I no longer trust ProtonMail

It seems the bottom line is still that if it’s online it’s not secure by default, no matter what it is. Email is in the main unusable for just about anything that matters. In terms of taking “reasonable precautions” to keep our data private we now communicate through MS Teams. Of course MS have everything and those whom they share it with, but the rest of the world is locked out. The same goes for any ecosystem. Apple touts its great privacy setup, but Apple themselves are of course not included, they can access everything and use it.

If you want your data private, you either have to do it yourself (there’s a minefield) or use systems with a smaller area of attack, so a phone call is better than an email.

1 Like

I’m not an expert, but based on what I’ve read, Signal is probably more secure than a phone call.

1 Like

Yeah, good point. ProtonMail ranks high in this video (no mention of Fastmail though).

1 Like

Digitally signed and/or encrypted email isn’t reasonably secure? I don’t use Teams, but know Slack/Cisco WebEx both support encryption with customer managed keys. Slack’s implementation is meh, but Cisco’s is legit. I really don’t like Teams. It’s awful…

It is of course, but many people I need to email don’t have it or know how to set it up. Having said that, there is still plenty of information that is sent with an encrypted email that is not encrypted, from IPs, subject, headers etc, hence the start of this thread about ProtonMail logging this data. In that respect even encryption doesn’t encrypt all the data. In the end this just leads to headaches in email. I still get government emails with 100 recipients in the TO: field :roll_eyes:.

1 Like
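An added example, not part of the thread: a short Python sketch of the point made in the post above, listing what any server that stores a PGP/MIME message can read without a key. The message, addresses and IPs are constructed (RFC 5737 documentation ranges), and `exposed_metadata` is a hypothetical helper name.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: a PGP/MIME (RFC 3156) message as a relay would store it.
RAW = """\
Received: from mail.sender.example (mail.sender.example [192.0.2.10])
 by mx.recipient.example with ESMTPS id abc123; Mon, 01 Jan 2024 10:00:05 +0000
Received: from laptop.local (unknown [198.51.100.7])
 by mail.sender.example with ESMTP id def456; Mon, 01 Jan 2024 10:00:01 +0000
From: Alice <alice@sender.example>
To: Bob <bob@recipient.example>, Carol <carol@recipient.example>
Subject: Appointment on Friday
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

# RFC 3848 "with" keywords that indicate the hop was protected by TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

def exposed_metadata(raw):
    """Return what any server holding the message can read without a key."""
    msg = message_from_string(raw)
    hops = []
    for received in msg.get_all("Received", []):
        flat = " ".join(received.split())          # undo header folding
        ip = re.search(r"\[([0-9A-Fa-f.:]+)\]", flat)
        proto = re.search(r"\bwith (\S+)", flat)
        hops.append({"ip": ip.group(1) if ip else None,
                     "tls": bool(proto) and proto.group(1).upper() in TLS_PROTOCOLS})
    to_cc = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {"encrypted_body": msg.get_content_type() == "multipart/encrypted",
            "from": msg["From"], "subject": msg["Subject"],
            "recipients": [addr for _, addr in getaddresses(to_cc)],
            "hops": hops}
```

`Received` lines added upstream of your own servers can be forged, so the per-hop TLS flag is indicative rather than proof.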

That was my experience with PGP back a ways - theoretically super-secure, but enough friction getting it set up that it was beyond what most people were willing to do. And that’s the thing - none of the encryption stuff works unless everybody involved is on board.

1 Like

Right. I understand the technology. If it’s a question of being “reasonably secure” I think it’s fine for most. Shouldn’t be emailing at all if your security requirements call for hiding metadata.

The problem is that “reasonably secure” is a GDPR requirement for all personal and sensitive information. Unencrypted emails are not classed as reasonably secure. Personal information could be as simple as a full name and calendar appointment with location.

So when they wrote GDPR, did they submit a new email standard to the IETF? Are there no more email providers operating in the EU? I’m sure the intent of GDPR wasn’t to hamper commerce. That makes ZERO sense…

Not necessary. It’s a simple statement that unencrypted email is deemed insecure. The onus is on the organisation. As the email can sit in plain text on any number of servers for any amount of time, it’s more like a postcard than a letter and not reasonably secure. The organisation needs to ensure reasonable security.

So how old is GDPR? And what behaviors have changed specifically related to email since GDPR became law?

Even Gmail makes a best effort to use TLS if the receiving server accepts it. There are methods to “secure email”.

If “reasonably secure” is, as you say, a “requirement” how come we haven’t seen a broad shift in how email is handled in GDPR countries? Can I send or receive an email from the EU if my server isn’t configured to use TLS? If I can, then something doesn’t add up…

I’m not a lawyer (but I do manage information security for my organization): The notion of “reasonable security” is highly dependent on context and even unencrypted email can be considered reasonably secure under some circumstances. What’s considered reasonable is highly dependent on purpose, sensitivity of information, and “reasonable” expectation of privacy.

1 Like

Great point. I’m no attorney either. But I do know that if “reasonable security” was the requirement as it was stated above, we’d have seen a widespread shift in behavior (even if minimal) on the part of providers/employers.

The challenge is the shifting sands of what is deemed reasonably secure. In the UK all local councils have to encrypt their email. This doesn’t actually bear out in practice, but is the recommended procedure. It’s only tested when there is unauthorised access to information, and then the practice is measured by the policy. I work in the charity sector and have had a number of conversations with the Information Commissioner’s Office (ICO). They also recommend encryption. Let’s be clear this is about personal and sensitive information. However, in some places that’s just about every piece of information. If someone asks you for a colleague’s phone number that’s personal information, or address, etc. Minutes of a meeting could easily contain this information. If you’re dealing with clients and donors it might be all your data.

I am seeing a shift. As I mentioned we’ve moved from email to MS Teams. Organisations are moving to MS encrypted email, Slack, dedicated closed cloud systems and the like. It’s probably SMEs that are more affected as they don’t have the finances for some of these services.

So which is it? You say that it’s required, and then you say it’s recommended. Your original argument is that email is not reasonably secure, therefore it’s required. No one is arguing that email is the best, or most secure means of communicating. But, email can be “secured”.

Services like Teams, Slack, etc can’t keep data encrypted and integrate with other web services. It’s a platform play. You could argue that encrypted/secure email is more secure than a messaging service that has 3rd party integrations.

The fact remains that we haven’t seen a dramatic shift in email behavior since the inception of GDPR.

One more thing. Wasn’t trying to be a jerk. If my tone seems harsh that wasn’t my intent, and I apologize. I could “argue” about this stuff for hours….

Both. One is policy for councils, the other is a recommendation from the ICO. The council policy is implementing the ICO recommendation as ultimately the ICO will be the ones who fine organisations.

I had no clue that Signal could make phone calls. I thought it was strictly a messaging platform?

As far as I know, it’s just messaging.
@svsmailus said as far as security, phone call > email, so I was saying Signal > phone call.

You can do voice and video calls in Signal. It’s not my jam but seems okay, in my limited experience. The privacy claims are similar to those of messaging.