From: www.itworld.com

Envelopes, postcards and e-mail privacy

by Sean McGrath

September 20, 2004

 

How does e-mail work? I compose an e-mail in my e-mail client and press
the send button. Then what? For most non-technologists I suspect some
sort of Pony Express or postman metaphor takes hold at that point:

'The message has been, um, posted. You know, like paper
mail only faster. I don't know what goes on after I press the
send button and I don't particularly want to know.'

The inner workings of e-mail transmission are simply not interesting to
non-specialists. Like high sewerage sanitation in New York or the
manufacturing process of hamburgers, most of us do not want to know what
goes on under the hood. It just works, we use it, that is it.

Until, of course, something happens that causes us to gingerly peek under
the hood at what is really going on. In the world of e-mail, such an
event is bubbling up at the moment. I speak of the privacy concerns that
have been raised by Google's new Gmail system[1]. Gmail, if you are not
familiar with it, is a web based e-mail client with a jaw-dropping
account capacity of 1000 megabytes. It is free - at least at the moment.
1 GIG of e-mail - free.

There are two catches. Firstly, you cannot just sign up. You have to be
invited by someone who already has an account - a fiendishly brilliant
marketing device. The second catch - if it is a catch - is the one that
concerns us here. Gmail places targeted advertising on the screen
alongside your e-mail.

The critical word here is 'targeted'. Google is using its smarts in
text analysis to get software to select adverts that may be of interest
to you based on the contents of your e-mail.

To anyone who has never looked under the hood at how e-mail actually
works, this may raise concerns about invasions of privacy. Applications
intercepting my personal e-mail and reading it? Not on my watch!

However, if you look under the hood at how e-mail actually works, you
will find that e-mails spend a lot of their time sloshing around the
pipes and buffers of the Internet and Intranets in plain view of anyone
or anything with access to those pipes and buffers.

For example, if you send me an e-mail, how many hops would you say that
e-mail goes through on its travels? How many store-and-forward
repositories are involved, each of which holds a copy of the e-mail in
plain text format? Do you use a Web-based e-mail client? How many people
working at the service provider have access to the e-mail repositories?
Do you send e-mails from a mobile device? How many people in your
service provider potentially have access to your e-mails as a result?
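
To make the hop question concrete, the following Python sketch (an added
example, not part of the original article) reads the Received: headers of
a message, one per server that handled it, and reports which hops were not
even encrypted in transit. The sample message and its example.com/.net/.org
hosts are constructed, and the TLS check relies on the "with" protocol
keywords registered by RFC 3848; an encrypted hop still leaves a readable
copy on the receiving server.

```python
import re
from email import message_from_string

# Constructed sample message (reserved example domains and addresses).
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.30])
\tby mailstore.example.net with LMTP id c3;
\tMon, 20 Sep 2004 10:00:05 +0000
Received: from relay.example.org (relay.example.org [192.0.2.20])
\tby mx.example.net with ESMTPS id b2;
\tMon, 20 Sep 2004 10:00:03 +0000
Received: from laptop.example.com (laptop.example.com [192.0.2.10])
\tby relay.example.org with ESMTP id a1;
\tMon, 20 Sep 2004 10:00:01 +0000
From: alice@example.com
To: bob@example.net
Subject: postcard

Hello Bob
"""

# RFC 3848 "with" keywords that indicate the hop was carried over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
HOP_RE = re.compile(
    r"\bfrom\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+)"
    r"(?:.*?\bwith\s+(?P<proto>[\w-]+))?", re.S | re.I)

def trace_hops(raw):
    """Return the hops in travel order; each 'by' host held a copy."""
    hops = []
    # Servers prepend their header, so the list is newest-first: reverse it.
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP_RE.search(value)
        if not m:
            continue  # header without the from/by clauses we look for
        proto = (m.group("proto") or "unknown").upper()
        hops.append({"from": m.group("src"), "by": m.group("dst"),
                     "proto": proto, "tls": proto in TLS_PROTOCOLS})
    return hops

def cleartext_hops(hops):
    """Hops whose transport was not marked as TLS-protected."""
    return [h for h in hops if not h["tls"]]

if __name__ == "__main__":
    for n, hop in enumerate(trace_hops(SAMPLE), 1):
        wire = "TLS" if hop["tls"] else "cleartext on the wire"
        print(f"hop {n}: {hop['from']} -> {hop['by']} ({hop['proto']}, {wire})")
```

Received: headers are written by the servers themselves, so the earliest
entries are only as trustworthy as the machines that added them.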

Let's move beyond e-mail for a moment. Do you use Instant Messaging? All
messages going to and fro between the popular IM systems are stored - at
least temporarily - in a repository. Who is reading your IMs? Do you
send text messages? As they are routed from SMSC to SMSC, who has access
to them?

Simply put, if you are sending unencrypted e-mails you should treat them
as being about as private as a postcard. No more. To my mind, the
question is not whether Gmail raises privacy concerns. The question is,
does Gmail raise any extra privacy concerns over and above the
gargantuan ones that already exist in the global e-mail system.

Gmail uses software to detect patterns in e-mail text and fires up
adverts as a result. Is what it is doing any more worrying than
server-side spam filters that perform analogous text processing to weed
out spam?

If the thought of targeted adverts causes your mental model to drift to
one in which a service provider steams open the envelopes of your
e-mails to see what is inside, think again. You sent a postcard. There
is no envelope.

If some of this article raises concerns for you about the privacy of
your correspondence, I suggest you take a look at S/MIME [2].

[1] http://gmail.google.com/
[2] http://www.dartmouth.edu/~pkilab/pages/Using_SMIME_e-mail.html