Making E-mail Safe

November 1, 2003

As e-mail increases in popularity, many who worked in the Dark Ages of fax and post believe it should be the “killer application” for improving communication at law firms. The speed and ease of use that e-mail brings has proved to be hugely beneficial when distributing and receiving information – indeed, once an organisation introduces e-mail there is no going back.

The lack of speed of communication during legal proceedings is the number one gripe from clients, whose only option is to wait for recorded delivery post unless their lawyers incur the expense of a courier. It is the same complaint from lawyers and solicitors themselves, who know that e-mail could improve their working efficiency and bring benefits to internal communications.

However, the insecurity of e-mail is a major stumbling block for law firms. While it provides fast links internationally and improves the service offered to clients, it is neither secure, confidential nor auditable. An e-mail is effectively the electronic equivalent of a postcard, it could have been snooped on by anyone en route with no way of proving that the correct person actually received it. Plus, how staff members use e-mail is an issue that all businesses are dealing with and, due to the reputation law firms have to maintain, e-mail usage is a particularly mistrusted area. The unstoppable tide of messages is shown in recent statistics, which state that e-mail users send and receive an average of 50 e-mails a day – in the case of law firms it is likely to be more.

Fears surrounding correct e-mail usage and security and have been one of the main factors holding back the take up of e-mail in the legal profession. Absolute trust and complete confidentiality is the basis of good legal practice, so the importance of sending a document securely and proving it reached the correct person (non-repudiation) is paramount.

The Law Society has recognised how insecure a medium e-mail is and has addressed these issues in its guidance for using e-mail: “Firms should not include confidential information in non-encrypted e-mail without the informed consent of clients”. This means express permission is needed from a client − hardly ideal and not good customer service.

Flawed Approaches

Some legal firms that are currently using e-mail have tried to address these guidelines by incorporating e-mail disclaimers on the same basis as faxes. Many attach a disclaimer to every message sent from their servers ensuring they have all security and confidentiality angles covered in a written statement. Useful as a tool for showing clients how good your legal prose is, but ineffective in seriously tackling security issues.

“This e-mail is private and for the intended recipient only – if you are not the intended recipient you are strictly prohibited from using, printing, copying, distributing or disseminating this e-mail or any information contained in it.” If you have received such a disclaimer you will know they can extend to paragraph after paragraph, and often when printing the message the disclaimer alone eats up a page. Most importantly a written statement is hopeless in preventing the message being intercepted or read by an unauthorised or even malicious party.

Another method law firms have used to address the Law Society’s guidelines on best e-mail practice is to encrypt all e-mail messages. A number of solutions have been developed to enable this, however many seem to bring more problems than benefits by increasing cost and complexity for the sender and recipient.

The most popular form of encryption is Public Key Cryptography (PKC). This relies on two paired keys – a message encrypted with one key can be decrypted with the other, and vice versa. One of the keys is kept private and the other is made public – this means that essentially the originator cannot be impersonated as any message has to be signed with his or her key.

However while simple to use between two people, it gets very complicated very quickly when expanded. With everyone using public key encryption – paralegals, legal secretaries, clients and even suppliers – everyone has to manage everyone else’s public keys. This is where Public Key Infrastructure (PKI) comes in – this is a management framework for public keys, run by a trusted third party known as a Certification Authority. PKIs can issue, store, release, revoke and otherwise control public keys.

PKI provides every user with his or her own unique cryptographic certificate, which means that every time a staff member moves, keys must be changed – an expensive process. Additionally companies need to install PKI-compliant software on both servers and desktops of all users. This has proved to be expensive and time-consuming enough for internal users, but extremely complicated when dealing with clients. Legal firms have reported serious problems persuading clients (and their IT departments) to install PKI software at their end and some have described clients pulling out of the system altogether.

The expense and complexity of PKI therefore risks losing all the advantages that e-mail aims to bring. A new alternative is needed that brings together security, ease of use and ubiquity, without the need to install and maintain new software at either the sender or recipient’s end.

A Solution

One solution available that ensures e-mails only go to the intended recipients and provides the sender with proof of delivery is the post restante method. This works by storing messages on a secure server, requiring password access to view them or to download any attachments. This method also secures e-mail correspondence against unauthorised interception by applying industrial strength encryption in both directions. It requires no installation of any new software on either the sender’s or recipient’s computer and works with all major e-mail programs, making it easy to reap the benefits of e-mail with no workplace disruption.

Using this method, the sender only has to compose an e-mail as normal, and then tags it to be sent by recorded delivery by simply adding an extra name, typically “By Recorded Delivery”, in the address field of the e-mail. The secure server then automatically intercepts this e-mail and the intended recipient receives a notification e-mail telling them they have new mail ready for collection. The recipient simply enters a previously agreed password into the notification e-mail and once this is checked they receive their 128 bit SSL-secured e-mail and any attachments in their web browser, ready to be printed or securely downloaded. The sender gets an automatic receipt once the secure e-mail has been accessed. This provides a guarantee of confidentiality and guards against non-repudiation.

The ease of use of this system is two-fold. Not only is there no need to install software at the recipient’s end but, as it works with all types of e-mail systems automatically, set up time is minimised and no training is needed. In terms of administration there is no need to build and maintain expensive public key infrastructures that have to be updated every time a user is added.


The advantages of e-mail are plentiful and can improve customer service while at the same time decreasing costs for the legal world – but it is an essentially insecure medium that is not designed with security or confidentiality in mind. Lengthy disclaimers in theory cover your back but in practice are near useless. First generation encryption such as PKI brings more problems than answers, therefore legal practices must look at simple, easy to use technology that doesn’t disrupt their or their clients’ working practices and allows them to meet Law Society guidelines.

Gordon Olson is chairman of Meticulus Solutions Ltd and has been a leading figure in the Document and Knowledge Management industries for some 15 years. The Red Letter e-mail server from Meticulus uses a post restante method of sending and receiving secure and auditable e-mails. More at