According to a recent study, more than 269 billion emails are sent every single day with over 2.6 billion people using email, creating 5.3 billion email accounts – so email ranks among the most widely used, yet most vulnerable formats for electronic communications.
Users demand privacy online and information security surrounding email communications is critical for most professions, yet email technology is still stuck in the 1970s and 1980s. SMTP (Simple Mail Transfer Protocol), which handles the sending of mail from client to mail server and between mail servers, was originally designed for use in the Advanced Research Projects Agency Network (ARPANET) by and between users who either had security clearance or otherwise worked for the government, so additional layers of security for the nascent messaging technology were an afterthought and deemed largely unnecessary. Fast forward 40 years and we read daily of the inherent insecurity of email communications.
Between 2015 and 2017, there were 6,789 data breaches globally that amounted to 886.5 million compromised records. In 2016, Yahoo disclosed one of the biggest data breaches in history with three billion user accounts affected.
Perhaps the most high-profile example of an email security breach came in March 2016, when former White House Chief of Staff to President Bill Clinton and Hillary Clinton’s U.S. Presidential Campaign Chairman John Podesta received an email from a user falsely posing as Google (with a Google-related address), notifying Podesta that his password had been compromised by someone in Ukraine and providing a link to change the address.
Podesta forwarded the email to his IT team, who erroneously confirmed the authenticity of the email and provided separate instructions to change his email to include two-factor authentication. Unfortunately, Podesta used the original “phishing” link, which hackers subsequently used to steal his login and password information and access his email records.
The result was a devastating breach and disclosure of 50,000 emails, many of which were private and confidential and may have contributed to Clinton’s decline in the polls, which coincided with the disclosures by WikiLeaks of emails related to the hack.
Legal, financial, and insurance companies rely on internal privacy control features to maintain corporate/client confidentiality (regulatory compliance, GDPR, MiFID II); health care companies must ensure HIPAA compliance with a full audit trail; government agencies require military-grade encryption and a secure, permission-based architecture. To each market, there is a specific need for improved electronic communications security.
Because there is generally no encryption, no authentication and no data integrity built into the email programming we use every day, email is weak and at risk. Once an email is sent, users lose control over that message. Confidential messages, attachments and files can be easily copied and forwarded without the knowledge of the original sender. How can a user prevent tampering and ensure the integrity of the original message?
There is a pressing need to send confidential information online in a simple yet familiar way that provides the sender complete control over a secure, blockchain-audited record of interactions.
A blockchain is a continuously growing list of records, called “blocks,” which are linked and secured using cryptography. By design, blockchains are resistant to modification of data. A blockchain can serve as an open, publicly-distributed ledger that records transactions between multiple parties efficiently and in a verifiable and permanent way.
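The linking property described above can be shown with a minimal hash chain over the interaction record of one message. This is an added Python example, not code from Envilope or any product; it is a single-party chain that illustrates tamper evidence only, not a distributed ledger, and the function names and sample events are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first block

def block_hash(prev_hash, record):
    """Hash a record together with the hash of the block before it."""
    payload = json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def append_block(chain, record):
    """Append a record, linking it to the current tip of the chain."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev_hash, "record": record,
                  "hash": block_hash(prev_hash, record)})
    return chain

def first_invalid_block(chain):
    """Return the index of the first block that fails verification, or None."""
    prev_hash = GENESIS
    for index, block in enumerate(chain):
        expected = block_hash(prev_hash, block["record"])
        if block["prev"] != prev_hash or block["hash"] != expected:
            return index
        prev_hash = block["hash"]
    return None

def build_sample_log():
    """Constructed interaction log for one message (sample data)."""
    chain = []
    digest = hashlib.sha256(b"constructed message body").hexdigest()
    for event in ("sent", "delivered", "opened"):
        append_block(chain, {"event": event, "message_sha256": digest})
    return chain
```

Editing a record breaks that block's hash, and recomputing the hash to hide the edit breaks the link from the next block, so a change can only be concealed by rewriting every later block.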
We are seeing new blockchain-based technologies from innovative companies, such as Envilope, that are changing how people send, store and receive email. Envilope’s system offers HIPAA-compliant forced TLS email delivery, object-level two-factor authentication (2FA), sharded and encrypted GDPR-compliant storage, decentralized peer-to-peer communications, a file distribution mechanism that encrypts files offline with asymmetric encryption, IP address lockdown, unusual activity monitoring, hardware authentication, and more. “Envilope is a UK Government-Approved, fully working virtual envelope with military-grade encryption in which you can lock an email, digital media, secure message, or any other form of content that can be sent electronically,” says Mark Allardyce, Founder and Group Chairman of Envilope.
Transport Layer Security (TLS) addresses the problem of insecure plain-text email transmission by encrypting messages while they are “in transit” from one secure email server to another. TLS helps prevent eavesdropping on email as it is carried between email servers that have enabled TLS protections for email. TLS is required between all the servers that handle the message, including hops between internal and external servers.
Emerging technology makes it possible to only deliver messages to email servers that have this highest level of email security enabled. Since not all email servers are configured or able to accept TLS connections, this feature is called Forced TLS.
When a message is sent using the Forced TLS connection, if the TLS handshake cannot be established, or if the target server is not configured to accept only Forced TLS connections, it is now possible to prevent delivery of the message and notify the sender that intervention is required regarding the recipient’s email server. This is one of several ways to better protect electronic communications.
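One way a sending client can enforce the Forced TLS behaviour described above: refuse delivery, and report why, whenever the recipient server does not offer STARTTLS or the handshake fails. This is an added Python example, not Envilope's or any vendor's code; `send_forced_tls`, `ForcedTLSError`, the `smtp_factory` hook and `StubServer` are hypothetical names, and the stub is a constructed stand-in for a recipient server so the policy runs offline.

```python
import smtplib
import ssl

class ForcedTLSError(Exception):
    """Message was held back because TLS could not be enforced."""

def send_forced_tls(host, sender, recipient, message, port=25,
                    smtp_factory=smtplib.SMTP):
    """Deliver only over a verified TLS session; otherwise refuse to send.

    smtp_factory is a hypothetical hook so the policy can run against a stub.
    """
    context = ssl.create_default_context()  # checks certificate and hostname
    context.minimum_version = ssl.TLSVersion.TLSv1_2
    conn = smtp_factory(host, port, timeout=30)
    try:
        conn.ehlo()
        if not conn.has_extn("starttls"):
            raise ForcedTLSError(f"{host} does not offer STARTTLS; message held")
        try:
            conn.starttls(context=context)
        except (ssl.SSLError, smtplib.SMTPException) as exc:
            raise ForcedTLSError(f"TLS handshake with {host} failed: {exc}") from exc
        conn.ehlo()  # re-identify over the encrypted channel
        conn.sendmail(sender, [recipient], message)
        return "delivered"
    finally:
        try:
            conn.quit()
        except (smtplib.SMTPException, OSError):
            pass  # the connection is already gone; nothing left to clean up

class StubServer:
    """Constructed stand-in for a recipient mail server (no network traffic)."""
    def __init__(self, offers_tls, handshake_ok=True):
        self.offers_tls, self.handshake_ok, self.sent = offers_tls, handshake_ok, []
    def __call__(self, host, port, timeout=None):
        return self
    def ehlo(self):
        return (250, b"ok")
    def has_extn(self, name):
        return self.offers_tls and name == "starttls"
    def starttls(self, context=None):
        if not self.handshake_ok:
            raise ssl.SSLError("certificate verify failed")
    def sendmail(self, sender, recipients, message):
        self.sent.append((sender, recipients, message))
    def quit(self):
        pass
```

The difference from opportunistic TLS is the failure path: the message is never sent in plain text, and the raised error carries the reason the sender needs in order to follow up about the recipient's server.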
The world’s attention is increasingly focused on data privacy. The European Union’s General Data Protection Regulation (GDPR) went into effect on May 25, 2018, setting out detailed requirements for companies and organizations on collecting, storing and managing personal data and establishing significant fines for non-compliance. The main purpose of the new regulation is to protect citizens of the European Union from privacy violations that may occur during a data breach.
As companies look to shore up their privacy policies, procedures and information security practices, and as individuals, still shaken by the data privacy scandals that beset Yahoo and Facebook, look to companies to better protect their personal data and confidential communications, we should continue to see new innovations toward greater information security and privacy. Blockchain technology may hold the answer.