Email security is in the news again with the latest Yahoo! hacking episode, but perhaps the headlines should really be reflecting the following.

Email is not secure.  It was never designed to be.

It seems counter-intuitive, but the biggest security risk to your emails is your own belief that they are and should be private and safe.

The truth is that many people with good security habits became victims of the Yahoo! debacle and something similar may happen again. Instead of feeling outraged at our providers, these scenarios should serve as a useful reminder of the nature of email and what we can do to protect ourselves.

The first step to more secure emails is educating yourself on some key facts about the nature of email:

  • Email messages are not generally encrypted.  This means that the content of your emails is in clear text that can easily be interpreted by software AND human beings.  This includes the email addresses used and referred to along with any sensitive information you include in your text.
  • Email messages are sent to intermediate computers before reaching your intended recipient.  This makes it easy for somebody to intercept and read messages should they be motivated to do so.
  • Your ISP (Internet Service Provider) may keep copies of your messages on their servers.  Many ISPs make copies of email messages before they are delivered and backups can remain on their server for months, even after you delete them from your mailbox.
  • Email messages are not anonymous.  Unless you are very tech savvy and take great pains to do so, your identity is stamped all over your emails from the header information to your IP address.
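To see the intermediate computers and the identifying header information described above, the following added example (not part of the original article) reads the `Received` headers of a message and reports each hop, the originating IP address and any hop that was not protected by TLS. The sample message, its hostnames and its addresses are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample message: example domains, documentation IP ranges (RFC 5737).
RAW = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbox.example.org with ESMTPS id abc123
\tfor <bob@example.org>; Tue, 02 Jan 2024 10:00:05 +0000
Received: from relay.example.com (relay.example.com [203.0.113.25])
\tby mx.example.net with ESMTP id def456;
\tTue, 02 Jan 2024 10:00:03 +0000
Received: from alice-laptop (unknown [192.0.2.44])
\tby relay.example.com with ESMTPSA id ghi789;
\tTue, 02 Jan 2024 10:00:01 +0000
From: Alice <alice@example.com>
To: Bob <bob@example.org>
Subject: Quarterly numbers

Body text here.
"""

# Matches the common "from HOST (NAME [IP]) by HOST with PROTOCOL" layout.
HOP = re.compile(
    r"from\s+(\S+)\s+\(.*?\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)\s+with\s+(\S+)", re.S)
# "with" keywords registered in RFC 3848 that mean the hop used TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

def trace_hops(raw):
    """Return the hops in travel order (sender's machine first)."""
    hops = []
    # Each server prepends its own Received header, so reverse the list.
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP.search(value)
        if not m:
            continue  # layouts vary between servers; skip what does not parse
        sender, ip, receiver, proto = m.groups()
        hops.append({"from": sender, "ip": ip, "by": receiver,
                     "tls": proto.upper() in TLS_PROTOCOLS})
    return hops

def summarize(raw):
    hops = trace_hops(raw)
    return {"hop_count": len(hops),
            "origin_ip": hops[0]["ip"] if hops else None,
            "cleartext_hops": [f'{h["from"]} -> {h["by"]}'
                               for h in hops if not h["tls"]]}

if __name__ == "__main__":
    print(summarize(RAW))
```

Even on hops marked as TLS, each server in the chain still handles the message in clear text; TLS only protects the connection between two servers.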

There will always be spammers and hackers, and they will always find a way to circumvent security, though the likelihood of you personally being an attractive target for such activity is slim.

Expecting your email system to be 100% bulletproof is unrealistic.  Email is no different to posted letters in that there are several weak points in the system where messages can be intercepted and read – but this is largely unlikely to happen.

There is, however, a big difference between sending a postcard and a tracked package.