Secure my email - why? (detailed)

Kristian Fiskerstrand's blog

Authentication/Digital signatures

Digital signatures provide a means to verify that the sender is who he or she claims to be. It is very easy to forge From addresses, as you may have noticed from viruses and spam arriving in your mailbox from senders you are certain did not send them.

Say Alice sent an email to her executive, Bob, claiming to be Charlie. She included some comments that made Bob react against Charlie, and Charlie got a reprimand or lost his job. This is a situation that could be avoided by integrating digital signatures into the solution.
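A worked version of the verification step described above, added here as an illustration and not part of the original post. It uses Go's standard-library Ed25519 rather than OpenPGP, and the addresses, the map standing in for Bob's keyring, and the message texts are constructed: Bob holds public keys for Charlie and Alice, accepts a message Charlie signed, and rejects both a message Alice signed in Charlie's name and a genuine message whose body was changed after signing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Message is a minimal stand-in for an e-mail: claimed sender, body, signature.
type Message struct {
	From, Body string
	Sig        []byte
}

// signedBytes is what gets signed: the From header and the body together, so
// the address cannot be swapped for another one without breaking the signature.
func signedBytes(m Message) []byte {
	return []byte("From: " + m.From + "\r\n\r\n" + m.Body)
}

// Sign builds a message claiming to come from `from`, signed with `priv`.
func Sign(priv ed25519.PrivateKey, from, body string) Message {
	m := Message{From: from, Body: body}
	m.Sig = ed25519.Sign(priv, signedBytes(m))
	return m
}

// Verify checks the signature with the key the recipient holds for the *claimed* sender.
func Verify(keyring map[string]ed25519.PublicKey, m Message) bool {
	pub, ok := keyring[m.From]
	return ok && ed25519.Verify(pub, signedBytes(m), m.Sig)
}
// Scenario plays out the Alice/Bob/Charlie case from the text: a genuine mail from
// Charlie, Alice's mail forged in Charlie's name, and a genuine mail altered after signing.
func Scenario() (genuine, forged, tampered bool) {
	charliePub, charliePriv, _ := ed25519.GenerateKey(rand.Reader)
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	bob := map[string]ed25519.PublicKey{"charlie@example.com": charliePub, "alice@example.com": alicePub}
	genuine = Verify(bob, Sign(charliePriv, "charlie@example.com", "Q3 report attached."))
	forged = Verify(bob, Sign(alicePriv, "charlie@example.com", "Bob is incompetent."))
	m := Sign(charliePriv, "charlie@example.com", "Approve the transfer.")
	m.Body += " Also raise the limit." // changed after signing
	tampered = Verify(bob, m)
	return
}

func main() {
	g, f, t := Scenario()
	fmt.Printf("genuine=%v forged=%v tampered=%v\n", g, f, t) // true false false
}
```

In real OpenPGP mail the signature covers the message body and the sender is bound to the key through its certified user ID rather than by signing the From header as done here; the verification logic on the recipient's side is the same: the claimed sender's key must verify the signature, or the mail is rejected.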

Legal requirement

You might be obliged by law to provide a means for secure communications. At least three laws might be relevant:

HIPAA

Health Insurance Portability and Accountability Act
http://hipaa.org

The use of the internet and email for electronic communication has been growing extremely fast during the last decade, which demands new standards for securing the transmission of information. The American Health Insurance Portability and Accountability Act is a set of rules with recommendations and requirements for entities such as health plans, doctors, hospitals and other health care providers. This regulation requires all covered entities to be able to ensure that patients' account handling, billing and medical records are protected.

The general rule of section 164.306 requires all covered entities to provide transmission security, which comprises two specifications: integrity controls that ensure the security of electronically transmitted information, and encryption. "The purpose of this final rule is to adopt national standards for safeguards to protect the confidentiality, integrity, and availability of electronic protected health information." Extracted from: Health Insurance Reform: Security Standards; Final Rule.

The Gramm-Leach-Bliley act

The Gramm-Leach-Bliley Act consists of regulations developed for financial institutions; it is also known as the Financial Modernization Act of 1999. This federal law enables the United States to control financial institutions and the manner in which they handle and process the private information of individuals. The Privacy Rules apply to financial institutions and their activities. Affected institutions can also be non-bank companies that deal with lending, brokering, auditing, transferring or safeguarding money, preparing tax returns, providing financial advice and credit, providing residential real estate settlement services, collecting consumer debts, and more. The Act includes a privacy obligation policy which emphasizes the protection of non-public personal information.

Moreover, it also regulates how financial institutions should handle administrative, technical and physical safeguards.

For more information regarding GLB, please visit: banking.senate.gov

GLB Act, extract from Sec. 6801, Protection of nonpublic personal information, subsection (b), Financial institutions safeguards:

"In furtherance of the policy in subsection (a) of this section, each agency or authority described in section 6805(a) of this title shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards - (1) to insure the security and confidentiality of customer records and information; (2) to protect against any anticipated threats or hazards to the security or integrity of such records; and (3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer."

Sarbanes-Oxley Act

The Sarbanes-Oxley Act was signed into law on July 30, 2002 and affects financial practice and corporate governance regulations. This Act was enacted "to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws".

This Act applies to public companies: it is focused on their corporate governance and reporting practices. It also affects private firms that one day might become public.

To find out more you can visit: http://www.sec.gov/spotlight/sarbanes-oxley.htm.

Industrial Espionage

The European Parliament conducted an investigation into the Echelon system in the period between 1999 and 2004; the final report can be read at http://cryptome.org/echelon-ep-fin.htm. But what is this Echelon thing? Quoting http://fly.hiwaay.net/~pspoole/echelon.html:

In the greatest surveillance effort ever established, the US National Security Agency (NSA) has created a global spy system, codename ECHELON, which captures and analyzes virtually every phone call, fax, email and telex message sent anywhere in the world. ECHELON is controlled by the NSA and is operated in conjunction with the Government Communications Headquarters (GCHQ) of England, the Communications Security Establishment (CSE) of Canada, the Australian Defense Security Directorate (DSD), and the General Communications Security Bureau (GCSB) of New Zealand. These organizations are bound together under a secret 1948 agreement, UKUSA, whose terms and text remain under wraps even today.

The ECHELON system is fairly simple in design: position intercept stations all over the world to capture all satellite, microwave, cellular and fiber-optic communications traffic, and then process this information through the massive computer capabilities of the NSA, including advanced voice recognition and optical character recognition (OCR) programs, and look for code words or phrases (known as the ECHELON "Dictionary") that will prompt the computers to flag the message for recording and transcribing for future analysis. Intelligence analysts at each of the respective "listening stations" maintain separate keyword lists for them to analyze any conversation or document flagged by the system, which is then forwarded to the respective intelligence agency headquarters that requested the intercept.

Now, many will probably say that it is not a problem if the government surveils them, as they have nothing to hide. If you just had this thought, please read the final report; chapter 10.7, Published cases, includes some reading material for you. One case worth mentioning is that of Airbus versus Boeing in 1994, where the NSA obtained "Information on an order for aircraft concluded between Airbus and the Saudi Arabian national airline" by means of "Interception of faxes and telephone calls between the negotiating parties", with the goal of "Forwarding of information to Airbus's US competitors, Boeing and McDonnell-Douglas", which resulted in "The Americans won the contract (US$ 6 bn)".
