BBC Homepage World Service Education
BBC Homepagelow graphics version | feedback | help
BBC News Online
 You are in: Sci/Tech
Front Page 
UK Politics 
Talking Point 
In Depth 

Friday, 1 June, 2001, 14:30 GMT 15:30 UK
Warning over e-mail snooping
encryption can protect mail messages
Can you spot the hidden message?
By BBC News Online technology correspondent Mark Ward

European citizens are being warned that encryption is no panacea against the tapping of electronic communications.

This week the European parliament recommended that citizens and companies adopt encryption to protect their messages from the Echelon electronic eavesdropping system.

You should not get a false sense of security from using encryption

Caspar Bowden
But experts say citizens should not get complacent if all they do is use encryption to protect the messages they send because the technology has vulnerabilities that can be tricky to close.

Others fear that because encryption software can be tricky to use many citizens will be put off using it.

Echelon exposed

This week saw the publication of a long-awaited European Commission report on the Echelon electronic eavesdropping network.

The report confirmed the existence of the network, which is operated by intelligence services in US, UK, Canada, Australia and New Zealand, and revealed that it had the ability to routinely tap phone calls and faxes as well as almost any type of net-based communication.

The report recommended that citizens and businesses routinely use encryption technologies to scramble electronic messages to ensure that if Echelon captures them it will be unable to decipher them.

Menwith Hill
Menwith Hill:part of the Echelon network
But some experts say that adopting encryption should not be seen as the only action concerned citizens have to take.

"You should not get a false sense of security by using encryption," said Caspar Bowden, director of internet thinktank the Foundation for Information Policy Research, "but that's not a reason not to use it routinely."

Mr Bowden said encrypting e-mails will confound Echelon-like surveillance in which intelligence services casually trawl through datastreams looking for "suspicious" activity or messages containing key words.

Although encryption scrambles the contents of a message, it does nothing to hide who it is being sent to, so intelligence agencies can still track who is communicating with whom.

But, he said, it is unlikely to protect people if they attract the undivided attention of intelligence services because they would be able to exploit vulnerabilities in the software on a machine despatching e-mail messages.

Mr Bowden said that many software packages that do protect e-mail messages are hard to use for people who are unfamiliar with computers.

Encryption confusion

Last year two US researchers from Carnegie Mellon University asked 12 test subjects to try to send an encrypted e-mail message using PGP 5.0 - one of the most popular encryption programs available.

Privacy options
Pretty Good Privacy
GNU Privacy Guard

Of the 12 subjects who underwent the 90 minute test, three failed to properly encrypt the message they were sending, seven used the wrong keys to encrypt it and one was unable to work out how to send the message at all. All those taking part were college undergraduates and very familiar with e-mail.

The test subjects struggled because they did not fully understand how the encryption system of PGP works. It uses a technique known as public key cryptography to scramble messages.

Public key encryption uses two keys to scramble and decipher messages. One key is known as a public key and is widely distributed; the other, the private key, is held securely by an individual.

Messages are protected by scrambling them with the public key of the person you are sending a message to. Mathematics ensures that only the private key held by the person you are mailing can decrypt the message.

Encryption warning

But the Carnegie Mellon researchers said this concept proved tricky for their subjects to grasp. They concluded: "It does not make public-key encryption of electronic mail manageable for average computer users."

Mr Bowden said changes to e-mail and Web software were likely to make it easier for people to use encryption and stop their online activity being tracked routinely.

Privacy Tips
Choose random collections of letters as passwords
Use anti-virus software
Use a personal firewall
Delete unsolicited commercial e-mail messages without opening
Limit the personal information you pass on to websites
Don't let websites gather cookies on your browsing habits
Install and use an e-mail encryptor

"It's only a year since cryptography export controls on US software were eased," he said. "So software designers are at an early stage of integrating encryption seamlessly."

Certainly the number of secure software packages and web-based systems that attempt to make encryption easier to use are increasing. Now citizens can use websites like, that lets people collaborate securely over the web, and Hushmail that routinely encrypts mail messages.

However, British citizens should be aware that the controversial Regulation of Investigatory Powers (RIP) Act gives law enforcement agencies the right to demand decryption keys from anyone, and it imposes prison sentences on those that refuse to hand them over.

The RIP Act also forbids people, under threat of prison, from telling anyone that they have been asked to hand over their key. In at least two reports legal experts have condemned these decryption powers as a breach of human rights.

Search BBC News Online

Advanced search options
Launch console
See also:

11 May 01 | Europe
EU investigators 'snubbed' in US
22 Feb 00 | Washington 2000
Encryption for all
05 Mar 99 | E-conomy
What is encryption?
18 Apr 01 | Sci/Tech
Cybercops arrest online liberty
Links to more Sci/Tech stories are at the foot of the page.

E-mail this story to a friend

Links to more Sci/Tech stories