20 May 2019

Folklore of Opportunistic Privacy

Many people believe they are sending information privately because they use Microsoft Office 365, Gmail, or a third-party service that sends all messages using Transport Layer Security (TLS).

And they may be right, if “secure sometimes” is good enough.

There is the notion of “opportunistic privacy” also referred to as “opportunistic TLS”, which sounds pretty cool. It certainly sounds secure.

But what does this really mean? Let’s take a look at deciphering a popular myth about secure messaging.

(Warning: if this article seems too technical, it is important enough that we suggest you forward it to your IT consultant.)

With email, many popular services tout secure messaging simply because they enable “Opportunistic” TLS private transmission. This simply means, if the sending server can transmit using secure transmission methods, it does; but if it cannot, it simply transmits the message in plain text, like a message written on a postcard…like your tax, investment, or health ailment details written on a postcard.

Not great; but is it good enough? Well, that may depend on how many servers there are out on the Internet where email TLS transmission does not work. How often does this not work? At least 1 in 10 messages on average sent by Google Gmail or Microsoft servers using opportunistic TLS are sent in plain text, according to them. And for some recipients, 10 in 10 are sent in plain text (see the Tech Essentials article, “Not All TLS is Created Equal”).

But wait, there are also different levels of secure transmission. TLS 1.0 and 1.1 are deemed not to be secure enough for transmission of financials like credit card data (for PCI Compliance). TLS 1.2 is good.

So, what about enabling “opportunistic TLS 1.2” privacy? This generally is not an option (other than with RMail).

Well, wouldn’t it be simpler if the servers simply “enforced” TLS privacy? This also sounds good, but what it really means is that if the message is not able to be transmitted securely, it is not sent at all. Not good. Instant calls to IT staff complaining. Ugh.

What is really needed is a service that can be set to do the following invisibly to the sender, automatically working out the best user experience for the recipient. The ideal secure messaging service should:

1. Send opportunistically secure with the level of security the sending company desires as a minimum (i.e. TLS 1.0, 1.1 or 1.2) and, if this level of security cannot be met, still enforce security by reverting to an alternate method. Of course, the alternate method should also be easy; it should not require recipient log-ins or retrieval links. The alternative should deliver direct to the recipient inbox and automatically manage any password needs.

And better,

2. when sending, also set up a simple way for the recipient to reply securely, so they can attach documents to their reply and transmit it back to the sender encrypted, regardless of the receiver’s system and without recipient log-ins.

And even better,

3. provide the sender with delivery and open tracking visibility with proof of privacy compliance for each message (HIPAA, PII, PCI); and best, with auditable proof of compliance for those dealing with GDPR (Article 5 and Article 31 compliance).

And perhaps,

4. mark the email so the recipient is aware the sender took the care to protect the particular email content.

Finally, the ultimate:

5. all of the above while providing the administrator the option to set automated rules so certain messages are sent encrypted with the above methods based on certain message text or key word triggers in the message subject; or from a mobile phone by simply adding a symbol in the subject. And perhaps, if the words “wire transfer”, “investment portfolio”, or “attorney-client privilege” are in the message, send in a super secure manner, so the content even remains encrypted inside the recipient inbox when not being viewed by the recipient.
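
The three delivery behaviours discussed above (opportunistic TLS, enforced TLS, and the minimum-level-with-fallback behaviour of item 1) can be compared side by side. The following is an added example, not code from RMail or any mail provider; the policy names, sample EHLO replies and host names are constructed for illustration.

```python
# Added illustration: models the delivery decision only; no mail or network traffic.
from enum import Enum

TLS_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]  # weakest to strongest

class Outcome(Enum):
    TLS = "sent over TLS"
    PLAINTEXT = "sent in plain text"
    NOT_SENT = "not sent"
    ALTERNATE = "sent by alternate encrypted method"

def offers_starttls(ehlo_reply: str) -> bool:
    """True if an SMTP EHLO reply advertises the STARTTLS extension."""
    for line in ehlo_reply.splitlines():
        # Reply lines look like "250-STARTTLS" (more follow) or "250 STARTTLS" (last).
        if line[:3] == "250" and line[4:].strip().upper() == "STARTTLS":
            return True
    return False

def meets_minimum(negotiated: str, minimum: str) -> bool:
    return TLS_ORDER.index(negotiated) >= TLS_ORDER.index(minimum)

def decide(policy, ehlo_reply, negotiated=None, minimum="TLSv1.2"):
    """policy names are hypothetical labels for the three behaviours in the article.
    negotiated: TLS version the handshake yields, or None if no TLS session is possible."""
    tls_ok = offers_starttls(ehlo_reply) and negotiated is not None
    if policy == "opportunistic":          # any TLS if available, else plain text
        return Outcome.TLS if tls_ok else Outcome.PLAINTEXT
    if policy == "enforced":               # TLS or nothing
        return Outcome.TLS if tls_ok else Outcome.NOT_SENT
    if policy == "minimum_with_fallback":  # required level, else another encrypted route
        if tls_ok and meets_minimum(negotiated, minimum):
            return Outcome.TLS
        return Outcome.ALTERNATE
    raise ValueError(f"unknown policy: {policy}")

# Constructed sample recipients: (EHLO reply, TLS version a handshake would negotiate).
SAMPLES = {
    "modern": ("250-mx.example.net\r\n250-SIZE 35882577\r\n250-STARTTLS\r\n250 8BITMIME", "TLSv1.2"),
    "legacy": ("250-mx.example.org\r\n250-STARTTLS\r\n250 HELP", "TLSv1"),
    "no_tls": ("250-mx.example.com\r\n250-SIZE 10240000\r\n250 HELP", None),
}

def compare(minimum="TLSv1.2"):
    """Outcome of each policy for each sample recipient."""
    return {name: {p: decide(p, ehlo, ver, minimum).value
                   for p in ("opportunistic", "enforced", "minimum_with_fallback")}
            for name, (ehlo, ver) in SAMPLES.items()}
```

Calling `compare()` shows that the "legacy" recipient is reported as sent over TLS under the opportunistic and enforced policies even though only TLS 1.0 is negotiated, while the "no_tls" recipient gets plain text, no delivery, or the alternate route depending on the policy.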

Microsoft Office 365 and Gmail don’t accomplish this. But RMail does. RMail does all of this and makes it simple and affordable. Install and try RMail instantly, at no cost.


To learn more about RPost products, visit www.rmail.com or www.rsign.com