E-CommerceALERT.com is part of the Bennett Gold LLP web site network.

Research and retrieval of news articles by:
Bennett Gold LLP, Chartered Professional Accountants

Effective December 31 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering notable e-commerce news articles from the period 1999 to 2012.


Source: Toronto Star

Posted on January 17, 2005

      In the era of paper and pen, keeping a message private was easy. You simply read the message, then ate it. Those with weak constitutions could burn or shred the document. Discretion in the digital world can be far more challenging.

      Many people don't know how to keep electronic messages private, judging by a recent lawsuit launched by Canadian Imperial Bank of Commerce against a group of employees who left to join the upstart firm Genuity Capital Markets. CIBC alleges some former employees used corporate resources, including the bank's e-mail system, to help form the firm. Some of the e-mail sent via Blackberry handheld devices has been entered into evidence. The Genuity people deny the allegations, but the case has left many executives wondering how to keep private conversations private.

      Experts in electronic security agree that the best way to secure digital messages is with encryption, be it a regular e-mail or a message sent with a Blackberry.

      Encryption is a process of "scrambling messages" using special keys, explains David Yach, senior vice-president of software at Research in Motion. The Waterloo company makes the Blackberry devices that countless executives use to swap messages.

      The keys used for encryption aren't like the grooved pieces of metal we use to secure our homes. Encryption keys, which are generated by software, are more like the secret rings that let children decode messages from their friends.

      With common encryption methods, each user has two keys. One of the keys is private and known only by the owner. The other is public. Say a broker wants to send his client a private message and both parties already own a set of keys. The broker writes his e-mail as usual, then scrambles the message using the client's public key. Only the client's private key can unscramble it.

      Unlike the secret decoder rings of childhood, encrypting or decrypting a message doesn't involve a lot of patience and reference tables. With e-mail software such as Microsoft Outlook, encrypting a message only requires a couple of clicks of the mouse.

      Once the correct clicks have been made and the message encrypted, it can be sent to the client over the Internet. The message is unintelligible in transit and to anyone except the client with the right key. When the message lands in the client's inbox, her e-mail software automatically deciphers the message using her private key.

      For most people, using encryption won't require learning new software, but they will have to obtain add-on software that works with their existing e-mail software. Those already using well-known programs such as Microsoft Outlook can still use it to send and receive mail, as many encryption systems can be integrated with the software.

      Secure/Multipurpose Internet Mail Extensions (S/MIME) is arguably the most common way to make e-mail messages private using encryption.

      If a broker sends his e-mail using S/MIME the message is not only encrypted but also sealed with a digital certificate. It authenticates the message so the recipient is assured the message has not been altered during its online travels.
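The two-key scheme described above, with the sender's seal added as S/MIME does, as an added example that is not part of the original article and not RIM's or Microsoft's code. It uses only Go's standard library, with the broker and client as constructed sample parties; real S/MIME wraps a symmetric content key inside a CMS structure, but the key roles are the same: the recipient's public key scrambles, the recipient's private key unscrambles, and the sender's private key signs.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is what actually travels over the network: the scrambled message
// plus the sender's seal over it. Neither part reveals the plaintext.
type Envelope struct {
	Ciphertext []byte
	Signature  []byte
}

// NewKeyPair makes one user's key pair. The PrivateKey stays with its owner;
// its PublicKey field is the half that is handed out to correspondents.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal scrambles msg with the recipient's PUBLIC key (only the matching
// private key can reverse it), then signs the ciphertext with the sender's
// PRIVATE key so the recipient can check who sent it and that it is unaltered.
// Simplified illustration (constructed): encrypt-then-sign on a single RSA block.
func Seal(sender *rsa.PrivateKey, recipient *rsa.PublicKey, msg []byte) (Envelope, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, msg, nil)
	if err != nil {
		return Envelope{}, err
	}
	digest := sha256.Sum256(ct)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Ciphertext: ct, Signature: sig}, nil
}

// Open first checks the seal against the sender's public key (any change in
// transit, or a different sender, fails here), then unscrambles with the
// recipient's private key. A mail server holding some other key cannot do this.
func Open(recipient *rsa.PrivateKey, sender *rsa.PublicKey, env Envelope) ([]byte, error) {
	digest := sha256.Sum256(env.Ciphertext)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, env.Ciphertext, nil)
}
```

Opening with a key other than the client's, or after a single byte of the ciphertext has been changed, returns an error rather than a readable message.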

      "Internet e-mail without security protection is much like sending a postcard over the Internet," said John Weigelt, chief security adviser for Microsoft Canada. "S/MIME is like putting an e-mail into an envelope and putting a wax seal on the back of it, so you could ensure it was sent from a particular individual."

      While S/MIME can be used with Microsoft products such as Outlook Express, the software giant has its own solution for keeping e-mail private, called the Windows Rights Management Service. This add-on system lets the writer set parameters on who can read a message and when. Users can even set expiry dates on e-mail so it self-destructs.

      Another popular security system is called Pretty Good Privacy, or PGP. It works in much the same way as S/MIME - using a two-key system - and can be used with many different kinds of e-mail software. PGP and S/MIME are normally installed by corporate information technology workers across the company's entire computer network.

      Those who can't convince their company to set up such a privacy system, or wish to secure e-mail sent from their home computer, might want to try PGP Personal Desktop (http://www.pgp.com) software that is designed for such applications.

      Lone wolves might also want to try one of a handful of Web-based e-mail services, such as Hushmail, which provide an accessible means of sending secure e-mail. As with more traditional encryption systems, a free Hushmail account automates the scrambling and unscrambling process so that the user can concentrate on writing the e-mail instead of securing it. Ideally, both the sender and recipient should use Hushmail so that the e-mail resides on a single, encrypted server.

      Blackberry handheld devices, which are a bit like pagers with keyboards, add complexity to the security conundrum because they can send messages different ways: via e-mail or the Blackberry PIN system.

      Every e-mail message sent via a Blackberry is encrypted, but only while travelling outside of the corporate network. This encryption is used so a third party can't read the message if it is intercepted during its flight through the air to the wireless device. But the same message likely travels around in an unscrambled, readable form earlier on in its journey, as it is routed by the corporate e-mail server.

      Yach said companies that use S/MIME for regular corporate e-mail can use it on their Blackberrys, for end-to-end security. With S/MIME, the message remains scrambled throughout its journey, until it reaches your in-box.

      "It's appealing to those who are hyper-paranoid," he said.

      Research in Motion itself processes a large proportion of messages sent by Blackberry. Interestingly, Yach said the company doesn't keep copies.

      "We have the encrypted messages long enough to get them to your device, but then they are deleted," Yach said. "We certainly don't have any means of knowing what happened last week or a month ago."

      A brokerage firm might, however. Some firms choose to keep copies of all transmissions that travel over the corporate network, including e-mail messages sent via Blackberry.

      Many consider Blackberry PIN messages more secure than e-mail messages sent by Blackberry, because there are fewer links in the chain.

      PIN messages (so named because messages are addressed to a personal identification number) are sent directly from one Blackberry to another instead of going through e-mail servers.

      For total privacy, Yach said sender and recipient should delete PIN messages after they are read. Otherwise they will be saved in a readable format on the device and to their computer the next time the user backs up data.

      Mark Fabro, a senior manager with Bearingpoint Inc.'s security solutions practice, said the best rule of thumb is to avoid using corporate networks and devices for private business.

      As a security consultant, Fabro said he'd never advise anyone to perform an unethical act, such as undermining an employer using secret messages sent from a corporate computer or Blackberry.

      Moreover, the scheme likely couldn't be kept a secret forever if you're using company resources.

      "There is no such thing as absolute security," Fabro said. "What has happened with this Genuity lawsuit is a fantastic wake-up call for the community at large."

      S/MIME and PGP both provide a very strong layer of added privacy for e-mail. It would take an unreasonable amount of time and resources for a company to decipher an encrypted message without the key.

      Legally, however, a company could make the argument that they have a right to an employee's key if it was stored on a corporate computer. With access to the keys all those private messages would be easily unlocked, read and possibly used in court.


E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.
