
I wrote this paper some time ago and decided to give it another airing here.  As the internet is being increasingly used by counsellors and clients, it raises some security issues that surround the use of computers in this area.

It Wouldn’t Go Away

It was one of those things that I thought didn’t affect me. Electronic privacy was an issue for cyber-geeks, multi-national businesses, criminals, terrorists, and the occasional paranoid (or so I presumed). I comfortably told myself that if I didn’t think about it, it wouldn’t matter and that it would eventually go away. But it persisted in creeping into my consciousness.
Three things in particular gave the issue a strong nudge in my direction.

  • I had been corresponding by email with clients from around the world for a number of years. During that time it became apparent on several occasions that clients were distressed (and in one case even physically endangered) by the fact that their confidential emails to me, and my confidential replies to them, were being read by someone else in their own family or at their place of work. Sometimes it was accidental, sometimes it may have been deliberate snooping. But for whatever reason, privacy invasion was starting to happen on a sufficiently large scale to come to my attention. Imagine a situation where husband and wife independently seek anonymous counselling, using the same email address and computer, without wanting the other partner to know!
  • I received an email from somebody pretending to be Henry Fielding, the eighteenth-century English novelist (who apparently has an email account at Yahoo.com). It didn’t take long to realise it was a fake written by one of my friends as a spoof (not many of my acquaintances studied for a PhD on Henry Fielding), but it reminded me that the name in an email address and on an email signature file is typed in by whoever sends the message and is checked by nobody. Banks and businesses have been concerned about this for some time.
  • My machine was getting old and beginning to creak a bit, so I thought about sending it in to my computer supplier for a new lease of life - a memory and hard-disk upgrade. Up until the time I contemplated this I thought that I had followed good practice. Although I used a word processor and database to record my counselling logs, I followed the procedure recommended by my Professional Association and replaced client names with codes. I stored the code key securely on a separate disk and away from my machine. But the more I thought about it, the more I began to feel uncomfortable about the possibility of a third party (such as a young computer technician) reading even my coded logs. And I then realised that all of my appointment correspondence was stored on my hard drive containing many client names and addresses. I needed to do something before letting the machine out of the study.

There are many ways in which the privacy of computer composed, stored, or transmitted information can be compromised.

Privacy Violations At Base

Many people in problem relationships, on finding or suspecting that their partners or other family members are seeking email counselling, would be very curious to find out what details the correspondence contained. In my experience many husbands and wives want to write in confidence about their individual struggles to stay in the marriage, their sexual and financial difficulties, their thoughts about their children and in-laws, and their ‘private’ addictions. In most cases they are far from ready to have this material revealed to anyone else. It is not unknown for victims of abuse to write about the abusers still living in their households. However, all this information is at risk from a local, deliberate or accidental invasion of privacy.

These clients wouldn’t dream of putting all that information on the back of an open postcard and then leaving it around on their table for days for family, colleagues, or odd passers-by to read. If they dared to write it down at all, they would usually put it in a sealed envelope and store it in a safe place. But in many cases, storing mail and sensitive documents on a computer is about as secure as leaving the information on a postcard in a coffee-shop. Many people who may be using the computer legitimately or illegitimately could search out or stumble across the correspondence. (How many times have you frantically clicked on a document, hoping that it might be the one you were looking for, only to realise that it wasn’t?) And even where some attempt is made at protecting the documents concerned with a password (as in an email program for example), it is not uncommon for that password to be used by many family members or for it to be relatively easily accessible to them.

Similar risks exist for counsellors. Not only might they want to protect their own privacy, they have a responsibility to take reasonable measures to protect their clients’ privacy. More and more counsellors are using personal computers to store client and session information. Why write it out by hand if you can type it in and, for example, print out professional session reports, and keep accounts and other statistics at the press of a button?

These counsellors wouldn’t dream of putting all that information on the back of an open postcard and then leaving it around on their table for days for family, colleagues, or odd passers-by to read. Their professionalism would encourage them to store these records in a safe place. But in many cases, storing mail and sensitive documents on a computer is about as secure as leaving the information on an open postcard on a table top in a public place. These professional records can also be stumbled across (or sought out) by other friends, family, or colleagues with access to the same machine. And although password protection is possible with some packages, we suspect that it is not used as often as it could be, and that it is often not strong enough protection.

Both clients and counsellors are at risk from at least three other types of base privacy invasion, and although occurrences of these types are rare, they are certainly not unknown.

  • The computers of both clients and counsellors are occasionally stolen (allowing thieves moderately easy access to information that could not only be embarrassing, but which could also potentially be used in blackmail).
  • The computers of both clients and counsellors also need occasional repair and upgrading. Convicted internet paedophiles (amongst others) have certainly learned, that what you carelessly leave on your hard disk (or what you thought was deleted) can easily be found by a stranger with access to your machine and a small amount of technical know-how.
  • The computers of both clients and counsellors can be penetrated by hackers. It is not inconceivable that a counsellor’s computer might present an attractive target to someone seeking interesting files to look at or amend. In addition, with the popularity of ActiveX controls, scripts and Java applets, there is an increased chance that the HTML content you receive in an email message could access or modify files on your computer without your knowledge or consent. 1

The FBI were involved in tracking down a 30-year-old New Jersey man who created Melissa, the fastest-spreading computer virus to that date. In March 1999, Melissa caused significant problems on the Internet because of the volume of email the virus generated. 2 It is estimated that over 100,000 organisations were seriously affected. Melissa worked like this. You receive an email from someone you know with the subject line: “Important Message from (their name)”. Inside the email is a message: “Here is the document you asked for, don’t show anyone else.” The attached Word document contains a list of pornographic sites, but the real problem is that when you open it, a macro inside the document automatically runs, reads your email address book and sends exactly the same mail to the first 50 names. And so the chain goes on. Counsellors or clients who were victims of Melissa may find themselves very grateful that the program only read email addresses and distributed a list of pornographic sites. A macro with the same access could have wreaked havoc with counsellor/client confidentiality by finding and distributing very sensitive documents.

Privacy Violations In Transit

There is a myth that anything which is typed and sent down a telephone line is more secure than a handwritten snail mail letter. It is a myth.

If you select the appropriate options, your email program will display headers that reveal something of the route your mail has taken to reach you. If we assume that on most occasions this information is correct (a dangerous assumption - spammers know how easy it is to change and obscure it), you will be able to identify the main staging posts on its journey: the computers where your mail was temporarily stored before being passed on. Each of those computers adds its own ‘Received:’ line at the top of the message, so the topmost lines were written by the servers nearest you and the lowest lines by servers nearest the sender; anything below the line added by a server you trust could have been written by the sender. In principle, any letter you receive could have been stopped, read and changed in some way at every one of those staging posts without your knowledge. Depending on how often you check your email, your unencrypted correspondence could sit on your ISP’s server for hours or even days.
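Reading the route from the headers, as an added example that is not part of the original article: the message below is constructed, the host names in it are invented, and the parsing uses only Python’s standard `email` module. It lists the staging posts oldest first and then discards every hop recorded before the message reached a server you control, since those lines could have been written by the sender.

```python
"""Walk the Received: headers of an email to list its staging posts.

Added example; the message below is constructed for illustration and every
host name in it is invented. Only the standard library is used.
"""
import email
import re

# Constructed sample: a message that crossed three mail servers. The topmost
# Received: line was added last (by the recipient's own server); the bottom
# one was added first. A sender can forge any line below the one added by
# the first server you trust, so the list is only reliable from your own
# server upwards.
SAMPLE = b"""Received: from mx.example-isp.net (mx.example-isp.net [192.0.2.10])
\tby mail.counsellor.example (Postfix) with ESMTP id 1AB2C
\tfor <counsellor@counsellor.example>; Wed, 31 Mar 1999 09:12:05 +0100
Received: from relay.client-isp.example (relay.client-isp.example [198.51.100.7])
\tby mx.example-isp.net with ESMTP id 7ZY9X; Wed, 31 Mar 1999 09:11:40 +0100
Received: from home-pc (dialup-44.client-isp.example [203.0.113.44])
\tby relay.client-isp.example with SMTP id 00Q1; Wed, 31 Mar 1999 09:10:58 +0100
From: Ruth <ruth@client-isp.example>
To: counsellor@counsellor.example
Subject: Thank you
Date: Wed, 31 Mar 1999 09:10:00 +0100

Thank you for your last letter.
"""

# "from <sender host> ... by <recording host>" is the fixed part of a
# Received: line; everything else varies between mail servers.
_HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.DOTALL)


def hops(raw: bytes):
    """Return (handed_on_by, recorded_by) pairs in travel order.

    Headers are stored newest-first, so the list is reversed to put the
    hop nearest the sender at index 0.
    """
    msg = email.message_from_bytes(raw)
    route = []
    for header in msg.get_all("Received", []):
        # Unfold the header (continuation lines start with whitespace).
        m = _HOP.search(" ".join(str(header).split()))
        if m:
            route.append((m.group(1), m.group(2)))
    return list(reversed(route))


def trusted_hops(raw: bytes, my_server: str):
    """Keep only hops recorded by my_server or by servers after it.

    Anything recorded before the message reached a server I control could
    have been written by the sender, so it is dropped rather than trusted.
    """
    route = hops(raw)
    for i, (_, recorded_by) in enumerate(route):
        if recorded_by == my_server:
            return route[i:]
    return []  # my server never recorded a hop: the header set is suspect


if __name__ == "__main__":
    for handed_on_by, recorded_by in hops(SAMPLE):
        print(f"{handed_on_by:30} -> {recorded_by}")
    print("trusted:", trusted_hops(SAMPLE, "mail.counsellor.example"))
```

The only line you can vouch for is the one your own server wrote; the sending machine’s name in the bottom line (`home-pc` here) is whatever the sender’s software chose to announce.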

If you send confidential information from a work email address, it stands a greater chance of being read. Network managers may be responsible for ensuring that you are not passing on company secrets or sending libellous statements, and for ensuring that incoming mail doesn’t contain pornography or viruses. Several large companies have started to back up and monitor their email stores daily.

Doubtless the vast majority of postal workers are too honest and too busy to want to read your postcards, and the same is probably true of the people who run mail servers. However, the point is this: when you have something important and confidential, you take sensible steps to protect it from accidental or deliberate snooping. If secure envelopes are available, why not use them?

Security About Content: Is This What You Said?

While the prospect of someone deliberately intercepting and altering your mail may seem unreal, consider the following more plausible scenarios:

  • You find yourself in dispute with either a client or counsellor. You and your opponent both refer to sensitive and important documents that you claim substantiate your points. However, your opponent produces, before a disciplinary hearing, a different version of the document from the one you thought he or she had received from you. It would be good if you were able to show that the contents of the electronic document had been changed from the one you originally sent.
  • A male client with marriage difficulties receives email counselling over a number of months which is significantly helpful to him in rebuilding his marriage. However, in a misguided attempt to help a friend in a completely different difficult marriage, the client forwards edited extracts of your letters, and the friend starts to get inappropriate, incomplete, and almost certainly bad advice with your name on it. It might be useful (at some stage) to be able to demonstrate that the email had been tampered with and was not your original document, created specifically for one person only - your client.

Security About Identity: How Do I Know Who You Are?

Consider the following two letters:

  • Dear Abigail (Counsellor)
    Thank you for your support in helping me seek local help to stop being sexually abused by my father. However, for the time being I have decided not to report him to the authorities. Please don’t send me any more letters.
    Ruth (Client)
  • Dear Michael (Client)
    Please excuse the unusual email address, but my Internet Service Provider is experiencing mail problems at the moment and I am having to use a friend’s address. Please use this email address until further notice. In your last letter you sounded very distressed and on the verge of leaving your dishonest wife. Michael, I really want to encourage you to stay with her ….
    Richard (Counsellor)

The first letter seems routine enough. There is nothing unusual in an abuse victim not wanting to report an abuser whom she may love. But suppose Ruth’s father had read her letters and wished to end the correspondence to protect himself, using Ruth’s name and email address? As a counsellor, wouldn’t you want to be assured that the letter had, in fact, come from Ruth, if at all possible?

In the second letter the prescriptive nature of some of the comments may jar, but the explanation for the change of email address is plausible enough. But suppose Michael’s wife is posing as his counsellor in order to keep her husband? As a client, wouldn’t you want to be assured that the letter had, in fact, come from Richard, if at all possible?

When my father died, in order to perform the relatively routine task of closing his bank account, the bank (quite reasonably in my view) asked me to provide a death certificate (a photocopy was not acceptable because of the possibility of forgery) and three forms of identity to verify that I was who I claimed to be. Although we have become used to proving our identity in many areas, the practice is still not widespread with sensitive email correspondence. Email counselling correspondence is an area that is crying out for a system of identity verification.

What Is Needed

In order to protect client and counsellor privacy, and in order to instill confidence in using computers to compose, store, and transmit sensitive electronic information, the following facilities are needed:

  • Secure Email Access A means of controlling who knows about (and reads) the emails.

  • Secure Coding A strong system for encrypting sensitive documents to protect the privacy of those documents in transit and when stored on disk.

  • Veracity of Document A strong system for certifying that the contents of sensitive documents have not been tampered with.

  • Secure Signature A reliable way of verifying the identity of the document source.

  • Secure Wiping A way of wiping information from disks so that it is reliably beyond the reach of recovery. (Ordinary deletion only removes the directory entry; the data stays on the disk until something overwrites it, and copies in temporary files and backups need the same treatment.)

And of course, if such facilities were universally available and free, it would help.

Possible Solutions

The good news is that there are readily available solutions that would solve all of the above problems. Perhaps the bigger issue becomes one of persuading clients and counsellors to use the facilities.

Internet Email Account
An easy way of controlling email access is for the client to have a separate email account and password to manage when email is downloaded and read. However, if this is not possible (a spouse, for example, might become interested if you suddenly want to set this up) it is very easy to achieve the same result using a free email account where your mail is accessible only when you visit a particular internet site and enter your chosen password. You don’t have to involve your Internet Service Provider or configure any software. All you have to do is select a name and password and a new email account is set up for you. You don’t have to download your mail to disk and can read it and reply onscreen.

There are many sites where a free internet mail is available (for example, at Yahoo, Excite, AltaVista, Bigfoot, Lycos, and Hotmail).

However, free internet email accounts only solve the problem of secure email access. They don’t solve the problems relating to storage and transmission and should always be used in conjunction with some form of encryption for complete privacy.

Encryption and Digital Signatures
Before you dismiss cryptography as the stuff of spy novels and action comics, or of films involving a suited gentleman with a briefcase, consider what you want to achieve. You are sitting in your office, faced with the rather mundane task of sending a sensitive, confidential letter and of storing a copy safely in such a way that no one else can read it. You just want to be sure that the addressee was the actual and only recipient of the email and you want him or her to know that you were unmistakably the sender. National security isn’t at stake, but confidentiality is. How can you accomplish this? You can use cryptography and digital signatures. You may find it lacks some of the drama of espionage films, but the result is the same: information revealed only to those for whom it was intended.

Although he didn’t have problems with electronic security, Julius Caesar did face worries about his messages being intercepted and read. To overcome this he replaced every A in his messages with a D, every B with an E and so on through the alphabet. Only someone who knew his “shift by three” rule could decipher his original text. This is a very simple example of using a mathematical function (a cryptographic algorithm) in combination with a single key (in this case the number three) to encode and decode text. Although it worked for Caesar, it is an extremely weak system by today’s standards: there are only 25 possible shifts, so anyone who knows the method can try them all in moments. Once the key is discovered the code is cracked, yet the key has to be distributed to everyone who needs to read the messages for the system to operate at all.
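Caesar’s cipher and the attack on it, as an added example that is not part of the original article. The cipher is implemented as described (shift every letter by the key), and the attack needs no knowledge of the message: it tries all 25 shifts and picks the one whose output contains the most common English words. The sample sentence and the word list are made up for the example.

```python
"""Caesar's shift cipher, and why a single small key is no protection.

Added example, not from the original article. The plaintext and the list
of 'common words' used to recognise English are made up for illustration.
"""
import string

ALPHABET = string.ascii_uppercase


def caesar(text: str, shift: int) -> str:
    """Shift every letter by `shift` places (Caesar used 3); other characters
    pass through unchanged. Text is upper-cased, as Roman inscriptions were."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def decrypt(ciphertext: str, shift: int) -> str:
    """Decryption is encryption with the opposite shift."""
    return caesar(ciphertext, -shift)


# A handful of very common English words is enough to pick the right shift
# out of 25 candidates; the attacker needs no idea what the message says.
COMMON = {"THE", "AND", "TO", "OF", "IS", "IN", "YOU", "THAT", "FOR", "NOT"}


def score(candidate: str) -> int:
    """Count how many common words a candidate plaintext contains."""
    words = candidate.replace(",", " ").replace(".", " ").split()
    return sum(1 for w in words if w in COMMON)


def crack(ciphertext: str):
    """Try all 25 non-trivial shifts and return (shift, plaintext) for the
    best-scoring one. The key space is so small that 'keeping the key secret'
    buys nothing once the method is known."""
    best = max(range(1, 26), key=lambda s: score(decrypt(ciphertext, s)))
    return best, decrypt(ciphertext, best)


if __name__ == "__main__":
    message = "The client has decided not to report her father to the police."
    ct = caesar(message, 3)
    print(ct)
    print(crack(ct))
```

Modern ciphers are not weak because their method is public; they are strong because the number of possible keys is far too large to try, which is the property the Caesar shift lacks.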

In the early 1970s a much stronger two-key encryption system was developed by mathematicians working for the British government at GCHQ. 3 (The same ideas were independently published by academic researchers in the United States a few years later, and it is those published versions that PGP and S/MIME build on.) In a two-key system each user has a public key for encryption and a private key for decryption. You publish your public key to the world while keeping your private key secret. Anyone who has your public key can encrypt messages to you, without ever needing to see your private key, while only you, with your private key, can decrypt them. At present it is computationally infeasible to deduce a private key from the public key.

The primary benefit of public key cryptography is that it allows people who have no pre-existing security arrangement to exchange messages securely. The need for sender and receiver to share secret keys via some secure channel is eliminated; all communications involve public keys and no private key is ever transmitted or shared. … Public key encryption is the technological revolution that provides strong cryptography to the adult masses. 4

PGP - Pretty Good Privacy - is a powerful, freeware, flexible, two-key encryption program invented by Phil Zimmermann and made available around the world. In addition to giving counsellors and clients the ability to encrypt email messages easily and very securely, the program has the following very useful features:

  • the easy creation of keys, and publication of public keys;
  • the ability to encrypt any document (as well as email) so that sensitive documents can be safely stored on disks;
  • the ability to digitally sign any document;
  • the ability to check whether signed documents have been tampered with;
  • the ability to securely wipe files from disks;
  • the ability to work either from within most email programs as a plug-in, or alongside any email program using clipboard.

PGP produces a digital signature from the document’s content and the author’s private key: it computes a fixed-length hash of the document and encrypts that hash with the private key. If the content is changed in the smallest way, the hash no longer matches and the signature becomes invalid. The person receiving the document uses the author’s public key to verify the signature (and with it the integrity of the data and the authorship). Note that a valid signature proves the document was signed by whoever holds that private key; to be sure the key really belongs to the person you think it does, check the key’s fingerprint with them by some independent means, such as the telephone, before you rely on it. For some people, being certain about the author and content of a document is more important than encryption.
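The two-key mechanism of the previous section and the signature check described above, carried through in one added example that is not the article’s or PGP’s own code. It implements textbook RSA with Python integers so that it runs on the standard library alone; PGP itself adds padding, a random session key for the message body and a key-management layer, all omitted here, so this illustrates the mechanism rather than being a usable tool. The key size, the names Richard and Michael and the letter text are assumptions made up for the example.

```python
"""Two-key (public/private) encryption and digital signatures, end to end.

Added example, not the article's or PGP's own code. Textbook RSA on Python
integers: no padding, no session key, no key management, so it shows the
mechanism only and must not be used for real correspondence.
"""
import hashlib
import random

# A fixed seed makes the example reproducible. Real keys must come from
# an unpredictable source (the secrets module / os.urandom), never this.
_rng = random.Random(20_03_1999)


def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = _rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    """Random odd number of exactly `bits` bits that passes Miller-Rabin."""
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 512):
    """Return (public, private) as (e, n) and (d, n).
    A 512-bit modulus is far too small for real use; it keeps the demo fast."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    d = pow(e, -1, phi)  # private exponent: the modular inverse of e
    return (e, p * q), (d, p * q)


def encrypt(public, message: bytes) -> int:
    """Anyone holding the public key can encrypt; only the private key decrypts."""
    e, n = public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("too long for this toy; PGP encrypts a session key instead")
    return pow(m, e, n)


def decrypt(private, ciphertext: int) -> bytes:
    d, n = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(private, document: bytes) -> int:
    """Hash the document and raise the hash to the private exponent.
    The result depends on every bit of the document and on the key."""
    d, n = private
    h = int.from_bytes(hashlib.sha256(document).digest(), "big")
    return pow(h, d, n)


def verify(public, document: bytes, signature: int) -> bool:
    """Recover the signed hash with the public key and compare it with a
    fresh hash of the document in hand. Any change, however small, fails."""
    e, n = public
    h = int.from_bytes(hashlib.sha256(document).digest(), "big")
    return pow(signature, e, n) == h


if __name__ == "__main__":
    richard_pub, richard_priv = generate_keypair()  # the counsellor (assumed)
    michael_pub, michael_priv = generate_keypair()  # the client (assumed)

    letter = b"Michael, I really want to encourage you to stay with her."
    sig = sign(richard_priv, letter)       # Richard signs with his private key
    ct = encrypt(michael_pub, letter)      # and encrypts to Michael's public key

    assert decrypt(michael_priv, ct) == letter            # only Michael can read it
    assert verify(richard_pub, letter, sig)               # and can check it is Richard's
    edited = letter.replace(b"stay with", b"leave")
    assert not verify(richard_pub, edited, sig)           # an edited extract fails
    assert not verify(michael_pub, letter, sig)           # a different key fails
    print("encrypt/decrypt and sign/verify succeeded; tampering detected")
```

The forwarded, edited letter from the “Security About Content” scenario is exactly the `edited` case: the friend’s copy carries Richard’s name but no longer verifies against Richard’s public key.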

In recent years, an alternative two-key system, S/MIME (Secure MIME), has become widely available (mainly because it has been packaged into Outlook Express and Netscape Communicator). Although this system is very good, at Connections we have decided (at the time of writing) to recommend the use of PGP for the following reasons:

  • PGP lets you choose your own key length, and a long key is what makes a brute-force attack impractical. The strength of either system depends on the key length and algorithms actually in use rather than on the name, so check what your mail client is configured for. If security is important, why accept second best?
    If all the personal computers in the world - ~260 million computers - were put to work on a single PGP-encrypted message, it would still take an estimated 12 million times the age of the universe, on average, to break a single message. 5
  • PGP generates keys free of charge from within the program itself. To get a digital ID to use with S/MIME you have to register with a certifying authority (who will, of course, charge you an annual fee for the privilege). This puts the benefits of the system beyond the reach of many who might want to use it. It has been argued that while commercial customers may choose S/MIME, PGP will become the popular choice for personal communication.
  • PGP makes the encryption and signing of non-mail documents very easy. You can use it outside your email program on any other electronic document.
  • PGP comes with the facility to securely wipe documents from disks.

Personally, I’d always recommend PGP encryption above anything. And now that it integrates with most email packages, there’s simply no excuse for not using it. 6

PGP is the de facto standard for e-mail encryption on the Internet. It is packaged in a single application which performs encryption and decryption, digital signature, verification, and key management. There is no need for separate certificate management systems or certificate authorities, which among other reasons, has led to the popularity of this system. 7

Why pay money for an inferior system when a much superior one, offering you so much more, is free?

(There is even a free service that uses PGP and provides third-party authentication of proof of posting emails, and will provide a third-party date stamp for receipt of emails. See the free Digital Stamper Service.)

Electronic Privacy Policy

In addition to having a confidentiality policy, all counsellors who have a computer should have an Electronic Privacy and Authentication Policy.

We will:

  • Encrypt (using PGP) all sensitive documents that we store.
  • Wherever possible for the recipient, encrypt all sensitive emails before posting (preferably, but not necessarily using PGP).
  • Digitally sign (using PGP) all sensitive documents and emails that we produce, and make information available how this signature can be verified.
  • Encourage clients to set up Internet Mail accounts where appropriate, and to use these in conjunction with encryption (preferably, but not necessarily using PGP).
  • Encourage clients to use encryption (preferably, but not necessarily using PGP) when sending sensitive messages and documents to us.
  • Encourage clients to digitally sign (preferably, but not necessarily using PGP) all sensitive electronic communication with us.
  • Use PGP to securely wipe ‘dead’ sensitive documents from our disks.

The Ironic Conclusion

There is no doubt that computer crime is on the increase. One report estimates that it cost companies well over $100 million in losses last year. 8 There are also disturbing signs that it may continue to increase at an alarming rate, not just because of the expansion of computer usage, but also because people seem to find it easier to commit electronic crime than traditional physical crime. If you can sit in front of a screen and take someone’s private information by moving a mouse, it is easy to delude yourself that you are not stealing. 9

The irony is that against this backcloth of growing concern about computer security, excellent systems exist for making electronic communication more secure than traditional manual systems. For example, a digital signature is superior to a handwritten one in that it is practically impossible to forge as long as the private key stays secret, and it attests to the contents of the information as well as to the identity of the signer. And encrypting documents on your disk (using a two-key system) is far superior to hiding your papers in the bottom drawer of a cupboard.

If as counsellors or clients we experience privacy infringements, we cannot blame the weaknesses of the system. The security solutions exist. All that remains is for us to use them.

(I write as one who is still travelling and not as one who has arrived and would welcome any constructive feedback.)



1 Security notes accompanying Outlook Express.
2 Simon Walman, No Hiding Place, The Guardian, Wednesday March 31, 1999.
3 Steven Levy, The Open Secret, Wired Magazine, April 1999 (http://www.wired.com/wired/archive/7.04/crypto.html).
4 Phil Zimmermann, The Basics of Cryptography, PGP Documentation with Version 6. (Those of you familiar with Zimmermann’s writings will be aware of my debt to him for the arguments and examples in the section on cryptography.)
5 William Crowell, Deputy Director of the National Security Agency, March 1997.
6 John Elliott (Internet Consultant), Securing Your Email, Internet Magazine, May 1998.
7 Sathvik Krishnamurthy, Securing Your E-mail, Messaging Magazine (http://www.ema.org/html/pubs/messmag.htm).
8 Reuters, Computer Security Threats Climb, PC WORLD, 5 March 1999.
9 Referring to the work of Sutton and Mann, published in The British Journal of Criminology (38), quoted in You’re Nicked, .net (57) Spring 1999.
Needless to say, I have no commercial links with any of the above products. I am happy to recommend them as a means of solving a real problem. I cannot be held responsible for any problems that may arise from your use of these products, or offer any support for their usage. The decision to use them, and the responsibility for their use, are yours.
Since publishing this I have become aware of various other relevant software developments. I am grateful to the people who have written to me with their comments:

  • Eraser is considered to be a better document/disk wiper than the wiper included with PGP.
  • Scramdisk is another useful freeware program which provides a better way of securing documents for storage. It enables the encryption of whole portions of disk space rather than individual documents or files (you create a secure virtual drive). If your documents and data files are installed on your secure virtual drive, and if you re-route all the associated temp files that are automatically created with your documents to default storage on your virtual drive, then you avoid two problems: having to encrypt each document, and having to securely delete any associated temp files.
  • HushMail provides a free, fully encrypted, Web-based email system. This means that sensitive letters don’t need to be left unencrypted on Web mail servers. It must be stressed, however, that mail is only encrypted if it is sent to other HushMail users.
  • StealthMessage provides a free, fully encrypted, Web-based email system. This means that sensitive letters don’t need to be left unencrypted on Web mail servers. This is better than Hushmail in that the recipient doesn’t need to be a StealthMessage user. They will receive an email inviting them to go to StealthMessage and open the relevant encrypted email using a previously agreed password. Lots of enhanced security features, no software to download, very simple to use.

7 Responses to “Electronic Privacy for Counsellors and Clients”

  1. [Pingback] athinkingman added an interesting post today on Electronic Privacy for Counsellors and Clients. Here’s a small reading: More and more counsellors are using personal computers to store client and session information. Why write it out by hand if you can type it in and, for example, print out professional session reports, and keep accounts and other … [...]

  2. paulslewis66 says:

    The UK Government Technology Strategy Board are conducting research into how to ensure privacy and consent in identity management systems and they have a blog!! http://networksecurityip.wordpress.com

  3. athinkingman says:

    Thanks for the information Paul.

  4. paulslewis66 says:

    no worries!

  5. olga says:

    A very well written article with some real scenarios.
    I have only 1 comment, it’s about securing your content from changes.
    Unfortunately you gave a very good example about content forgery, but it can be easily avoided by using a digital signature in the document - it will protect your document from any changes.
    If you’re interested, there’s some useful background (non-commercial) information about digital signatures at http://www.arx.com/digital-signatures-faq.php

  6. athinkingman says:

    Thanks for the link olga.
