Time To Put Email In an Envelope

Scott Greenfield at Simple Justice has a long-running debate with the Volokh Conspiracy’s Orin Kerr over how search and seizure laws should apply in the digital world. Briefly, Kerr advocates what he calls a “technology neutral” approach, in which we try to create a mapping between real world concepts and their digital analogs in order to apply centuries of real-world search and seizure jurisprudence to the digital world. Greenfield sees several problems with that:

Given that emails and other electronic communications are our future, and given that the means by which they are transmitted will never eliminate the involvement of third parties and the maintenance of copies on somebody’s equipment somewhere, are we satisfied to be arguing over the arrangement of deck chairs on the Titanic…?  Unless we develop a brand new approach to the future of communications, that does not rely on hard copy precedent and recognizes that people want to have a secure means of communication available to them in the future (and the future is a very long time), we’re watching the death of privacy in our own communications happen before our eyes.

This does not meet my reasonable expectation of privacy.  We need to rethink the approach, start to finish, to deal with the digital world and whether we will have any privacy whatsoever in our future communications.  How about a simple new rule: Emails are private communications and require a warrant upon probable cause as determined by a neutral magistrate?

I’m with Greenfield, mostly because I like the outcome of greater privacy. I think Kerr’s argument is going to win the day, however, because applying past law to present situations is what courts do. Radical change is the legislature’s job, and I just can’t see our current Congress giving a damn about our privacy.

To get an idea of the issues, check out Kerr’s latest post on a sticky issue regarding just how and when people have Fourth Amendment rights in an email message: Eleventh Circuit Decision Largely Eliminates Fourth Amendment Protection in E-Mail.

I can’t help feeling, however, that there’s a technological issue both sides are missing. Kerr just barely mentions it in passing (emphasis mine):

The Fourth Amendment ordinarily protects postal mail and packages during delivery.  The same rule applies to both government postal mail and private delivery companies like UPS:  As soon as the sender drops off the mail in the mailbox, both the sender and recipient enjoy Fourth Amendment protection in the contents of the mail during delivery.  When the mail is delivered to the recipient, the sender loses his Fourth Amendment protection: The Fourth Amendment rights are transferred solely to the recipient.  In practice, this works pretty simply:  Each party has Fourth Amendment protection in the mail when they’re in possession of it, and both the sender and receiver have Fourth Amendment rights in the contents of the mail when the postal service or private mail carrier is holding the mail on their mutual behalf.

I should be clear that there are exceptions to these rules.  For example, if a person sends a letter in what the Postal Service used to call “Fourth Class” mail — that is, mail that the Postal Service reserves the right to open — then it is not protected by the Fourth Amendment.  See, e.g.,   Also, the Fourth Amendment protection only applies to the contents of the communication, not the outside.   But the basic approach has governed postal mail privacy for a long time.

The highlighted clause in the above paragraph is what I’m talking about. When we send postal mail, we consider the contents private, but we expect lots of people to see the outside of the envelope. When it comes to email, it’s usually considered to have an envelope too, in that information controlling the delivery — most prominently the recipient email address — is not generally considered part of the message.

The problem is that this division of an email message into envelope and letter is a fiction perpetrated by our email software. An email message in transit — whether held on a server or traveling over a wire — is just an undifferentiated chunk of data. Once someone gets that data, both the envelope and the letter lie open to them. Unlike a real-world envelope, an email envelope doesn’t really protect anything.

In other words, as Phil Zimmermann has pointed out, email isn’t like sending a letter, it’s like sending a postcard. And who in their right mind would have any expectation of privacy in a postcard?

I believe that, regardless of the law, if we want privacy in our email, we’re going to have to start sending our email in envelopes that actually protect the contents. Such envelopes already exist, and they’ve been around for years. In fact, the aforementioned Phil Zimmermann invented one of the most famous ones. But for some reason, we hardly ever use them.

I’m talking, of course, about encrypting our email.

The whole issue of just how and when government agents can access copies of email in the hands of a third party would be far less important if all they could get out of it was a meaningless block of encrypted data.
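What a third party holding a stored copy of a message can read, with and without an encrypted body, as an added example that is not part of the original post. The addresses, message text and the armored block are constructed placeholders, and the encrypted sample assumes the PGP/MIME layout of RFC 3156.

```python
from email import message_from_string
from email.policy import default

# Constructed sample: a plaintext message as a mail server would store it.
PLAIN = """\
From: alice@example.org
To: bob@example.net
Subject: Lunch
Content-Type: text/plain; charset="us-ascii"

Meet me at noon. Bring the contract.
"""

# Constructed sample: the same message wrapped as PGP/MIME (RFC 3156).
# The armored block is a placeholder, not real ciphertext.
ENCRYPTED = """\
From: alice@example.org
To: bob@example.net
Subject: Lunch
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

PLACEHOLDER-CIPHERTEXT
-----END PGP MESSAGE-----

--b1--
"""

def third_party_view(raw):
    """Return what anyone holding the stored bytes can read without a key."""
    msg = message_from_string(raw, policy=default)
    headers = {k: str(msg[k]) for k in ("From", "To", "Subject")}
    readable = [part.get_content().strip() for part in msg.walk()
                if part.get_content_type() == "text/plain"]
    return {"headers": headers,
            "encrypted": msg.get_content_type() == "multipart/encrypted",
            "readable_body": readable}
```

In both cases the headers, including the subject line, stay readable; only the body becomes opaque, which is the digital counterpart of the outside of the envelope remaining visible.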

There was a time when cryptographic software was complex and available only to the military and large corporations. But Phil Zimmermann changed all that when he released his PGP software, which featured near-military-grade encryption. Such high-quality encryption took a lot of computing power, so people were reluctant to use it. Since then, however, computing power has become dirt-cheap, and encryption has become commonplace on the internet. Every time you access a web URL that begins with “https:” your communication with that site is protected by some of the most secure encryption ever created.

Yet, as a society, we don’t use encryption for email. I don’t understand it. And the fact that I don’t use it either doesn’t help me understand why it hasn’t caught on. I’ve had PGP on my computers for years, yet I doubt I’ve sent or received more than two dozen PGP-encrypted messages. And half of those were the equivalent of “I’ve just installed PGP, can you read this?”

Encryption can be a difficult technology, but we’ve solved so many other problems on the internet, so why is email encryption so hard? Why don’t more email clients support encryption? Google recently announced that they’ve turned on Gmail encryption, but they’re just talking about communications between your browser and their data center; the end-to-end message is still in the clear. Why doesn’t Microsoft Outlook have built-in PGP encryption instead of a random collection of third-party certificates? Or if PGP isn’t the answer, why hasn’t a better answer emerged?

And why hasn’t more infrastructure emerged for distributing encryption keys? I have a PGP key, and you can send me encrypted email if you want. There’s a link to my public PGP key in the right-hand sidebar. But you’d have to have PGP installed, and you’d have to right-click and download the key and install it in your keyring. It’s weird: The HTML standard has a built-in tag to indicate an email address, but not a built-in way to pass along a public encryption key for that address.

I’d think a social networking site like Facebook would be great for distributing public keys, but the built-in profiles don’t include encryption keys. There’s a third-party application called Keystore that can hold a PGP key, but it has only 35 active users.

It’s a mystery to me. Why don’t more people encrypt their email? If it were up to me, everything I sent would be encrypted just on principle. But it’s not up to me, because most of the people I email haven’t given me their PGP keys. Maybe everybody else is in the same boat. But then nobody was on Facebook before everybody was on Facebook. Nobody was on Twitter until everybody was on Twitter.

Nobody encrypts their email until…it’s been almost 20 years now, so I don’t know.

7 Responses to Time To Put Email In an Envelope

  1. “But it’s not up to me, because most of the people I email haven’t given me their PGP keys.”

    Do you ever wonder why the other boys won’t play with you?

  2. Heh. But seriously, nobody gives me their PGP keys because nobody has PGP keys because nobody cares about encryption. Except maybe Mark Bennett — he has a PGP key — but even then I doubt he has much use for it.

  3. A really good email encryption option is Voltage SecureMail. It solves a lot of the usability challenges that existed with previous encryption technologies.

    Voltage SecureMail can easily send encrypted email to anyone.

    Voltage SecureMail has Outlook plug-ins or you can use a web interface for sending encrypted email. Messages are completely controlled by the sender and recipient in their sent folder and inbox. No messages are stored on servers.

    Recipients don’t need any special software to decrypt and read their messages, just a browser. And recipients don’t need to pay to read their email. In fact, they even get free support from Voltage. It’s much easier to use than PGP, S/MIME or other older solutions…and just as secure…which is probably why they can afford to offer free support to their customers and recipients…unlike those other solutions.

    It’s an ideal solution to help address state privacy regulations in Massachusetts and Nevada as well as the more general HIPAA, SOX, PCI requirements, etc.

    There is a free trial at: http://www.voltage.com/vsn

  4. It’s like living in paranoia Nirvana, handing out your PGP key to your secret friends. Do we really want to be reduced to that?

    No, which is why we should give everyone our PGP key, and everyone should encrypt everything all the time. That’s the point of the envelope analogy: Encrypting your email is no more paranoid than putting letters in envelopes.

  5. Duane, you sound a bit like a member of the Voltage sales staff. I don’t know enough about encryption issues to tell if Voltage is a good solution for anything, and I’m curious about how key distribution works if you can send mail to non-voltage users. Where do you get their key?

  6. Sorry for sounding salesy. I’ll try to be more educationy: You can think of Voltage as the next generation of PKI with their identity-based encryption algorithm (IBE). Key management is built into the model so keys can be generated and re-generated on demand. This means that your admin costs go way down and usability is great because you can send an encrypted message to anyone with an email address…recipients don’t need to do anything first (get a cert/PGP key, etc.). Ad-hoc (non-Voltage) recipients authenticate themselves to a key server and the key is generated for them in order for them to decrypt and read their email. IBE is even on track to become a standard (RFC 5091) and you can get a lot more detail at the Voltage website or try it out yourself to understand its simplicity…compared to technologies that have been around for YEARS and still haven’t been easy enough to use to gain widespread acceptance.

    Voltage seems to be getting a lot of traction with very large companies in a lot of industries. (probably sounding a little too marketingy again). Anyway, Voltage is definitely worth checking out.
