There is and always has been an inherent tension between an individual’s right to data privacy and wider security concerns. This is unlikely to change, although the priority may shift depending on the geopolitical or security context. The important thing is to strike the right balance. Encryption sits at the heart of data privacy, and as the recent news shows, the debate about encryption is a heated one.
Can anyone doubt that making products more secure makes the world a safer place? I don’t think so. And we can applaud the efforts of Apple and WhatsApp to protect the privacy of their users’ data by introducing end-to-end encryption into their instant messaging services.
Their actions mean that e-mail is now the most insecure form of digital communication. Free e-mail services transmit messages across networks in plain text and users have no guarantee that their data is stored safely.
Not surprisingly, e-mail is one of the primary vectors for cyberattack. It enables malicious actors to gain access to companies’ networks and to users’ information and their money.
The content of e-mails are themselves a target for attackers. Kaspersky Lab regularly encounters attacks that target e-mail databases. We see more and more Chinese-speaking actors attacking companies with the aim of accessing their e-mails. And one of the most recent and certainly the largest example of data exfiltration — the “Panama Papers” — is also believed to have come about following the breach of an e-mail server last year. It’s frighteningly easy for attackers to get their hands on messages in plain text.
End-to-end encryption will prevent attacks such as those known as “man in the middle”, where a malicious actor intercepts the e-mail between the user and a server. But somehow that level of protection is rarely provided.
Encrypting e-mail by default is hard. There are tools and plug-ins that an experienced user can use, but you need a certain level of computer knowledge to properly install and use encrypted mail. The majority of Internet users don’t have such skills. There are some free encrypted e-mail services on the market like ProtonMail, but unless these services have a billion users, they will not become a global solution to the problem of insecure e-mail.
E-mail is the communication method most in need of encryption — and the sooner the better. The solution needs to come from the top e-mail software developers such as for Microsoft. WhatsApp got it right: encrypt everything, for one billion users, in one go. E-mail, it’s your turn now.
- Aleks Gostev is chief security expert, GReAT, Kaspersky Lab
