Email is insecure by design

The history of email and of email transport via SMTP goes back to 1983, or to 1971 if you count the appearance of the @ sign. At that time computer networks were designed to connect trusted entities, whether open (universities) or closed (military). SMTP is good at preventing data loss; a mail transfer agent must be really flawed for messages to get lost. But privacy has not been a topic. It should be:

You can’t control your content

Email is designed to send out data – receivers can forward content anywhere without the authors knowing where it went or how it was modified. This is the opposite of file storage systems and portals, where you can centrally store, control and modify data while granting controlled access to the data or to portions of it.

From a corporate point of view: all emails to and from your employees might be replicated on their dedicated portable devices. Do you really know where they store them and what happens on those devices? Are you, for example, able to prevent malicious border controls?

You don’t encrypt your content

While there are good (S/MIME) or very good (PGP, GPG) ways to encrypt email, the percentage of encrypted email content is minimal. To make it worse: even if you encrypt your content, sensitive data will still be transported unencrypted: the complete message header including data of all recipients, some history data, forwarding data, and the Subject: line. You might say, transport level encryption helps:

You can’t guarantee transport level encryption

Some email providers endorse transport level encryption, but if one of the mail hubs along your email's path does not, that part of the transport will be unencrypted.
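To make the last two points concrete, the following added example (not part of the original post) parses a constructed PGP/MIME message with Python's standard email module, lists the headers that stay readable although the body is encrypted, and checks which hops reported TLS in their Received line. The host names, addresses and subject are made up; the TLS keywords are the registered "with" protocol values from RFC 3848 and RFC 6531.

```python
import re
from email import message_from_string
# Constructed sample message: PGP/MIME body, made-up hosts and addresses.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [203.0.113.7])
\tby mail.example.org with ESMTPS id abc123; Mon, 01 Jan 2024 10:00:02 +0000
Received: from relay.example.com (relay.example.com [198.51.100.4])
\tby mx.example.net with ESMTP id def456; Mon, 01 Jan 2024 10:00:01 +0000
Received: from laptop.local ([192.0.2.10])
\tby relay.example.com with ESMTPSA id ghi789; Mon, 01 Jan 2024 10:00:00 +0000
From: Alice <alice@example.com>
To: Bob <bob@example.org>
Cc: carol@example.org
Subject: Salary review for Carol
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
--b1--
"""
LEAKY_HEADERS = ("From", "To", "Cc", "Subject", "Date", "Message-ID")
# "with" keywords that mean the receiving server reported TLS on that hop.
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

def cleartext_metadata(raw):
    """Return (body_is_encrypted, headers every relay can still read)."""
    msg = message_from_string(raw)
    encrypted = msg.get_content_type() == "multipart/encrypted"
    return encrypted, {h: msg[h] for h in LEAKY_HEADERS if msg[h] is not None}

def hops(raw):
    """Return (receiving_host, protocol, tls_reported) per Received header, newest first."""
    out = []
    for rcvd in message_from_string(raw).get_all("Received", []):
        flat = " ".join(rcvd.split())  # undo header folding
        by = re.search(r"\bby\s+(\S+)", flat)
        proto = re.search(r"\bwith\s+(\S+)", flat)
        name = proto.group(1).rstrip(";").upper() if proto else "UNKNOWN"
        out.append((by.group(1) if by else "?", name, name in TLS_KEYWORDS))
    return out
```

Each Received line is written by the server that accepted the message, so lines added before the message reached infrastructure you trust can be forged, and a hop showing plain ESMTP only means TLS was not reported there.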

You receive junk and worse

As your email address is distributed, you will receive junk email. In the best case, this only consumes bandwidth and will be filtered out by tools you and your provider have to manage. Or you’ll receive worse – hoaxes, or maliciously crafted emails that copy the layout of well-known business partners and lure you to evil sites or contain malicious content.

Privacy regulations

The bottom line is: privacy regulations in Europe and India forbid the unsolicited storage/disclosure of private data outside the respective privacy zones without consent. All emails disclose such data by design (addresses, IP addresses, provider data, Subject lines, non-encrypted email content).

Email users do not have control over this data. They can’t predict whether, for example, European emails are stored and processed in the US before being read in Europe.

You can’t include private sensitive data or corporate secrets in email.

Alternatives for private IT

For sharing documents, pictures and movies, the alternative would be file sharing systems like Nextcloud, company SharePoint, Box, or provider storage spaces. There are plenty, and many of them obey their regional privacy laws.

For person-to-person or person-to-group conversations, every messenger service is superior to email. Use Matrix. Use Signal. Use iChat. Even WhatsApp – at least you know that it is one company that collects your data and you know which one it is.

Alternatives for corporate IT

Same as above – you’ll already have centralized storage. You might want to introduce wikis or bulletin boards / Discourse. You’ll need to decide on one messaging system: for mission-critical ventures it will be a self-hosted Matrix like the French government does, otherwise the SharePoint/Teams (or Nextcloud/Talk) combination, Slack, or whatever is compatible with your security policy and the privacy laws in place. But phase out email. Yes, it hurts, but it seems:

Email is broken

  • The only tolerable way of using email is within corporate boundaries or, depending, within provider boundaries.
  • Always prefer webmail to local mail user agents.
  • Never disclose personal data in Subject lines.
  • Never include sensitive private data or corporate secrets in unencrypted emails.
  • Encrypt your email where possible – use S/MIME, PGP.
  • Use secure providers like Posteo, mailbox.org.
  • Try to keep your emails in one infrastructure.
