Do I need secure email ?

The use of e-mail has grown at a phenomenal rate – almost a quarter of the world’s 7 billion inhabitants have access to the Internet. This figure is rising steeply – and usage in Europe is higher at 50%, with the UK being around 70%

A very large proportion of people with Internet access use email in their every day work and social lives - and all take email’s inherent ease of use as a given. Few, however, think about the consequences of a stray email or its content being accidentally or deliberately intercepted and read by others.

Email service have become a mission-critical communication tool - and yet it also has the potential to seriously compromise an organisation’s activities. The transmission of personal information over email is just one of many examples of sensitive information and content that we would not want to share with others. Information on new products, services or other commercial details are further examples of content that we may only want to be seen by a priviledged few.

What does Mailock do?

Mailock provides secure email services, but this is only part of the issue.

Many competitive services fail to provide confidence that the email has been sent to - and delivered to - the right person. To overcome this limitation, Mailock allows the sender to establish the identity of the recipient with a high degree of confidence, and make this a prerequisite of them opening the encrypted email content.

How often have we sent an email, only to realise that we sent it to the wrong person, or sent the wrong attachment? With Mailock, it's easy to put a "block" on a sent email to prevent it being opened, regardless of the underlying email service being used.

Did my email get to the right person?

Sending sensitive and secure content to the wrong person could well be as dangerous or litigious as if that same information was intercepted and published by a "hacker". So a sender needs to be confident that they are not inadvertently compromising their business, nor breaking any laws regarding data protection or personal privacy. For these reasons, Mailock believes that -

• Encrypting content alone is not enough – the sender needs a high degree of confidence that the right person (or people) have received and read the e-mail.
• The sender needs confidence that the intended recipients are, indeed, the only recipients of that email, by using authenticated identification of the target recipients.

Does Mailock's identity validation mean it holds a lot of personal data?

The answer is "no". Mailock simply acts as the channel through which the identity if verified – it has no need to hold anything other than basic details needed to set-up the user's Mailock account.

There are several ways in which someone can be identified – in fact, each can have a greater or lesser degree of certainty about it. At its simplest level, an originator could be happy that knowing the recipient's email address is all that's needed. However, Mailock also links to third-party databases, allowing more extensive checks by an originator – for example, they could ask for the recipient's name and post code, and verify it against an electoral register.

More secure still would be a "challenge" which the originator poses, and only the recent should know. These challenges can be configured in Mailock to be on a per email basis, or made selectively. They may also be integrated within an organisation's own back office system – for example, to challenge the recipient to provide certain characters from their account number with that organisation.

Finally a physical key ("dongle") could be sent to the recipient – without the key in their PC they cannot open their email from that sender.

Of course, with multiple senders validating a particular recipient, there is a greater likelihood the recipient is who they claim to be. Mailock makes this likelihood value available to other email originators – we call this our "secure score" feature.

So how does Mailock operate?

There are two core principles behind the Mailock proposition. The first is to encrypt email content and attachments, using powerful encryption systems (similar to those used for UK Internet banking). This gives users an assurance that – should an email be intercepted – it is going to be very hard for a hacker to break into the content. Not only that, but the "key" used to encrypt the email is changed daily, making unwanted intrusion even less likely.

The second fundamental part of the offering is to allow the originator (sender) of an email to determine – with as much certainty as they wish – that the intended recipient is, indeed, who they are supposed to be. We can do this in several ways - by using third parties to confirm certain information about a recipient, such as their name or postal address; and we allow originators to create unique or bespoke "challenges" for a recipient – in its most powerful form, only the sender's relationship with that individual could establish who they are. For example, the originator may give them a PIN, or even a hardware device to plug into their PC.

Do I have to install any software?

Mailock has three core types of user accounts – consumer, group, and enterprise.

Consumers will use a web-based system and there is nothing to install on the user's PC.

Groups may also use a web-based account, without having to install any software. However, if they particularly want to use Microsoft's "Outlook" email system then Mailock can provide a plug-in to make the integration easy.

Enterprise accounts (for larger organisations and businesses) will probably need to install Mailock software – this will usually be tailored to that organisation's email service, and provides the linkage between the organisation's in-house email systems, back offices, and so on with the outside world. In its simplest form this allows the originator to send email securely from existing email systems. Or there could be "rules" which we build for the enterprise, to ensure that any emails which contain (for example) the word "Confidential" in its title is sent securely via Mailock. Or the sender may wish to challenge an intended email recipient by asking them the 2nd, 4th and 5th characters from their personal account – and we can build the links to the enterprise's back office systems to make that challenge data response available for them to verify.

Mailock has been designed for the minimum impact on existing email systems and operations. There is a central component which we operate, and this provides the management of encryption keys, user registrations, and more.

How does "secure score" work?

At the heart of Mailock is its secure email capability. However, by establishing a relationship between the originator and receiver of any email, we have a “link”. If we can validate that the recipient has some credentials that we can confirm – such as an electoral roll registration – then the originator has more confidence that the receiver is who they expected.

By using this principle, we can extend the number of originators who contact the same recipient – each originator could establish their own unique “challenge(s)” to that recipient to further satisfy themselves they are indeed who they expected. A good example would be if the "challenge" asked for the 1st, 3rd and 6th characters of an account number, for instance.

By allocating a numeric value which we call a "score" each time a new originator confirms a recipient's identity, and adding this to any existing score for that recipient, we can establish from the total "secure score" how likely it is that the recipient is genuine. The higher the secure score, the greater the likelihood of a valid match. Each time an originator verifies a recipient in some way, that recipient’s “secure score” can be incremented within Mailock. So the more originators who check that they are the right person, then the higher their secure score would be. Of course, not all challenges will have an equal score, as some may be of greater importance than others.

Is there a charge for using Mailock?

There are three core Mailock user types –

• Consumers. An organisation can send a secure email to anyone they wish – in order to view and decrypt the email content, a consumer must be registered with Mailock. This costs the consumer nothing – it is a free account. With this account, consumers may securely reply to their incoming emails, and may also create emails to send to others, but only as text. They may not include attachments, and there is a monthly limit to the total amount of traffic they may send.
• Groups. A group is typically a small company or firm – it probably has several staff, and needs to send secure emails along with encrypted attachments. For example, a firm may wish to send sensitive information about a user's account with them. There is a charge for group accounts, which can be paid monthly, or "pay as you go". There are different types of group account with varying features – for instance, one type include a facility to perform anti money laundering (AML) checks as part of the package.
• Enterprises. Larger organisations and businesses will use a Mailock enterprise account. This requires a degree of integration with that enterprise's IT systems, depending on usage. As we have seen, the company may wish to set bespoke challenges for recipients, and this requires a link from Mailock to their back office database, for example. Costs will reflect the level of this integration along with traffic volumes.