Email, by its very design, cannot be a truly secure system, so let’s stop trying to make “secure” email systems. In order for email to work, headers (recipients, subjects, from) need to be sent in the clear so that servers can route the email to the correct server — think of this data like the information on the outside of an envelope that you mail to someone. That’s all “publicly” readable information — and telling.
Email, once sent, is bouncing around an awful lot, perhaps the most simple route being:
- From sender computer to sender email server
- From sender email server to receiver server
- From receiver server to receiver computer
In this very basic setup, that’s four places that your actual message is being stored, and three transmission legs. If any one of those points is not secure, then neither is the message. If any one of those legs is out of your control, then the encryption can be circumvented. And even if all those points were secure the NSA could still tell who was sending what message to whom (and what its subject was).
Above I linked to the rather damning analysis of “PRISM in the 18th Century”, the gist of which is (as written by Jason Kottke):
In a clever article, Kieran Healy uses only the membership lists of various Boston-area organizations in the late 1770s to find out quite a lot about who might be the leaders of the nascent revolutionary cell. Even with this simple analysis, Paul Revere’s name pops out of the data.
So even if you can hide the contents of your communications, the very information of who you are communicating with, how often, and when, is damning in itself.
So why is everyone so wrapped up in securing this current email system? My guess is because it’s what we have, but that’s like trying to find a faster horse, instead of inventing the car. We now need to invent the car, so to speak.
We need a secure, decentralized, communication system.
I look at the current email system in much the same way that Napster was designed at its peak: A system brought down by its own design. The centralization killed it. BitTorrent, on the other hand, is decentralized and much harder — perhaps even impossible — to shut down because there is no central switch to kill the whole the system.
Essentially we need the BitTorrent of email systems. I don’t mean sending messages over BitTorrent, I mean a modern system designed from the ground up for secure communications. There are systems out there that do this, for example Silent Circle’s text messaging system, which was designed to be secure from the outset (and allows file sharing). But Silent Circle’s system is proprietary. We need an open, standards-based system that tools can be built around for secure correspondence.
I don’t know how such a system would work, but it seems to me that trying to secure email is futile. Instead we should work to create a new secure communication system that, perhaps insecurely, is still backwards compatible with our current email systems.
Let’s not worry about making email secure. Instead, let’s make a new, entirely secure, system that just happens to work with the existing email infrastructure (albeit in an insecure manner).