Who Can Read Your E-Mail?
February, 1999
Let's say you have just finished a sensitive letter--one detailing company secrets or one giving the blow-by-blow account of an illicit romance, for example. And you're about to send it off by e-mail. A troubling thought occurs to you: Can someone eavesdrop on this e-mail?
Of course they can.
Ask Oliver North, who conducted much of Iran-contra via e-mail, no doubt patting himself on the back for not writing anything down on paper but unaware that White House e-mail traffic is archived electronically for years. Or ask Monica Lewinsky, who deleted e-mail from both her Pentagon mail account and her home computer pertaining to her affair with the president. She was unaware that there were backups on her work account, but she also didn't know that the standard Windows and Macintosh "delete file" functions leave the data intact. (They can be easily recovered with any of a number of commercial or public-domain disk utilities.)
But Ollie and Monica were using secret government computers. It's different when you're just using your office network, right? Absolutely. Because the North and Lewinsky investigations were instigated after long and costly bureaucratic processes. At your office your bosses don't have to fill out any forms. Almost every major U.S. corporation now has e-mail policies that allow it to monitor employees' electronic files. They can rifle through your electronic In box just for the fun of it or to protect the company's secrets or to defend themselves from potential lawsuits. Maybe the joke about the stripper, the elephant and the individual of a specified ethnic heritage is funny to you, but a judge may decide the punch line contributes to a hostile workplace environment and award an offended employee the marketing department's budget for the next three years.
What company wants to take that risk, when tools such as Mimesweeper are available? This software is designed to control network content and can invisibly screen all e-mail sent to, from and within a company for any key words or phrases your bosses define.
All intraoffice espionage is perfectly legal. The Electronic Communications Privacy Act extends our right to private communications into the digital frontier, but the courts have repeatedly determined that when you're using your company's computer on the company's network to send e-mail via the company's mail server, it's the company's mail, not yours, and legal protection doesn't apply. On the other hand, a company's liability remains. Amazon.com recently initiated an operation called Sweep and Keep, in which employees were awarded free lattes for seeking out and destroying old electronic mail. Once the sweep was completed, the company distributed a memo outlining its new "document creation" policy. It pointed out that some information simply shouldn't be committed to paper or e-mail.
Take heart, though: Your mail is relatively safe from that small percentage of the hacker community that have joined the dark side. A successful cracker typically depends on the unwitting assistance of someone on the inside (most likely, a systems manager who hasn't patched a well-publicized security hole in his company's network, or a user who hasn't changed his password since Duran Duran had a hit song). A magazine editor marveled at how one celebrated accused systems cracker managed to confront the editor about a proposed article on the hacker's exploits just 20 minutes after the editor wrote about the project via private e-mail. In truth, the prevailing opinion is that the nerd pulled this off not by sniffing the entire Internet for any mention of his name (an impossible feat) but by exploiting old passwords and weak systems and targeting major media outlets.
So what are you to do? If you want private e-mail to remain private, don't send it on your company's computers. Change your mail passwords often. Be aware that if you've set up your computer to send your account name and password automatically when you log on, anyone who can double-click on your mail program can paw through your mailbox. And always remember that e-mail goes everywhere at once. Just because you've deleted it from the system doesn't mean you've deleted it from the server or from the computers that maintain copies of the server's data.
If you want to take a more active defense, encrypt the text before pasting it into that mail message, using a commercial or freeware program that employs PGP, or Pretty Good Protection. PGP-encrypted text is supposed to be so secure that if the government tried to unscramble it without the password, the job would keep their hardware tied up for years. And when you delete files that contain sensitive information, use a utility (such as BCWipe for Windows--free from www.jetico.com, and Burn for Macintosh--thenextwave.com) that overwrites the data with garbage before you erase them--the equivalent of spray-painting the paper black before tossing it out.
But nothing's more effective than acknowledging that electronic mail, even private mail, is not secure. You should never write anything in e-mail that you wouldn't put on a postcard.