
Secrets On A Postcard

I am paranoid by nature. I lock my desk; I have a safe deposit box; my wireless router is password-protected; my passwords are, whenever possible, at least 12 characters long and randomly generated. I would never even dream of sending any important information on a postcard.

So why, I wonder, are my clients sending me their documents via unencrypted e-mail and why do they expect them back the same way?

E-mail is inherently insecure. The message content, as well as the attachment content, can be intercepted and read by anyone at any point along the transmission path. In addition, content can be altered and the recipient wouldn’t even know. And to make things even worse, the sender of a mail message can be easily faked.

This means that sending important or even sensitive information by e-mail has several strikes against it: (1) It can easily be read by people other than the recipient; (2) the recipient cannot be sure that the sender is really the person who appears as the sender in the e-mail; (3) the recipient does not know whether the content is really the original content or whether it has been altered in some way. Ergo, sending information via unencrypted e-mail is even worse than sending it on a postcard.

If the clients don’t care about this lack of security, why should I worry? As Gabi Zöttl pointed out in a recent blog post, secure transmission of documents and information not only protects clients, it protects translators as well. Whether I have signed a non-disclosure agreement or not, encryption of my e-mail communication may just be what saves me in case of a security breach.

I have been offering PGP encryption (for Mac here) for more than ten years (read the Wikipedia article on PGP), and as unbelievable as it sounds, in all this time none (zero) of my clients has asked for encryption of e-mail transmissions – despite insistence on sometimes very strict non-disclosure agreements and transmission of sometimes highly confidential material.

It is easy to believe that when I send e-mail to someone I have a discrete, isolated connection from me to that person and that I can safely send whatever I want through that connection. Unfortunately, reality is different. Encryption needs to have a much more prominent place among the tools of translators – not only to protect the integrity of the sent material, but also to protect the translator from claims of negligence.


9 Responses to “Secrets On A Postcard”

  1. Michael, this is *such* a great post! It’s so true; regardless of the measures with which clients want their translators to comply (NDA, permanently delete documents from your hard drive, and shred the hard copies if you have them, etc.), no one seems particularly concerned about issues around e-mail, aside from the “delete this if you’re not the intended recipient” message in a signature file. And you’re right; I’ve worked on some corporate legal documents that involved big stuff, things that the company really, really wouldn’t have wanted to be leaked, but they’re always sent over regular (unsecure) e-mail!

  2. I have had a few clients insist on password security measures for files sent by e-mail. They are zipped and encrypted with a password applied. The passwords are generated according to a scheme arranged in advance which results in a different password with each transfer. Not the best system really, and subject to “psychological engineering” techniques, but it’s better than what most do. I think one reason that the PGP techniques may be declined is that many find them arcane and intimidating. There is a lot of talk in the business world about security and encryption, but very little real implementation.

  3. Michael says:

    To lead by example, I have added my public key to this blog (see navigation bar below banner) – not that there is anything encryptable going on here.

    @Corinne: What comes into play, I think, is (a) a totally misplaced trust into the Internet; and (b) a culture of fixing potentially dangerous situations by labeling them as dangerous to protect oneself against lawsuits instead of mitigating the danger. The disclaimers you mention (Margaret Marks has been writing about them several times here and here) may well help in case of a lawsuit, but once it has come to such a suit, the proverbial cat has long since been let out of the bag. The important thing is to protect the confidential content, not to jockey for a better standing after the fact.

    @Kevin: I am encouraged to hear that you had clients who asked for encryption – in whatever form. You are correct when you say that the PGP approach is not the most intuitive. The (free) PGP distribution available from the link in my post is actually quite easy to install and to integrate into e-mail clients such as Outlook. They have come a long way from the command line PGP of years ago. The for-money version may even be more user-friendly – but that’s speculation on my part, I have never given it a try.

  4. Ok, I tried to leave a long comment but it got blocked by your spam filter :-). Here’s a short one. For people who use Gmail:
    Encrypt Your Gmail Messages With FireGPG

  5. Michael says:

    Sorry, Roberto. I tried without success to find your message in the spam folder. The onslaught of comment spam is so gigantic that I have set my spam control to very strict. Since the last time I cleaned out the spam folder, another 146.000 spam comments have accumulated…

    Re FireGPG: Thank you for pointing out how to encrypt Gmail messages with the industrial-strength PGP technology.

  6. modes says:

    You should also try Voltage SecureMail from the Voltage Security Network (VSN). It leverages Identity-Based Encryption and can use an email address as the public key – so no more looking up and managing them. Also, you can send to anyone, even if they don’t have any software. It works seamlessly with existing environments, so is super simple for both parties. More at http://www.voltage.com/vsn/index.htm

  7. Eve Bodeux says:

    I have a few comments: 1) is the vast volume of email itself a barrier to email being intercepted? Meaning, unless someone is specifically targeting you from some outside knowledge they have about your communications, isn’t it statistically unlikely they’d pick out your communications to review, out of the millions and millions of emails sent every day? (But, as you say, if they do pick you, you are at high risk.) 2) I do have some clients who are concerned with security and they make me use a secured FTP site with WinScp – and not email at all. Thanks, Michael!

  8. Michael says:

    Eve, secure FTP is an alternative for document exchange. Many FTP clients, such as my favorite FileZilla, offer this transfer mode. If it satisfies your client, great. And that is actually my main point: I don’t know how likely it is that e-mail is intercepted. What I know is that confidentiality is enough of a concern to many clients that they draw up lengthy documents demanding all sorts of precautionary measures and threatening punitive action. Given that, not encrypting e-mail traffic leaves a big hole and translators vulnerable to claims.

  9. Michael says:

    Looking back at this post from January of 2014, anybody still sending confidential material via unencrypted e-mail must have lived in an isolated cave for the last 12 months. Believe me, there is no satisfaction in seeing one’s paranoia come true.
