You’ve Got Mail—And So Do We

“I don’t believe in email.

I’m an old-fashioned girl.

I prefer calling and hanging up.”

—Sarah Jessica Parker

It is staggering to think just how pervasive email is in our lives. In 2012, there were 2.2 billion email users worldwide and email traffic of 144 billion per day worldwide; 68.8% of it was spam, and of that, 51% was pharmaceutical spam. There were 425 million active Gmail accounts worldwide, making it the leading email service (Cook, 2013).

Not only is email everywhere, but it’s been around, in some form, for quite some time. Email was apparently born in 1965. The Massachusetts Institute of Technology created the Compatible Time-Sharing System (CTSS) in 1961, and in 1965, hundreds of users were using the system remotely and sharing data (Van Vleck, 2001).

Samuel Morse


However, one could really consider the first email to have been sent on May 24, 1844 by Samuel F.B. Morse, whose message “What hath God wrought?” was emailed from the Supreme Court in Washington, DC to Alfred Vail at the B&O Railroad in Baltimore. There does not seem to be a reply, so Morse’s email probably ended up in Vail’s spam folder (Norman, 2015).

You’ve Got Mail.

A pivotal year for email was 1989. In that year, the phrase “Welcome! You’ve Got Mail!” entered our lexicon. It was so ubiquitous that just saying those words would be synonymous with its creator, America Online (AOL). Nine years later, the phrase became a movie starring Tom Hanks and Meg Ryan (Lew, 2010).

The death of email has been ballyhooed almost as much as the death of publishing. However, email is just as popular as ever, even after discounting spam. There are three times as many email accounts as Twitter or Facebook accounts (although it is likely that people have several email accounts they don’t remember having or use several different ones depending on work, family, social requirements [it would be fair to say that the vast majority of people only have one Twitter or Facebook account if they have any]). Not only is email still popular, it gains in popularity. From 2011 to 2012, email volume rose 5.4% and 79% of people use their smartphones to check email compared to only 43% who use it to make phone calls (Eastman, 2013).

Along with the popularity and usefulness of email comes a dark side. As easy as it is to transmit birthday wishes to Grandpa in Sarasota and cookie recipes to Aunt Gwen in Fredericksburg, it is just as easy to send threats from estranged spouses, solicitations from deposed Ugandan Cabinet officials, war and terrorist plots, embarrassing or incriminating information, or plain old computer viruses. And this sort of thing has been around since Mr. Morse first spammed the B&O Railroad in 1844.

Confederate Email.

During the Civil War, the telegraph became a crucial tool of communication. It relayed battle plans and results back and forth from President Lincoln to his General of the Day and the Confederates were big fans, too. In December 1863, transmissions from Richmond were intercepted by Union telegraph forensicators and led to the capture of Confederate spies in New York and the confiscation of contraband and ammunition. This is an early example of network forensics, much like capturing packets today (Greeley, n.d.).

The problem with all this free-flowing information is that it can be intercepted, whether you’re a Confederate spy or not, or misdirected and the information contained within can be used against the sender or recipient. So, security is paramount for users but it must also be attainable by law enforcement in the event that email becomes evidence.

Authenticating emails is one problem. It’s not enough to say, “hey, I got an email from Mr. Green threatening me” when Mr. Green says “I didn’t write that.” In the 2012 Maryland case of Donati v. State, Mr. Donati threatened a bar and also sent harassing emails to the Montgomery County Police. He used different accounts, the same tone and followed up with phone calls, but denied writing the emails. The authorities were able to authenticate the emails circumstantially by verifying his IP address and finding paper in his house with the accounts written on it, plus the police responded to the emails. Mr. Donati was found to have been the author (Miller, 2014).

Of course, criminals don’t want to get caught, innocents don’t want their emails intercepted or used against them, and people want to be sure that the emails they send and receive are legitimate. Security measures have been in place for years but “email was not designed with any privacy or security in mind,” says Geoff Duncan, writing for Digital Trends. Encrypting email poses many challenges, one of which is that the message, and maybe the attachments, are encrypted but the metadata is not, so it could be read and used to produce a trail of evidence (Duncan, 2013).
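The point about unencrypted metadata, shown as an added example that is not part of the original report: a constructed PGP/MIME message is parsed with Python's standard `email` module to list what an examiner can still read when the body is encrypted. The addresses, host names and IP addresses are made-up documentation values, and the armored body is a placeholder rather than real ciphertext.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample (assumption): a PGP/MIME message per RFC 3156.
# The armored block is a placeholder, not real ciphertext.
RAW = """\
Received: from mail.example.net (mail.example.net [198.51.100.7])
\tby mx.example.org with ESMTPS; Thu, 26 Mar 2015 10:15:02 -0400
Received: from laptop.local (unknown [203.0.113.25])
\tby mail.example.net with ESMTPSA; Thu, 26 Mar 2015 10:15:00 -0400
From: Alice <alice@example.net>
To: Bob <bob@example.org>
Subject: Quarterly numbers
Date: Thu, 26 Mar 2015 10:14:58 -0400
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

PLACEHOLDERciphertextPLACEHOLDER
-----END PGP MESSAGE-----
--b1--
"""
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def body_is_encrypted(msg):
    # PGP/MIME: the second MIME part carries the ASCII-armored ciphertext.
    if msg.get_content_type() != "multipart/encrypted":
        return False
    return "BEGIN PGP MESSAGE" in msg.get_payload()[-1].get_payload()

def visible_metadata(raw):
    msg = message_from_string(raw)
    ips = [ip for r in msg.get_all("Received", []) for ip in IP_RE.findall(r)]
    return {
        "from": parseaddr(msg["From"])[1], "to": parseaddr(msg["To"])[1],
        "subject": msg["Subject"],
        "sent": parsedate_to_datetime(msg["Date"]).isoformat(),
        "relay_ips": ips[::-1],  # each relay prepends its header: reverse for oldest first
        "body_encrypted": body_is_encrypted(msg),
    }
```

Sender, recipient, subject, timestamp and relay path all come back in clear text even though the body is opaque.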

Plug it in, plug it in.

Germany’s De-Mail purports to offer end-to-end encryption for its users. The purpose of De-Mail was to complement regular postal mail for legal documents. De-Mail has struggled to attract an audience, securing only 1 million users since its inception in 2012, which is far below the expected totals. Using OpenPGP, De-Mail offers its users secure transmission of email from sender to recipient. However, the user needs to install a plugin to make it operational, and that plugin is only available for Firefox and Chrome, which excludes 60% of Germans who use other browsers, not to mention mobile apps and desktop mail clients (Balaganski, 2015).

It doesn’t look like Germany’s De-Mail encryption push will have much effect. The lack of mobile support in an increasingly mobile-only world, support for only 40% of browser use, and the assumption that people will even install the plugin if they are able leave the vast majority of people unencrypted (Craig, 2015).

Although email remains popular, and will be used for transmitting messages for quite some time, there are many other options depending on what it is you are transmitting. Several years ago, it was common to send all messages and small attachments via email. Just about everyone used it and understood it and didn’t worry about it. But, to send large files, email might not be the best option. Services such as TransferBigFiles, HighTail and WeTransfer are better options to send files that are several gigabytes in size, instead of attaching them to an email. Further, sending a text message is much easier than emailing someone with a short message. One benefit of emailing is that it creates a simple archive. It is easy to search through old emails when looking for something or to re-download an attachment that was lost. But, if the information is encrypted, searching might not be as easy (“Searching Encrypted Emails,” 2010).

Hello, I’m from the Government and I Want to Read Your Email.

I do not believe that De-Mail’s new encryption scheme will have much effect on network forensics. Unless it could be implemented for all users across all platforms, be easy to install and be guaranteed to be installed, it won’t matter all that much. Of course, ensuring 100% compliance would require government mandates and government oversight over everyone’s email use in the interest of “making it safe for everyone.” I do not think people would accept that much government interference; they would simply use other methods, such as those named earlier, to transmit information, making email the next MySpace.

 

References

Balaganski, A. (2015, March 10). De-Mail: Now with End-To-End Encryption? Retrieved March 26, 2015 from https://www.kuppingercole.com/blog/balaganski/de-mail-now-with-end-to-end-encryption

Cook, D. (2013, January 16). Internet 2012 in Numbers. Retrieved March 26, 2015 from http://royal.pingdom.com/2013/01/16/internet-2012-in-numbers/

Craig, C. (2015, March 13). German E-Government Service Gets OpenPGP-Based Plug-Ins But Their Impact Is Unlikely to be Widespread. Retrieved March 26, 2015 from http://www.infoworld.com/article/2895806/security/google-yahoo-openpgp-end-to-end-email-encryption.html

Duncan, G. (2013, August 24). Here’s Why Your Email is Insecure and Likely to Stay That Way. Retrieved March 26, 2015 from http://www.digitaltrends.com/mobile/can-email-ever-be-secure/

Eastman, H. (2013, July 7). Communication Changes With Technology, Social Media. Retrieved March 26, 2015 from http://universe.byu.edu/2013/07/07/1communication-changes-with-technology-social-media/

Greeley, A. (n.d.). The Military-Telegraph Service. Retrieved March 26, 2015 from http://www.civilwarsignals.org/pages/tele/telegreely/telegreely.html

Lew, A. (2010, May 24). You’ve Got … 25 Years! AOL Celebrates 25th Anniversary With Big Birthday Bash. Retrieved March 26, 2015 from http://corp.aol.com/2010/05/24/youve-got-25-years-aol-celebrates-25th-anniversary-with-bi/

Miller, R. (2014, February 18). How Do You Get an Email Into Evidence at Trial? | Donati v. State. Retrieved March 26, 2015 from http://www.marylandinjurylawyerblog.com/2014/02/get-email-evidence-trial-donati-v-state.html

Norman, J. (2015, March 25). Morse Transmits the First Message by Morse Code (May 24, 1844). Retrieved March 26, 2015 from http://www.historyofinformation.com/expanded.php?id=551

Searching Encrypted Emails in Outlook. (2010, December 2). Retrieved March 26, 2015 from http://superuser.com/questions/217757/searching-encrypted-emails-in-outlook

Van Vleck, T. (2001, February 1). The History of Electronic Mail. Retrieved March 26, 2015 from http://www.multicians.org/thvv/mail-history.html

This report was submitted as a response to a Discussion Prompt for the MS-Cybersecurity and Computer Forensics Program at Utica College.

By Jeff Macharyas, MS – Utica College