A few days ago, a very good friend of mine and a colleague at Ethos (Gary Hunt) raised a very salient point to me about the privacy implications of me sending a contact database through as an attachment to an email. He felt that this raised the very important issue of educating people about privacy concerns as the email could potentially have been intercepted and the confidential details extracted during its journey.
His recommendation was that I upload the data to a secure server and have my email point to that protected URL. Certainly something that I should have considered, and well spotted, Gary!
He raised a point on how we should highlight these issues within Ethos and drive change with an organisation that comprises over 100 very senior people around the world who have their own businesses to focus on and where most of them are working for the organisation on a part time basis. Something that I have been thinking about this weekend. So I decided to put quill to paper.
Certainly the sending of emails with attachments containing confidential information across the internet and having them bounce through an unknown number of server nodes is worrying. If you are interested, read this short piece on an email’s journey to its recipient.
Common email providers require something called “a secure HTTPS connection” between your browser (eg Chrome) or client (eg Outlook) and their servers. A secure HTTPS connection basically adds encryption to your emails and essentially makes the email and any attachments unreadable by anyone as they travel to the main server. Google, for instance, made HTTPS mandatory for Gmail in 2014 and so all google emails (gmails) are encrypted between your computer and the google servers.
But there it all goes a bit screwy. The message is securely delivered to the main email server but is then transmitted in the open (without encryption) from there on to the final server. The very last leg, that between the recipient’s email server and his PC, is usually encrypted (unreadable) again. So what about the whole bit in the middle?
Well, as Gary pointed out, this is where the risk is. Although they seem to, emails don’t travel directly from the sending server to the receiving server. If I have a gmail account and was sending to a recipient with an Apple account, the email would be sent through a large number of servers as it makes its very quick way to the destination. The route it takes is dependent on lots of things including the amount of traffic on the internet and even the time of day. What’s more, the email would probably not go down the same route as last time. It heads east, west, north and south in a seemingly random manner till it gets to the right end server.
So Gary’s point is that it may bounce through a ‘naughty’ server that actually inspects the content of the email, sees that it contains a lot of confidential email addresses, names and phone numbers, harvests them and then sends the email back on its way as if nothing had happened. So quickly that no one will ever know. Till everyone starts getting the spam or, worse, someone suffers identity theft. You may have heard this referred to as a ‘Man in the Middle’ attack. I’m guessing you can understand why now.
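Each relay that handles a message prepends its own `Received:` header, and the token after `with` records whether that hop arrived over TLS (`ESMTPS`, or `ESMTPSA` when the sender also authenticated) or in the clear (`SMTP`/`ESMTP`). The script below is an added example, not part of the original post: it parses the headers of a constructed sample message and lists the hops that were not encrypted, which is the practical way to see “the whole bit in the middle” for a message you have received. The hostnames and addresses in the sample are made up. One caveat the code comments also note: every relay writes its own header, so a dishonest relay can write whatever it likes, and the headers only describe the hop *into* each server.

```python
import email
import re
from email import policy

# Constructed sample message (hostnames and addresses are placeholders).
# Headers are newest first: the top Received line is the final hop.
SAMPLE_MESSAGE = """\
Received: from mx-in.example.net (mx-in.example.net [198.51.100.7])
 by imap.example.net with ESMTPS id r3 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
 Mon, 1 Jan 2024 10:00:05 +0000
Received: from relay.example.org (relay.example.org [192.0.2.25])
 by mx-in.example.net with ESMTP id r2;
 Mon, 1 Jan 2024 10:00:03 +0000
Received: from [10.0.0.5] (client.example.com [203.0.113.4])
 by relay.example.org with ESMTPSA id r1 (version=TLS1_2 cipher=ECDHE-RSA-AES256-GCM-SHA384);
 Mon, 1 Jan 2024 10:00:01 +0000
From: alice@example.com
To: bob@example.net
Subject: contacts.xlsx

(body)
"""

# "from <host> ... by <host> ... with <protocol>" is the RFC 5321 Received clause layout.
_FROM = re.compile(r"\bfrom\s+(\S+)")
_BY = re.compile(r"\bby\s+(\S+)")
_WITH = re.compile(r"\bwith\s+(\S+)")


def parse_hops(raw_message):
    """Return the hops in transit order (oldest first) with a TLS flag per hop.

    Each relay asserts its own Received header, so these values are only as
    trustworthy as the relay that wrote them; a hostile relay could lie.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    for header in msg.get_all("Received", []):
        text = " ".join(str(header).split())  # unfold and normalise whitespace
        src = _FROM.search(text)
        dst = _BY.search(text)
        proto = _WITH.search(text)
        protocol = proto.group(1) if proto else "unknown"
        # ESMTPS / SMTPS (optionally followed by A for authenticated) means the
        # connection into this relay used TLS; plain SMTP / ESMTP did not.
        encrypted = bool(re.match(r"E?SMTPS", protocol, re.I)) or "version=TLS" in text
        hops.append({
            "from": src.group(1) if src else "unknown",
            "by": dst.group(1) if dst else "unknown",
            "protocol": protocol,
            "encrypted": encrypted,
        })
    hops.reverse()  # headers are newest-first; we want sending order
    return hops


def unencrypted_hops(raw_message):
    """List 'from -> by' for every hop whose Received header shows no TLS."""
    return [f"{h['from']} -> {h['by']}" for h in parse_hops(raw_message) if not h["encrypted"]]


if __name__ == "__main__":
    for hop in parse_hops(SAMPLE_MESSAGE):
        status = "TLS" if hop["encrypted"] else "PLAINTEXT"
        print(f"{hop['from']:>20} -> {hop['by']:<20} {hop['protocol']:<8} {status}")
    print("Unencrypted hops:", unencrypted_hops(SAMPLE_MESSAGE))
```

Run it against a real message by replacing `SAMPLE_MESSAGE` with the raw source (most mail clients offer “show original” or “view source”). In the sample, the middle hop from `relay.example.org` to `mx-in.example.net` is the one that travelled in the clear.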
Luckily there are some simple ways to get over this, and the most common is to add a simple tool to your computer that adds a layer of encryption to the email before it leaves your system, so that it cannot be decrypted until it reaches the intended recipient’s system. The most common and best known of these tools is PGP, and it is available from various suppliers. There are lots of articles on the web around this technology and how you could use it, so I won’t dally here as it’s not the main thrust of my blog.
Now here is the core of my personal evilness: I don’t use anything like PGP. It’s not a flagrant lack of concern for my contacts’ personal information; it’s just that these solutions need to be used by both the sending and receiving parties, and there are very few people who use it and publish the necessary information to allow me to use it. It’s also really complicated to set up for anyone but technical geniuses.
Having written the last sentence, I paused and thought. I realise that it’s a pain-in-the-backside to implement and use encryption like PGP, but was it my own laziness that was putting my contacts’ personal data at risk?
Possibly. And Gary’s suggestion to upload sensitive files to a secure server (we use Google Drive) and then direct people to a link there would dramatically reduce the risk of the content being seen by those it was not intended for. Given the nature of the contacts that we all have and the time we have invested in nurturing them, it would be a shame if we betrayed their privacy through some stupidity and laziness that could have been avoided.
But the solution is not simple from a user perspective. It’s a multistep process that has a large and very unwelcome impact on my drive for productivity. Let’s look at the steps that I need to follow:
1. Upload the contacts database from my laptop to Google Drive
2. Click on the share icon
3. Click on the advanced share icon
4. Click on the default share link and change it to ‘Selected people can access’
5. Add each of those people to the list of people who can access the document and make sure they have edit permission
6. Unclick ‘Notify People’
7. Copy the sharing web address (URL)
8. Click done
9. Paste the copied URL into the email
Repeat for every file you want to share. Ouch.
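Steps 3 to 9 are exactly the kind of thing a short script can do per file, which is why the automation tools exist. The code below is an added example, not something from the original post or from Google: it uses the Drive v3 API method names (`permissions.list`, `permissions.delete`, `permissions.create` with `sendNotificationEmail=False`, and `files.get` for `webViewLink`) to remove link-based access, grant each named person edit permission without a notification, and return the URL to paste into the email. The service object is passed in as a parameter, so the same function can be exercised offline with the constructed `FakeDrive` at the bottom; the file id and addresses are placeholders. The upload in step 1 is left to the real client and shown only as a comment.

```python
# Real client setup (not run here):
#   from googleapiclient.discovery import build
#   from googleapiclient.http import MediaFileUpload
#   service = build("drive", "v3", credentials=creds)
#   uploaded = service.files().create(body={"name": "contacts.xlsx"},
#                                     media_body=MediaFileUpload("contacts.xlsx"),
#                                     fields="id").execute()   # step 1

# Permission types that are not tied to a specific account. Removing them
# is the scripted form of step 4, "Selected people can access".
LINK_PERMISSION_TYPES = {"anyone", "domain"}


def lock_down_and_share(service, file_id, recipients):
    """Steps 3-8: drop link-based access, grant named editors, return the share URL.

    `service` is a Drive v3 service object (real or the FakeDrive below).
    """
    # Step 4: inspect current permissions and delete any open-link ones.
    listing = service.permissions().list(
        fileId=file_id, fields="permissions(id,type,role,emailAddress)"
    ).execute()
    removed = []
    for perm in listing.get("permissions", []):
        if perm["type"] in LINK_PERMISSION_TYPES:
            service.permissions().delete(fileId=file_id, permissionId=perm["id"]).execute()
            removed.append(perm["id"])

    # Steps 5 and 6: one editor permission per recipient, notification off.
    granted = []
    for address in recipients:
        body = {"type": "user", "role": "writer", "emailAddress": address}
        created = service.permissions().create(
            fileId=file_id, body=body, sendNotificationEmail=False, fields="id"
        ).execute()
        granted.append(created["id"])

    # Step 7: the link to paste into the email.
    meta = service.files().get(fileId=file_id, fields="webViewLink").execute()
    return {"removed": removed, "granted": granted, "link": meta["webViewLink"]}


class _Call:
    """Mimics the deferred request object the Google client returns."""
    def __init__(self, result):
        self._result = result

    def execute(self):
        return self._result


class FakeDrive:
    """Constructed in-memory stand-in for the Drive v3 service (offline use only).

    It answers both permissions() and files() itself, which is enough to
    exercise lock_down_and_share without network access.
    """
    def __init__(self, permissions, link):
        self.perms = list(permissions)
        self.link = link
        self._next_id = 100

    def permissions(self):
        return self

    def files(self):
        return self

    def list(self, fileId, fields=None):
        return _Call({"permissions": list(self.perms)})

    def delete(self, fileId, permissionId):
        self.perms = [p for p in self.perms if p["id"] != permissionId]
        return _Call(None)

    def create(self, fileId, body, sendNotificationEmail=True, fields=None):
        assert sendNotificationEmail is False, "step 6: 'Notify People' must be off"
        self._next_id += 1
        perm = dict(body, id=str(self._next_id))
        self.perms.append(perm)
        return _Call({"id": perm["id"]})

    def get(self, fileId, fields=None):
        return _Call({"webViewLink": self.link})


if __name__ == "__main__":
    drive = FakeDrive(
        [{"id": "anyoneWithLink", "type": "anyone", "role": "reader"},
         {"id": "7", "type": "user", "role": "owner", "emailAddress": "me@example.com"}],
        "https://drive.google.com/file/d/FILE_ID_PLACEHOLDER/view",
    )
    result = lock_down_and_share(drive, "FILE_ID_PLACEHOLDER",
                                 ["alice@example.com", "bob@example.org"])
    print("Removed open-link permissions:", result["removed"])
    print("Granted editor permissions:", result["granted"])
    print("Paste this into the email:", result["link"])
```

Step 9 is then just pasting `result["link"]` into the email. Removing the `anyone` permission first matters: adding named people does nothing to protect the file if the “anyone with the link” setting is still in place, because the URL in the email would still open the file for whoever intercepts it.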
There are a number of third party applications that will help in automating this process and, in my opinion, may well be worth the $5 a month that they cost. The trouble is that there are so many to choose from and I can’t seem to find the right solution. But I owe it to my contacts to find that solution.
Does anyone have a suggestion of one that is better than the rest?