Roger Clarke's Web-Site


© Xamax Consultancy Pty Ltd,  1995-2022

Roger Clarke's 'eCommications Security'

Why are we still using postcards for our confidential e-Communications?

Version of 18 August 2010

Notes for a Panel Session at the Bled eConference, 22 June 2010

Roger Clarke **

© Xamax Consultancy Pty Ltd, 2010

Available under an AEShareNet Free
for Education licence or a Creative Commons 'Some
Rights Reserved' licence.

This document is at

1. Email is So-o-o-o-o 1972

RFC 822 was published in 1982. There have been some minor refinements, and RFC 2045-49 (Multipurpose Internet Mail Extensions - MIME) attachments were added in 1996. Several proposals were written for secure email (PEM, S-MIME), but none ever broke through. A great deal is left to software-writers, and no significant, standardised upgrades have been forthcoming.

Why not? Probably because there's too little incentive to innovate, because so much of it has to be open standards and hence advantage can be quickly competed away. For example, Eudora was passed into the public domain some years ago, because Qualcomm could see better ways to make money.

2. Alternatives Have Proliferated

The many forms of IM have become the text-messaging services of choice for vast numbers of the people who began using the Internet after about 1998.

The ISPs who continue to use the 'walled-garden' business model try to avoid providing inter-operability with their competitors' IMs; and hence many people want you to 'join Facebook', or whatever their current preferred SNS might be, or be reachable on Skype Voice / Video / IM. Those are popular with Gen-Yers, but for iGens the text-messaging service of choice is SMS.

There's been no scope for a standardised security solution, because:

3. Drivers of Adoption of Insecure Products

People don't make reasoned decisions to adopt eCommunications products and services. Their decisions are made based on convenience and fashion, augmented by peer-pressure.

Even if people listed their wants and don't-wants in eCommunications products and services, security would be a very low-priority feature. That's because threats are non-visible and hard to understand, and hence people have (unwarranted) comfort.

4. Awareness of Security Risks

Not just people, but also many organisations, exhibit very low awareness-levels of security threats, vulnerabilities and consequences. Here are some examples.

Many corporations do not require and support security for their staff while on the move (although some do impose links via a VPN, encrypt data on the disk, auto-encrypt to external devices, etc.).

You'd expect whistleblowers to take great care to protect their identities. Postings to Wikileaks have been sent using TOR (The Onion Router), which uses multiple proxies to anonymise the source of a message. But some files sent through TOR have been unencrypted. So the exit node from the TOR chain has been aware of the file that has been sent to Wikileaks, and when. (And the entry-node to the TOR chain has had access to both the content and the sender!).

It's a concern that even one person who is taking considerable legal, financial and personal risks in leaking documents fails to understand the openness of 'postcards'. But it may be that multiple people who have posted to Wikileaks have done so without encrypting the content.

Naive 'newbies' dominate text-messaging and image-transmission between mobile-phones, and are surprised when their misbehaviour is publicised and traced back to them.

Gmail users 'just don't get it' when I decline to talk with them except via a real email-address.

Among many other factors in the current lack of understanding is the fact that Gen-Yers grew up in an era when self-exposure was rampant.

5. Counter-Examples

But let's be fair - there are a few positive stories.

SSL / https is mainstream, and has been highly successful in protecting sensitive data in transit (although not in authentication). That worked because "it came with the software".

Internet Banking is understood in many societies to require care. The meme does seem to have spread that normal emails and web-forms involve unacceptable risks when you're operating on your bank account.

Virus-detection software has come to be reasonably well-understood by the general public, and there is even some basic understanding of what a firewall is and why people should want one.

6. Signs That Consumer Attitudes Are Maturing

As Gen-Yers mature, they are discovering the risks that arise in open eSociety, and they are also steadily accumulating things to hide. A flex-point may come when privacy suddenly seems a lot more important than before. iGens, meanwhile, have seen how naive Gen-Yers have been on Facebook, and are much more savvy. I deal with this at greater length in Clarke (2009). Harbingers include the backlash against Facebook during the first half of 2010, by the media and segments of its user-base. More on that here.

7. Some Pointers To Solutions


Thanks to Roger Bons (ING) for organising and chairing the panel session, and to my other colleagues on the panel, Tanya Castleman (Deakin Uni, Melbourne) and Ulrike Lechner (Bundeswehr University of Münich, Germany)

Author Affiliations

Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Cyberspace Law & Policy Centre at the University of N.S.W., and a Visiting Professor in the Department of Computer Science at the Australian National University.

xamaxsmall.gif missing
The content and infrastructure for these community service pages are provided by Roger Clarke through his consultancy company, Xamax.

From the site's beginnings in August 1994 until February 2009, the infrastructure was provided by the Australian National University. During that time, the site accumulated close to 30 million hits. It passed 65 million in early 2021.

Sponsored by the Gallery, Bunhybee Grasslands, the extended Clarke Family, Knights of the Spatchcock and their drummer
Xamax Consultancy Pty Ltd
ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916

Created: 18 August 2010 - Last Amended: 18 August 2010 by Roger Clarke - Site Last Verified: 15 February 2009
This document is at
Mail to Webmaster   -    © Xamax Consultancy Pty Ltd, 1995-2022   -    Privacy Policy