Net Q & A

How do I know if my e-mail is encrypted? If it is not how do I turn encryption on and off? 

Good question! As the U.S. Court of Appeals for the Ninth Circuit pointed out:

"[E]mail is easily intercepted, and transactions over the Internet are often less than secure. ... Whether we are surveilled by our government, by criminals, or by our neighbors, it is fair to say that never has our ability to shield our affairs from prying eyes been at such a low ebb. The availability and use of secure encryption may offer an opportunity to reclaim some portion of the privacy we have lost."

Bernstein v. Department of Justice, (9th Cir. 1999).

There are several different ways to encrypt files. Unless you affirmatively use one of them, assume your messages are not encrypted.

I'll summarize the main options below. Listing several different methods may make this seem more confusing than it really is, so remember, you will ordinarily select one method. I'm listing multiple options here to give you flexibility in choosing the one best suited to your situation, and so you will understand encrypted messages you may receive from others:

1. Microsoft Word, WordPerfect, PK Zip, Lotus 123 and many other programs can encrypt files, in some cases under menu choices like "Password." You encrypt the file on your machine, then send it as an e-mail attachment.

There are two problems with this approach:

   a. You have to send the recipient a password by some separate, secure delivery method. This approach is inconvenient. You may hear it referred to as the "private key," "one password," or "symmetric key" method.

   b. It is not a super secure method. Manufacturers of general-purpose software who include encryption features generally keep it weak, because they don't want to deal with complaints from people who have lost passwords. Therefore, these methods of encryption are usually pretty easy for people who know what they are doing to break.

Despite these problems, this could be an acceptable solution for some lawyers for most communications. It's a judgment call: how much security do you need?

2. There are a few symmetric key products on the market that are stronger than the encryption modules included in general purpose software. "PC Crypto" is one example. They also suffer from the inconvenience of having to share a password.

Some of this type of software does have one major advantage: they give you the option to send an encrypted message to someone who does not own the same type of software. You still have the inconvenience of having to communicate a password by some separate, secure communications channel, and, due to practical limits on how long the key can be, this method is not as secure as other methods. Further, some other programs, like recent versions of PGP, have adopted similar features, for their convenience.

3. A newer type of encryption software tries to combine high security with convenience. This type is known by several names, including "public key," "dual password," or "asymmetric key." The leading example is "PGP," or "Pretty Good Privacy."

This type of software is more convenient and easier to use in actual practice because you don't have to exchange a secret password. You encrypt a message using the recipient's "public key." This is a very long, unique number. Only the recipient can decrypt the message, because only they have a "private key" that complements the public key.

The mathematical theory behind this is complicated, but the beauty of it is that if you use good software, it hides the complexity. You only select the menu choices to do what you want.

Public key software has an additional advantage that no other type of encryption can match: digital signatures. It allows you to verify who sent a message, and that the message was not altered in transit.

Digital signatures provide a major advantage in commercial situations. Recent federal legislation provides that signatures cannot be denied legal effectiveness merely because they are not pen-and-ink. The revised UCC Article 9, taking effect July 1, 2001 in nearly all states, accommodates digital signatures by referring not to "signing" of "documents," but "authenticating" of "records." This vaguer wording is used so digital signatures will be covered. See http://article9.com.

For reasons explained in the "Tools to Protect Your E-mail" essay below, I recommend that most lawyers who need encryption use PGP. It is available free from MIT for personal, non-commercial use, and commercially from NAI, the manufacturer, and many vendors.

PGP is far from being the only public key product on the market. MS Outlook and Netscape Messenger both include a type of public key encryption based on "S/MIME." One drawback is that they require you to rent a public key from third party vendors. For example, in Outlook 2000, try menu choices Tools | Options | Security | Get a Digital ID. 

Many people will find this annoying, since other public key programs, including PGP, make it easy to create your own public key, at no charge.

4. Another category of software uses the S/MIME public key encryption that is built into web browsers to secure messages in transit. This is not really "e-mail" as we know it, but it is another method of exchanging messages. The details vary, but generally, the sender uploads e-mail to a secure web site, which sends an e-mail notification to the recipient. Hushmail, Zixmail and Tumbleweed are some vendors that use variations on this approach.

This method has the advantage that the recipient need not be using the same specialized encryption software. The system uses encryption software that is already included in web browsers, and nearly everyone already has web browser software installed. This method also offers a form of "return receipt," as the web site storing the message can verify when it was picked up. This method is probably less secure than some alternatives, and will often be more expensive.

5. Steganography uses software to hide a message inside a picture or sound file. The idea is to conceal the fact that an encrypted message is being sent. Steganos is an example.

More Information

1. I moderated a symposium on e-mail security for lawyers last fall for LLRX.com. One of the associated articles summarizes encryption options in more detail: Tools to Protect Your E-Mail.

2. Chapter 15 of my book, The Complete Internet Handbook for Lawyers, has a more detailed explanation of the concepts underlying both encryption and a related subject, digital signatures. It is available from many places, including Amazon.com.

Jerry Lawson