The Truthy Truths of Email

Many of my small business clients have some huge misconceptions about Internet email. I hear them so often that I felt revealing the “truthy-truths” about Internet email would make a great blog post. Here we go…
Truth #1. Email is Insecure.
No, this doesn’t refer to the confidence of your Personal Information Manager (PIM); I’m talking about the security of email messages. Email offers no privacy and no expectation of security. You see, Simple Mail Transfer Protocol (SMTP) is a plaintext protocol. It sends your message and everything in it across the Internet in open text. Anybody can read it so long as it’s travelling on the open wire.
Truth #2. Email has a Huge Footprint.
If you use a traditional email system like Microsoft Outlook, the data is stored in a commonly used format on your hard drive: a *.pst file (or *.ost file for mobile laptops that sync against Exchange) which is easily read, and whose password protection, if even applied, is easily broken. Most email applications just write out email as files or to a local database. Email is easily tracked to these files, easily exported, copied, restored, and managed. Email is easily seen on the wire as it moves between computer systems. Email is easily noted as it crosses barriers and gateways into networks. It’s like a billion people in a room all talking… some with cool keywords in the text like “password”, “pin”, “bank”, “account”, “code”, “security”, “username”… which make their conversations stick out like a sore thumb… and all you have to do is walk around and listen to what people are saying.
Truth #3. Email Isn’t Ever Deleted.
This one cracks me up. Email is never really deleted from the databases that collect it, not unless a specific system command is passed to compact and compress the mail database (which, you understand, is not practiced by 90 percent of the user community). In Outlook, this is a task performed on the PST directly, and only then are the emails physically removed from the file. Still, even though this sounds good, all I need to do as an administrator is find a backup of this file that pre-dates the compaction point and I’m back in business. On server environments like Microsoft Exchange, truly deleting email isn’t performed either; compaction of the *.edb files is necessary to cleanse the system… again, a manual administrator task that is rarely accomplished. Once an email is downloaded or sent from your PIM, it’s pretty much always in your PIM.
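An added example (mine, not from the original post) of the mechanism behind Truth #3, with SQLite standing in for a PST or EDB store: a “deleted” row stays in the raw file bytes, survives in a backup taken before compaction, and only disappears once the store is compacted (SQLite’s VACUUM plays the role of the compaction command). The table, the marker string and the file names are constructed for the demo.

```python
"""Deleted mail rows linger in a file-backed store until it is compacted."""
import os
import shutil
import sqlite3
import tempfile

# Constructed sample content: a distinctive string we can grep for on disk.
MARKER = b"CONSTRUCTED-SECRET-7f3a"


def raw_contains(path, needle):
    """Scan the file bytes directly, bypassing the database engine."""
    with open(path, "rb") as fh:
        return needle in fh.read()


def demo_delete_then_compact():
    """Return (after_delete, in_backup, after_compact) for MARKER on disk."""
    workdir = tempfile.mkdtemp()
    db = os.path.join(workdir, "mailstore.db")          # hypothetical store
    backup = os.path.join(workdir, "mailstore-backup.db")
    con = sqlite3.connect(db)
    # Make the engine behave like most mail stores: free space is reused,
    # not wiped (some SQLite builds default to secure_delete=ON).
    con.execute("PRAGMA secure_delete = OFF")
    con.execute("CREATE TABLE mail (id INTEGER PRIMARY KEY, body BLOB)")
    con.execute("INSERT INTO mail(body) VALUES (?)", (b"routine note, kept",))
    con.execute("INSERT INTO mail(body) VALUES (?)", (MARKER,))
    con.commit()

    # The user "deletes" the message: gone from the engine's point of view.
    con.execute("DELETE FROM mail WHERE body = ?", (MARKER,))
    con.commit()
    after_delete = raw_contains(db, MARKER)   # still in the file bytes

    # A nightly backup taken before anyone ran the compaction task.
    shutil.copy(db, backup)

    # Compaction rebuilds the file; only live rows are copied over.
    con.execute("VACUUM")
    con.close()
    in_backup = raw_contains(backup, MARKER)  # the backup keeps it anyway
    after_compact = raw_contains(db, MARKER)

    shutil.rmtree(workdir)
    return after_delete, in_backup, after_compact


if __name__ == "__main__":
    print(demo_delete_then_compact())  # (True, True, False)
```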
Truth #4. Corporate Email Systems Aren’t Private.
Most states recognize the authority of the employer to protect their information assets and to monitor the state of their email services. System administrators of corporate email systems have the legal right and responsibility to monitor email traffic, and this doesn’t violate wiretapping laws like ECPA (the Federal Electronic Communications Privacy Act). Courts, states, and federal legislation have pretty much recognized that email is a moderated medium where there is no expectation of employee privacy. Now, this is different for private email systems like Gmail or Yahoo!: it would be a violation of ECPA for an employer to attempt to intercept and tap messages sent on their network by an employee through a private email system. This is why many AUPs (Acceptable Use Policies) try to carve out personal use of email systems, for the same reason we don’t allow employees to use the phone system for personal use. Same issue.
Truth #5. Email is a Huge Liability…
This is true. Email is an ever-increasing security risk that bloats space on our servers, serves as a tunnel underneath our firewalls, erodes bandwidth, and consumes processing time in filtering spam. It’s this Albatross hanging around our neck in IT and we hates it. We hates it. We absolutely hates it. The more we can limit email bloat, the lower our TCO (Total Cost of Ownership) and the tighter our IT budget. Less support, less software licensing and renewals, fewer security issues, less troubleshooting. Heck, can we outsource the email problem entirely to contain expenses? YES!
Truth #6. … But IM is Worse.
However, I’ll tell you what we hates more: we hates Instant Messaging more, and here’s why. All the same problems of email, except with no centralized defenses: a direct connection from the outside world to a desktop, totally bypassing our firewalls and filters, anti-virus and anti-spam controls, and content controls. No local databases. Instant messaging is becoming an even scarier prospect to manage than email because we can’t control it, it is offered by 3rd parties whose communication is covered by ECPA, and we cannot control how it preserves messages over time.
I bring this up because, today, a client of mine wanted me to recover some emails from a PC that was used by a former employee. The employee was terminated in October 2007 and, craftily, she deleted all of her email from Outlook (a local *.pst container, not Exchange). I wish I had had an opportunity to review my Truthy-Truths with her: it took me all of four minutes to recover the right file and connect her boss to all of her undeleted email. Well, at least I could have advised her to always use instant messaging (absolutely nothing I could have done there), and it would have served as a great lesson for managers to update their AUPs to prohibit the use of 3rd party IMs on company PCs. SIGH. Maybe somebody, somewhere, can learn from the experience…
R