Security

The insecurity of private email services

The Indian government wants to ban the use of Gmail for official use, due in part to leaks about NSA snooping, but the general insecurity of private email services makes this a sound policy.

According to a report in The Times of India, the Indian government is poised to issue a ban on the use of email services based in the United States, such as Gmail, for official government business. Instead, government employees are expected to use official resources provided by the National Informatics Centre.

This move appears to be largely a reaction to the documents disclosed by Edward Snowden, a former employee of the government contracting firm Booz Allen Hamilton, detailing the archival of data on the Internet such as emails and instant messages through the cooperation of companies such as Google, Microsoft, and Facebook.

Independent of the rationale behind this policy change, the policy change is a good decision—official government business shouldn't be taking place on private email services; namely, because private email services aren't particularly secure to begin with.

Reason #1: The Sarah Palin email hacking incident

On September 16, 2008, a college student hacked the Yahoo! account of (then) Alaska Governor Sarah Palin, who had been named as the running mate to John McCain in the 2008 Presidential Election. The hacker, later identified as David Kernell, posted the contents of the email account on the den of subversive activity known as "4chan".

The hack, as it was detailed, was incredibly simple. With the rise of the Internet, politicians are little more than celebrities without apparent artistic, musical, or acting talent (although, Karl Rove makes a surprisingly adept rapper). The fact remains that personal information about politicians, such as their birthday, postal code, and where they went to high school are all a matter of public information. As it happens, the bits of information required for Kernell to gain access to Palin's Yahoo! account were her date of birth, her postal code, and the place where she met her husband—as you might guess, it was indeed her high school.

This exploit would not have been possible if Palin had used the state-provided email service for the tasks which were being delegated to this account, as the password for such a state account would presumably require a call to someone in IT.

Though the biggest disclosure made in that hack was the existence of some clerical and scheduling information of official business, the fact remains that the account was hacked with extreme ease. In addition, the account hacked was one of six different accounts used by Sarah Palin during the span of her 966 days in office, according to the Sunlight Foundation. What has been recovered from those accounts through the hack by Kernell, as well as emails released as a matter of public record of state business, are viewable here.

Reason #2: You get what you pay for, or, caveat emptor

Over the last year, Microsoft has been attacking Google for its use of automated scanning of emails in order to deliver relevant advertisement, a practice that had been in place since the launch of Gmail in April 2004. The argument isn't completely without merit—this has been an issue with civil liberties groups from day one. However, Microsoft's complaint in this PR blitz rings hollow: the privacy policy of Outlook.com (and, for good measure, Yahoo) allow users' personal information to be collected and used for advertising purposes.

Microsoft's track record on data security has been rather spotty as well. Outlook.com, previously Hotmail, has been subject to a number of bafflingly incompetent high-profile security flaws, among them an incident in 1999 that permitted anybody to log in to any Hotmail account using the password "eh". In 2001, a similar exploit allowed users to retrieve emails from any other Hotmail account by modifying the URL to include the target's username and a message number. After disclosure, it took Microsoft three weeks to patch the issue. More recently, the migration this year from Hotmail to Outlook.com resulted in widespread outages, preventing users from accessing their email.

Yahoo's track record on data security is somewhat more competent, though some oversights have been made. In November 2012, a cross-site scripting exploit allowed hackers to gain access to user accounts and redirect users outside of Yahoo. A similar exploit was again identified in January 2013.

Searching for a proportional and appropriate response

Although there's likely little disadvantage to the switch being undertaken by the Indian government, it does very little to improve security against people with hacking abilities beyond your average 4chan user. Actual security measures, such as encrypting emails, would be far more effective at preventing emails from being read by persons other than the intended recipient.

In a perfect world, a better protocol than what we have presently (SMTP) could be created, which would have actual and effective security in identity and privacy. Until such time, many people are still trying to move a shipping container worth of information on the technical equivalent of a hastily assembled barge.


About

James Sanders is a Java programmer specializing in software as a service and thin client design, and virtualizing legacy programs for modern hardware. James is currently a student at Wichita State University in Kansas.

Editor's Picks