Protecting your e-mail

December 11, 2001

E-mail messages are the electronic equivalent of postcards dropped in the mailbox and delivered to the recipient's home or office: Other people, aside from sender and recipient, can read the message.

They include co-workers and family members who have access to your computer; mail-system administrators; employers who know that, legally, on-the-job e-mail is company property; and unethical workers at your Internet Service Provider.

Privacy can be especially important for certain kinds of personal and business e-mail.

More patients and physicians, for instance, are using e-mail to communicate about confidential medical problems. Millions of people are e-mailing stockbrokers, attorneys, financial advisers and banks. Business people use e-mail for all kinds of communications that could be damaging in the hands of competitors.

The solution for anyone concerned about e-mail privacy is simple: Stop sending e-mail postcards; instead, put sensitive messages into a thick electronic "envelope" that prevents snoops from reading the contents.

That means using software to encrypt, or encode, e-mail messages, electronically scrambling them so only the recipient can read the contents.

The most widely used encryption program, Pretty Good Privacy (PGP), may sound too good to be true.

PGP is available for personal, non-commercial use without charge from http://web.mit.edu/network/pgp.html. Just go to the site and follow the instructions for downloading the program to your computer.

PGP not only is free, but is regarded as the most powerful encryption software generally available outside the government. William Crowell, deputy director of the National Security Agency, noted in 1997 testimony to Congress:

"If all the personal computers in the world were put to work on a single PGP-encrypted message, it would take an estimated 12 million times the age of the universe, on average, to break a single message."

PGP does more than ensure the privacy of e-mail. Privacy means that only the intended recipient of a message can read the contents. It also provides authentication of messages. Authentication ensures that the individual whose name is on a message actually sent it, and that the contents have not been changed by someone who intercepted the message.

Phillip Zimmermann, one of the legendary figures in computer science, developed Pretty Good Privacy in 1991. He now is chief cryptographer for Hush Communications, a telecommunications security firm based in Dublin, Ireland.

Zimmermann made the program available to individuals without charge over the Internet. It quickly became the world's most widely used e-mail encryption software. Many people who use e-mail at home, and many business e-mailers, however, are totally unaware of PGP.

When you install PGP, the program generates two "keys" - cryptographic keys used to "lock" and "open" e-mail messages. A key is a piece of data - usually a large random number - that tells a program to encrypt, or scramble, a message in a distinctive way.

One is a "public key" that you make available to everyone via a PGP computer on the Internet. People who want to send you a secure e-mail use the public key to lock their message. The other is a "private key" that you keep secret, so only you can open messages.

The private key also creates a digital signature on the message, which the recipient can check by using the sender's public key. It proves that the sender was the true originator of the message, and that the message has not been changed.

Both sender and recipient must have PGP software on their computer for the encoding and decoding to work.

If you're concerned about e-mail privacy and authenticity, give PGP or other e-mail privacy software a try.

For news and information about Toledo visit http://www.toledoblade.com/. E-mail mwoods@nationalpress.com. Distributed by Scripps Howard News Service.