The UK Minister for Food recently made a gaffe about using a personal phone. He might not realise how big a gaffe it was, however. His comments were part of a wider debate about the UK’s Home Secretary having admitted to using her personal email account for government business. Whilst government business should be carried out using government (approved) equipment and services, there’s a big difference between making a phone call and sending an email.
The TL;DR, phone calls are pretty secure but email absolutely is not. Read on, I’ll explain, as succinctly as I can.
On the surface of it, using one type of communication device or technology might seem much like another. In reality the technology underneath and the security of them varies drastically.
Telephone Calls are Reasonably Safe
Your common or garden telephone in the UK is considered pretty secure. Your land line is connected to an actual cable that goes to a cabinet in the street. That cabinet is connected via real cables (or optical fibre) to the telephone exchange. You call is then routed from there around a network owned and operated by BT[1], eventually working its way to the destination. It’s pretty difficult for a rogue actor to get access to that pipeline. They either need to tap the wire at one end or they need to get into BT’s secure network.
Mobile phones are a little more vulnerable. It is possible for a snooper who’s physically near either end to listen in to the radio signals between the phone and the mast and hear the call audio. Also, as more organisations get involved in anything so the risk of a compromise within one of them grows. A call routed from Vodafone through BT to EE is more vulnerable simply because there are three organisations involved.
There have been incidents where large telephone networks have been hacked, but it is relatively unlikely that unfriendly foreign organisations are listening in to telephone calls in the UK.
Naturally, government business should be conducted on government (approved) devices. There are many reasons for this, but let me give you just three:
- People tend not to encrypt or adequately access protect their phones. Both can be enforced by policy with a government phone.
- Although it’s difficult to intercept an actual telephone call, some smart phones have been hacked to record audio and even video and relay that to rogue actors. Again, organisations can set policies to try to reduce this risk.
- If a government phone is lost it can be remotely disabled immediately.
Email is Horrendously Insecure, End of Story
The basic protocol the internet uses for email is now more than 40 years old. It was developed when The Internet was a very different animal to what it is today. There have been a number of security updates since then, but there are still some big holes.
One obvious problem is data at rest. Email is a store and forward system, when you send an email from your phone or computer it goes to an email server which then tries to work out what to do with it. That email server stores your email. Because email is not an end-to-end encrypted protocol, the mail server has access to the contents of your email, as does anyone who was sufficient rights (whether legitimate or hacked). I once demonstrated this to an unbelieving manager by changing emails that he sent.
What’s more, when data is written to storage it has a funny habit of hanging around. There are systems to try to make sure that deleted data is really deleted but not everybody uses them, the result being that it’s sometimes possible for a hacker to retrieve emails that passed through the server a long time ago.
Now let me take another angle, if you can receive emails, that means you have an email server somewhere that’s acting on your behalf. That email server is open to The Internet. If you’re foo@bar.com I could connect to the email server at bar.com, say “Hi, I’ve got a message for foo” and under the original protocol your mail server wouldn’t even check who I was. Almost all do now check, but the checks aren’t 100% fool proof and it’s still possible to send emails that appear to be from people they’re not.
As sender and receiver, we also have no control over the path that the email takes. The vast majority are simple, I’ll send my email to the mail server at tomfosdick.com which will look up your server at bar.com and directly transfer the email. As long as both email servers are uncompromised and the link between them uses an up-to-date strong encryption that’s relatively secure.
But there’s no guarantee that will be the route that gets taken. It could end up going through an email server in Russia. It could go between two servers that aren’t using strong encryption or even any encryption at all.
There’s a whole library of different techniques and different ways that email can be compromised, intercepted, altered and faked. If it’s done well, as an end user it can be impossible to tell if it’s been compromised. Even experts can’t absolutely tell if a message has been observed by a rogue actor on its journey, or if it’s been left on an insecure server somewhere for a hacker to pick up at a later date.
A final note here, one of the reasons that it’s important that government officials (including Ministers) to only conduct government business using government (approved) devices using government accounts is because they’re monitored and logged. This is a completely separate reason why a government official using a personal account is a serious issue; it opens the person up to the allegation that they were deliberately avoiding scrutiny. There are times when Ministers need to do secret things, but there are protocols for that. Avoiding scrutiny is a pretty good sign that a government official is working in their best interests, not ours.
WhatsApp et al are Comparatively Secure
A lot of newer messaging apps are comparatively secure compared to email. This is because they’re end-to-end encrypted. Your phone (or web client) encrypts the message and only your intended recipient has the key to decrypt it. It doesn’t matter how many servers or other pieces of network equipment it passes through, they could all be compromised, it wouldn’t matter because they don’t have the decryption key, they can’t view the message contents.
Having said this, there is information in the metadata; an attacker who did manage to compromise the network might be able to see who the message was from, to, when it was sent, when it arrived, how big it was etc. This kind of information can be extremely useful, but unless a hacker can crack the encryption, they can’t view the message itself.
Of course today’s strong encryption can be cracked by tomorrow’s mobile phone, so just consider that if your data does get stored, someone in the future might be able to crack it.
Do be very aware that not every messaging service is end-to-end encrypted. Twitter direct messages, for instance, are not. Their contents are also stored by Twitter indefinitely. Not only could the Twitter organisation exploit the contents of your direct messages, a data leak could easily expose your direct messages to threat. If you’re a government official there’s a reasonable risk your entire twitter DM history could end up on Wikileaks.
Wrapping It Up
For the vast majority of business and government needs, the good old telephone is plenty secure enough, but make sure that you comply with your organisations usage policies and don’t bleed your professional communications across into your personal accounts.
For the majority of business, email is fine. The reality is that millions of emails are flying around all the time and only a handful have anything interesting or valuable to a hacker. Emails are also, generally, pretty secure within the organisation itself. If you’re sending an email from your professional account to the professional account of someone else in the same organisation, that should be relatively safe.
Do be aware that if you’re sending information to people outside your organisation there’s a chance that email might be compromised. There’s a small risk that anything bad will happen, but it is there nonetheless.
A top tip is to remember that the telephone is comparatively secure. If you receive an email message that you are in any way concerned about, or you suspect anything not entirely straightforward, call the person.
Again, do not bleed professional stuff into your personal accounts. That’s a big no-no. Don’t, for instance, send a document to your personal email because you can read it better on your phone that way.
Newer messaging apps can be more secure, but check that they’re end-to-end encrypted and using a encryption technique that’s currently considered secure. You might be surprised how insecure some of the common platforms are.
[1] Yes, there will be people reading this and the words “well, technically, it’s not that simple…” will be on the tips of their tongues. I know; there is always a balance to strike between being technically accurate and boring the vast majority of readers into a stupor. You might consider T-REC-H.248.1 a little light reading before bed, but you’re a very, very niche minority.