Email ministry

Email marketing – many lessons here for non-profits.

Why email lists are still vital.

Ensuring your e-mail is truly private

Most governments now have the means to spy on electronic messages. The “cyberpolice” in repressive countries use it to spot and arrest political opponents and many Internet users have been thrown in prison for sending or even just forwarding an e-mail. A political dissident in the Maldives was given a 15-year jail sentence in 2002 for corresponding by e-mail with Amnesty International. An Internet user in Syria has been in prison since February 2003 for forwarding an e-mail newsletter.

So here are some tips on how to ensure your e-mails remain private.

Using the e-mail account supplied by your Internet service provider (ISP), such as AOL, Wanadoo or Free, or by a firm doesn’t guarantee any e-mail confidentiality. The owners of the networks your messages pass through can very easily intercept them. When the authorities in any country want to investigate Internet users, they usually go through their ISP to read their e-mail.

A “webmail” account (such as Yahoo! or Hotmail) is more secure because it doesn’t use the servers of a local ISP. To read webmail messages, you have to force your way in or intercept messages as they’re being transmitted, which is technically more difficult. Unfortunately this protection is only relative, since police experts or hackers can easily look at your webmail.

Encryption (writing protected by a code) is the main way to really ensure the privacy of your messages. There are two kinds.

Classic encryption

Ann and Michael want to exchange secret messages, so they agree on an encryption and decryption code and a key. Then they exchange messages using them.

The snag with this method is that if a third person intercepts the messages in which Ann and Michael exchange their key, that person can see it and use it, perhaps to send bogus e-mails to Ann and Michael. So Ann and Michael have to exchange their key when nobody else can see it, by meeting in person, for example.

Assymetric encryption

The best way to fix the problem is to use “asymmetric” encryption. Two keys are needed for this, one to encrypt, the other to decrypt. Details of the encrypting key (the “public key”) can be exchanged without risk over the Internet because it can’t be used to decrypt messages. The decrypting key (the “secret key”) must never be communicated.

With asymmetric encryption, Ann has her own pair of keys (a public key that she gives out and a secret one that she keeps). Ann sends her key to Michael, who uses it to encrypt his messages to her. Only Ann, with her secret key, can then decrypt Michael’s messages. Michael, with his own pair of keys, in turn sends his public key to Ann, who can then reply to his messages in complete privacy.

But since the public key is exchanged over the Internet without special protection, it’s best to check its validity with its owner. Each key has a “fingerprint” (a short string of characters), which it’s easy to communicate in person or over the phone.

An unverified key may be a false one issued by a third person with evil intent, making the encryption totally useless. The reliability of assymetric encryption depends entirely on protecting the secret key and checking the public key of the other person.

OpenPGP (Open Pretty Good Privacy) is the standard asymmetric encryption. The most popular software to create and use a pair of keys and manage the public keys of its correspondents is GnuPG (GNU Privacy Guard), which can be used both with mail programmes such as Thunderbird or Outlook, with webmail or with instant messaging.

  Download GnuPG