This blog post reflects only my opinion about encryption and the protection of sensitive personal information. It is not reflective of anyone else’s views and is only how I interpret the state of the industry. And it may be wrong. Read on at your own discretion.
The other day, I was talking to a financial institution and they sent me an email, but it was one of those “secure” emails. If you haven’t seen them before, they send you an email to your regular email account. You then have to click the link, login to the site and possibly create a new username/password, and then the service exchanges messages with you that way.
So here’s the flow, it starts with me getting the following message in my inbox:
I click the link, sign up for a new account, reply in that portal, etc. When the bank replies, I get an email notification saying that I got a reply and then I have to login again. Every communication goes down this route.
This is quite common in the industry. Email is not considered secure, so banks and health care industry do not exchange sensitive data with you over normal channels. Instead, you have to use a secure messaging app which forces you, as a user, to go offsite and create a new account. This is common in the email security industry, and I think it has been pointed out as a drawback to the overall user experience. I know that the above was inconvenient for me. Some applications will send you an encrypted blob attachment but you still need to sign into a portal to read it.
If I send my bank an email, they don’t email me back directly with a response. Instead, they send me an email saying “Please login to the website and check your feedback there.” That’s where they already send all my statements and tax forms. When I login to my bank and check the private messaging portal, frequently they don’t say anything there either. Instead, they send me a letter in the postal mail.
I can understand why banks and health care companies don’t send email. It can be an insecure platform; banks and health care are highly regulated and they don’t want anyone snooping on anything in transit.
So I was wondering if it would be possible to instead rely upon TLS as the solution? TLS encrypts something in transit and it is easy to figure out if a message was received over TLS. Here’s a Twitter notification sent to me, Gmail lets me know with a red lock in the rendering pane that it wasn’t sent over an encrypted connection.
Okay, so that’s on the receiving side. What about the sending side? Gmail tells me that too, they keep track of who can receive email over TLS and bubble up that information at compose time:
So, in theory, we can see it’s possible to detect if a recipient can receive over email (at least Google can do it). But it’s not just Google, either. The IETF recently published a draft called SMTP Strict Transport Security which proposes a standard to indicate whether or not the domain can receive email over TLS and whether or not it can be enforced. Thus, in theory, that could be used for a sender to decide how to send a message to a user. If the user can receive over TLS (by checking the necessary records in DNS), then send over regular email. If they can’t (or we don’t know if they can), then send using secure email apps or postal mail. This way, at least some of the user base will have the best experience.
So would that work?
No.
Why not?
Remember that banks and health care companies are highly regulated to protect highly sensitive data. When a bank or health care company sends you a message using a secure messaging application, the platform they are using (i.e., the corporation providing the messaging service) has entered into an agreement with the bank or health care company to similarly protect that data. Thus, the secure messaging app has said “I understand that you are highly regulated and I agree to also protect this data, meeting certain requirements.” The company owning the app says that, or the bank builds their own web platform and control it all themselves.
Services like outlook.com, Office 365, and Gmail have not entered into that same agreement with the health care companies. Yes, they can send and receive data securely, but they have not agreed to the same restrictions around protecting that particular user’s data while the data is at rest. You may argue that these services do a good job of encrypting data at rest (maybe) but the fact remains that email providers are not under the same constraints. So while a user may want to view data using their regular email account, the bank doesn’t have an agreement with Microsoft or Google or whoever to let them manage that data indefinitely.
So much for that.
So while I would like a better user experience, it doesn’t look like it will happen if we just rely upon TLS.