E-Mail Security: Who's Reading Your Mail?

How secure is your e-mail? If you're like most people, you probably think your communications aren't of interest to anyone else, much less worth the attention of an eavesdropper.

But consider for a moment how often you send financial data, research, and other sensitive business information

Regular e-mail travels in plain-text format across any number of third-party computer systems, which means that e-mail is exposed to anyone who cares to look at it. In addition, you could accidentally send a private e-mail to the wrong person, or someone could even forge your online identity and send a message with your name on it.

Secure e-mail can prevent these problems. Secure messages are encrypted on the sender's computer system, and they remain encoded until they arrive on the recipient's desktop. Secure e-mail uses authentication systems to prove who sent the message and to check the identity of the recipient. And ideally, a secure e-mail system should be no more difficult to use than regular, unencrypted e-mail.

Two e-mail encryption schemes, S/MIME (Secure Multipurpose Internet Mail Extension) and PGP (Pretty Good Privacy), have been available for years. Both systems can secure e-mail using unbreakable encryption systems. But they can also be somewhat confusing and difficult to use for nontechnical people, and many people won't use an e-mail security product that requires any additional time and effort.

Over the past two years, a new type of secure e-mail service has emerged. Companies such as HushMail.com, ZixMail, and Ensuredmail have products that combine strong encryption with easy-to-use services, allowing anyone to send and receive secure e-mail. The encryption process is hidden from users, making the services look just like regular e-mail accounts.

Here's how it works: A user composes a secure e-mail just like any other message; however, the content is scrambled using strong encryption and transferred over the Internet via a secure connection (similar to the connection you use when visiting an e-commerce site). Different services use different methods to alert someone that a secure e-mail is waiting for them. If a message is sent from one ZixMail member to another, for example, the recipient must enter their password to decode the message. If the recipient is not a ZixMail member, they receive a notice via regular e-mail with a URL linking to the secure ZixMail site, where they can register and view their message. HushMail.com, on the other hand, requires both parties to be members to exchange fully encrypted e-mail.

There are some differences between various secure e-mail services. ZixMail, for example, integrates with Microsoft Outlook and Lotus Notes, allowing users to view secure e-mail even when they're offline. HushMail.com offers a Web-based service similar to Yahoo! Mail or Hotmail; in order to view e-mail, users must be online and logged into the service via a secure connection. Some providers, including HushMail.com, offer both free basic service and premium subscription-based services, while ZixMail imposes a monthly service charge on all users.

Many privacy advocates make a simple argument in favor of secure e-mail: If you aren't willing to mail a postcard with information on it that everyone can see, why would you send it via plain-text e-mail? It's a good point, especially when so many people now use e-mail to communicate sensitive personal and business information. Considering how easy to use and effective secure e-mail can be, it could make good business sense to begin encrypting your company's e-mail.