Lessons about email and instant messaging
So, I’ve been watching the unfolding scandal involving former CIA Director David Petraeus and Gen. John Allen. It’s like that car wreck on the other side of the road: You know you should only be interested in the facts and implications of the disaster, but you instinctively rubber neck to see the carnage. What a mess! And it’s a mess with potential national security implications. Which is not the topic of this posting.
Think about this for a moment: If the Director of the highly secretive CIA can have his emails vetted by the FBI, as well as the emails from an active four-star general and a couple civilians with none of them being aware of it, what does that mean for that emails you’ve sent?
Email messages and instant messages are not a secure nor are they a private medium for discussions. There are so many places where messages reside that can be either copied off or discovered within a legal context, that if someone wants to see your email or IMs, you have to assume they’ll be able to. The current move to using web-based email like Google and Yahoo offerings are even more difficult to hide. The government routinely requests access to their customer’s messages and gets that access. Even with encrypted emails, you might be compelled to provide the passcode to decrypt messages in a lawsuit or criminal investigation.
Yet, folks, even smart, savvy folks, get trapped by their messaging all the time. So, what to do?
- The old adage is: Do not put anything in a message that you’d like not to see on the front page of the NY Times. Now, that’s a little harsh and certainly, I’d not like any of my emails on the front page of the Times, but there isn’t anything I put in emails or IMs that would prevent me from surviving publication short of some embarrassment.
- Never, ever put sensitive data into an unencrypted message, like SSNs, banking information, etc. I’m constantly amazed at how many businesses will send out sensitive financial data in an unencrypted email that is only protected by a password. Word, Acrobat and others application password schemes are trivial to work around.
- Call records for both land-line and cellular phones are also discoverable, so be aware of that if you’re carrying on with your mistress (not that any of my readers would ever do such a thing :)), it’s discoverable.
- Encrypt all sensitive data and only leave the encrypted, sensitive data in the Cloud for as long as it’s needed. I use Truecrypt to create encrypted filesystem volumes that I can then use for sensitive data both on my computer and in the Cloud.
- I use Dropbox for short-term, sensitive data that I’m passing between some recipient and me. Be aware that though the security is pretty sound with Dropbox, the data itself isn’t encrypted on their servers. For a transient data access, the risk is probably acceptable, but for very sensitive data, put an encrypted volume in the Dropbox.
My guess is if you are a regular reader of these missives, you’re very aware of what I’m referring to and don’t need this reminder. However, your school or college aged kids are likely blindly putting stuff into their messages that will reappear in the future and almost certainly at the wrong time.
To paraphrase William Shakespeare: Don’t get hoisted by your own petard!