Easy Encryption for Email – Not an Oxymoron
Sending highly confidential or personal information via unencrypted email is like sending a postcard. There are many places that postcard goes before it reaches its recipient – and can be read by anyone along the way. Regular email is sent via plain text, and if you watch Google’s “Story of Send” you can see how many touch points a Gmail message has from the time you hit “send” to the time it gets to your recipient. Email can be intercepted by sniffers or read while saved on remote servers. And that is just the beginning.
Your “deleted” messages are likely sitting on at least two backup servers, messages can be modified in transit, and your email address can be spoofed to send malware messages that appear to be from you. Despite all of this, in 1999 the ABA issued a formal opinion (99-413) that states:
A lawyer may transmit information relating to the representation of a client by unencrypted e-mail sent over the Internet without violating the Model Rules of Professional Conduct (1998) because the mode of transmission affords a reasonable expectation of privacy from a technological and legal standpoint.
Most people didn’t read further to note that the opinion stated in conclusion that:
when the lawyer reasonably believes that confidential client information being transmitted is so highly sensitive that extraordinary measures to protect the transmission are warranted, the lawyer should consult the client as to whether another mode of transmission.
In the 14 years since this opinion was issued much has changed. Data breach notification laws are on the books in the US and Canada, the ABA has issued Formal Opinion 11-459 “Duty to Protect the Confidentiality of Email Communication with One’s Client” and jurisdictions all over North America have issued guidance on “cloud” computing. So, why are lawyers not increasingly using email encryption? One simple reason – it is too complicated.
Traditional email encryption often requires a public key/private key setup and is often applied at the server or gateway level. The end user – your client – must be party to this system and possibly install software or meet other requirements. For large firms with corporate clients this is not an unusual setup. However, for solo or small firms who are working with consumer clients there are much easier on-the-fly email encryption tools that can be used to send individual emails via encryption with very little disruption or technical setup.
Following are three easy email encryption tools I’ve tested.
Send (www.sendinc.com) is one such tool. Email sent via Send is encrypted in transit, in storage, and can only be decrypted by the recipient once she has a (free) Send account. First you will need to create a username and password. Then you can use the free plugin for MS Outlook, or you can go to the Send website to send an encrypted email. Compose your email and (in MS Outlook) click “Send Secure” instead of the regular “send” button. Once you’ve sent the message your client (or the recipient) will receive an email with a link. Clicking on the link will prompt the recipient to create his/her own username and password. Once that is accomplished the recipient can open the link and read the message. The recipient can also send a secure reply. This product is free for senders and recipients, but with a few caveats. It is free for limited use – 20 recipients per day. Another drawback (or benefit) to the free account for the sender is that the email expires in 7 days for the recipient, who would need to use the “save as PDF” option to keep a copy of the email. Also, HTML will be stripped from messages sent via a free account, so the recipient only receives plain text. The Pro account, at $5 for a single user per month, increases message size, has unlimited message retention (but with self-destruct dates that can be set by the sender), and other perks.
Another, similar tool is called Enlocked (www.enlocked.com). Enlocked offers more options to generate an encrypted email than Send, with extensions for Chrome, Firefox and Safari for web-based email like Gmail or Yahoo, an Outlook plugin and apps for your Android or iPhone. If those options don’t have you covered you can use their website. The free plan lets you send only 10 secure messages per month, though for $10 per month you can send up to 100. All plans provide unlimited free reading of secured email. Like Send, the recipient will need to create a username and password to access the message, at which point it will decrypt automatically. Enlocked points out that they only have access to the email when it is encrypted or decrypted on their servers, then it is deleted from their servers entirely. With Enlocked you can see if someone has read your secured message by looking at your sent mail and clicking on “who read my message?”
If having an audit trail along with encryption, including registered e-receipts, time stamps and more, appeals to you, then check out RPost’s SecuREmail (www.rpost.com) service, which bundles email encryption with their proof of delivery service and now even electronic signatures. RPost’s SecuREmail works with Outlook, Apple, Android, BlackBerry, webmail, LotusNotes and more. RPost’s tools are not free, with a cost of about $129 per year for a solo. Once installed, SecuREmail adds a button to MS Outlook much like Enlocked and Send. However, click on the button and you will realize there are a lot of options to consider in addition to encryption. You can add “side notes” for cc or bcc recipients, invoke an eContract, and send large attachments via LargeMail transfer service. You can also automatically convert attachments to PDF, password protect the PDF, add a client/matter number, and authenticate the email with a digital seal. All these options can be set as a standard default configuration, or invoked when necessary. As you can tell, it will behoove you to get a little training with the representatives at RPost to make sure you are getting the most out of this sophisticated tool.
The user experience itself differs from the other two products mentioned. If you do not predefine a password with your client/recipient then the user will receive an email with a system generated password, then another email with a PDF attachment. The PDF attachment contains the text of the encrypted email you sent and the user will need to have the password from the previous email to open it. The recipient opens the PDF and can click on “secure reply – click here” to respond via the same encryption process. Fortunately all these emails to the recipient have clear instructions, but it would probably be best to establish a password with a client in advance for ease of use. Also, between all the read receipts, instructions, and email attachments, the system generates quite a number of emails. You can adjust your settings to reduce the messages.
Obviously these are but a few of the options available, and you should examine your work flow and habits, what platform and programs you use to send email, and test a few options with your staff or an unsuspecting family member to make sure everything works the way you expect it to. That said, the above email encryption options are easy to use for the sender and recipient, and offer a much better level of security, privacy, and confidentiality than an unencrypted email.
These are all genuinely good things, and something of the sort should be in every lawyer’s toolbox.
They do have limits, though:
1. Who you communicate with, when and in some cases the subject lines are not encoded, but instead are visible at each hop along the way between you and the recipient. They’re used in routing the mail.
This means that if you are communicating with someone who is being watched by the police or a security agency, the agency will be aware you’re communicating in code with them.
The implications are unpleasant, and this has recently triggered the public shutdown of two different services in the U.S. and Canada, Lavabit and Silent Circle email (the rest of Silent Circle is still up).
2. A court order in the country where the company operates can result in your mail being decrypted, as you send your key/password/passphrase to the company’s servers.
If you wish to avoid that, you need to have a program on your computer/phone that does the encryption locally. PGP and Silent Circle are two programs that work that way.
My advice: have three categories:
unclassified — things you’d send on a postcard
mildly confidential — things you’d send in a sealed letter
secret — things you’d hand-deliver.
For confidential and unclass, use a free-to-read secure email service. For secret, use PGP or the equivalent.
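The first limit listed above (routing headers stay readable even when the body is encrypted), shown as an added example that is not part of the original comment: a Python check of what any hop handling a message can read without a key. The message, addresses and armored block are constructed placeholders, and `exposure_report` and `with_generic_subject` are hypothetical helper names.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: a message whose body was encrypted locally before sending.
# Addresses, subject and the armored block are placeholders, not real data.
RAW = """\
Received: from mail.lawfirm.example by mx.isp.example; Mon, 12 Aug 2013 09:14:02 -0400
From: Pat Lawyer <pat@lawfirm.example>
To: Chris Client <chris@client.example>
Date: Mon, 12 Aug 2013 09:14:00 -0400
Subject: Settlement offer in Smith v. Jones
Content-Type: text/plain

-----BEGIN PGP MESSAGE-----

(placeholder for ciphertext)
-----END PGP MESSAGE-----
"""

ROUTING_HEADERS = ("From", "To", "Cc", "Date", "Subject")
GENERIC_SUBJECTS = {"", "...", "encrypted message"}


def exposure_report(raw: str) -> dict:
    """Return what a relay or mail server can read without any decryption key."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    visible = {h: msg[h] for h in ROUTING_HEADERS if msg[h] is not None}
    address_fields = []
    for h in ("From", "To", "Cc"):
        address_fields.extend(msg.get_all(h, []))
    parties = [addr for _, addr in getaddresses(address_fields)]
    subject = (msg["Subject"] or "").strip()
    return {
        "visible_headers": visible,           # cleartext regardless of body
        "parties": parties,                   # who is talking to whom
        "hops": len(msg.get_all("Received", [])),
        "body_encrypted": body.lstrip().startswith("-----BEGIN PGP MESSAGE-----"),
        "subject_leaks": subject.lower() not in GENERIC_SUBJECTS,
    }


def with_generic_subject(raw: str, subject: str = "Encrypted message") -> str:
    """Mitigation: keep case details out of the one header the sender controls."""
    msg = message_from_string(raw)
    msg.replace_header("Subject", subject)
    return msg.as_string()
```

Changing the subject hides only that one field; sender, recipient, date and the relay trail stay visible either way.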
I’ve never been very impressed by the analogy of email to a postcard. No one casually handles email the way a post office sorter (pre-automation) or a letter carrier handles a postcard. Email is transmitted in unintelligible packets and reassembled at the destination. So one would have to intercept it as it is sent or once it is received, at the ISP or in the system of the addressee.
Such interception is possible, of course, but it’s more like a wiretap than like reading a postcard. Someone would have to install and operate a packet-sniffer or equivalent. So some degree of expectation of privacy is reasonable.
However, the law society rules do require lawyers to think about whether more confidentiality is required, and to discuss the issue with the clients. That raises questions of informed consent – assuming the lawyer knows enough to do so, does the client know enough to respond adequately?
As David points out, there is a difference between confidentiality of content and confidentiality of the fact of the communication. If only the former is essential, one can encrypt a document by a number of methods and send it by plaintext email. If the latter is needed, then some other system will be needed. PGP is (so far as I know) free.
One needs some kind of threat/risk analysis: who is likely to want to know either element (contents or fact of communications), and what resources do they have to find out? OTOH consider the recent warnings about high-powered industrial espionage (often international) that targets law firms because they are less likely to have secure communications and document storage systems than their clients. It’s not just about email, and in my view, not primarily about email.
Do you need to protect the communications against competitors or against national security services? The resources of the latter are usually greater, and it may not be worthwhile trying to beat them.
I find the evaluation of these services fails to assess several important security aspects such as user authentication, ease of use and what kind of restrictions/limitations are imposed on guest users. Adding a “send secure” button to Outlook is a recipe for an attacker to launch a “phishing” attack: how is the sender of the secure e-mail authenticated? Typically this type of software significantly restricts the guest user’s functional capability, e.g. one way secure communication, reply only capabilities. It also fails to discuss the bottleneck of having to “uniqueize” passwords that need to be conveyed to the recipient to open their message.
A late update: in the discussion of shutting down web sites and email services, several people recommended “mykolab.com”, which includes a web client.
It is described at https://kolabsys.com/news/no-foreign-data-reeves-privacy-respecting-email-service-mykolabcom-launched
It’s at least good enough for confidential material, and may be good enough for things you’d normally hand-carry.