E-mails and security

The use of e-mails raises information security (and data protection) issues at various points:

• Anyone who communicates via e-mails should first realise that the confidentiality of an e-mail usually corresponds to that of a postcard.
• Optionally, confidentiality can be achieved by e-mail encryption. The GWDG provides services for this purpose. However, e-mail encryption presupposes above all an appropriate infrastructure for the recipient. The communication partner must therefore also become active.
• In the case of e-mails, there is initially no guaranty about the identity of a sender. Faking a sender’s name is just as easy for e-mails as for letters and postcards, where any sender can be written on the envelope or card.
• There are also optional components related to encryption technology for the verifiability of senders. The authenticity of a sender can be proven with so-called cryptographic signatures, i.e. it can be checked whether an email has actually been sent by the owner of a particular e-mail account.
• In addition to the technical aspects of e-mail security, it should also be examined whether the disclosure of information to certain recipients is permitted at all: Here it has to be checked whether confidential content or personal data should or may be transmitted to the recipient at all and whether, insofar as this is affirmed, the disclosure of information via the only limitedly trusted medium e-mail is a suitable way of communication.

A major security problem with e-mail usage is the abuse by criminals. These misuse e-mails,

• to distribute malware (viruses, trojans, etc.) (virus e-mails),
• to persuade disclosure of confidential information (phishing e-mails) or
• to cause harmful actions, e.g. transfer of money or purchase and transfer of vouchers (fraud e-mails).

When dealing with e-mails, this risk must always be taken into account. You will find a guide to this at Checking e-mails for dangerousness and malicious content.