As I have discussed here before, anything you send in open (i.e. unencrypted) e-mail is effectively public domain the instant you hit the send button. This can be bad for a variety of reasons. For example, let’s suppose you have several subcontractors working for you and they are under NDA (non-disclosure agreement) with your firm. If you send a proprietary report or spreadsheet through open e-mail it could easily be argued that said report or spreadsheet is no longer proprietary and covered under your NDA simply because you sent it in unsecured e-mail. Similarly, if your subcontractors are sending your proprietary information via open e-mail, they may be in violation of an NDA for “using less than a reasonable standard of care” with your data.
I know many of you have your e-mail clients configured to automatically attach a confidentiality notice, otherwise known as a “lawyer blurb”, such as this:
Confidentiality Notice: This e-mail message and any included attachments contain information intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient or the employee or agent responsible for delivering it to the intended recipient, any dissemination, publication or copying of this e-mail is strictly prohibited. The sender does not accept any responsibility for any loss, disruption or damage to your data or computer system that may occur while using data contained in, or transmitted with, this e-mail. If you have received this e-mail in error, please immediately notify us by return e-mail. Thank you.
at the bottom of every e-mail you send. While I am definitely not qualified to dispense legal advice, I can tell you that attaching the “blurb” to every e-mail will NOT stop someone in China or other parts of the world, outside the reach of the US legal system, from stealing your ideas and information! Moreover, it will likely have little or no impact on those in the US either, unless you actually catch them and file suit against them.
Bottom line: If you are sending things in e-mail that really need to have a “lawyer blurb”, you had better use encryption too!
There are now two widely used systems for e-mail encryption. The first is known as PGP, the second S/MIME. Some people will argue about the advantages and disadvantages of each method, but in my opinion both systems can be used to adequately protect your data from prying eyes. The biggest disadvantage of both systems is that they are incompatible with each other! That means if you are serious about using encryption, and you work with a variety of people across different companies, you will likely need to install both systems. Personally, I didn’t find this very difficult, but it has been my experience that setting up PGP or S/MIME can be a real stumbling block for many people and organizations. In fact, I would say that as a general rule it is very difficult to get people to use encrypted e-mail even if you are trying to help them protect their data!
As an example, I recently suggested to a potential client that they should use S/MIME because of terms in an NDA that we had signed. After several weeks of having their “corporate IT person” e-mail me questions and test e-mails, they were unable to get S/MIME to work properly. In frustration, I finally suggested to the engineer I was working with that we share proprietary files using Dropbox instead of using e-mail attachments. We limited e-mail to non-proprietary and simple “see the new file in Dropbox” messages. That worked out fine, but it left me convinced that e-mail encryption is harder for the average person and small business owner than I had initially thought.
The New Alternative
Late last year, a friend sent me a tip to look into a service known as Voltage Secure E-mail. The company offers an interesting twist on e-mail encryption that seems to get rid of some of the headaches and frustration of configuring encrypted e-mail using the traditional methods. I will outline how it all works below, but you can skip this and just try a demo by clicking here: Voltage SecureMail Cloud Free Trial.
The first thing that was obviously different about Voltage was that my friend was able to send me an encrypted e-mail without first exchanging a set of keys or certificates. This is an essential step with S/MIME and PGP and often the thing that causes the most confusion and problems.
The message that I had in my Thunderbird Inbox looked like this:
I clicked on the button “Read Message” and I was then directed to the Voltage web site and this message:
I went back to Thunderbird and forwarded the message per the instructions. Within a minute I received an e-mail with an SSL (https://) link shown here:
Clicking the link brought me to a page that looked like this:
I used the KeePass password manager to generate a good password and created the account. I was then presented with this screen:
Sure enough, within about a minute I had an e-mail in my Thunderbird Inbox like this:
Clicking the link enabled me to read the decrypted message in Firefox as shown here:
As you can see above, it was then easy to correspond with my friend using encrypted e-mail without going through the complicated process of buying, installing, generating and sharing S/MIME or PGP keys.
It strikes me that Voltage SecureMail offers a number of advantages over S/MIME and PGP. If I had to send a lot of encrypted e-mails to a lot of different people on different systems, Voltage SecureMail is definitely the system to use. You immediately sidestep the long process of negotiating with each recipient about PGP versus S/MIME, and getting keys exchanged and installed properly. You eliminate worries about what e-mail client they use, since Voltage can run on any e-mail system – even Gmail, for which S/MIME and PGP aren’t really options. If your friends or clients use Outlook, Voltage provides a downloadable plug-in that makes the process of using their system on that platform even easier and more seamless. (Note: I use Linux so I have NOT tested the plug-in. I would appreciate feedback here if any of you have tried it.)
Based on what I have seen so far, I would describe the sweet spots for the various secure e-mail strategies as follows:
- PGP – Best security for a small group, but more difficult to set up and use. Lowest cost.
- S/MIME – Not quite as secure as PGP, but easier to install and use. Better for medium to large groups. Medium cost.
- Voltage SecureMail – Outstanding option for large and diverse groups. Easiest to configure and use. Highest cost.
Voltage SecureMail is offered on a subscription basis for $65 per year. Even though you can generate your own PGP keys for free or buy an S/MIME cert from Verisign for $19 per year, I think it’s still a good value because it gives you a hassle-free way to communicate with anyone using secured e-mail. You won’t have to pester your clients or friends to adopt and use one of the other systems, and you won’t waste your time trying to talk them through all the setup and configuration issues.
Ultimately, I don’t think Voltage will replace either PGP or S/MIME for my existing clients or even new ones where I’m doing a lot of encrypted e-mail. On the other hand, I think it’s a great option when I need to quickly send someone that I don’t normally communicate with a secure e-mail. It may even prove to be the right alternative for those clients who are otherwise resistant to adopting and using S/MIME or PGP.
Again, give it a try. Let me hear your feedback!