Regain security
Regain email privacy & security

Part #3 of the Data Liberation series

Is there ever time in the day to reconsider your online security? I mean, really consider it?

Take the most common access point for communication in the 21st century – email. Yes, you read that right. It’s still email. Email is the root of online authentication for people worldwide, not only allowing them a “safe place” to recover lost account credentials, but also facilitating properly secured communications with the use of PGP signed and encrypted email. But is your email storage secure?

The woes of web mail

The “problem” with email is that its ubiquity spawned, some years ago, the explosion of “free” web mail services. All the big players provide it. These services are advertising-supported. In other words, the cost of providing such services are met by revenue generated from scanning your email and providing “relevant” adverts within your browser to click on. Each click is tracked and the advertiser billed accordingly.

An issue here, then, is that your email is scanned. All your emails are read by an indexing process which scours every single nugget of information. What information could that include? How could it be used? How about this little list for starters:

  • the date & time
  • the sender’s name and email address
  • their computer’s name
  • their network (i.e. their email provider, their ISP, any intervening mail routers)
  • their probable native language
  • their approximate location when sending the message (obtained from their original IP address)
  • your approximate location when reading the email (based on your IP address)
  • yours and their exact locations if using any location service

That’s not all

If the sender is using the same “free” web-mail service as you:

  • if they use a calendar in that service, what they were doing when they emailed you (giving an insight into the sender’s thought processes…)
  • if they maintain a contact list / address book in that web-mail service, that service may “know” you are a friend or family member of the sender
  • in this case, it will also know their friends – and your friends – and any shared friends too.  It can start to build up a map of contacts – who knows who and possibly why.
  • Knowing “who knows who” means those related contacts’ web-mail services can be interrogated for commonalities, such as shared events (in a calendar), shared interests via a social network, and so on.

Web cam

There are yet more ways your data can be exposed. If they are not using the same “free” web-mail service, but are using another service which they log into using their web mail service’s credentials:

  • that web-mail service provider could poll the other services to see what data you are sending (e.g. what you are posting) to those services
  • it can map any correspondence to or from your contact via its services even when not in relation to your email – e.g. It can expose a contact’s movements, their communications and interests in a given time-frame.
  • they can even be exposed by their use of related services from that provider. For example, new photos into a flickr or instagram account which is public, can be mapped back from their date, time and location to the IP address that was used to query location services.

Finally, a crucial problem with all online services is that there is no guarantee your data is actually deleted when you choose to delete it.  After hitting “delete” through a web site, this could simply flag the email to be removed from your visible account and stored in MegaWebCorp’s vault of “deleted” email, remaining there forever.  Or until needed…

This is the risk of putting data into another provider’s hands – what gets uploaded or stored in your name, stays there in your name, forever. What goes up, sometimes stays up.

Resolving the privacy crisis

Coming back to email, then, the first priority for someone who wants to maintain some privacy with respect to their life activity needs first to remove the source of indexing from MegaWebCorp’s database – the link between all things you do, your email address.

When the email address is removed from the purview of MegaWebCorp’s systems, your online activity can start to become your business – not the advertiser’s.

Getting your own address is simple.  You can register a domain name with any of numerous providers around the world and sign up for a low-cost hosting plan.  For any person who values their privacy and the sanctity of anonymity, this is a small hurdle to overcome.

For the gain in privacy you can achieve by hosting your own web site, the price attached to a “free” web-mail account may seem rather high.

Bootnote

ArsTechnica has an interesting article published yesterday (30 March 2014) on “metadata as surveillance” .