Secure Email Irony

I recently had a wonderful (?) experience with secure email that I just have to share.

As some of you may know, I'm something of an expert on the subject of secure email, having worked as a Technology Strategist at Beth Israel Deaconess Medical Center in Boston and as a Technical Consultant for the MAssachusetts Health Data Consortium. One of my contributions at BIDMC was the architecture for their PatientSite Patient-Physician communication system. At MHDC I helped develop a secure email architecture and protocol for B2B secure email exchange, after having worked on an end-user-to-end-user secure email pilot that demonstrated the inordinate administrative cost of that architecture. So I'm pretty familiar with the ins and outs of secure email, shall we say, though I have not been actively involved with this stuff since about 2005 or so.

So last week I was out in California for fun and some meetings, and at one of these I met a gentleman from the CA branch of a Boston-based bank. We exchanged pleasantries and cards. A day later I received a notification that I has a secure message from that bank, and I assumed it would be from this fellow or one of his colleagues. I duly registered on their Zixmail-based secure email portal in order to retrieve my message. Ah, but this was not, in fact, intended for me, but instead was for an actual client of the bank whose name began with T. So I became privy to some of poor T's banking information.

I sent an immediate reply through the system that I was not the right guy, and that they needed to be more careful about the email addresses for their clients before using the system.

Sadly, I was not clear enough in my response, so the manager to whom my message was redirected by the original agent still thought I was T. This manager somehow had the idea that T was simply confused by the use of the system, or something, so started extolling the virtues of secure email - again, to the wrong person.

What this story tells us is that simple email security - the kind sold by Zix and many others - is really not that simple. There are a whole lot of factors that go into building a secure system, and encryption (the encoding of the bits so they can't be read as they cross the internet) is really the easiest part of the whole thing. The hard stuff is all "soft problems": how do we teach people how to use the system, for example, or, as in this case, how do we authenticate end users so that we don't have a simple, single point of failure (wrong email address supplied by user, mangled on entry, or misread somewhere). This particular issue could have been largely solved by asking T to supply a piece of personal information when registering to receive the initial secure message. I could not have done that, of course (but I could now, heh, heh). Zix, as a security provider, should be held responsible for allowing their customers (who are typically not directly in the security business) to think that an email address is sufficient authentication.

Security is a complex problem, and convenience is almost by definition antithetical. I think that companies like Zix who try to sell "simple" solutions are actually doing a disservice to the community by building a veneer of security that adds cost to the system without providing sufficient real security to warrant the cost.

I should say that I do not want to single Zix out as a culprit, though they are one of the more aggressive vendors in this market. There are many others who are equally culpable, Zix merely happened to be the provider in this case.

Copyright 1997-2018, Ben Littauer