Many people assume that e-mail provides a secure channel for both personal and professional communications. Indeed, e-mail accounts are secure to the extent that access is limited only to those who know the username and password for an account. However, privacy over personal e-mails is complicated by the technical process through which e-mails are delivered. Once an e-mail is sent, it stays on a server somewhere in the world before it is retrieved. The issue lies in the fact that international data sharing agreements are very different across jurisdictions – privacy rights vary accordingly so there is no guarantee that a sent e-mail will only be viewed by the intended recipient.
In the United States, the National Security Agency (NSA) has exploited this fact for their PRISM surveillance program. Under U.S. legislation, companies that assist the U.S. government in intelligence collection are immune from prosecution. The FISA Amendments Act of 2008 specifically authorizes intelligence agencies to “monitor the phone, email, and other communications of U.S. citizens for up to a week without obtaining a warrant” when one of the parties is outside the U.S.
In Canada, while the Federal Privacy Commissioner has remained quiet on the revelations in the U.S., a fundamental privacy concept voiced by Ontario Privacy Commissioner Ann Cavoukian is that “the state has no right to access the personal information of law-abiding citizens” furthermore, “individuals have a right to control who has access to their personal information.” Essentially, when the content of an individual’s electronic communications are viewed with no reasonable suspicion, privacy has been violated.
The issue of privacy in electronic communications is transnational in scope; intelligence agencies are ambiguous on their surveillance techniques so it cannot be definitively stated that U.S. agencies monitor the communications of Canadians. President Obama has said however that PRISM is being used to target foreigners, not residents of the United States.
The worrying trend in monitoring personal communications of individuals by a foreign government raises the possibility of increased usage of encryption services. It is a cumbersome process to have a fully encrypted end-to-end e-mail solution. With the high profile closure of secure e-mail service providers such as Lavabit, Tor Mail, and Silent Circle, there are few options for secure, end-to-end encryption. Some existing alternatives include Countermail based out of Sweden and NeoMail. Practically speaking however, these may not be suitable options for the typical consumer as these services require security keys to be exchanged in order to access messages or installation via CD-ROM and not through downloadable software from a website.
As the need for secure electronic communications increase exponentially, we’ll see more service providers rise to the occasion with solutions that are user-friendly and don’t require senders or receivers to be technically savvy. A great example of this is third party secure servers that can be used for sensitive documents. The receiver obtains a link to retrieve the file, and although not an end-to-end secure e-mail solution, such services, like Canada Post’s new ePost service, are easy to use and meet the benchmark for secure electronic document delivery where only the intended recipient can access the confidential content.