Assuming that my ISP is interested in my POP-address Email:
Can they read it?
C anthey simply get a copy when it passes through the server?
Can I tell if that is the case, and is there something I can do?
- Yes
- Yes
- Not if they want to hide it.
Most ISPs have privacy clauses in their user contracts stating that they won’t do that unless they’re compelled by a warrant, however. Check your user agreement.
Your ISP, or any intermediate router/cache/server, can read email or any other files unless they are encrypted. Using sufficiently strong encryption software like PGP will protect the privacy of your communication, but requires whoever you are communicating with to have the same software.
I’d assume that any ISP of a decent size will have encryption - decryption software themselves anyway, so that probably wouldn’t help much…
It is pretty much like sending a normal letter. There is nothing to stop the post office workers from reading your mail - except for the privacy regulations and laws.
If you want real privacy in your written communication, get hold of PGP, and exchange keys with your communications partners. You’ll also be assured that anthing you receive is really from who it says it is.
Encryption/Decryption software won’t help much against PGP. The key lengths are very large, and can’t be broken by simple brute force. PGP helps a whole lot.
Remember to exhange keys by a different route, though. That will eliminate the (tiny) possibilty that someone might intercept your public key and use it to decode your communications later.
PGP is avaliable for a good many operating systems and as a plug in for many e-mail programs. You might also try GNUPGP.
Um, no. That’s not the way it works. The whole point of public key encryption is that it does not require secure key exchange. You’re supposed to publish your public key for all the world to use. That’s what it’s for. Public-key encryption systems use a pair of keys, the public key and the secret key. Anything encrypted with one can only be decrypted with another. You publish your public key, and anyone can use it to encrypt a message to send to you. That message can only be decrypted with your secret key, so presumably you are the only one who can read it (if you’ve handled your secret key securely). If you want to send to someone else, you encrypt with their public key, not your secret key. If you want to sign a message so that the recipient can prove that it came from you, then you can encrypt it with your secret key (or, more typically, encrypt a MAC) so that if it decrypts with your public key it must have come from you (note that this is authentication, not security, since anyone can get your public key and use it to decrypt something signed with your secret key).
You only have to worry about secure key exchange if you’re using a symmetric encryption algorithm where the same key is used to both encrypt and decrypt.
Your point to Tarantula was right on target. Whether or not the ISP has the same encryption software is irrelevant. As long as you handle the secret key of your PGP key pair properly, your data is secure. For anyone who thinks PGP is not secure, the article below describes the problems encountered by international law enforcement trying to recover PGP-encrypted data from terrorist PDAs:
Most of the ones I’ve bothered to read say that they won’t release the data without a warrant, but they intentionally neglect any mention of internal use. Securing the data against improper browsing by employees requires a whole different level of access control on the file systems which can interfere with basic administration functions, so most ISPs don’t bother. This means there’s nothing but the staggering dullness of your typical email to keep the night-shift support guy from browsing everything on the server.
micco has the answer. ISPs are not going to be able to use “encryption/decryption” software to do ANYTHING unless all we are talking about is Office-encrypted or ZIP-encrypted files or some other weak, lame-ass encryption.
Thanks for the correction, micco. I feel like a fool for posting such drivel - especially since I know better.
I stand corrected. Thanks for the pointer…
In the US, they don’t need to: the ECPA (Electronic Communications Privacy Act of 1986) says they can’t read the messages, unless they absolutely have to in order to deliver them. For example, if somebody sends a message to nonesuch@example.com, the postmaster could legally check the body to try to figure out who it was supposed to go to. In practice, though, nobody bothers doing that–too much effort, especially with spammers guessing addresses–so the system just bounces it back.
As a functional note (since I run two different mail servers personally…errmmm…make that two and a half now) it is trivially easy for a disreputable or dishonorable mail system admin to sit and read your unencrypted mails and attachments all day long. I know one at my company (no longer working there) who used to read people’s mails from 8-5 every single day, while pretending to work, so in effect getting paid $60,000 a year to snoop on mails. He also monitored all ICQ/AIM traffic too, and would sit and scan through the gigabytes of logs, looking for keywords.
PGP is free, freely available, and just not that hard to use. People in general who complain about their privacy being violated yet take no steps whatsoever to protect their privacy make me shake my head sometimes.
I agree completely. Not to hijack or drag this into GD territory, but I think this bears on the basic OP. The problem is caused by our legal culture which rewards this behavior. Several recent cases (e.g. DeCSS) have been based on the fact that a company can choose to use ridiculously weak security and then seek legal penalties under DMCA or similar when someone breaks it. If the company wanted security, they’d use a decent algorithm in the first place, but they’re more interested in fishing for torts. Real security, whether for emails or anything else, if fairly easy to accomplish if you’re willing to take the steps to use existing tools. If you’re not, you shouldn’t be surprised (and, IMO, should have no basis to sue) when someone cracks your data.