In this day and technological age, it is very important to secure information that is sent by email. This can be done in a variety of ways, some of them more exotic and costly (and, therefore, often out of reach) than others. The bottom line, however, is that sensitive information (i.e. SSNs, DOBs, PHI, account numbers, and similar identifying information) sent by email should be secured. The purpose of this blog is to show how that can be done for free, for both the sender and the receiver, with only a small amount of reciprocal work between the two (which, in the end, will likely pay off to both to the Nth power).
Generally speaking, any information, comments, revisions, or remarks that one would not want broadcast (i.e. found by anyone, hopefully ever) should be “secured”. Typically, this means securing the information by way of encryption. There are additional layers of internal networks (i.e. intranets, as opposed to the Internet) that could also be addressed, but for purposes of this conversation we will ignore “internal threats” (which are generally absent altogether from law firms) and focus on avoiding or mitigating external threats, such as hackers, web trollers, and cyber criminals.
When we talk about encryption, we talk about different methods of security on various levels. Most commonly, this will come down to information contained in attachments sent by email and/or the information contained in the body of the email itself.
The simplest method of encryption is, generally, encrypting an attachment to an email, such as a PDF document (see the blog on encrypting PDF attachments). This can be very effective for the purpose it is intended to serve, but it does nothing to encrypt or secure the contents of the body of the email. This is where mistakes are often made: a writer might unwittingly include, or deliberately discuss, related information in the body of the email, either by reiterating the very information that was encrypted (and intended to be kept secret) in the attachment, or by discussing other confidential information that was not intended to be put “out there”.
For illustration purposes, I will describe what “encrypting” information actually does: what happens while information is sent and received, and what someone trying to intercept it along the way would see, so that the process can be understood.
When information is transmitted from the ‘sender computer’ or location, it is, metaphorically, put through a diamond-cut shredder, after which it cannot easily be reassembled without the correct “codec” needed to put it back together. The recipient’s computer (the only one in possession of the correct codec) will be able to reassemble the diamond-cut information into a sensible document. When the authorized recipient (i.e. you or your intended recipient) receives the email or attachment, it simply appears normally in their email inbox. Everyone else out there in the cyber world (i.e. undesirable persons trying to grab personal information and/or steal identities), when they scan for personal information, sees nothing but a senseless, mish-mashed pile of 1s and 0s, which cannot be sensibly or reasonably reassembled without the “codec” or “decryption code”.
In short, and simply put, only the “sender” and “receiver” will be able to understand each other, and anyone else trying to intercept the communication (especially while it is in transit) will be left with nothing but ‘static in the background’ (in other words, ‘channel 3’ in the old days).
Similarly, email providers also cannot read encrypted emails, because providers are nothing more than intermediaries who do not have the ability to reassemble the ‘shredded’ information that was sent from the ‘sending computer’ to the ‘receiving computer’ (and, as a result, the information passes through the email providers’ servers as ‘jumbled garbage’); again, think channel 3.
With the above being said, one needs to determine what information they want to encrypt: for example, a particular attachment, all attachments, or the entire email.
Since many people and most businesses use Outlook for email purposes, and most people cannot afford the exotic/expensive “iron envelope” services intended for larger corporations, this blog expressly deals with the affordable method of encrypting emails between Outlook users, at no additional cost to either user (the sender or the recipient).
It is a feature that general users rarely realize is there, but it is very much present and already built into Outlook (hey, I didn’t build Outlook, nor would I want to, but this is a cool feature that can be put to use when appropriate). Since there are very few explicit step-by-step directions on the internet, feel free to copy and paste whatever you want from this into an email and instruct your customer or client to do the same (specific instructions immediately below).
So, here is how you send encrypted emails with Outlook. This blog presumes that you use Outlook 2013 or higher, which means that some of the steps or screenshots may vary slightly, depending on the version you are using:
Step 1: Get a digital signature. This is what is used to electronically distinguish a particular sender and recipient from “some other” sender or recipient; in other words, this digital “signature” identifies you and (when your recipient gets one, too) identifies your recipient. It can be obtained for free.
- When in the Outlook program, go to the blue “file” menu. Click “Options”.
- When the options are revealed, click “Trust Center” on the left, and then click “Trust Center Settings” on the right. Now that you are in the Trust Center, click “email security” on the left panel and then “get a digital ID” in the middle of the page. You will be sent to a Microsoft page regarding options for digital signatures. There will be several immediate options, as well as other information posted on the page concerning the nature and function of digital IDs (feel free to read any or all of this information). For purposes of this blog, though, I will skip the informational pages and directly suggest obtaining a totally free digital signature. Of the options available, I chose Comodo (because it is a company that will not send advertisements or otherwise clutter up your inbox for its own marketing purposes). Note, however, that you may choose whatever company you wish.
- When you click your chosen company’s link to obtain a free digital signature, just follow the prompts to get it, and also read the comments and remarks describing how only one authenticated digital signature can be downloaded “per email address”, regardless of the device onto which you elect to initially download it. If you need further information on this, I can further explicate. Generally, you should download your digital signature on the device you anticipate using it on the most, typically your business PC or Mac; thereafter, the file can be added to other devices, such as phones, tablets, and laptops, by saving/exporting the “signature file” to a flash drive or other memory device and then importing it on the other devices.
Now that you have your digital signature, set your encrypted email “settings” by going to the Trust Center settings, as described above, and marking the appropriate boxes. Generally, you will only check the third box and not “automatically” enable the remaining settings; however, this is your choice.
Once this is done, you will have a “digital” signature.
When you open Outlook, you will now have a new, otherwise hidden, option when you send or reply to an email: to digitally sign the email and/or encrypt it. This is found in the “options” menu of a new or reply email.
Here is where things are as simple as they are complicated. At this juncture, you can optionally (or automatically, if that is what you chose above) digitally sign your emails and thereby ‘share’ your digital signature with others. Generally speaking, the recipient of a “digitally signed” email should right-click the digitally signed email they received, which will download (or “update”) the sender’s “digital signature” into their “trusted” database.
With this in mind, realize that Outlook requires everything to be done reciprocally. Outlook will not allow you to send encrypted emails to “unauthenticated” receivers (those whose digital signature you do not yet have), which means that you will probably not be able to send encrypted emails at this point.
However, the solution is ridiculously simple:
The desired receiver repeats the above steps and ‘reciprocally shares’ his or her digital signature with you. Once you have both shared your digital signatures, you will be able to send and receive secured, encrypted emails between yourselves via Outlook, at no additional or extraordinary cost to either of you.
While this blog may be a bit lengthy, it should realistically take a sender and a receiver approximately 10 to 15 minutes each to accomplish this, and the sender will not have to repeat it except to inform (copy/paste) the next intended recipient of the instructions on how to do the same. Similarly, thereafter, the recipient should be sufficiently able to do the same with little or nothing more than forwarding the instructions (above).