Sending Secure Email
Scenario: Making Sure Your Email is Secure and Private from You to Your Recipient
You're a researcher collaborating on a project with a colleague in a different country. Your research is highly confidential and will result in an important paper. You need to make sure no one except your colleague can see your preliminary results, but you need to discuss them and it's difficult to find a time slot when you're both awake, thanks to the difference in time zones.
You think a secure online exchange of information is your best option, but you want to be really sure that nobody else can intercept your data in transit across the network. NetFiles is useful for file exchange, but you want to have a private conversation as well, and in order to do that, you need to have end-to-end secure email.
What you can do
Unlike most physical mail sent through the post office, email doesn't automatically have an "envelope" to keep the contents private while it's being sent across the network. Instead, email is normally treated like a postcard: both the address of the recipient and the contents of the message can be read at every point in the network as the message is handed from computer to computer.
CITES Express Email and other similar email programs do take advantage of password-securing mechanisms such as SSL, secure POP, and secure IMAP to protect your identity. However, these security measures protect only the connection between your computer and the email server.
These password-securing mechanisms are like using your own key to a post office box: you're the only person allowed to open the box and look at the messages inside it. But the box is still full of postcards that could have been seen in transit, before being delivered to your secure post office box. And you're still writing postcards that you send through the mail.
In order to keep your email secure all the way from your location to the recipient's location, you need the equivalent of an envelope. This envelope will keep the contents of your message private, but the outside of the envelope still publicly identifies the person to whom the email is being sent, so that the email can be sent to the right destination without requiring the "envelope" to be opened.
The most commonly used "envelope" for email is called PGP, which stands for Pretty Good Privacy. There are both freeware and commercially available solutions depending on your needs. If you want to understand more about how PGP works, the PGP Corporation has provided executive briefs and white papers explaining various aspects of the system. In essence, though, PGP creates a unique "lock" for each email "envelope" you write, and the lock can only be opened by the private key belonging to the person who is the email's intended recipient.
PGP can be used with nearly any email system (including CITES Express Email), and with nearly any email client (including Outlook and Eudora). In order for a PGP-encrypted email exchange to work properly, you and your email partner should exchange your public keys, so that each of you can create mail that only the other person's private key can open. (NetFiles is a good way to securely exchange public keys.)
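Using PGP to encrypt your email will ensure that the contents of the messages you send are kept secret as they cross the various networks between you and your colleague, and that only the two of you will be able to read them. As described above, the addressing on the outside of the "envelope" remains visible so that the message can be delivered.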
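The postcard-versus-envelope distinction above can be checked on a message before it is sent. The following Python sketch is an added example, not part of the original page or of any CITES tool: it reports which headers stay readable in transit and whether the body is a PGP "envelope". The function names, addresses and sample messages are constructed for illustration, and the armored block is a placeholder rather than real ciphertext.

```python
from email import message_from_string

BEGIN, END = "-----BEGIN PGP MESSAGE-----", "-----END PGP MESSAGE-----"
# Headers that stay readable in transit even when the body is PGP-encrypted.
VISIBLE = ("From", "To", "Subject")


def body_protection(msg):
    """Classify the body: 'pgp-mime', 'pgp-inline', 'partial' or 'not-pgp'."""
    proto = (msg.get_param("protocol") or "").lower()
    if msg.get_content_type() == "multipart/encrypted" and proto == "application/pgp-encrypted":
        return "pgp-mime"  # RFC 3156 container: the whole body is ciphertext
    texts = [p.get_payload(decode=True).decode("utf-8", "replace").strip()
             for p in msg.walk() if p.get_content_maintype() == "text"]
    sealed = [t.startswith(BEGIN) and t.endswith(END) for t in texts]
    if texts and all(sealed):
        return "pgp-inline"  # every text part is one armored block
    if any(BEGIN in t for t in texts):
        return "partial"  # readable text travels next to the armored block
    return "not-pgp"  # nothing recognised as PGP: treat it as a postcard


def exposure_report(raw):
    """Return what an observer in transit can read and how the body is protected."""
    msg = message_from_string(raw)
    return {"visible_headers": {h: msg[h] for h in VISIBLE if msg[h]},
            "body": body_protection(msg)}


# Constructed samples; the armored block is a placeholder, not real ciphertext.
HEAD = "From: alice@example.org\nTo: bob@example.net\nSubject: draft results\n"
ARMOR = BEGIN + "\n\n(placeholder)\n" + END
POSTCARD = HEAD + "\nThe preliminary numbers look good.\n"
INLINE = HEAD + "\n" + ARMOR + "\n"
LEAKY = HEAD + "\nSummary: numbers look good.\n\n" + ARMOR + "\n"
PGP_MIME = (HEAD + 'Content-Type: multipart/encrypted; '
            'protocol="application/pgp-encrypted"; boundary="b1"\n\n'
            "--b1\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
            "--b1\nContent-Type: application/octet-stream\n\n" + ARMOR + "\n--b1--\n")

if __name__ == "__main__":
    for name, raw in [("postcard", POSTCARD), ("inline", INLINE),
                      ("leaky", LEAKY), ("pgp-mime", PGP_MIME)]:
        print(name, exposure_report(raw))
```

The "partial" result covers the case where readable text, such as a summary typed above the encrypted block, is sent alongside the ciphertext. In every case the sender, recipient and subject line remain visible, so nothing confidential belongs in the subject.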


