The position I find myself in is that an organisation has sent my highly confidential and sensitive medical and financial documents to another party by unencrypted e-mail. I have no problem with the second party having seen said documents but I'm very disturbed by the fact that these documents were transmitted in this way, which as far as I understand means they will have transited over a number of servers en-route, which could be controlled by almost anyone who could be copying or forwarding e-mails passing over their servers. The destination e-mail address is a gmail address, which means that my confidential documents are now in the possession of Google and will be sitting on their servers for at least six years, even if the recipient deletes the e-mail. One way I sometimes think of to explain how e-mail works is writing something on a postcard, going down to the marketplace and shouting "Can anyone take this message to sometown?" and some stranger says "I'm not going all the way to sometown but I'm going in that direction, so when I get where I'm going, I can go to the marketplace and find someone who can carry it on towards sometown", so I give this stranger the postcard, taking the risk that he might read it or copy down the contents, as might the other strangers he passes it to on the way to it's final destination. However, that ignores the risk of interception with e-mail, so perhaps a better analogy would be sending the information via a radio transmitter, which can only transmit a short distance and the signal is then picked up by a repeater station (which could be under the control of anyone, who could record the information) and re-transmitted and this is repeated until the broadcast reaches the intended recipient. Obviously anyone who decides to listen in to the broadcasts will hear the information as well but maybe that's not a great analogy either, as intercepting e-mail is a bit more complicated than just tuning a radio to a certain frequency. Anyway, even if my analogies are good I obviously can't take action on the basis of what I understand the situation to be and will need some authoritative source which explains it, which I can show to a solicitor or use as evidence myself if I can't find anyone to act for me. So I was wondering if anyone can point me to such sources explaining how unencrypted e-mail is at risk of being intercepted or copied and that any e-mails and attachments sent to google servers are in their possession and not just the intended recipients?
In some countries, medical records must be encrypted during transmission. In the US, for example: http://electronichealthreporter.com/thinking-of-emailing-medical-records-think-again/
Thanks. I'm in the UK and I'm not sure that there's any law that says such records have to be encrypted but the Data Protection Act does indicate that measures appropriate to the data concerned should be taken. I'm not really trying to find information about the legal situation though (the solicitor should know that or be able to easily find it out) but the technological side of things, as they seem not to be so particularly informed when it comes to that, with one solicitor telling me that there was no evidence that my information had been shared with anyone other than the intended recipient. You could say that about a bunch of documents that were left on a table in a public area for some time, if you didn't have CCTV watching them but one would tend to assume that at least one person had looked at them. In this case, we know that Google have a copy so to continue the analogy, it would be like saying that we know someone photocopied all the documents and took the copies away with them but we can't show that they've read them. The servers the e-mail transited over may have taken copies as well and the ISPs may have read them but there's no way of proving this, anymore than there is of proving that a hacker may have intercepted the e-mail in transit. Even if the information is used to my detriment sometime in the future, it will be impossible to show that it was obtained as a result of this breach of security but from past cases I've read it seems likely the regulators would come down quite heavily (they can fine up to £500,000) on the organisation concerned if I reported them.
The number of unencrypted communications between the legal and medical communities is shocking. Laws are completely disregarded or, at the least, are unknown to the Sender/Recipients. Nothing will change that in the near future.
In the UK, the Data Protection Act applies. IMO, the ICO is negligent in not being specific that ALL b2b communications must be encrypted, let alone sensitive ones, last I looked, it was vague. But I think it could be inferred that, if there were a breach, the companies involved would at least get a mild slap on the wrist. I'm only too well aware that all kinds of sensitive information which has no business being in the open is routinely sent over a postcard mechanism by businesses - email. And it is careless and negligent because there are credible alternatives, it's simply lazy for businesses to claim otherwise. At the very least, support an encrypting file-sharing service (not email). The other thing that might be useful is to obtain the company's Information Security Policy (there are some standards that apply, but they should have one, and that should nominate a reporting mechanism). Normally, the Finance Director would be the place to start, and in terms of raising or escalating the problem, an email to them raising the issue would be a useful stake in the ground. As far as an authoritative source of evidence that email is hopelessly insecure (at rest in the organisations - think Sony Entertainment -, in transit - think ISP, email provider, anywhere in the core, and ALL the TLAs - not only your friendly local spooks but all the other people they share indiscriminately with) - there isn't a good authoritative source because quite specifically, the authorities are downplaying this, and like I say, the ICO are negligent in not mandating encrypted b2b communications wall-to-wall. Anyway, some options are - I don't know what your objectives are here, is it an apology, better behaviour in future, financial compensation or what? - nor is this legal advice! - but get the solicitor initially to write to the company notifying them of a possible breach of the DPA, and asking them for information on their security policy and responsible persons. How it goes from there is variable, but could include a complaint to the ICO.
The NHS at least seems to be alert to the risk and prohibits sending confidential information other than via it's secure internal e-mail system. There have been some six figure fines imposed by the ICO for breaches and that tends to concentrate minds!
I agree that the ICO is very weak on this. I read a paper by a NHS hospital discussing the risks of sending confidential data by e-mail, which notes that the NHS Confidentiality: Code of Practice states that "no patient identifiable data should pass unencrypted over the Internet", in line with DPA 1998 Principle 7 which specifies that "appropriate technical and organisational measures shall be taken", so the NHS certainly seems to think that it is prohibited to send such data unencrypted. It also says that it it is the opinion of the ICO that sending information via e-mail is equivalent to putting it on a postcard and sending it by Royal Mail. I think this is a very weak analogy and IMHO one of mine is much more accurate. Whilst there's obviously some risk of post being lost or misdirected, I don't see how anyone could argue that it is equivalent to transmitting the information unencrypted over the Internet and I would have no complaint if my records had been posted, which the organisation could have easily done and indeed prior to this breach they'd agreed to only communicate with me by post after I explained the inherent risks of e-mail to them, which they thought was secure. I'm always baffled why companies with websites don't have SSL-encrypted portals via which people can send and receive communications (with a basic notification sent to the recipient's registered e-mail address when there is a new message for them), as that would be relatively easy to set up and be in their control. I'd only send already encrypted files via a file-sharing service like Google, as even if the connection to it is SSL-encrypted you still have to send the recipient a link to it via unencrypted e-mail and that could be intercepted, allowing anyone to access the files. Even if the authorities wish to downplay the risks, I would have thought an academic or expert would have published a paper discussing the risks but I haven't found anything so far. I'm certainly looking for financial compensation, as I'm immensely distressed by the fact that my sensitive records have been disclosed to god knows who (certainly Google have copies of them) by this negligence and could be used to my detriment at any time in the future. I'd rather let a solicitor deal with it, as complaining to the ICO will involve a lot of effort on my behalf explaining what happened and providing evidence, won't get me any compensation for the damage done and they'll probably just slap them on the wrist and say there's no evidence that my records were intercepted on this occasion, which there obviously can't be. Even if I suffer identify theft or have my records used to my detriment in future, I won't be able to prove that it was as a result of this breach. I'm not just interested in financial compensation though, I think that if I can prove my claim it might do more to clarify the legal situation and awareness of responsibilities in respect of private information and the use of e-mail than any complaint to the ICO. As well as breach of the DPA, I'm thinking there might be claims for breach of confidence, misuse of private information and breach of Article 8 HRA, which are all relatively new and developing areas of law.
@doveman - the postcard analogy is indeed deeply misleading in that it would take a lot of resources to identify the metadata and content of the postcard - whereas the cost of doing so electronically is negligible and is known to be being done and shared with many users across many countries, including retention (the treason of our security services). The UK doesn't have the equivalent of HIPAA, but it seems to me that the NHS should have established clear guidelines. The trouble is, there appears to be no agreed mechanisms either for transmission or secure storage, even though these are pretty feasible and not cost too much. The link below seems to imply that then NHS has provided an encrypted attachment process for email to unencrypted providers including Gmail, so this implies an established practice, I would have thought. http://systems.hscic.gov.uk/nhsmail/secure Incidentally, I don't think it's quite right to focus solely on the transmission/communication aspect of the situation - what happens either end is important (and as you imply, the data retention policies of intermediaries and cloud providers). What their disposal policies are etc etc. The problem with going to law with this (I think you should have a case, and they may well have been reckless - but unfortunately that's not at all the same as winning a case and getting compensation, most particularly in this area) - is that you will be incurring costs, and the intransigence of those involved is liable to be high, and you are fighting the system. Some of these cases take years to get anywhere and the ultimate winner is only certainly going to be the lawyers. Unfortunately, they have the weight of the system behind them, there is the difficulty in proving actual harm, and also in proving "standing" (IOW, what has actually occurred). I think it's important though to make trouble for the organisation involved, and this might well be better achieved by threats, complaints to the company(formally), the ICO, the NHS, your GP, complaints to your MP, newspapers, trade associations, ombudsmen etc. They might then pay you to go away. But that's hopefully what your solicitor can advise. I would choose a lawyer that has experience in the field....
Thanks deBoetie, that link does indicate that the NHS at least consider using unencrypted e-mail to be unacceptable and they must have based this conclusion, at least in part, on their assessment of the DPA and other legal requirements. The way I see it there are several potential points where the information is at risk of being compromised: 1. On the organisation's own computer systems, especially if they are provided/maintained by a third party but even if managed in-house, sending confidential and legally privileged information in an unencrypted e-mail could leave it exposed to other people in that organisation who have no business seeing it. I believe it is the solicitor's responsibility to make sure the information is kept confidential, so just by sending it unencrypted on his employer's system could breach that duty. 2. At the sender's ISP, who probably has a industry-standard policy which allows them to inspect data passing over their networks for various reasons. Likewise at the recipient's ISP. However, if the sender/recipient used an SSL connection to access his e-mail, this would prevent their ISP from viewing it. 3. Once the email leaves the originating server, it’s completely out of the sender's control. Before it reaches its final destination, it will be routed across multiple servers, maybe in several countries, whose operators could copy or forward any data travelling across their servers . There is no control over where it will travel, whose servers it may cross or how long it will be stored on those servers. The sender has no control over the privacy policies or contract terms of any of these intermediaries and has no way to prevent third parties from intercepting the data, which can be done without leaving any trace. So there is a high risk that confidential information and attachments sent by email could be accessed or intercepted by third parties. 4. On arriving at Google, whose privacy policies allow them to access any data stored on their servers and share it with third-parties if they believe, in good faith, that it is reasonably necessary for a number of reasons. 5. On the recipient's computer system. In this case, I believe it was a private individual's personal PC, so there's not a risk of it being exposed within an organisation but there is obviously the concern about the risk of failing to wipe the data securely before disposing of the storage media. That is something that could be remedied though, if it hasn't already been disposed of. Had he been sent paper copies, I would expect him to know to shred them before throwing them away but it's unlikely he'll know about the need to securely erase electronic records and may need someone to show him how to do so. Had the documents been kept secure by the organisation, I could be reasonably confident that my medical records would only be disclosed by the NHS in response to a UK warrant and even then the responsible Data Protector can object to disclosure and try and limit it. Now there is a real chance that they have been disclosed, or will be disclosed, to unauthorised persons without any such protection. I understand the concerns about bringing a claim. I can't afford to pay the costs up-front, so would have to find someone willing to act on a conditional-fee arrangement and would want some guarantee about the minimum damages they would settle for, so that they don't agree a deal where I receive £500 damages and they get £10,000 costs. Some cases I've looked at suggest that it's no longer necessary to show physical harm or financial loss, with distress and anxiety being sufficient to bring a claim but several solicitors I've spoken to have made clear that they'd only take on a case where they could show physical harm or financial loss. It's typical that they only want to take on the easy cases though, particularly when their chance of getting paid is dependent on winning (if you're paying them upfront, that's a different matter), so it doesn't mean that a claim for distress would fail, only that they're not willing to take a risk on a somewhat unclear area of law. A lot of specialist solicitors in this area of law only act on behalf of companies and organisations, so it's quite hard to find a suitable firm but I'll keep looking. I imagine the organisation might be willing to pay me to go away and avoid reputational damage if I agree to a gag order but not if I've already told everyone I can think of what they did. Even under a gag order, winning the case could clarify the law but chances are they'd settle before it got to court if it looked like there was a serious risk of them losing and so the issues would never be considered by a court.
@doveman - the only other thing that occurred to me in terms of collateral (in case you hadn't seen the material), is expert testimony provided to the Senate committees relating to recent LEA pushes to have backdoors put in products and services - and Cameron's notorious attack on encryption, with his "in extremis" Eton nonsense. This is not email-specific, nor does it cover the whole threat model, where presumably the courts would not include LEA as a threat, but is fairly unequivocal that encryption at rest and in transit is best practice, and the converse unsafe. http://www.judiciary.senate.gov/mee...the-balance-between-public-safety-and-privacy This includes transcripts and supporting documents from the invited experts. Keys under doormats http://dspace.mit.edu/bitstream/handle/1721.1/97690/MIT-CSAIL-TR-2015-026.pdf?sequence=8 Of course, it would be nice if a worthwhile debate could actually be had in the UK BEFORE the blighters come out with a fait-accompli Snooper's Charter Plus. Best wishes with however you choose to pursue this - I think it's important to speak up on these things, even though we are facing a tidal wave of complacency and official denial and collusion.
Thanks deBoetie, I'll have a good read through those documents and see if there's anything that might be helpful to my case. On the issue of whether the courts would consider LEA/Security Services a threat, I would say that we have laws which specify in what circumstances they can access medical records and whilst it would be pointless trying to argue that they shouldn't intercept unencrypted communications if someone is stupid enough to send confidential information that way, I would think that the courts would recognise that the sender has unlawfully exposed that information to those authorities when they shouldn't have. Were a medical professional to copy someone's records and hand those copies over to the authorities without lawful justification that would obviously be a breach of confidence for which they would hopefully be held accountable. In such circumstances, where it is known who was provided with copies, it might be possible to order the authorities to destroy the copies that they were unlawfully provided with as well but that's a different matter. I would suggest that if a medical professional (or other person lawfully in possession of the records and under a duty to protect them) transmits them unencrypted over the Internet then, considering the existence of bulk interception programs, they are effectively providing those records to the authorities unlawfully and whilst they may not have intended to or understood the implications of what they were doing, I would suggest it is still negligent. Of course that is just my opinion and the courts may well have a different one.
@doveman - regarding LEAs, I think the point is that even if you put aside the risks of your in-country LEAs having the data, the information sharing and raw feed access given to other LEAs in "allies" - however many eyes we're talking about (which can include bulk datasets being given to Israel for instance) - means that you have lost control over the laws, conditions and number of people examining that data. That could reasonably be seen as a legitimate concern regarding data protection, as current rumblings around Safe Harbour illustrate. The courts "ought" to stand up for the law in that case, but they tend not to for political expediency, and it's very time-consuming and expensive to litigate (especially when the defendant uses unlimited public money to defend the illegal). I have that specific outrage concerning Intellectual Property, which I'm pursuing in a rather desultory fashion, but I am livid about it.
I found this page, which is hardly authoritative but does at least give a fairly easy to understand description of the basics of how e-mail works: https://luxsci.com/blog/the-case-for-email-security.html What it fails to cover is the various pieces of network equipment/routers that the data will have to travel across to get from one SMTP server to another, so even if the sender's SMTP server is able to contact the recipient's SMTP server and send the e-mail without using any intermediate SMTP servers, the data will nonetheless have to travel across any number of pieces of equipment, under the control of various people/companies and possibly in a number of different countries, even if the sender and recipient are in the same country. The e-mail headers won't reflect this, as they only show which SMTP servers the e-mail passed through and they can't be relied on anyway, as any of the servers could have scrubbed or edited the headers. It also relies on the lazy and inaccurate comparison of e-mail to sending a letter using the post office. So I'm still looking for a more accurate and authoritative description.
