The warnings about the longevity of email are regular and ominous: Don’t be careless with it. Email is forever.
Indeed, in some very high-profile cases it seems that way. Former CIA director and retired US Army General David Petraeus lost his job and his reputation, and "gained" a criminal record in 2012, when emails from an account he thought was private exposed his mishandling of classified information and an affair with his biographer.
Much more recently – just in the past couple of weeks – a trove of embarrassing correspondence from the email account of former secretary of state Colin Powell was posted on the website DCLeaks.com. In the words of an anonymous television anchor, they upended the perception of Powell, also a retired four-star US Army general, as a stoic diplomat and revealed him to be, “just as gossipy as everyone else.”
DCLeaks.com has also posted documents from email accounts of the former commander of NATO forces in Europe, Gen. Philip M. Breedlove; and of George Soros, the billionaire backer of Democratic presidential nominee Hillary Clinton and numerous other liberal causes.
[ ALSO ON CSO: Best practices for email security ]
As Olivia Nuzzi, a political reporter for the Daily Beast, put it in a 2014 tweet shortly after the hack of Sony Corp.: “Dance like no one is watching; email like it may one day be read aloud in a deposition."
Still, in other high-profile cases it doesn’t seem like it is forever. Clinton is clearly the most famous example of that – the FBI reported after an exhaustive investigation of her use of a private email server while she was secretary of state that they had been unable to find tens of thousands of emails that had been deleted as not work-related.
More recently, Internal Revenue Service (IRS) Commissioner John Koskinen was facing an impeachment vote in the US House (it has been delayed) for destroying emails that had been subpoenaed by Congress. Those have apparently not been found either.
So which is it? Is it forever only for the masses who use commercial email systems from providers like Google, Yahoo, Microsoft, Earthlink, AOL and Apple, but not for those who can control both the storage and the reach of their emails?
According to the experts, it depends.
“It’s a maybe,” said Jon French, security analyst at AppRiver. “It depends on who has the data and what has been done with it.”
Or, as Nathaniel Borenstein, chief scientist at Mimecast put it, “in the general case, there's only one possible answer: Who knows?”
Or, in the words of Justin Harvey, head of security solutions at Gigamon, “there are no certainties in life, and email truly being deleted or removed is one of those uncertainties.”
Or, as Chester Wisniewski, principal research scientist at Sophos, put it, “like most things in life, there are no obvious or satisfying answers.” He said perhaps the wiser thing is to ask another question: “Who are you worried about having access to your ‘deleted’ messages?”
All of which makes emails sound a bit like paper documents. While they obviously exist in the digital world, how easy it is to preserve or get rid of them depends on how many copies there are, where they are and who has them.
French noted that it is possible to “wipe” or destroy a hard drive, but if the data are backed up somewhere else, or if emails have been sent to other people, all of those copies would have to be destroyed as well.
“If the email exists only on a single server and that server has all of its data permanently and irrecoverably purged, the message and its content are gone forever,” he said. “Destroying drives and storage tapes can be a relatively easy task.
“But having the ability as well as the certain knowledge that all copies of the emails are destroyed is the hard part,” he said. “That’s where the ‘emails are forever’ idea likely comes from.”
Borenstein agreed. “Email is stored in all the places you can imagine, and probably more,” he said. “Some emails, on some accounts, on some servers, for some people, are deliberately kept forever. Much more often, however, the email software tries to honor a user's request to delete a message, and deletes it from its database. However, that software – and you the user – have no way of knowing whether it still exists elsewhere.”
[ RELATED: Email security still a struggle for most companies ]
Wisniewski noted that Google claims to delete “deleted” messages, “in a reasonable amount of time – 30 to 60 days from what I can see. But that doesn't mean they aren't part of backups that are in long-term archival storage that arguably could be subpoenaed.”
Harvey emphasized again that the world of email is a world of uncertainty. “In general, when you send an email, you have no way of knowing if that email is being archived, or intercepted by someone between you and the receiver,” he said.
“Even if you’re encrypting the message with a key and sending it to someone, how can you ensure that the receiver isn’t going to store that email in clear text on their own hard drive?”
French added that if emails were intercepted in transit by a man-in-the-middle attack, then obviously they could be held in a place that neither the sender nor the recipient knows about.
In other words, while it is possible to destroy unwanted emails completely, it can be difficult and complicated, especially if those communications have gotten outside of a very controlled environment.
That, Harvey said, is why the situation with Clinton is different from most others. “The emails were stored on servers her administrators controlled, and they took a deliberately systematic approach to the eradication of her emails,” he said, adding that corporations with their own mail systems have similar capability.
Still, he said that kind of control is, “truly unique and that less than 1% of the overall Internet population have the ability to do these sorts of actions.”
Hence the warnings that, especially when it comes to work emails or personal ones, a user would want to keep confidential.
“If it is your work email, you have to assume your company is keeping all of it, plus most of your history for archiving and legal purposes,” Wisniewski said.
“You should never discuss anything in an email you wouldn't want used as evidence in court. That would include discussing potential legal violations like HR, intellectual property theft, patents, insider trading, etc.”
Borenstein said it comes down to risk. “No email is forever,” he said, “but looking for old emails is like looking for DNA at a crime scene. It's not always there, but if you look hard your chances of finding it are often pretty good.”
That does not mean the average user is entirely helpless when it comes to maintaining a reasonable level of privacy. But it does take a bit of effort.
Wisniewski said the lessons that should be learned from the Gen. Powell hack are: “always use two-factor authentication for your email when available – Google offers several options – use unique complex passwords everywhere – the only ‘hack’ was the attackers logging in with his credentials – and don't write down things you don't want the public to know about.”
Encryption is also available – experts mention GPG/PGP and S/MIME among others. But even that can be compromised by skilled hackers, if they are able to get users to fall for social engineering attacks like phishing.
Harvey said the hackers could then, “copy the private key and keylog the password in order to decrypt anything and everything that’s ever been sent encrypted.”
The other problem with that, Borenstein said, is human nature.
“Users will pay any price for security, as long as it doesn't inconvenience them in the slightest,” he said. “Adding person-to-person encryption requires at least an extra mouse click or two on both ends, and users hate that.
“Also, the concepts involved are confusing to many people. The email community has had much better luck with server-to-server encryption, and this is widely used, but it only fixes copying in transit. The other problems all remain.”