[Cryptography] Microsoft announces new email encryption misfeature?

Jerry Leichter leichter at lrw.com
Wed Nov 27 07:11:54 EST 2013 

I read the description and couldn't figure it out.  But then you can almost never figure out the details of a Microsoft product from their marketing literature.  (They aren't alone in this, but they are certainly masters of the style.)

However... what *seems* to be involved here is a variation of the approach I described earlier, where certain businesses - particularly financial and medical - use a third party to implement a closed "secure email" facility for communication between their customers and the business.  To access your "secure email", you have to create an account with that third-party provider (who, indeed, as in MS's product can add their own branding to the service) and then log in to it.  Generally, you'll get ordinary email that contains a link to your account on the "secure email" service.

MS has used its ubiquitous email products and services to extend the model in two ways.  First, from the user's side, they've tried to hide the separate nature of the "secure" messages by making the link to the browser as transparent as possible, and, it seems, making the message you see appear to be within the mail program, rather than in a separate Web session.  (It's at this point that the marketing descriptions get the most complicated and difficult to follow.)  Second, from the corporate user's point of view, they've removed both the ability and the need to choose whether to send some mail to a customer as a traditional message or a "secure" message.  Rather, the corporate user sends the message just as any other, and then some management-configured rules decide how to route it.

One can look at this in many ways.  The security provided is certainly not air-tight, but it's a hell of a lot better than the complete insecurity of traditional email.  Yes, it's all controlled by management at the sending company, but they owned and controlled the infrastructure (or contracted it out to Microsoft) *anyway* - nothing gained but nothing lost.  Given that they don't control all the clients on the receiving side, some kind of overlay mechanism is needed, and a web link is hardly new.  (The battle to get people not to click on links or open attachments is long lost.  There was a time I could usefully surf the Web with Javascript disabled; that time is long gone, too.  The fight we have to win now is making those two activities safe - a fight I really, really wish we could have avoided, but there it is.)

Does this give Microsoft access to the "secure" mail between my doctor and me?  Maybe - it's impossible to tell from the description who actually has access to the decrypted material.  It seems likely, but then this is a product aimed at those using Microsoft's hosted mail services, which means they already have access to any cleartext mail.

Is this a land grab by Microsoft to get people to create Microsoft ID's?  I'm sure their view is "it couldn't hurt".  After all, they are in a race with Google (the most aggressive - just try using an Android tablet without creating a Google account) and Apple (which apparently has the largest collection of user credit cards, but is in some ways the easiest to avoid:  When you configure a new device, they strongly suggest you create an account, but right on the screen they offer to do it "later", and almost everything will work if "later" is in the 22nd century), not to mention Facebook and Disqus and everyone else.  So far, it's trivial to just create multiple accounts limited to very specific purposes, which has been my response.

Looking at the overall picture, the existence and spread of these services - and with Microsoft in the game, they will become much more common and visible - has a very important salutary effect:  It will lead people "in the large" to understand that "ordinary" email is *not* secure, something they've never focused on in the past.  Perhaps this will create an opportunity for other, better secure mail services, more suited to the all-to-all nature of email than the hub-and-spoke communications the Microsoft service and others like it aim at.  But someone - "one" writ large - will have to find a way to seize the opportunity when it emerges.  The window will likely be small.

                                                        -- Jerry

More information about the cryptography mailing list