email when I was using my system - I could choose which emails needed to be encrypted and which couldn’t. That was a really nice benefit.
PB: And fairly simple for the person on the other end to decrypt that email.
DW: Right, yes, I liked how if the email account you are using is not set up for Virtru, you will get a link saying, “Create an account”, which is just clicking a link and setting up a user name and password. Then you can decrypt the email from the other person. Because of the way the system works, you are encrypting it on your end so you are the only person to have the keys to encrypt the email.
The email is then sent encrypted, and wherever you send it to, whether I send it to an Exchange server or a Google server or whatever, it is encrypted in that form so it cannot be exposed, even if someone is getting access to that server improperly. The other person has to decrypt it in order to see it, so it is a really secure way of transmitting it.
And I was wondering whether it was a little too secure, because if I am using Gmail, I am already using a secure connection, right? It’s “https://mail.google.com”, so I am on a secure connection there. But once it is sent, it is no longer encrypted, and I lose that bit, so it really stretches that encryption chain all the way across the life of that email.
PB: And with Gmail, you can claw back the email after you have sent it; probably does not work 100% of the time.
DW: Yes, I expect that if I sent something to a non-Gmail user, I may have a problem getting it back.
PB: And you are not able to prevent people from forwarding the email and things like that.
DW: Right, yes. I think what is interesting is that Google has already announced that it is going to have its own product which is called “End-to-End”, because the new language for computers and devices is to call them endpoints. So we are now going to be talking about sending from end to end, encrypted email, and so the Google work is currently under public scrutiny. They have opened it up so that anybody who wants to can comment on it. It is based on the open PGP standard. And I think once that has been implemented, we will see their kind of idea applied across all of the Google products, and probably appearing in other places as well.
PB: Outlook and Hushmail are a couple of other players in the world of encryption.
DW: Right, yes. Hushmail is unusual because they are the app, both the email client and the encryption tool, all in one. Again, going back to your early days of PGP where you had to create the text and then paste it over, Hushmail sort of does all that in one environment. And Outlook has the ability to encrypt from within the system, but again, you have got to be attached to an Exchange server that will support that encryption. If I am using Outlook, which I could have bought with my Microsoft Office suite, but I am using it with Bell, I will not necessarily be able to do encrypted email that way.
PB: Right, and some of these programs in their early days made you feel like you were extremely paranoid, because they would only display the email for the receiver one line at a time and things like that. It was almost like you had a special invisible ink spy pen that you were using to slowly decode that email; it would not show you the whole email at once. But we have come, sort of, a long way since then.
DW: Yes, and I think we really have to for it to work, and certainly with the NSA and Snowden discussions, everybody is much more focused on encryption, I think, than they ever have been. And to the extent that you receive an email and just press a button, or you send an email and by just pressing a button in order to encrypt or decrypt, I think that is the level it has to be for it to be in wide use, certainly by lawyers, but even by their clients.
PB: So lawyers and paralegals should know that email as a tool of communication is certainly vulnerable from a security standpoint. There are some different things they could do, including opting out of using email with a client, but also that encryption is here - you can use it now, and it is certainly going to get more sophisticated and more common, I think, going forward.
DW: Yes, I think that is a definite.
PB: That is our look at email encryption. Thanks, David.
DW: Thanks, Phil.