Does Email Verification Hurt Privacy?

Email Authentication /Benchmark. The kind of forensic examination that security experts conducted on data purportedly from the laptop com...

Email Authentication /Benchmark.

The kind of forensic examination that security experts conducted on data purportedly from the laptop computer of Hunter Biden, at The Washington Post’s request, can help establish the authenticity of emails. But it also creates privacy risks that could be prevented, said Matt Green, one of the experts.

Green, a Johns Hopkins University cryptologist, was able to verify 1,828 emails by checking the cryptographic signatures that accompanied the messages. Such technology was created to verify the origins of emails, to prevent spam and other scams, but it allows the content itself to be checked as well for authenticity or alternations — even years after it was initially sent. 

Green, though he checked emails at The Post’s request for the supposed Biden data, would prefer that nobody have this ability, so that everyone’s emails could stay more private. The solution would be simple, he said. Security experts rely on what are called “cryptographic keys” to verify emails. One is called a “private” or “secret” key, and it’s kept secure by the email service itself, which in the case of most of the Biden emails was Google. 

It “signs” the email with cryptography, creating an unintelligence jumble of letters and numbers that can be decoded with the second, “public” key. The result is that anyone in possession of the right public key, which includes almost any email service, can check emails against the cryptographic signature to verify authenticity, or alternatively, detect frauds or alterations.

But email services such as Google periodically replace their secret or private keys. If they had a routine practice of releasing these old keys — say, a year after they stopped using them — the whole verification system would stop working. Anybody could use the old private keys — now made public — to sign an email, which means verification would be rendered meaningless.

Frauds would be much too easy to be valuable, Green said. All emails would be equally suspect and unverifiable. “The fact that Google signed it means that we can verify the contents even if they’re stolen. And I think that’s a mistake on Google’s part,” Green said. “Signing this email encourages theft.” Google said making such changes have to be done in an industry-wide way.

“We’re working with standards bodies, like IETF, and other email providers to enhance these standards. These changes cannot be performed unilaterally and require an industry shift to ensure that the security of email is not compromised,” said Google spokesperson Kaylin Trychon, referring to the Internet Engineering Task Force, an organization that helps set tech standards.

The other expert who examined the data for The Post, Jake Williams, who conducts forensic analyses for financial services companies and others, disagreed with Green. “I don’t think releasing [DomainKeys Identified Mail] signing keys makes theft any less likely, but it does make what we did far less reliable,” Williams said.