E-mail catches up to snail mail

May 15, 2001

At some unheralded moment in the past two years, the USA passed an important threshold: a majority of households now have e-mail.

And as it becomes increasingly ubiquitous, e-mail's uses increase. From dashing off a dinner-date reminder to sharing a thought with a family member, e-mail is being used more and more for legal, financial and medical purposes.

Problem is, without taking added precautions, e-mail is not secure enough to substitute for real mail in laying out legal strategies, preparing tax returns and applying for mortgages, experts say — though that hasn't slowed the migration.

"Most people are nervous about electronic mail security, but they send stuff anyway, even though it is a step worse than the Postal Service," says Joyce Graff, an analyst specializing in electronic mail with the Gartner Group. "At least with the Postal Service, if you tamper with the mail, there are clear repercussions. Reading somebody's e-mail is considered sport, and there are no visible penalties."

In this country, postal mail is considered almost sacrosanct. "Once a stamp goes on a sealed letter, the assumption is that the letter is intended to go into the mail stream. If there's a problem, we investigate it and bring charges, if warranted," says Dan Mihalko of the Postal Inspection Service. Even at your office, if you drop a letter into a box for the mailroom to deliver to a post office, it is protected under federal law, he says.

Not so for e-mail, which typically is no more secure than a postcard. Far from enjoying end-to-end protection, e-mail is subject to a variety of illegal as well as legal eavesdroppers. Hackers using popular "sniffer" devices can surreptitiously read contents of e-mail, while system administrators can do the same on a whim without detection. And under federal statute, your boss, your Internet provider and your e-mail service are authorized to read anything you send through their network.

Though tools (some free) are available to protect e-mail privacy, few users seem interested. "We remain a bit perverse about security in this country," Graff says. "We're not willing to spend a lot of money, time or effort, even when it's for our own basic preservation."

Your Internet service provider (ISP) has carte blanche under federal law to inspect the contents of e-mail, monitor browsing habits and preserve logs of activities — although none do so routinely (at least they don't acknowledge it).

"When you drop something in the postal box, you know that nobody, including the postal employee, is going to look at it," says Scott Charney, former computer crime section chief at the Justice Department. "When you send e-mail over an ISP, you have a similar protection from having the government look at it — but not the ISP.

"It would be completely impractical to run a business where you couldn't look at the data flow," adds Charney, now with the consulting firm PricewaterhouseCoopers.

Most ISPs have a "terms of service" contract, designed to be legally binding, setting out the circumstances under which online activities may be monitored or information provided to others. A violation would expose them to civil suits and costly court judgments.

America Online assures its 29 million subscribers that it will not monitor unless under court order or for matters of public safety. While AOL logs every e-mail and instant messaging session, company policy is to purge that data every 48 to 72 hours.

AOL says its network is designed so that no one has authority to monitor communications, even with a court order. And "AOL can satisfy law enforcement's needs without the need for" the FBI's controversial Net wiretapping device widely known as Carnivore, says John Ryan, AOL vice president and general counsel.

AOL says that when it is served with a court order, its fully automated process gathers just enough information. But the FBI makes the same claim about Carnivore.

Why trust a private ISP more than the FBI? "It's not a panacea," says David Sobel of the Electronic Privacy Information Center. "There are questions raised when the ISP does it, but at least you're not expanding access of the data to the FBI. And AOL has a relationship with the subscriber."

Indeed, most companies "are profoundly aware that people trust them provisionally and are prepared to jump to a competitor at the first sign of trouble," says Stewart Baker, a specialist in technology issues at the law firm of Steptoe & Johnson in Washington, D.C.

E-mail users, of course, can use software or services that will encrypt communications, storing and sending e-mail as a scrambled message, readable by only the intended recipient.

However, "no more than a few percent of all e-mail users bother with encryption," estimates Phil Zimmerman, creator of PGP (Pretty Good Privacy), the first consumer-friendly encryption software.

Even professionals who might benefit from encryption rarely use it. The American Bar Association adopted an ethics position in 1999 advising attorneys that they are under no obligation to use encryption to protect sensitive communications. In surveys, most lawyers say they don't use encryption.

"I use it religiously, when my clients ask me to," Baker says. "But what amazes me is how frequently they don't want to be bothered, even when I recommend it.. .. Even technology companies don't use encryption nearly as much as you would expect."

Meanwhile, corporations are exercising the authority to monitor employees' e-mail use to defend against abuses such as sexual harassment. About 47% of companies review e-mail, up from 38% in 1998, according to the American Management Association.

"When government wants to look at your e-mail, depending on what they can show a court, they may or may not be granted authority," says Marc Zwillinger, a former computer crime prosecutor now with the Kirkland & Ellis law firm in Washington, D.C. "Yet when an employer wants to look at your e-mail, they need nothing."

Zwillinger advises corporations they "must have a policy" detailing everyone's rights and duties. "I'm not comfortable saying that companies can do whatever they want. It has to be for the right reasons."