Before we get into the specific security issues facing email, lets generalize about the security concerns of all forms of communication. Those are:

• Confidentiality--keeping a message private and secret from others

• Authentication--verifying the identity of both the sender and receiver

• Integrity--ensuring that the message wasn't altered in transit

• Non-repudiation--preventing persons from denying they sent or received information

• Authorization--restricting access to information

Each of these concerns is present with all forms of communication, including letters sent through the U.S. mail. With letters, for example, there is the risk of confidentiality, which is protected by sealed envelopes and federal laws restricting the opening of the mails. A handwritten signature seeks to provide authentication and non-repudiation.

Because the mails have been in use for hundreds of years, these issues are of little concern today. But Internet email, still in its infancy, has the legal profession concerned about some of these issues. This especially becomes a concern if email is going to be used in electronic commerce.

Just what are the risks of email? Well, for example, some contracts with Internet Service Providers allow the ISP to read all of your email messages, if they so desire. And there's "sniffer" software that can look for certain messages on the Internet. Because Internet transmissions go across the Net in packets, sniffer software has its limitations. In addition, using it is probably a federal offense, but these limitations don't mean you shouldn't be aware of the problem.

None of these concerns are completely unique to email. Your overnight-mail service may reserve the right to look at your letters, and phones do get tapped. But we're generally aware of these concerns and have learned to deal with them or accept the risks as minimal. Email is different because it's new; as a result, the legislature and the courts haven't kept up with the technology, and we don't know exactly what they'll do when they get there.

But that hasn't stopped lawyers from trying to figure out the answers. Some attorneys contend that email sent across the Internet should be viewed the same as a postcard--it's there for anyone along the way to read. But this grossly overstates the risk, because most email messages are not complete while in transmission, being sent in "packets" of data over varying routes. Someone would have to make a very concerted effort to read an email message as it flew by at the speed of light.

Others compare using the Net to a cellular or cordless phone. Many state ethics boards have ruled that lawyers have no expectation of privacy for communications over such phones. But email, again, is different. Email is not broadcast, like a cellular or cordless phone, but is usually sent over the (presumably secure) phone lines.

So, is it just like a phone conversation, which is expected to be confidential? Well, again, not really. Email messages, because they are written, are recorded (generally for very short periods of time) on various Net computers, and thus can be intercepted for a longer period of time than a phone call.

There simply isn't any perfect analogy, which is what causes the uncertainty and risks. But the risks are not insurmountable or particularly difficult--just unique. And there is an irony, in all of this discussion about security. As is, the Internet may be less secure than normal paper routes of transmission. Yet, with the advent of new technology, email can be more secure than any other common form of communication.

WHAT'S THE SOLUTION?

The legal profession generally views various forms of encryption software as providing the solution. If "encryption" sounds high-tech, it is. If it sounds like something for spies rather than lawyers, it isn't. The legal profession is regularly using encryption technology today. In a few years, it will become as common as cell phones.

Go to Paul's Research Section