Security discover

The insecurity of private email services

The Indian government wants to ban the use of Gmail for official use, due in part to leaks about NSA snooping, but the general insecurity of private email services makes this a sound policy.

According to a report in The Times of India, the Indian government is poised to issue a ban on the use of email services based in the United States, such as Gmail, for official government business. Instead, government employees are expected to use official resources provided by the National Informatics Centre.

This move appears to be largely a reaction to the documents disclosed by Edward Snowden, a former employee of the government contracting firm Booz Allen Hamilton, detailing the archival of data on the Internet such as emails and instant messages through the cooperation of companies such as Google, Microsoft, and Facebook.

Independent of the rationale behind this policy change, the policy change is a good decision—official government business shouldn’t be taking place on private email services; namely, because private email services aren’t particularly secure to begin with.

Reason #1: The Sarah Palin email hacking incident

On September 16, 2008, a college student hacked the Yahoo! account of (then) Alaska Governor Sarah Palin, who had been named as the running mate to John McCain in the 2008 Presidential Election. The hacker, later identified as David Kernell, posted the contents of the email account on the den of subversive activity known as “4chan”.

The hack, as it was detailed, was incredibly simple. With the rise of the Internet, politicians are little more than celebrities without apparent artistic, musical, or acting talent (although, Karl Rove makes a surprisingly adept rapper). The fact remains that personal information about politicians, such as their birthday, postal code, and where they went to high school are all a matter of public information. As it happens, the bits of information required for Kernell to gain access to Palin’s Yahoo! account were her date of birth, her postal code, and the place where she met her husband—as you might guess, it was indeed her high school.

This exploit would not have been possible if Palin had used the state-provided email service for the tasks which were being delegated to this account, as the password for such a state account would presumably require a call to someone in IT.

Though the biggest disclosure made in that hack was the existence of some clerical and scheduling information of official business, the fact remains that the account was hacked with extreme ease. In addition, the account hacked was one of six different accounts used by Sarah Palin during the span of her 966 days in office, according to the Sunlight Foundation. What has been recovered from those accounts through the hack by Kernell, as well as emails released as a matter of public record of state business, are viewable here.

Reason #2: You get what you pay for, or, caveat emptor

Over the last year, Microsoft has been attacking Google for its use of automated scanning of emails in order to deliver relevant advertisement, a practice that had been in place since the launch of Gmail in April 2004. The argument isn’t completely without merit—this has been an issue with civil liberties groups from day one. However, Microsoft’s complaint in this PR blitz rings hollow: the privacy policy of Outlook.com (and, for good measure, Yahoo) allow users’ personal information to be collected and used for advertising purposes.

Microsoft’s track record on data security has been rather spotty as well. Outlook.com, previously Hotmail, has been subject to a number of bafflingly incompetent high-profile security flaws, among them an incident in 1999 that permitted anybody to log in to any Hotmail account using the password “eh”. In 2001, a similar exploit allowed users to retrieve emails from any other Hotmail account by modifying the URL to include the target’s username and a message number. After disclosure, it took Microsoft three weeks to patch the issue. More recently, the migration this year from Hotmail to Outlook.com resulted in widespread outages, preventing users from accessing their email.

Yahoo’s track record on data security is somewhat more competent, though some oversights have been made. In November 2012, a cross-site scripting exploit allowed hackers to gain access to user accounts and redirect users outside of Yahoo. A similar exploit was again identified in January 2013.

Searching for a proportional and appropriate response

Although there’s likely little disadvantage to the switch being undertaken by the Indian government, it does very little to improve security against people with hacking abilities beyond your average 4chan user. Actual security measures, such as encrypting emails, would be far more effective at preventing emails from being read by persons other than the intended recipient.

In a perfect world, a better protocol than what we have presently (SMTP) could be created, which would have actual and effective security in identity and privacy. Until such time, many people are still trying to move a shipping container worth of information on the technical equivalent of a hastily assembled barge.


About

James A. Sanders is an experienced Java programmer specializing in SaaS design and virtualizing legacy programs for use on modern hardware. James is currently an Education major at Wichita State University in Wichita, Kansas.

16 comments
Brian Godfrey
Brian Godfrey

Handy article, but weird analogy at the end there about the barge.  Most barges can haul lots of shipping containers at a time.  :-)

 How about "moving their slop in a paper bucket"?  Kinda gets at the inevitable disaster that awaits if they keep doing it...

monsuco
monsuco

I'm not entirely sure we should blame Mrs. Palin's e-mail hacking on Yahoo!. She used an insecure password, one that could be figured out using publicly available information about her life.

This was just strategic guessing more than true "hacking". The attacker didn't exploit vulnerabilities in the software, he exploited vulnerabilities in the user.

Myrna Taylor
Myrna Taylor

I think you shouldn't send out anything in writing that you may wish you could take back later. You can't!

Saud Hassan Kazia
Saud Hassan Kazia

I wouldn't deal with any company that is cheap enough not to own a paid domain and email service

mslizny
mslizny

Free services on the Internet must be making their money with something - why should we be surprised that they are selling our information?  Does anything in their terms of agreement suggest that they will not?

I pay for Internet services I want to have control over - web hosting and some email accounts, for example.  I use a free blogging site, can I complain that they have advertising next to my words?  Yahoo and AOL place ads next to my messages, and why not?  I have not paid anything for their services myself.


Michael Kassner
Michael Kassner

I do not recall hearing the term private email services before, what are you referring to exactly?  

And, you may want to rethink your statements about SMTP. It's been known for a long time and verified by the Guardian that Microsoft and other SMTP providers have been working with the NSA: 

"Microsoft has collaborated closely with US intelligence services to allow users' communications to be intercepted, including helping the National Security Agency to circumvent the company's own encryption, according to top-secret documents obtained by the Guardian."


JamesAltonSanders
JamesAltonSanders

@Michael Kassner"Private" here refers to services provided by private corporations, as in this example, Google and Microsoft, in contrast to "Public" referring to Government-owned.

I'm utterly confused by your criticism of my statements on SMTP, as I'm criticizing SMTP for being outdated and insecure.

wizard57m-cnet
wizard57m-cnet moderator

James,

You possibly could have used a better terminology to describe India's government email recommendations.  The use of "private email services" is throwing readers off in your article.  In many IT peoples' minds, private email is owned, setup and administered internally to the entity.  So this equates to the government recommending NOT to use government owned email services.  A more appropriate term would have been "publicly accessible email services".  One of the quirks of the English language is a term in common use in one area can have entirely different meaning in a different setting.  Not everyone can pick up on the subtle differences, where in your usage "private" means "owned by private businesses", not by the government, our "public servants".

JamesAltonSanders
JamesAltonSanders

@Michael Kassner @JamesAltonSanders The distinction I'm making is common parlance to business reporting, I'm not doing anything particularly new here. This is about Government employees using their workplace-provided email as intended.