The constant challenge for IT professionals and security experts is to balance security and usability. If the most secure system is too complicated or cumbersome to use, people will circumvent it. Once the official or corporate system is circumvented, security has devolved from professional (IT executive) to amateur (end user).
Former Secretary of State Hillary Clinton’s use of a personal email system purportedly set up in her house by a colleague is a perfect, high profile example of this – but certainly not an isolated example.
In 2003, the United States Government Accountability Office (GAO), the auditor of the US Federal Government and an arm of the US Congress, began using RMail® --- RPost’s Registered Email® service with functions to track opening, prove delivery, encrypt for privacy, and e-sign. A key reason they selected RMail technology was that it operated from within the native end user email interface --- with functions simple and intuitive for the sender and recipient. In other words, RMail offers convenience Secretary Clinton would surely have appreciated.
IT professionals often underestimate just how simple the user experience must be for widespread adoption. Receiving a link in an email forcing the recipient to set up an account to access an email is not simple enough. Nor is exchanging digital certificates and saving them to a device.
When the recipient says to the sender, “just send the darn thing,” because they get frustrated with the more secure process, the sender often just sends it, frustrated that they are frustrating the recipient with some policy or process IT has put in place.
If it is not simple to use, people will circumvent the process; and they do – even those who know they shouldn’t, like the US Secretary of State.
If the Secretary had known that she could simply install RMail right into the US Department of State email interface, purchasing from AT&T’s government procurement IT schedule (GSA schedule), she would have had security and accountability with simplicity --- and would not have been compelled to circumvent the process.
A summary of common secure messaging systems follows; the best method for security and simplicity for users is the “True Direct Delivery” method employed in RMail services.
1. Public Key Exchange – Secure but Complex for Many.
This is provided with the Department of State email. Certainly it is secure, but apparently too complex for many when communicating with parties who are external to the system, including the Office of the Secretary. This involves exchanging public encryption keys among your contacts (PKI Digital Certificates) and using Microsoft Outlook on your desktop computer. This “strong crypto system” has proven to be too cumbersome for most to use. One has to purchase and install these certificates, manage the expiration, ensure your recipients have a copy of your public key, and you theirs, and make sure all are using a compatible email program such as Microsoft Outlook desktop software.
2. Secure Store and Forward - “Man in the Middle” Problems.”
Systems that store your message content in the middle, and send a link to the recipients to download the content, are often used by consumers (and some companies) not understanding their most sensitive information is being stored on a third party server with unknown data security and message purge practices (which may differ from their stated policies). Further, the recipient is often forced to create an account to access the message and this is often a cumbersome process that has to be re-done each time they forget the password they used to access a particular message (ugh). Finally, there is no protection from unknown recipient endpoint security or lack thereof. So store and forward systems are not considered “strong crypto systems.”
Note, some systems that wrap your email in an encrypted HTML file before sending, often purport themselves to be “direct delivery,” but leave out the important point that the process of decrypting, is often sending the data back to the server in the middle. That server storing the decrypted message and displaying it in a web browser still has the same Man in the Middle storage purge concerns. Further, there is no protection from unknown recipient endpoint security or lack thereof. So it’s better than simple Secure Store and Forward, but still retains the Man in the Middle issues, and not considered a “strong crypto system.”
3. True Direct Delivery – RMail Method and the Best Method.
Systems that wrap the message in an encrypted PDF file are “strong crypto systems” as (a) the message content is not stored in the middle, (b) content is truly delivered to the recipients’ desktops encrypted, AND (c) the content remains encrypted at the recipient endpoint to prevent potential disclosure regardless of the recipient endpoint security. This is RPost’s RMail encryption method, and we’ve made it easy to use and implement for both the sender and recipient (for both compliance and personal privacy).
RPost has been offering secure electronic messaging services for more than 10 years and is a winner of the World Mail Award for best in security.
In the United Kingdom, insurance brokers' concerns about sending important correspondence by email are easing, thanks to RPost and The British Insurance Brokers' Association. BIBA, the UK's leading general insurance intermediary organization with just under 2,000 regulated firms, has just endorsed RMail™ Registered Email™ in order to provide insurers and brokers with measurable tools that reduce cost, risk and transaction cycle time. BIBA chose RMail, as catalyst for the insurance inudstry to eliminate paper and move to fully protected, legally verifiable electronic delivery of important administrative correspondence. This secure, cost-effective alternative to post or couriers is an ideal service for brokers looking to speed up critical communications while demonstrating compliance. BIBA members can also enjoy a reduced rate on a simple pay-as-yougo (PAYG) no risk model, ideal for all business sizes, offered by UK distributor, Mailsoft.
Read the official BIBA announcement, here.
With RMail for Gmail, Millions of Users Can Now Send Registered Email Messages from their Gmail Compose Interface
Stockholm, Sweden, and Los Angeles, CA —September 23, 2014– Today, RPost announced the availability of its heavily-anticipated RMail extension for Gmail for national postal operators worldwide. RMail® for Gmail creates an easy method for national postal operators to build themselves into the digital world. With RMail for Gmail, millions of users can now send Registered Email messages from Gmail with just one extra click; sending postal-branded Registered Email messages for legal track and prove capabilities, e-signatures, and secure encryption.
Five national postal operators in Europe, Africa and the Americas will be the first to have RMail for Gmail implemented for their citizens, with more countries expected to follow-suit. The Postal Corporation of Kenya will be among the first postal operators to promote this exciting capability to millions of Gmail users in Africa, for example. This RMail functionality extends the postal network to one of the largest digital communications platforms.
RMail for Gmail includes the ability to send Registered Email messages via a high value delivery network with options to track and prove delivery, encrypt content, sign documents electronically, and convert attachments to PDF format.
“We continue to innovate with our partners to ensure the Registered Email functionality is only a click-away from wherever users currently send email,” comments RPost CEO Zafar Khan. “RPost solutions are now built into the largest electronic messaging platforms.”
RPost invented the Registered Email® technology in 2000. Today, RPost’s Registered Email® service is the worldwide standard for email proof. Individuals want the power of proof when sending sensitive or important business messages, such as cancellations, complaints, and acceptance of terms; to avoid any potential disputes about an email communication, or as a deterrent to the common excuse: “I never got the email, please resend.” RMail empowers Gmail users with proof of who said what when, who received what when, who agreed to what when, with email.
By partnering with RPost, postal operators are just one click away from extending their services to the digital space and allowing millions of email users to access an all-in-one electronic postal platform for messages, documents, files, collaboration and more, from users’ existing email addresses.
You can register and start using RMail for Gmail at www.rpost.com/gmail
RPost has set the global standard for email delivery proof, encryption, and e-signatures with its patented Registered Email® technology. RPost services enable email users to track, prove, sign, encrypt, and collaborate across desktop, mobile, and web platforms. RPost services speed contract execution, increase data privacy and compliance, and reduce risk with court-admissible records. Founded in 2000, RPost operates from six global business centers, is in use in countries throughout the world, within governments and Fortune Global 500 companies, and has been endorsed and marketed by influential bar associations throughout the United States. Winner of the World Mail Award for Security, RPost holds 50+ patents worldwide. For more information, please visit www.rpost.com.
The Leahy–Smith America Invents Act (AIA), signed into law in 2011, has created new opportunities for those accused of patent infringement to challenge the validity of granted patents, with the institution of new "post-grant" proceedings.
Today, the validity of RPost patents have been challenged by companies, including Symantec, Swiss Post, Experian, EBay, Epsilon, and Constant Contact. These companies instituted requests for post grant reviews, including Ex-parte Re-examinations, Inter Partes Reviews, and Covered Business Method Reviews.
To date, eight of RPost's US patents upheld their validity after post-grant reviews conducted by the United States Patent and Trademark Office and its Patent Trial and Appeal Board.
These RPost patents include US 8,224,913, US 8,209,389, US 8,161,104, US 6,182,219, US 6,571,334, US 7,966,372, US 8,504,628, and US 8,468,199 claims 1-8. These patents broadly provide RPost exclusive rights to claimed technologies to track and prove delivery, content delivered, opening, replies, and more; for electronic messages.
RPost practices its inventions.
What is a patent? In short, a patent is a government granted exclusive right to a specified technology in exchange for early disclosure sufficient to teach the world how to build the invention.
Why is this area of the law important? Lawmakers believe that early detailed disclosure of inventions will to spur further marketplace innovations, as many technologies are incremental advancements. More innovation will spur a more robust and advanced economy.
Inventors must make an early decision --- voluntarily disclose the invention to potential new competitors and the world, or maintain the invention as a trade secret. To provide incentive to inventors to disclose their inventions early --- to facilitate others innovating on top of these inventions --- the government offers the opportunity for a 20 year exclusive right to that technology if, after much review, it is deemed to be a true technological invention, and is determined to be, after a worldwide review of other inventions and disclosures, an original invention.
Specifically, the patent discloses the invention, and then describes the elements of the invention that the inventor believes are the unique, technological invention. These become the claimed exclusive real property right owned by the inventor. A patent is real property; technology property that is defined as a “claim".
RPost today has more than fifty patents granted in 22 countries with hundreds of “claims”. Some examples of RPost patent claims -- exclusive technology owned by RPost -- are systems and methods of authenticating delivery and opening of electronic messages, systems for encrypting email, recording recipient replies to received documents and messages, and more. Examples follow of claims that upheld validity after post-grant reviews:
US 8,161,104 Claim 27. A system for transmitting a message from an originating processor to a recipient processor in an electronic mail system and providing an indication that the message was opened by the recipient processor, comprising: a server in electronic communication in the electronic mail system, the server receiving the message from the originating processor and adding a link to the message before transmitting the message and link to the recipient processor, the link being configured to execute automatically when the message is opened at the recipient processor to control the server to provide an indication at the server that the message has been opened at the recipient processor; and wherein the server constructs authenticatible information related to the message; and wherein the server transmits the indication of the opening of the message at the recipient processor and the authenticatible information to the originating processor.
US 8,468,199 Claim 1. A method of transmitting a message from a sender to a recipient through a server displaced from the recipient, the steps at the server comprising: receiving the message at the server from the sender; transmitting the message to the recipient; receiving at the server at least a portion of a data transport protocol dialog generated during transmission of the message from the server to the recipient; and receiving at the server from the recipient an indication of the failure to deliver the message to the recipient; forming at the server a first information from the at least a portion of the data transport protocol dialog and the indication of the failure to deliver the message by the recipient; and transmitting, before any authentication of the message, a copy of the first information to the sender from the server.
US 8,504,628 Claim 30. A system for transmitting a message from a sender to a recipient, comprising: a server configured to receive a message from a sender, the server being remote from a recipient of the message, the server also being programmable using software commands to determine if there is a particular indication present in the message that identifies the message as requiring special processing before the message is transmitted to the recipient, to transmit the message from the server to the recipient through a first route if the message lacks the particular indication, and to process the message in accordance with the particular indication if the particular indication is present.
All service providers (such as lawyers, doctors, accountants, financial advisors, etc.) who believe their communications with clients are private -- and in some situations, privileged -- should take note. Conversely, all clients who believe their communications with trusted service providers are private should also take note.
If you believe the revelations reported by The Guardian after a recent July 17th interview with NSA whistleblower Edward Snowden, you should consider encrypting all such communications.
Here’s a summary of what Snowden said in his interview with The Guardian, along with Snowden’s original quotes:
1. Your data collected by the government will likely be stored forever. "Because of the advance of technology, storage becomes cheaper and cheaper year after year and when our ability to store data outpaces the expense of creating that data, we end up with things that are no longer held for short-term periods, they’re held for long-term periods and then they’re held for a longer term period. At the NSA for example, we store data for five years on individuals. And that’s before getting a waiver to extend that even further."
2. The government believes it needs to be able to intercept all communication and therefore discourages use of message-level encryption, which makes mass collection more challenging. "And the government is saying that we need to be able to intercept all of these communications … And because of this they don’t like the adoption of encryption. They say encryption that protects individuals’ privacies, encryption that protects the public’s privacy broadly as opposed to specific individuals, encryption by default, is dangerous because they lose this midpoint communication, this midpoint collection." Further, "The reality is every communication comes from an originating point and it ends up at a destination point. And these two points are computers, they’re devices, they’re cell phones or laptops and they can be hacked. They can be exploited, which gives law enforcement agencies and intelligence agencies direct access to those systems to be able to read those communications."
3. Lawyers and other service providers have obligations to maintain client confidentiality – but without encryption, they cannot. "Lawyers are in the same position. And investigators. And doctors. It’s a constantly increasing list and one that we’re not even aware of today. I would say lawyers, doctors, investigators, possibly even accountants. Anyone who has an obligation to protect the privacy interests of their clients is facing a new and challenging world and we need new professional training and new professional standards to make sure that we have mechanisms to ensure that the average member of our society can have a reasonable measure of faith in the skills of all the members of these professions."
As Snowden suggests, the NSA has your information -- and lots of it. And they will likely have it forever. But, can it be obtained by others? And, if it is obtained by others, can it be publicly exposed or even used against you?
Assuming you are not a national security threat, it has yet to be seen whether a simple Freedom of Information Act request would compel the NSA to return to you your records, location information, conversations, and email that the NSA has collected. It will be interesting to see whether such a request would be successful. This has already been tested successfully in Germany with subpoena to T-Mobile of one’s personal stored metadata, which can then be used to map one's location history to Google maps. (Check out this interactive map for yourself.)
In a developing storyline here in the United States, we will get to see whether Congress can obtain information on US citizens to hold against them in proceedings. CBS News recently reported, "The House Armed Services Committee has come up with a creative approach to look for emails from embattled former Internal Revenue Service (IRS) official Lois Lerner that were apparently lost in a computer crash."
"They're asking the National Security Agency (NSA) and the Defense Department. The panel approved a resolution Wednesday authored by Rep. Steve Stockman, R-Texas, that directs the Secretary of Defense to send the House of Representatives 'copies of any electronic communication in the possession of the Secretary, the Director of the National Security Agency, or any office that reports to the Secretary or the Director that was transmitted to or from any electronic mail account(s) used by former Internal Revenue Service Exempt Organizations Division Director Lois Lerner at any time between January 1, 2009, and April 30, 2011.'"
If we are to believe what has been reported, the bottom line is:
1. Your information is being collected.
2. Your collected information is stored for a long time, and may be accessible through public requests for information.
3. Encryption works to keep correspondence private, but only if used; and only if messages themselves are encrypted, even at the endpoint.
4. Your service provider (lawyer, doctor, accountant, financial planner) may not understand or care enough to protect you by encrypting your private correspondence. If you are not encrypting your correspondence to them or you are not insisting that they encrypt correspondence with you, your correspondence will not be private.
RPost's encryption service uses "True Direct Delivery," a proprietary method of encrypted mail delivery whereby the message is encrypted in a secure PDF wrapper, delivered directly to the recipient (without being stored in the middle), and stays in an encrypted format in the recipient’s mailbox or on any recipient mail servers. Endpoint security is a critical requirement of message privacy, as entities such as the NSA have shown in recent years.
Learn more about RPost’s encryption service at http://www.rpost.com/esecurity.
- Now is the Time for Secure Emails, Digital Signatures and Electronic Contracts – A Legal Perspective
- RPost Services Support Compliance with New FDA Guidelines on 21 CFR Part 11
- Amended Texas Rule Allows Lawyers to Serve Court Documents by Email
- Conflicting Federal Court Rulings on NSA Phone Surveillance Ignite Debate – What to do in the Meantime?