
GDPR €20 mil+ risk of not providing for encrypted email communication

  • #1
    Registered Users Posts: 1,659 ✭✭✭ Impetus

    While HTML emails were never a secure communication solution (compared with plain text), the current bug in Outlook and other email clients in the way that they process S/MIME (and OpenPGP) encrypted/digitally signed emails makes the use of HTML email totally negligent for serious emails involving personally identifiable data. There doesn’t appear to be anything wrong with S/MIME – just the client that uses it.

    S/MIME emails (in cleartext) that are encrypted end to end between the sender’s and recipient’s email clients (e.g. Outlook 2016) are probably safe, using the latest version of the client software*, providing no logos, background or text colors are used in the email – i.e. text only.

    Some of the biggest offenders in terms of HTML emails are airlines and hotels confirming reservations. Amazon order confirmation emails are always in plain text, though they are not perfect – AWS comes to mind. In my view a company is negligent unless it offers a checkbox option for HTML or text emails.

    SwissSign have it down to a fine art. S/MIME certificates for an email address cost EUR 25 pa and are valid all over the EU. For serious ID confirmation, they use SwissID, which involves a trip to a SwissPost office with an ID card and email verification. This face-to-face certificate has the same status in Swiss law as a handwritten signature. SwissSign is a joint venture between SwissPost and several Swiss insurers and other financial companies.

    As an aside, GDPR has not been fully thought through from a privacy perspective. E.g. if you set your browser to clear cookies when done, every time you visit a site from an EU IP number you will have to sign off on one or more stupid questions – e.g. do you agree to us planting cookies in your browser… I don’t mind cookies for the session, but they get dumped afterwards… GDPR has made surfing a pain – with all these pop-up windows to be checked every time one visits with a clean browser… So in effect, GDPR has been designed to ‘break you’ and force you to set your browser to store cookies ad infinitum… Every time I use the web, I hate the EU even more by the day with all this clicking. And I especially hate companies that have huge checkbox overlays that one can’t ignore. I won’t do business with one of them, ever.

    A digression… If an email server is hacked successfully and contains unencrypted emails, the hacker can sell your information on the black market… (I had a hotel in a certain country in the EU recently ask me to email my payment card number etc. to them… I said no, I will post it, because the reservation was for several months hence and the post would only take 2 days.)… I pointed out the GDPR issue she was exposing her company to… I sent her my S/MIME signature (to a large hotel chain) and she was unable to exchange hers with me to achieve encrypted email. So I shall not be staying in that hotel. So in my view any company that doesn’t facilitate S/MIME emails for the exchange of personal information should be hit with the full EUR 20 mil or 2% GDPR fine in the event of a leak of PI.

    An email server with encrypted emails is useless to hackers. Some banks give one ‘secure access’ to their internal email system with multi-factor etc, to communicate with one’s contacts in the bank. Banks can get away with this – but the rest of the world needs a universal encryption/authentication system such as S/MIME.

    *S/MIME relies on certificates, like TLS, and I suspect that many states (and others) have fake certification authority access that allows them to mint their own TLS or S/MIME certificates, enabling them to perform a person-in-the-middle attack on what people believe to be secure communication, so that they can read your messages and sell anything salacious, etc. in the appropriate market. But nothing is perfect. Encrypted plain text is a good start.

    Video on how to install a certificate:
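The post's practical advice boils down to two checks on a message: is it text-only (no HTML part, no logos or remote images), and is it S/MIME protected at all. As an added example that is not part of the original post and not Impetus's code, the following Python linter applies exactly those checks to a raw RFC 822 message using only the standard library `email` package. The three sample messages are constructed for this example (the `smime.p7m` body is a placeholder, not a real CMS blob), and the regular expression for remote references is a rough heuristic, not a full HTML parser.

```python
"""Lint an outbound or decrypted email for the properties discussed above:
plain-text only, presence of HTML and remote references (logos, trackers),
and whether the message is S/MIME enveloped (encrypted) or signed."""
import re
from email import message_from_bytes, policy

# Heuristic: src= or href= pointing at an http(s) URL inside an HTML part.
REMOTE_REF = re.compile(rb'(?:src|href)\s*=\s*["\']?https?://', re.IGNORECASE)


def inspect_message(raw: bytes) -> dict:
    """Walk every MIME part and tally what a reviewer would want to know."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {"text_parts": 0, "html_parts": 0, "remote_refs": 0,
              "smime_encrypted": False, "smime_signed": False}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "application/pkcs7-mime":
            # Opaque S/MIME: smime-type tells us enveloped (encrypted) vs signed.
            stype = part.get_param("smime-type", "")
            if stype == "enveloped-data":
                report["smime_encrypted"] = True
            elif stype == "signed-data":
                report["smime_signed"] = True
        elif ctype == "multipart/signed" and \
                part.get_param("protocol") == "application/pkcs7-signature":
            # Clear-signed S/MIME: body readable, signature in a sibling part.
            report["smime_signed"] = True
        elif ctype == "text/html":
            report["html_parts"] += 1
            body = part.get_payload(decode=True) or b""
            report["remote_refs"] += len(REMOTE_REF.findall(body))
        elif ctype == "text/plain":
            report["text_parts"] += 1
    # "Plain text only" in the sense used above: at least one text part, no HTML.
    report["plain_text_only"] = (report["html_parts"] == 0
                                 and report["text_parts"] >= 1)
    return report


def findings(raw: bytes) -> list:
    """Human-readable list of issues; empty list means nothing to flag."""
    r = inspect_message(raw)
    out = []
    if r["smime_encrypted"]:
        return out  # content is opaque here; lint again after decryption
    if r["html_parts"]:
        out.append("HTML part present; offer a text-only alternative")
    if r["remote_refs"]:
        out.append(f"{r['remote_refs']} remote reference(s) (logos/trackers)")
    if not r["smime_signed"]:
        out.append("not S/MIME signed or encrypted")
    return out


# --- Constructed samples (not real correspondence) -------------------------
SAMPLE_PLAIN = b"""From: alice@example.invalid
To: bob@example.invalid
Subject: Booking reference (constructed sample)
Content-Type: text/plain; charset=utf-8

Your booking is confirmed.
"""

SAMPLE_HTML = b"""From: hotel@example.invalid
To: bob@example.invalid
Subject: Reservation (constructed sample)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="B1"

--B1
Content-Type: text/plain; charset=utf-8

Your reservation is confirmed.
--B1
Content-Type: text/html; charset=utf-8

<html><body><img src="https://tracker.example.invalid/logo.png">
<p>Your reservation is <a href="https://example.invalid/r/123">confirmed</a>.</p>
</body></html>
--B1--
"""

SAMPLE_SMIME = b"""From: alice@example.invalid
To: bob@example.invalid
Subject: Constructed sample, placeholder payload
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7m"

UExBQ0VIT0xERVItTk9ULVJFQUwtQ01TLURBVEE=
"""

if __name__ == "__main__":
    for name, raw in (("plain", SAMPLE_PLAIN), ("html", SAMPLE_HTML),
                      ("smime", SAMPLE_SMIME)):
        print(name, inspect_message(raw), findings(raw))
```

Run it on a message saved from a mail client ("save as .eml") by reading the file as bytes and passing it to `findings`. Because an enveloped S/MIME body is opaque, the HTML and remote-reference checks only mean something on the sender side before encryption, or on the recipient side after the client has decrypted the message; that is also where the client bug the post refers to bites, so the useful place to enforce "text only" is at composition time.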