The voracity of internal security among email hosting organizations differs, I’m sure, by organization but at least in our case, we know that it would be easier for someone to break into a user’s home and crack their laptop than a rouge employee to open a customer’s email. While we still don’t know how The State obtained these messages, we can be fairly assured that were they obtained illegally by an ISP employee this person will be looking at criminal charges just as the college student that hacked Sarah Palin’s email account a few months back.

Don’t get me wrong, desktop-to-desktop encryption with a solution like PGP is good. But it takes a level of user sophistication and coordination generally not found in the populace. And, in the end, if the leak comes from someone with personal access to the local system it doesn’t matter how the messages are encrypted, they’ll be read.

Unfortunately, the security tips you recommend simply don’t apply in this case. Don’t get me wrong, they’re certainly good advice. However, users must understand that SSL/TLS is not a panacea. It only protects the emails while in transit and does nothing to secure it while at rest — either at an ISP or within your mail client.

A rogue administrator at an ISP could still read and divulge the information, even if TLS had been used. Email at the ISP would be stored in the clear, then (perhaps) re-transmitted over a secure wire…where it would be delivered to the destination, again in the clear.

Which means that if the second scenario occurred, a user with access to Sanford’s email inbox could still have accessed the information. Even if the inbox was protected with a username/password, innumerable utilities can be found online to bypass this protection on most mail clients.

The only solution that truly addresses the problem is email encryption — that is, encrypt the data, not just the pipe that carries it. This would protect against both scenarios you mention: neither the rogue admin, nor the “trusted” friend would be able to open the email.

Today, email encryption is very easy to use. The company I work for, PGP Corporation, specializes in making the process easier than ever (am I passionate on the topic because I work there, or do I work there because I’m passionate about it? Hard to say). But even without extra software, most mail clients offer message encryption built right in.

Given the pervasiveness of email interception and inspection, combined with the increasing value (personal and commercial) of the information contained in email, isn’t it time email encryption became the rule, instead of the exception?

And, as more services move into the cloud, or hosted environments, these issues will only increase. As the industry evolves, security needs to be baked into the data, not added on to the pipe.