04 Nov 2016

Will Email Best Practices Decide the Presidential Election?

This year’s election cycle has put a HUGE spotlight on email. From Hillary’s ongoing email saga and FBI Director Comey’s late “October Surprise” to the alleged Russian hacking and leaking of Democratic National Committee (DNC) emails, the general public is now aware of just how easy it is for one’s email content to be used against oneself.

Email is indeed everywhere, and the incredible convenience email affords makes it irresistible to use for just about everything: off-the-cuff remarks, venting frustration, discussing executive strategies, and communicating internal and external business matters, for example.

Yet, this same willingness to put substantive thoughts into email can come back to bite oneself in two important ways. And as Americans prepare to vote for their next president, whichever way they might be leaning, it is important to understand these email issues in the context of technology available to just about everyone.

Email Privacy

When email is sent and stored in plain text, it is incredibly easy to intercept or compromise the message contents. Hillary Clinton came under intense state and public scrutiny for her decision to use a private email server for security (and probably convenience) reasons. The widespread criticism and fallout over this issue is perhaps justified, considering how easy it would have been for hackers or foreign intelligence agents to access her email and compromise important state business.

Now, imagine for a moment that Hillary had used an email encryption service such as RMail with her private server, encrypting every outbound email from endpoint to endpoint (as with RMail’s executive mode email encryption). Doing this would not only have demonstrated responsible stewardship of the classified information in Hillary’s charge, but it may also have made it extremely difficult for anyone, including the FBI, to obtain the actual message content in the tens of thousands of emails Clinton was compelled to turn in. (Read about how impractical, if not quite impossible, largescale encryption cracking is.)

Email Authenticity

When Wikileaks exposed what the whistleblowing website claimed were hacked emails from Democratic National Committee (DNC) insiders, purporting to illustrate among other things, a corrupt Democratic party and rigged Democratic primary, the general public automatically assumed the authenticity of the published emails. But why?

The reality is that standard email does not provide a certifiable record of authenticity. The supposed DNC emails could have been falsified – fiction created by outsiders hoping to influence the outcome of the US elections. There surely are sufficient incentives for someone to be willing to create fake emails. The technology to do so is certainly available.

Consider the following capabilities available to anyone using a Microsoft Office full installation:

  1. Go back in time: If you miss a deadline and want an email to appear in the recipient’s inbox with the sent time showing hours earlier, you can simply set your computer clock to a few hours early, and send your email. The email sent time will magically appear in the recipient’s inbox hours earlier – perhaps ahead of your missed sending deadline.
  2. Change what you said: If you need to alter the history of what you sent, after sending, you can simply go to the “Sent” folder, open the specific message, click “Actions” then “Edit Message” and edit the message. Save. Close. The message you sent has now been forever changed. If this were printed to PDF or paper later, one would not be able to detect that it had been changed.
  3. Change what they said: If you look at the often used reply or reply-all process, you should be aware that one can easily start to edit prior comments early in the history of the communication, that will carry forward for all future replies to the email thread — after a while, that altered history will become part of the back-and-forth record — and if later printed to PDF or paper, it would take a forensic expert with access to all prior emails and perhaps computers to try to figure out what was actually said by whom and when.
  4. Send an email “from” someone else: If you really want to play a practical joke with email, you can go to your account settings and change your “From” address to that of a friend. Then, send an email to a group of friends with an outrageous comment. The entire group of friends receiving the email will see that it has come from someone else in the group (not from you). And, no matter how much the named sender disclaims having sent the email, without a forensic expert analysis, the group will never understand how it could not have been that person.
  5. Change the record of what you received. If you need to alter the history of the email content you received, after receiving it, you can simply go to the “Inbox” folder, open the specific message, click “Actions” then “Edit Message”, edit the message. Save. Close. The message you received has now been forever changed. If this were printed to PDF or paper later, one would not be able to detect that it had been changed.

Each of the above techniques can be performed easily without being detected. To be clear, there are legitimate business reasons why you might need to send email from an alias, or edit email content if using email as a collaboration medium.

Of course, the point of describing these techniques is not to promote their use for nefarious ends; rather, it is to illustrate that standard email, by itself, is not a verifiable record. The next time you see a copy or transcript of an email in the news, or in a dispute proceeding, it might be useful to consider how easy it would have been to alter the email contents, given the incentives or stakes.

Sending important email as an RMail® Registered Email™ message provides the sender with a verifiable record of timestamp, content, and delivery – regardless of any recipient actions. Consider this a way to have the upper hand — proof with high evidential weight. You can even record replies in an email thread, using RMail’s Register Reply™ feature.