Post-Snowden, Encryption Remains Your Best Friend

Let's start by assuming that if state agencies really want to carry out surveillance of your systems they will. All you can do is make it less worth their while trying.

Shortly after Edward Snowden spilled the beans on how US intelligence agencies routinely intercept electronic communications traffic, it was announced that two US-based encrypted email services were to close, apparently as a direct consequence. The decisions were motivated in part by conscience, but they were also an admission that it was not possible to guarantee customers the total privacy they might expect from using these services.

In Europe, many companies have long suspected that all email traffic is at the mercy of the intelligence agencies, not only those of the USA but equally those of any country whose processors it passes through along the way. The DACH countries (Germany, Austria and Switzerland) in particular are concerned about email filtering that takes place outside the region, and they are thinking of stipulating that email traffic must be filtered within their borders. This will bring filtering into line with their rules on data storage, which have for many years insisted that storage must take place within their own legal jurisdiction. Europe's leading financial institutions in particular will only consider cloud email services that can assure them email filtering will comply with in-country laws. This is bad news for some of the world's biggest cloud email providers, like Microsoft, Google and Amazon, as they cannot guarantee data will be held in a specific territory.

At Sendmail we offer businesses multiple encryption options. And, in spite of all the headlines, our customers are happy to carry on using it. They want encryption as protection against cybercrime but, perhaps even more importantly, as a secure and convenient way to use email to send confidential, time-sensitive information like intellectual property or financial documents. In the words of Snowden himself, "Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on."

Let's start by assuming that if state agencies really want to carry out surveillance of your systems, they will. All you can do is make it less worth their while trying. Since the case for encryption is supported by major financial institutions and leading authorities on surveillance methods, it's reasonably safe to conclude that it has to be worthwhile. On top of this, the price of message encryption systems is falling. So the question is not so much whether you should encrypt your emails but how you choose to encrypt them.

For most confidential business communications, password-protected zip files are inadequate. Any basic encryption technique that uses software on your Windows computer to compress messages sent via your local network takes just seconds to decrypt. You would be much safer on Linux than Windows. In fact, don't rely on client-based encryption on your own computer; it is better to use industry-standard techniques on your domain to encrypt your communications. Of course, most of this is beyond the casual internet user, but the fundamental truth is that you're much better protected with encryption than without it.

In summary, the work of the intelligence agencies may have turned the internet into a glorified spy network, but their resources are finite and their focus is on identifying potential terrorists rather than everyday business. Just as a house burglar will leave the house with alarms and CCTV in favour of the one with the open window, the best protection is to make surveillance of your systems as inconvenient as possible. In doing so you also increase your defence against cybercrime.

It's a question of numbers and encryption is your friend, a key to tipping the balance of probabilities in your favour.