
Email is Insecure – Stop Using it for Sensitive Communications

Intro

Email is the primary means of sending messages and documents for many people. Unfortunately, email was never designed to be private or secure. Over time, we’ve developed several tools and techniques to help make it more secure. But at the end of the day, no matter how uncomfortable it makes us feel, email is inherently insecure. Just ask the US military. Millions of military emails are going to Mali (.ml TLD) rather than the military (.mil domain) due to mundane typos. We go into detail about why email is insecure and go over real-world and personal examples.

Some of the items discussed:

  1. Typos causing emails to go to the wrong recipient
  2. Unencrypted emails and email providers
  3. Emails being encrypted in transit in only some circumstances
  4. Security issues and data breaches with common email services (Outlook/Exchange, Yahoo)
  5. Email providers reading users’ emails
  6. Email metadata not being encrypted
  7. Law enforcement and Internal Revenue Service (IRS) reading emails without a warrant
  8. Limitations of encrypted email providers (Proton Mail, Tutanota)

Podcast

1
00:00:00,000 –> 00:00:14,320
Hey everybody, welcome back to the Bigger Insights Privacy & Security podcast where we’ll help

2
00:00:14,320 –> 00:00:16,720
you live a more private and secure life.

3
00:00:16,720 –> 00:00:21,440
In this episode, we’re going to explain to you how insecure email is and why you should

4
00:00:21,440 –> 00:00:27,240
stop using it for sensitive communications or transmitting sensitive files.

5
00:00:27,240 –> 00:00:33,720
I’ve spent years of my life red-pilling myself on privacy and security matters.

6
00:00:33,720 –> 00:00:38,800
That certainly has its benefits, but one of the downsides is at times I start to lose

7
00:00:38,800 –> 00:00:45,120
touch with the beliefs and misconceptions of those who have yet to be red-pilled as well.

8
00:00:45,120 –> 00:00:51,380
One of those things which really stands out to me is email security or lack thereof.

9
00:00:51,380 –> 00:00:56,360
My motivation for making this episode is that I’ve gotten into many arguments with

10
00:00:56,360 –> 00:01:02,280
people and organizations over the last several years who still think it’s a good idea to

11
00:01:02,280 –> 00:01:04,280
email sensitive data.

12
00:01:04,280 –> 00:01:10,000
I’m not just talking about friends and family. I’m talking about lawyers, accountants, and

13
00:01:10,000 –> 00:01:15,000
other professionals who have some of your most sensitive data, yet they seem to have

14
00:01:15,000 –> 00:01:20,720
no clue as to how dangerous it can be to send this data through email.

15
00:01:20,720 –> 00:01:25,800
Early on in my privacy and security journey, one of the things that I found most shocking

16
00:01:25,800 –> 00:01:30,680
was how insecure our communications protocols actually are.

17
00:01:30,680 –> 00:01:37,400
Fax: Unencrypted. Voice calls: Unencrypted. SMS: Unencrypted.

18
00:01:37,400 –> 00:01:41,680
Email can be encrypted, but sometimes it’s not, and we’ll talk about that in a little

19
00:01:41,680 –> 00:01:44,080
bit more detail later in this episode.

20
00:01:44,080 –> 00:01:49,440
I was so shocked to learn these things that I was almost in denial about it because encryption

21
00:01:49,440 –> 00:01:52,560
has been around literally for millennia.

22
00:01:52,560 –> 00:01:58,680
How could these protocols, which we rely so heavily on, be so incredibly insecure?

23
00:01:58,680 –> 00:02:01,280
This just didn’t make any sense to me.

24
00:02:01,280 –> 00:02:05,400
You know, when you’re staring at your phone, you don’t see what’s going on beneath the

25
00:02:05,400 –> 00:02:06,840
user interface.

26
00:02:06,840 –> 00:02:11,040
You don’t see what data is being collected and who gets access to that.

27
00:02:11,040 –> 00:02:17,680
When you send an email, you look in the interface and you see two parties: you and the recipient.

28
00:02:17,680 –> 00:02:19,880
No one’s looking over your shoulder.

29
00:02:19,880 –> 00:02:24,640
No one’s watching you type your message, so you must be safe, right?

30
00:02:24,640 –> 00:02:28,200
These things give us a false sense of security.

31
00:02:28,200 –> 00:02:33,480
If you’re very young, privacy and security may come somewhat naturally to you because

32
00:02:33,480 –> 00:02:38,080
things like data breaches and scandals are pretty much the norm now.

33
00:02:38,080 –> 00:02:44,120
But from our experience, people in their 30s and beyond are having a really difficult time,

34
00:02:44,120 –> 00:02:50,720
like I did, seeing and accepting how insecure and vulnerable their sensitive communications

35
00:02:50,720 –> 00:02:52,920
and data really are.

36
00:02:52,920 –> 00:02:58,800
I think the reason for that is because if you grew up before the internet was as ingrained

37
00:02:58,800 –> 00:03:05,600
in everyday life as it is today, you’re just not used to relying on objects, systems, and

38
00:03:05,600 –> 00:03:11,560
organizations that are actively surveilling you and pursuing interests that are opposing

39
00:03:11,560 –> 00:03:13,040
to yours.

40
00:03:13,040 –> 00:03:17,600
When you watched TV, it wasn’t reporting your viewing habits to anyone.

41
00:03:17,600 –> 00:03:20,160
When you played a video game, same thing.

42
00:03:20,160 –> 00:03:25,200
When you spoke to someone on the phone, there always was the risk that it could be tapped

43
00:03:25,200 –> 00:03:29,720
and that was common knowledge, but it was understood that that was largely reserved

44
00:03:29,720 –> 00:03:35,880
for people being investigated for serious crimes – not done in automated bulk like we

45
00:03:35,880 –> 00:03:37,360
see today.

46
00:03:37,360 –> 00:03:42,320
When you drove your car, it wasn’t reporting your location history and other sensitive data

47
00:03:42,320 –> 00:03:46,160
back to the manufacturer. But times have changed.

48
00:03:46,160 –> 00:03:51,800
So if this describes you, you may have developed a false sense of security or failed to develop

49
00:03:51,800 –> 00:03:56,720
the skepticism that you need to protect yourself in today’s environment.

50
00:03:56,720 –> 00:04:01,640
The first thing that you need to understand about email is that it was never designed

51
00:04:01,640 –> 00:04:04,040
to be private or secure.

52
00:04:04,040 –> 00:04:06,120
That’s your first red flag.

53
00:04:06,120 –> 00:04:11,200
In a past life, I did some software engineering work on a medical device project.

54
00:04:11,200 –> 00:04:17,600
If you’re not familiar with that process, it’s pretty intensive with regard to FDA regulations.

55
00:04:17,600 –> 00:04:22,400
I had to read a lot of FDA documentation, but one of the things that stuck out to me

56
00:04:22,400 –> 00:04:26,600
the most was in regard to unit and integration testing.

57
00:04:26,600 –> 00:04:31,920
The FDA makes it very clear in their documentation that the software should be written from the

58
00:04:31,920 –> 00:04:38,080
ground up with proper unit and integration testing as opposed to tacking these on at

59
00:04:38,080 –> 00:04:40,160
the end of the lifecycle.

60
00:04:40,160 –> 00:04:45,440
This struck a chord with me because I’ve worked on projects where people essentially wrote

61
00:04:45,440 –> 00:04:51,440
a bunch of trash code with the intention of forcing it into compliance by spamming it

62
00:04:51,440 –> 00:04:53,240
with automated tests.

63
00:04:53,240 –> 00:04:58,840
And I can tell you, along with the FDA, that’s a terrible idea and a losing battle.

64
00:04:58,840 –> 00:05:03,600
There are many reasons for that, but one of those is that it’s very difficult to force

65
00:05:03,600 –> 00:05:10,240
a large piece of software or a specification to address a major change that it wasn’t

66
00:05:10,240 –> 00:05:11,800
designed for.

67
00:05:11,800 –> 00:05:18,000
So let me repeat: Email was not designed to be private or secure.

68
00:05:18,000 –> 00:05:27,960
Over time, we’ve developed some band-aid solutions like TLS, PGP, DKIM, DMARC, SPF, 2FA/MFA, and so

69
00:05:27,960 –> 00:05:32,240
on, but there’s still a lot of fundamental issues.

70
00:05:32,240 –> 00:05:37,840
Your second red flag is that some organizations that handle sensitive data don’t use email

71
00:05:37,840 –> 00:05:40,120
to transmit said data.

72
00:05:40,120 –> 00:05:46,040
Doctors don’t use email to send and receive your medical data, or at least they shouldn’t.

73
00:05:46,040 –> 00:05:48,520
They use things like MyChart, don’t they?

74
00:05:48,520 –> 00:05:49,920
Yes, they do.

75
00:05:49,920 –> 00:05:51,920
And there’s a reason for that.

76
00:05:51,920 –> 00:05:53,840
Email is insecure.

77
00:05:53,840 –> 00:05:55,600
What about your bank?

78
00:05:55,600 –> 00:06:00,240
Chances are they use some kind of secure email service, which isn’t really email, they just

79
00:06:00,240 –> 00:06:01,400
call it that.

80
00:06:01,400 –> 00:06:06,120
I’ve seen them use things called ZixMail or something like that, and a service called

81
00:06:06,120 –> 00:06:08,480
Secure Document Exchange.

82
00:06:08,480 –> 00:06:13,200
Just the other day, I was collecting data on what income tax rates are in the local

83
00:06:13,200 –> 00:06:15,680
jurisdictions around Cincinnati.

84
00:06:15,680 –> 00:06:20,440
One of the encouraging things I saw was that a good number of them use one of these secure

85
00:06:20,440 –> 00:06:26,240
email services, and one of them even went so far as to warn people to not email their

86
00:06:26,240 –> 00:06:30,640
tax documents to them for security reasons.

87
00:06:30,640 –> 00:06:36,800
So if you’re a lawyer, accountant, banker, or other person who handles sensitive data,

88
00:06:36,800 –> 00:06:40,040
you should join the party and use something more secure.

89
00:06:40,040 –> 00:06:44,040
All right, now let’s get into more detailed issues.

90
00:06:44,040 –> 00:06:50,880
One is a lack of control as to who can send email to whom and who can receive email from

91
00:06:50,880 –> 00:06:51,880
whom.

92
00:06:51,880 –> 00:06:58,080
So when you draft an email, you can type anything you want in the To field and hit send.

93
00:06:58,080 –> 00:07:01,200
What happens next? You just have to wait and see.

94
00:07:01,200 –> 00:07:06,800
So what happens, for example, if you make a typo when you’re typing an email address?

95
00:07:06,800 –> 00:07:08,800
This actually happened to me once.

96
00:07:08,800 –> 00:07:14,120
I was dealing with a financial entity once and found out that they sent at least one

97
00:07:14,120 –> 00:07:20,120
email of mine to the wrong email address because they left a letter out of my name.

98
00:07:20,120 –> 00:07:24,680
And given my luck, that was a valid email address that someone else had.

99
00:07:24,680 –> 00:07:29,120
So he received my email and I don’t even know what it contained.

100
00:07:29,120 –> 00:07:31,840
Man, that really made my blood boil.

101
00:07:31,840 –> 00:07:36,800
So get this, there’s a story going around in the privacy and security circles about

102
00:07:36,800 –> 00:07:42,880
the vast quantities of email that’s intended to go to the US military that are actually

103
00:07:42,880 –> 00:07:49,480
going to the wrong domain because people are typing x@example.ml, which is the country

104
00:07:49,480 –> 00:07:55,360
of Mali, as opposed to .mil, which is the US military.

105
00:07:55,360 –> 00:08:00,560
When this happens, if you’re lucky, the server that receives that mail will reject it and

106
00:08:00,560 –> 00:08:05,480
send it back to the sender as undeliverable, but sometimes that doesn’t happen for a couple

107
00:08:05,480 –> 00:08:06,480
of reasons.

108
00:08:06,480 –> 00:08:11,320
1. You make a typo, which results in a valid email address.

109
00:08:11,320 –> 00:08:13,120
So it does get delivered.

110
00:08:13,120 –> 00:08:15,240
This is what happened to me.

111
00:08:15,240 –> 00:08:21,760
2. The other scenario is that whoever controls the other domain has a catch-all system in

112
00:08:21,760 –> 00:08:28,040
place that will retain all email sent to it, even if the address is invalid.

113
00:08:28,040 –> 00:08:30,680
If you have a domain, you can do this.

114
00:08:30,680 –> 00:08:36,400
You can set up a catch-all rule that keeps all emails sent to your domain, even if that

115
00:08:36,400 –> 00:08:38,360
address doesn’t exist.

116
00:08:38,360 –> 00:08:45,600
So for example, if you send an email to starboy98@biggerinsights.com, we could catch that

117
00:08:45,600 –> 00:08:48,960
even though that address doesn’t exist.

118
00:08:48,960 –> 00:08:53,600
Regarding this issue with the military, that might not sound like a big deal, but get this:

119
00:08:53,600 –> 00:08:59,680
There have literally been millions of emails sent to Mali rather than the US military

120
00:08:59,680 –> 00:09:02,800
because of this one typo issue.

121
00:09:02,800 –> 00:09:08,920
Along these lines, there are also typo-squatters out there that reserve domains and email addresses

122
00:09:08,920 –> 00:09:14,520
that are similar to their target to try to catch emails or web traffic that someone sends

123
00:09:14,520 –> 00:09:17,720
to the wrong address due to a typo.

124
00:09:17,720 –> 00:09:26,280
So for example, someone could register fecesbook.com and create addresses like mark@fecesbook.com

125
00:09:26,280 –> 00:09:31,280
and things like that to try to catch emails intended to be sent to the Zuck.

126
00:09:31,280 –> 00:09:33,320
This is a very serious issue.

127
00:09:33,320 –> 00:09:38,200
So one of the things that we recommend that people do is double-check that email addresses

128
00:09:38,200 –> 00:09:44,840
are correct when entering them into a contact system or a password manager, then use those

129
00:09:44,840 –> 00:09:49,960
systems directly rather than manually typing out people’s email addresses.

130
00:09:49,960 –> 00:09:55,960
I almost never type a website address or an email address manually for this reason.

131
00:09:55,960 –> 00:09:58,880
Oh, and one more tip on this issue:

132
00:09:58,880 –> 00:10:04,040
When someone gives you an email address, take it literally or ask them to confirm with you

133
00:10:04,040 –> 00:10:09,960
before just unilaterally deciding that it’s wrong and sending an email to something else.

134
00:10:09,960 –> 00:10:12,840
I’ve had this happen to me multiple times.

135
00:10:12,840 –> 00:10:19,160
So I literally have hundreds of email addresses I use, which are mostly aliases. But some

136
00:10:19,160 –> 00:10:25,600
of them have intentional typos in them or names that are similar to mine but different.

137
00:10:25,600 –> 00:10:31,600
And multiple times I’ve run into issues where the lady at the front desk sees that and overrides

138
00:10:31,600 –> 00:10:36,640
what I’m telling her my email address is and tries to correct it for me.

139
00:10:36,640 –> 00:10:38,680
That really grinds my gears.

140
00:10:38,680 –> 00:10:39,680
Don’t do that.

141
00:10:39,680 –> 00:10:42,600
If someone gives you an email address, use it.

142
00:10:42,600 –> 00:10:45,200
If they gave you the wrong one, that’s on them.

143
00:10:45,200 –> 00:10:50,720
But if they gave you the right one and you use a wrong one anyway, that’s on you.

144
00:10:50,720 –> 00:10:56,240
And by the way, this is especially problematic if you’re using a common domain/service like Gmail,

145
00:10:56,240 –> 00:11:02,800
Outlook or Yahoo, because let’s say, for example, that your name is Meghan. You know, some people

146
00:11:02,800 –> 00:11:05,800
spell that with an H and some without.

147
00:11:05,800 –> 00:11:12,200
So if you’re meghan@gmail.com, I can basically guarantee you that someone

148
00:11:12,200 –> 00:11:16,640
else is megan@gmail.com.

149
00:11:16,640 –> 00:11:22,360
So if you tell someone your email is “Meghan at gmail.com”, and they don’t type that H,

150
00:11:22,360 –> 00:11:25,520
their email is going to go to that other person.

151
00:11:25,520 –> 00:11:29,560
Regarding this whole military email issue, we think this is pretty ridiculous.

152
00:11:29,560 –> 00:11:34,680
We’re actually planning on doing a whole episode on military privacy and security.

153
00:11:34,680 –> 00:11:39,960
But a little teaser for that is that the military shouldn’t be using email almost across the

154
00:11:39,960 –> 00:11:41,080
board.

155
00:11:41,080 –> 00:11:47,520
There are so many ways to send text and files to each other. Why use legacy technology with

156
00:11:47,520 –> 00:11:52,040
garbage security? It’s a national security liability.

157
00:11:52,040 –> 00:11:56,800
Now what they would probably say to that is that they have certain safeguards in place,

158
00:11:56,800 –> 00:11:59,320
but that only works one way.

159
00:11:59,320 –> 00:12:01,320
Email is a two-way concern.

160
00:12:01,320 –> 00:12:06,280
So if someone from the military asks Bigger Insights to email them something sensitive,

161
00:12:06,280 –> 00:12:11,160
whatever protections they have in place don’t apply because they wouldn’t prevent us, for

162
00:12:11,160 –> 00:12:16,280
example, from accidentally sending that email to the wrong address.

163
00:12:16,280 –> 00:12:21,200
Now let’s briefly talk about email metadata and PGP.

164
00:12:21,200 –> 00:12:26,160
Emails are constructed in two basic parts: The header and the body.

165
00:12:26,160 –> 00:12:32,960
The body is the message and the header contains the metadata like the sender, recipient, subject,

166
00:12:32,960 –> 00:12:37,920
date, time, IP address, security records (e.g. SPF, DKIM, DMARC), and so on.

167
00:12:37,920 –> 00:12:43,360
With PGP and most other email encryption schemes, the issue there is that they encrypt the

168
00:12:43,360 –> 00:12:47,480
body of the email, but not the header or the subject.

169
00:12:47,480 –> 00:12:49,120
That’s a huge deal.

170
00:12:49,120 –> 00:12:54,200
So in this case, someone who sees your encrypted email can’t read the message, but they can

171
00:12:54,200 –> 00:13:00,760
see who is talking to whom, which by itself can be damning in some circumstances.

172
00:13:00,760 –> 00:13:03,760
The subject line can also be a major concern.

173
00:13:03,760 –> 00:13:08,320
Have you ever seen those people who write basically the whole message in the subject

174
00:13:08,320 –> 00:13:09,320
line?

175
00:13:09,320 –> 00:13:12,600
Well, keep in mind that that’s usually not encrypted.

176
00:13:12,600 –> 00:13:18,080
Scroll through your email inbox sometime and read all the subject lines and the senders

177
00:13:18,080 –> 00:13:22,880
from someone else’s perspective, like an advertiser, for example.

178
00:13:22,880 –> 00:13:27,240
What could someone like that infer about you from this information?

179
00:13:27,240 –> 00:13:29,440
Probably a lot more than you’d think.

180
00:13:29,440 –> 00:13:35,800
The lesson here is that your emails, to and from, have a lot of metadata that can be seen

181
00:13:35,800 –> 00:13:37,560
by third parties.

182
00:13:37,560 –> 00:13:42,680
So at a minimum, be careful about how much sensitive information you put in the subject

183
00:13:42,680 –> 00:13:44,280
line.

184
00:13:44,280 –> 00:13:50,280
Another and perhaps the biggest issue with email is how it’s implemented by your provider

185
00:13:50,280 –> 00:13:53,280
and the providers of your contacts.

186
00:13:53,280 –> 00:14:00,440
Are you or your contacts using Gmail, Outlook, or Live or whatever Microsoft’s garbage is?

187
00:14:00,440 –> 00:14:04,120
After all these years, I still can’t figure out what Live is supposed to be.

188
00:14:04,120 –> 00:14:05,120
What about Yahoo?

189
00:14:05,120 –> 00:14:10,680
Well, I’ve got bad news for you because believe it or not, these companies, their employees

190
00:14:10,680 –> 00:14:17,720
and in some cases, even some of their contractors can and do read through people’s emails.

191
00:14:17,720 –> 00:14:19,800
That might be your emails.

192
00:14:19,800 –> 00:14:23,640
For your experience, of course, they just want to make sure that you’re enjoying your

193
00:14:23,640 –> 00:14:26,920
email experience. Nothing to see here.

194
00:14:26,920 –> 00:14:28,320
That’s not a joke.

195
00:14:28,320 –> 00:14:31,320
This isn’t April Fools if not I wish it was.

196
00:14:31,320 –> 00:14:36,800
The emails that are sitting in your inbox are not only read and analyzed by the automated

197
00:14:36,800 –> 00:14:42,840
systems that these companies employ, but their staff may be reading them with their own eyeballs

198
00:14:42,840 –> 00:14:44,280
as well.

199
00:14:44,280 –> 00:14:49,560
There was a story a while ago where Microsoft admitted to reading through the emails in a

200
00:14:49,560 –> 00:14:52,120
journalist’s Hotmail account.

201
00:14:52,120 –> 00:14:58,440
What happened here was that a Microsoft employee leaked confidential information to the journalist,

202
00:14:58,440 –> 00:15:02,360
but Microsoft couldn’t figure out who the leak was coming from.

203
00:15:02,360 –> 00:15:06,920
When they realized that the journalist was using Hotmail, they just started going through

204
00:15:06,920 –> 00:15:10,200
his emails to figure out who the leak was.

205
00:15:10,200 –> 00:15:15,240
When Microsoft admitted to this in public, people were understandably pretty shocked

206
00:15:15,240 –> 00:15:16,760
about this.

207
00:15:16,760 –> 00:15:21,720
People were surprised that Microsoft would stoop this low, but I get the impression that

208
00:15:21,720 –> 00:15:25,480
some people were shocked that this was even possible.

209
00:15:25,480 –> 00:15:30,760
And I can’t remember exactly what they said, but Microsoft had this response that basically

210
00:15:30,760 –> 00:15:37,000
said something like, “Well, yeah. When you use our email service, those emails are basically

211
00:15:37,000 –> 00:15:40,400
our property and we can do whatever we want with them.

212
00:15:40,400 –> 00:15:43,320
You did read the terms of service, right?”

213
00:15:43,320 –> 00:15:46,080
Which, you know, this just goes back to the whole

214
00:15:46,080 –> 00:15:49,760
“There is no cloud, only someone else’s computer” thing.

215
00:15:49,760 –> 00:15:55,240
If you’re going to F around and store your emails on Microsoft’s or Google’s servers, you’re

216
00:15:55,240 –> 00:15:59,800
going to find out because they have full access to all of that data.

217
00:15:59,800 –> 00:16:00,800
All right?

218
00:16:00,800 –> 00:16:02,960
Are we all on the same page now?

219
00:16:02,960 –> 00:16:08,840
And this is a big deal because it’s just one of those classic privacy conundrums that devolves

220
00:16:08,840 –> 00:16:11,520
to the lowest common denominator.

221
00:16:11,520 –> 00:16:16,320
You can have the most private and secure email service in the world, but that’ll only do

222
00:16:16,320 –> 00:16:22,320
you so much good if your contacts are using Gmail, Outlook, and related services.

223
00:16:22,320 –> 00:16:27,360
Even if you choose not to email them, you can’t stop them from revealing information

224
00:16:27,360 –> 00:16:30,880
about you just by them emailing you.

225
00:16:30,880 –> 00:16:35,560
And I hate to say it, but I’ve noticed that a lot of businesses are using Gmail these

226
00:16:35,560 –> 00:16:36,560
days.

227
00:16:36,560 –> 00:16:37,680
That’s pretty terrifying

228
00:16:37,680 –> 00:16:44,200
if you think about it. Is your lawyer or accountant storing your most sensitive data in Google?

229
00:16:44,200 –> 00:16:46,480
It gives me chills just thinking about it.

230
00:16:46,480 –> 00:16:48,480
All right, let’s continue.

231
00:16:48,480 –> 00:16:52,960
And let me blow your mind with something really bizarre about email.

232
00:16:52,960 –> 00:16:59,800
Most legacy technologies like email, SMS, phone calls, even packets and certain internet

233
00:16:59,800 –> 00:17:02,640
protocols rely on trust.

234
00:17:02,640 –> 00:17:07,280
They rely on the sender being honest about who they say they are.

235
00:17:07,280 –> 00:17:11,760
Have you ever received a text message from your own number?

236
00:17:11,760 –> 00:17:16,800
These technologies basically allow people to just make up who their message is coming

237
00:17:16,800 –> 00:17:17,800
from.

238
00:17:17,800 –> 00:17:23,400
So I could send you an email right now and just say that it’s from @apple.com.

239
00:17:23,400 –> 00:17:28,760
Just like how when you’re addressing a physical letter, you could put 1600 Pennsylvania Avenue

240
00:17:28,760 –> 00:17:34,240
on it as the return address to make it look like it came from the Cocaine House, I mean

241
00:17:34,240 –> 00:17:35,400
the White House.

242
00:17:35,400 –> 00:17:40,280
I’ve actually received some pretty legitimate looking phishing emails claiming to be from

243
00:17:40,280 –> 00:17:46,400
facebook.com. To the average person who doesn’t know how to look into the message source to

244
00:17:46,400 –> 00:17:52,160
verify if it actually came from facebook.com, or if it was just spoofed, they would probably

245
00:17:52,160 –> 00:17:53,640
believe it.

246
00:17:53,640 –> 00:17:59,440
Now why don’t email clients warn you when you receive an email that’s clearly spoofed?

247
00:17:59,440 –> 00:18:03,000
I have no idea, but that’s just the way she goes.

248
00:18:03,000 –> 00:18:05,320
And we can help you with that, by the way.

249
00:18:05,320 –> 00:18:10,040
We do things like sit down with our clients and show them how to spot phishing attacks

250
00:18:10,040 –> 00:18:15,240
and verify where messages are coming from, and we can help you with that as well.

251
00:18:15,240 –> 00:18:18,960
Just go to biggerinsights.com and fill out the short form at the bottom of the page if

252
00:18:18,960 –> 00:18:21,840
you’re interested in a consultation.

253
00:18:21,840 –> 00:18:25,040
Now let’s talk about unauthorized access.

254
00:18:25,040 –> 00:18:31,960
I realize this is anecdotal, but I receive reports of Outlook having stability and security

255
00:18:31,960 –> 00:18:35,720
issues on what seems to be a weekly basis.

256
00:18:35,720 –> 00:18:42,560
It’s pretty terrifying to see that virtually all of our government, banks, military, police,

257
00:18:42,560 –> 00:18:47,640
and other critical infrastructure rely on this dumpster fire, but that’s also just the

258
00:18:47,640 –> 00:18:49,040
way she goes.

259
00:18:49,040 –> 00:18:56,000
But seriously though, Outlook had such a serious issue a year or two ago that the FBI actually

260
00:18:56,000 –> 00:19:02,360
sought to receive the authority to hack into basically everyone’s Exchange servers to address

261
00:19:02,360 –> 00:19:04,160
this security issue.

262
00:19:04,160 –> 00:19:06,160
It was that bad.

263
00:19:06,160 –> 00:19:09,360
So that’s just one of those issues, unfortunately.

264
00:19:09,360 –> 00:19:14,360
You know, you could be Kevin Mitnick, may he rest in peace, and still suffer from this

265
00:19:14,360 –> 00:19:19,800
because it’s completely out of your control and in the hands of a company that’s much

266
00:19:19,800 –> 00:19:24,800
more concerned about video games and turning Windows into adware.

267
00:19:24,800 –> 00:19:27,440
Yahoo is another great example.

268
00:19:27,440 –> 00:19:34,200
They reported two separate data breaches in 2016 that occurred back in 2014.

269
00:19:34,200 –> 00:19:39,600
So not only were hundreds of millions of Yahoo users affected by this, but they weren’t even

270
00:19:39,600 –> 00:19:42,920
notified for one to two years.

271
00:19:42,920 –> 00:19:49,200
Then in 2017, Yahoo disclosed that all three billion user accounts were affected by a

272
00:19:49,200 –> 00:19:53,840
data breach that went all the way back to 2013.

273
00:19:53,840 –> 00:19:59,240
Also by the way, one of those security incidents compromised security questions.

274
00:19:59,240 –> 00:20:03,880
So be careful how you answer those because they do get caught up in data breaches and

275
00:20:03,880 –> 00:20:06,520
passed around the internet sometimes.

276
00:20:06,520 –> 00:20:09,760
On the flip side of this is your security.

277
00:20:09,760 –> 00:20:13,720
Email hacks aren’t as common as they used to be, but they still happen.

278
00:20:13,720 –> 00:20:18,560
I’m guessing that most of the one or two of you who actually listen to this podcast have

279
00:20:18,560 –> 00:20:23,760
pretty decent security practices, which, if you don’t, go ahead and contact us.

280
00:20:23,760 –> 00:20:27,280
But again, this boils down to the lowest common denominator.

281
00:20:27,280 –> 00:20:29,240
What about everyone else?

282
00:20:29,240 –> 00:20:30,900
What about grandma?

283
00:20:30,900 –> 00:20:33,560
What about your spouse or children?

284
00:20:33,560 –> 00:20:35,040
What about your employer?

285
00:20:35,040 –> 00:20:41,000
Are they emailing your IDs, Social Security Number (SSN), and other sensitive data around?

286
00:20:41,000 –> 00:20:42,000
Probably.

287
00:20:42,000 –> 00:20:45,120
Does your accountant have good security measures in place?

288
00:20:45,120 –> 00:20:50,240
What if their account gets hacked and they’ve been emailing your returns and other documents?

289
00:20:50,240 –> 00:20:52,040
What does that mean for you?

290
00:20:52,040 –> 00:20:53,120
You’re screwed.

291
00:20:53,120 –> 00:20:54,600
That’s what that means.

292
00:20:54,600 –> 00:20:56,200
So just keep that in mind.

293
00:20:56,200 –> 00:21:01,520
You need to not only avoid emailing sensitive conversations and documents, but do everything

294
00:21:01,520 –> 00:21:08,960
you can to prevent bankers, accountants, lawyers, employers, and others from emailing your sensitive

295
00:21:08,960 –> 00:21:10,640
data around as well.

296
00:21:10,640 –> 00:21:11,640
All right.

297
00:21:11,640 –> 00:21:14,000
Now let’s talk about encryption.

298
00:21:14,000 –> 00:21:19,160
Most emails are encrypted during transit, but sometimes that isn’t the case.

299
00:21:19,160 –> 00:21:24,080
If you use Gmail, you’ve probably seen that little red padlock trying to warn you that

300
00:21:24,080 –> 00:21:27,780
someone that you’re emailing doesn’t support encryption.

301
00:21:27,780 –> 00:21:30,880
This is especially problematic in large groups.

302
00:21:30,880 –> 00:21:34,720
There’s always that one person with their email address that they received from their

303
00:21:34,720 –> 00:21:38,840
ISP 20 years ago that doesn’t support encryption.

304
00:21:38,840 –> 00:21:44,680
And when that happens, that compromises the security for everyone in that thread.

305
00:21:44,680 –> 00:21:49,920
As a society, we really ought to start talking to people like this and encourage them to

306
00:21:49,920 –> 00:21:52,200
fix these kinds of problems.

307
00:21:52,200 –> 00:21:57,120
You know, why should everyone else suffer because you refuse to use an email service

308
00:21:57,120 –> 00:21:59,000
with basic encryption?

309
00:21:59,000 –> 00:22:00,160
That’s not right.

310
00:22:00,160 –> 00:22:04,440
I would even go so far as to exclude them from any communication.

311
00:22:04,440 –> 00:22:08,960
There are people that I know that refuse to use anything but SMS.

312
00:22:08,960 –> 00:22:09,960
Well, guess what?

313
00:22:09,960 –> 00:22:12,280
I don’t text them. Anyway.

314
00:22:12,280 –> 00:22:19,120
So transport encryption is a problem that admittedly has been shrinking over time.

315
00:22:19,120 –> 00:22:21,720
But that’s only 1/3 of the issue.

316
00:22:21,720 –> 00:22:26,080
What about at the ends, meaning the sender and the recipient?

317
00:22:26,080 –> 00:22:31,080
When you send an email, a copy of that email is stored in your account.

318
00:22:31,080 –> 00:22:35,080
When the recipient receives it, they have a copy in their account.

319
00:22:35,080 –> 00:22:36,800
Are those encrypted?

320
00:22:36,800 –> 00:22:41,320
Like I was saying earlier, most of the mainstream email providers either don’t encrypt your

321
00:22:41,320 –> 00:22:46,800
emails in your account or they encrypt them with their keys, which means they can read

322
00:22:46,800 –> 00:22:49,520
your messages anytime they wish.

323
00:22:49,520 –> 00:22:55,000
There are some outliers like Proton Mail and Tutanota, which encrypt the emails in your

324
00:22:55,000 –> 00:22:59,360
account using your keys so that they can’t read them.

325
00:22:59,360 –> 00:23:02,960
But again, what about everyone else?

326
00:23:02,960 –> 00:23:03,960
We use Proton Mail.

327
00:23:03,960 –> 00:23:09,440
But when we email a Gmail user, that whole email thread is compromised because Google

328
00:23:09,440 –> 00:23:10,440
can read it.

329
00:23:10,440 –> 00:23:13,520
Now, I realize how this comes across.

330
00:23:13,520 –> 00:23:18,520
When we tell people that these companies can and do read people’s emails, they look at

331
00:23:18,520 –> 00:23:20,920
us like we’re wearing a tinfoil hat.

332
00:23:20,920 –> 00:23:22,560
But this is nothing new.

333
00:23:22,560 –> 00:23:27,840
You can read about this on Wikipedia or basically any legal blog.

334
00:23:27,840 –> 00:23:33,240
Companies use email contents for building profiles for targeted advertising.

335
00:23:33,240 –> 00:23:37,640
Emails are often used in litigation and divorce proceedings.

336
00:23:37,640 –> 00:23:41,280
That may not be news to anyone listening to this, but let me share something with you

337
00:23:41,280 –> 00:23:43,480
that might just blow your mind.

338
00:23:43,480 –> 00:23:51,080
In 2012, the ACLU sent a Freedom of Information Act (FOIA) request to the IRS seeking records about

339
00:23:51,080 –> 00:23:58,440
whether it gets a warrant before obtaining people’s emails, text messages, and other communications.

340
00:23:58,440 –> 00:24:02,080
What they received from the IRS was pretty disturbing.

341
00:24:02,080 –> 00:24:06,920
I’m going to read a few passages from an ACLU article about this.

342
00:24:06,920 –> 00:24:13,440
“The federal law that governs law enforcement access to emails, the Electronic Communications

343
00:24:13,440 –> 00:24:17,240
Privacy Act (ECPA), is hopelessly outdated.

344
00:24:17,240 –> 00:24:22,720
It draws a distinction between email that is stored on an email provider’s servers

345
00:24:22,720 –> 00:24:29,360
for 180 days or less and an email that is older or has been opened.

346
00:24:29,360 –> 00:24:31,760
The former requires a warrant.

347
00:24:31,760 –> 00:24:33,720
The latter does not.

348
00:24:33,720 –> 00:24:39,720
Luckily, the 4th Amendment still protects against unreasonable searches by the government.

349
00:24:39,720 –> 00:24:46,240
Accordingly, in 2010, the Sixth Circuit Court of Appeals decided in the United States v.

350
00:24:46,240 –> 00:24:52,160
Warshak that the government must obtain a probable cause warrant before compelling email providers

351
00:24:52,160 –> 00:24:54,000
to turn over messages.

352
00:24:54,000 –> 00:25:00,440
However, the IRS hasn’t told the public whether it is following Warshak everywhere in the

353
00:25:00,440 –> 00:25:04,480
country or only within the Sixth Circuit.

354
00:25:04,480 –> 00:25:11,200
The documents the ACLU obtained make clear that before Warshak, it was the policy of

355
00:25:11,200 –> 00:25:16,120
the IRS to read people’s email without getting a warrant.

356
00:25:16,120 –> 00:25:22,840
Not only that, but the IRS believed that the 4th Amendment did not apply to email at

357
00:25:22,840 –> 00:25:23,840
all.

358
00:25:23,840 –> 00:25:31,160
A 2009 Search Warrant Handbook from the IRS Criminal Tax Division’s Office of Chief Counsel

359
00:25:31,160 –> 00:25:37,320
baldly asserts that the 4th Amendment does not protect communications held in electronic

360
00:25:37,320 –> 00:25:43,760
storage such as in email messages stored on a server because internet users do not have

361
00:25:43,760 –> 00:25:47,800
a reasonable expectation of privacy in such communications.

362
00:25:47,800 –> 00:25:55,000
Again, in 2010, a presentation by the IRS Office of Chief Counsel asserts that the 4th

363
00:25:55,000 –> 00:26:02,320
Amendment does not protect emails stored on server and there is no privacy expectation

364
00:26:02,320 –> 00:26:04,000
in those emails.

365
00:26:04,000 –> 00:26:09,720
Other older documents corroborate that the IRS did not get warrants across the board.

366
00:26:09,720 –> 00:26:15,800
For example, the 2009 edition of the Internal Revenue Manual, the official compilation

367
00:26:15,800 –> 00:26:22,280
of IRS policies and procedures, explains that the government may obtain the contents of

368
00:26:22,280 –> 00:26:30,360
electronic communication that has been in storage for more than 180 days without a warrant.”

369
00:26:30,360 –> 00:26:32,120
That’s pretty disturbing.

370
00:26:32,120 –> 00:26:38,880
So basically, the IRS is of the opinion that it’s their right to read your emails without

371
00:26:38,880 –> 00:26:42,760
a warrant if they’re at least 180 days old.

372
00:26:42,760 –> 00:26:48,080
And of course, if the IRS can do this, one can conservatively expect that any other law

373
00:26:48,080 –> 00:26:50,360
enforcement agency could as well.

374
00:26:50,360 –> 00:26:56,560
All right, so hopefully by now, we’ve convinced you that in general, your emails are neither

375
00:26:56,560 –> 00:26:58,760
private nor secure.

376
00:26:58,760 –> 00:27:04,120
But some of you might be thinking, “Well, I’m safe because I use an encrypted email provider

377
00:27:04,120 –> 00:27:08,000
like Proton Mail or Tutanota.” And that’s great.

378
00:27:08,000 –> 00:27:10,600
And those are a step in the right direction.

379
00:27:10,600 –> 00:27:12,600
But we have some thoughts on that.

380
00:27:12,600 –> 00:27:18,920
No matter what provider you choose, there will always be some element of trust.

381
00:27:18,920 –> 00:27:24,240
For example, these companies encrypt your messages when they receive them from other

382
00:27:24,240 –> 00:27:25,240
providers.

383
00:27:25,240 –> 00:27:32,160
Obviously, the risk there is that they could either not do that or read or copy that message

384
00:27:32,160 –> 00:27:34,800
before they apply that encryption.

385
00:27:34,800 –> 00:27:39,800
We don’t think they are doing that, but again, you have to trust them on that.

386
00:27:39,800 –> 00:27:46,240
And don’t take that as me trying to give you some subtle hints or spread some kind of FUD.

387
00:27:46,240 –> 00:27:52,200
You need email, but there is always some degree of trust because of the inherent limitations

388
00:27:52,200 –> 00:27:53,680
of email.

389
00:27:53,680 –> 00:27:56,880
So choose the provider that you trust the most.

390
00:27:56,880 –> 00:28:00,720
All right, this is turning out to be longer than I was expecting,

391
00:28:00,720 –> 00:28:02,880
so I’m going to have to start wrapping this up.

392
00:28:02,880 –> 00:28:07,040
I was going to go over some tips for making email more secure, but that’s going to have

393
00:28:07,040 –> 00:28:12,760
to be a separate episode. That just goes to show you how insecure email is.

394
00:28:12,760 –> 00:28:17,480
We could keep going, but hopefully you understand now where we’re coming from.

395
00:28:17,480 –> 00:28:22,880
If you’d like more help with email privacy and security, consider becoming a Bigger Insights

396
00:28:22,880 –> 00:28:24,120
client.

397
00:28:24,120 –> 00:28:30,000
We help clients like you live more private and secure lives in one-on-one consulting

398
00:28:30,000 –> 00:28:31,360
sessions.

399
00:28:31,360 –> 00:28:36,240
If that sounds interesting to you, go to our website, biggerinsights.com, and fill out

400
00:28:36,240 –> 00:28:40,960
the short form at the bottom of the page so we can schedule your initial consultation.

401
00:28:40,960 –> 00:28:46,300
We are once again asking you to subscribe and share this podcast so we can help as many

402
00:28:46,300 –> 00:28:48,480
people as possible.

403
00:28:48,480 –> 00:28:54,600
This episode in particular is a message that many, many people need to hear, so go ahead

404
00:28:54,600 –> 00:28:55,680
and share it with them.

405
00:28:55,680 –> 00:28:57,920
It’ll cost you nothing.

406
00:28:57,920 –> 00:29:03,120
If you’ve found this episode helpful, please consider making a contribution.

407
00:29:03,120 –> 00:29:08,780
Running a business and a podcast is more expensive and time-consuming than you might realize,

408
00:29:08,780 –> 00:29:13,680
so if you like this content and can spare some coin, please consider helping us out

409
00:29:13,680 –> 00:29:15,880
so we can keep this going.

410
00:29:15,880 –> 00:29:22,160
We accept Monero (XMR), obviously, but also surveillance coins like Bitcoin (BTC) and Litecoin (LTC).

411
00:29:22,160 –> 00:29:24,880
I’ll put the wallet information in the description.

412
00:29:24,880 –> 00:29:27,600
All right, that’s it for this episode.

413
00:29:27,600 –> 00:29:29,360
Thanks for staying until the end.

414
00:29:29,360 –> 00:29:58,360
Be careful about how you use email and stay safe out there.
