E-mail is the main communication method for many companies and organizations, both internally and externally. Too often it is forgotten how insecure e-mail is.
E-mail messages are like postcards
An unsecured e-mail is like a postcard: as it moves across the network, everyone who handles it can read it. Postcards are obviously an unsuitable way for a company to communicate confidential matters.
Unprotected e-mail is readable by everyone
It is often assumed that an e-mail passes directly from one computer to another. In reality, the message reaches the receiver through several stages.
Simplified, e-mail works like this: the sender composes and sends a message with a mail client, which hands it to the sender's mail server. That server relays the message through one or more further mail servers and relays (proxies) until it reaches the server holding the receiver's mailbox, from which the receiver fetches it with their own client. In other words, an e-mail passes through several servers on its way from sender to receiver.
It should also be remembered that, unless the message is encrypted end to end, it is handled in readable form at every one of these stages. Transport encryption (TLS) between two servers, where it is used at all, protects only that single link; each server still stores and forwards the plaintext. Anyone with access to one of those servers, or to a link that was not encrypted, can read the message without the sender or receiver knowing anything about it.
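The route a message took, and which links were encrypted, can be read back out of the `Received:` headers that every relay prepends. The following is an added example, not code from the original page: it walks the hops of a constructed sample message (the hostnames, addresses and message IDs are hypothetical) in travel order, flags the hops that crossed the network without TLS, and shows that the body is plaintext on every server regardless.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message; all hostnames, addresses and IDs are hypothetical.
# Three servers handled it: relay.example.com (sender's server), mx-in.example.net
# (an intermediate relay) and mailstore.example.org (the receiver's mailbox server).
RAW_MESSAGE = """\
Received: from mx-in.example.net (mx-in.example.net [203.0.113.7])
\tby mailstore.example.org with ESMTPS id abc123
\t(version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384);
\tTue, 5 Mar 2024 10:02:11 +0000
Received: from relay.example.com (relay.example.com [198.51.100.5])
\tby mx-in.example.net with ESMTP id def456;
\tTue, 5 Mar 2024 10:02:09 +0000
Received: from [192.0.2.10] (client.example.com [192.0.2.10])
\tby relay.example.com with ESMTPSA id ghi789
\t(version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256);
\tTue, 5 Mar 2024 10:02:07 +0000
From: alice@example.com
To: bob@example.org
Subject: Quarterly figures
Content-Type: text/plain; charset=utf-8

The attached figures are confidential and must not leave the company.
"""

# RFC 3848 "with" keywords that mean the hop was carried over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}


def _field(name, value):
    """Return the token following a Received: clause keyword (from/by/with)."""
    match = re.search(r"\b%s\s+(\S+)" % name, value)
    return match.group(1) if match else None


def parse_received(value):
    """Break one Received: header value into the hop it records."""
    proto = _field("with", value) or ""
    return {
        "from": _field("from", value),
        "by": _field("by", value),
        "with": proto,
        # TLS if the protocol keyword says so, or the server recorded a TLS version.
        "tls": proto.upper() in TLS_PROTOCOLS or "version=TLS" in value,
        # The timestamp is the text after the last semicolon.
        "time": parsedate_to_datetime(value.rsplit(";", 1)[-1].strip()),
    }


def trace_hops(raw_message):
    """Return the relay hops in the order the message actually travelled them."""
    msg = message_from_string(raw_message)
    # Every relay prepends its own Received: line, so header order is newest-first.
    return [parse_received(v) for v in reversed(msg.get_all("Received") or [])]


def cleartext_hops(hops):
    """Hops on which the message crossed the network without transport encryption."""
    return [hop for hop in hops if not hop["tls"]]


def readable_body(raw_message):
    """The message text exactly as each relay on the path stores and forwards it."""
    return message_from_string(raw_message).get_payload().strip()


if __name__ == "__main__":
    hops = trace_hops(RAW_MESSAGE)
    for number, hop in enumerate(hops, 1):
        link = "TLS" if hop["tls"] else "CLEARTEXT"
        print(f"hop {number}: {hop['from']} -> {hop['by']} ({hop['with']}, {link})")
    print("hops without TLS:", len(cleartext_hops(hops)))
    print("body as stored on every server:", readable_body(RAW_MESSAGE))
```

Note that a TLS marking on a hop only proves that one link was encrypted in transit; the mailbox server that wrote the header, and every server before it, still held the body shown by `readable_body` in the clear. Received headers are also written by the servers themselves and can be forged by a sender, so they are evidence of the path, not proof.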
Why should an e-mail be encrypted from a legal point of view?
Legislation differs from country to country. For example, Section 10 of the Constitution of Finland states that "the secrecy of correspondence, telephony and other confidential communications is inviolable", and this also covers e-mail. The provision does not, however, apply outside the Finnish borders, and internet servers can be located anywhere in the world. If a server relaying the message is located in Sweden, for example, Finnish law does not apply to it, and the message traffic may be monitored and read there under local law.
- The Parliamentary Ombudsman has stated unambiguously that confidential information may not be sent via unsecured e-mail (record number 3438/4/09). Confidential information includes, for example, patient records and personal data. The confidentiality of such information is governed by acts such as the Act on the Openness of Government Activities and the Personal Data Act.
- According to a statement by the Data Protection Ombudsman (record number 1431/41/2007), Finnish companies may not send their customers' or employees' personal data via unsecured e-mail. Controllers of personal data registers must protect the data and process it with care. The combination of a name and a personal identity code, for example, counts as personal data.