The Internet Guys

By Jim Gerland and Mark Winer

Check out our bi-weekly Net perspective. Our goal is to make these columns useful for our readers, whether they be novice or pro, while still offering a fun-to-read column. Feel free to let us know what Internet resources you find useful in your personal, educational, or business life - it might just end up in one of our columns!


Internet Privacy and Security
March 15, 1997

When you log into your office PC or dial up to your local Internet Service Provider (ISP) from your comfortable chair at home, you probably give little thought to privacy and security. After all, your email accounts are all password protected, right? To log on to America Online (when you don't get a busy signal) or your ISP you have to have a unique username and password, right? So why should you worry about privacy and security?

Because email isn't actually all that private. We certainly don't want to scare you, but we do want to make you aware that potential abuses of this medium exist.

Email is a lot like a postcard. Messages are transported from machine to machine via the Internet just like the messages on the back of a postcard: open to be read by anyone who 'sees' the postcard. Email is not sent in a foreign (or encrypted) language. The messages are sent as plain text (ASCII), which can be easily read by any kind of computer system. And current email protocols don't provide a way to ensure privacy by default.

A little background: the Internet is a vast network of connected machines. This means that your email isn't being sent from your PC directly to your friend's PC in Topeka. There are many intermediary steps. It starts off on your local ISP's mail server. From there it goes to other (most likely many) computers on the Internet until it reaches your friend's mail server, where they can view it the next time they log in. Along the way, clever and curious system administrators or hackers can read your message. It's safe to assume that administrators and hackers on Bulletin Board Systems (BBS), college campus systems and commercial ISPs can read your email.

The best analogy we can give is to think of your email as a postcard that you drop in your corner mailbox. The next day your mail carrier picks it up and brings it to the nearest local post office. From there it is delivered to another post office, where another postal carrier delivers it to your friend's residence. With no offense to the US Postal Service, at any (or all) points along the way any of the postal carriers can read the back of your postcard. Or a dishonest person could 'steal' the mail along the way.
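The relay path described above leaves a trace in every message: each mail server that handles it stamps a `Received:` line at the top. The following is an added example, not part of the original column, that reads those stamps from a constructed sample message (all hostnames and addresses are made up) and lists every machine that held a readable copy.

```python
import email
import re

# Constructed sample message; every hostname and address below is made up.
RAW_MESSAGE = """\
Received: from mail.friend-isp.example (mail.friend-isp.example [192.0.2.30])
\tby mailbox.friend-isp.example with SMTP; Sat, 15 Mar 1997 10:02:11 -0600
Received: from relay.backbone.example (relay.backbone.example [192.0.2.20])
\tby mail.friend-isp.example with SMTP; Sat, 15 Mar 1997 10:02:05 -0600
Received: from mail.local-isp.example (mail.local-isp.example [192.0.2.10])
\tby relay.backbone.example with SMTP; Sat, 15 Mar 1997 11:01:58 -0500
From: you@local-isp.example
To: friend@friend-isp.example
Subject: Vacation plans

See you in Little Rock on the 4th.
"""

# "from <sender> ... by <receiver>" inside one Received header.
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)


def relay_hops(raw):
    """Return (handed_off_by, accepted_by) pairs in the order the mail travelled."""
    msg = email.message_from_string(raw)
    hops = []
    # Each server adds its Received line at the top, so the oldest hop is last.
    for header in reversed(msg.get_all("Received", [])):
        match = HOP_RE.search(header)
        if match:
            hops.append(match.groups())
    return hops


def machines_with_a_copy(raw):
    """Every distinct machine that held the message, in travel order."""
    seen = []
    for sender, receiver in relay_hops(raw):
        for host in (sender, receiver):
            if host not in seen:
                seen.append(host)
    return seen


def text_visible_to_each_machine(raw):
    """The body exactly as stored on each hop: nothing needs decoding."""
    return email.message_from_string(raw).get_payload().strip()


if __name__ == "__main__":
    for host in machines_with_a_copy(RAW_MESSAGE):
        print(f"{host} can read: {text_visible_to_each_machine(RAW_MESSAGE)!r}")
```

You can run the same functions on the full headers of a message in your own mailbox to see how many machines it passed through.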

You may be wondering, "Doesn't my password protect me from someone reading my mail?" No. Most network administrators have the ability to view any files on their systems, including email. However, most don't use or abuse this privilege. Remember that password you had to enter when you first got your work or home email account? That password is usually stored in a giant password file so you have access to your 'private' account when you log in.

OK, so maybe we are going a bit overboard with this. After all, who would want to read your email? No one really cares about the vacation plans you are making with your brother in Little Rock. But what about that email you send to your co-worker about your boss? How do you feel knowing that the guy down the hall who drinks too much soda and eats too much pizza and just coincidentally takes care of all the computers in your company may be reading it? Or worse, that your boss is reading it? What if he was keeping track of all the personal email that you send and receive?

Maybe you delete all your email right away. Then it's gone, right? No. Many Internet and network administrators "archive" (store) incoming and outgoing email for many months. Believe it or not, if someone sues you they can subpoena AND read previous email sent and received. You may not have the records, but your network administrator might. Moral of the story: don't say things in email that you don't want known to other people.

Again, this isn't to frighten you away from using email. We've brought this to your attention so that you are aware of what could happen when you send email -- we want to make sure you know who may have access to your email and ways to protect yourself.

First, use common sense. If you have a gripe against your boss or another co-worker, don't send email. Even if your boss doesn't read your message, it doesn't mean that the person you sent it to won't forward it to another staff member or everyone on the staff -- or print it out and post it on the message board along with the daily soup specials in the cafeteria.

Second, encrypt your email if you think it is necessary. We bet that most of your email conversations don't need to be 'totally' private. However, when you do need to maintain strict privacy, there is a technological way to keep 'snoops' away from your email. It's called PGP (Pretty Good Privacy) email.

PGP is a software program which is freely available for commercial and non-commercial use. In fact, a security measure such as PGP can make your email more secure than a physical mail envelope. PGP is an encryption program that you can use to encode each mail message that you send. It is important to note that the person you are sending to must also have the PGP software installed so they can decrypt it when it arrives. But you can be almost certain that this encrypted email message will remain private.

To learn more about PGP mail see the FAQ (Frequently Asked Questions) (world.std.com/~franl/pgp/) or download a copy from MIT's Web site (web.mit.edu/network/pgp.html). For commercial use, go to ViaCrypt's version of PGP (www.pgp.com). For more information about PGP check the Usenet newsgroups alt.security.pgp and alt.privacy.anon-ver.

Finally, most abuses of email occur because people are irresponsible with their passwords. This includes writing passwords down so they aren't forgotten. We hope you haven't written them under your keyboard. Worse yet is creating a password that is easy to guess. Hmmmm... who doesn't use their spouse's or child's name or birthday as a password? Another mishap is telling someone else your password. Sure, we all worry about what happens to that important data if we die in a fiery car crash. To be blunt, who cares? You're dead. That's a job for your system administrator. As we mentioned before, he most definitely has access to any of your email.

The issue of privacy will only become more prevalent as the Internet is used for commerce. We didn't even touch on the issue of corporate secrets and corporate espionage. That is why we should all be more aware of what and who we are dealing with on the Information Highway.

Finally, we want to continue to help you utilize the Internet in your life. Let us know what you're interested in and we'll check it out. You can email us, edge@edgeglobal.com, or fax us, (716) 853-1350, and let us know what's happening on the Internet in WNY or any computing-related activities you're involved with.