webmail and low bandwidth DE
In my last blog2blog post to Robert W Martin, I asked him to explain why he wants to live his life online without needing his own equipment - something he calls digital existence.
You gave a pretty decent answer, Rob. For me, one of the most powerful motives for seeking digital existence is that it is now technically conceivable to overcome the security concerns inherent in hardware independence. This point was hammered home by your comment on your experience with electronic health records. If Alberta Health and Wellness can provide secure remote access to legally protected patient records, certainly it is possible to provide secure (or at least secure enough) remote access to my CV drafts, letters to the power company, and weiqi game records?
Digital existence has a different attraction in the South Pacific. If I had to characterize computer use in this part of the world it would be as follows:
- There is a large cohort of older, wealthy, professionals who are heavy Internet users at home and at work; they can afford the high price of connectivity
- There is a larger cohort of young users who have very little disposable income
- This younger cohort are primarily unsophisticated but passionate users of low bandwidth social computing - hi5, bebo, facebook, free sms gateways to local mobile phone companies, and photo sharing sites
- This younger cohort would love to share files and video as well, but the slow and/or expensive connections in the region make this impractical - you can almost hear a chant of I want my youtube
- This younger cohort does not own their own computers nor do they typically have Internet connections at home - they rely on Internet cafés, computer labs at educational institutions, and their workplace to get online
So, with that, time for some the paranoia. When we started this, you asked, "can you really trust webmail?" A great question. Let's examine this with a little differential risk analysis. If you were going to send me an email, the list of locations where your message falls under threat would be as follows:
- The traditional POP3/IMAP (i.e. Outlook Express) scenario:
Rob's POP3/IMAP client, Rob's PC, Rob's LAN, Internet, Rob's mail server, followed by the Internet again and then into an area influenced by my email choices.
- The webmail (i.e. gmail, yahoo, or hotmail) scenario:
Rob's browser, Rob's PC. Rob's LAN, Internet, Rob's webmail host, followed by the Internet again and then into an area influenced by my email choices.
- POP3/IMAP client vs. browser
- the POP3/IMAP/SMTP mail server vs. the webmail server (which includes SMTP of course)
The browser, on the other hand, will often write some or all of your webmail fetched mail to cache - especially on a shared computer where you do not control the settings . Even once the cache is cleared, your mail may linger until some cryptographic disk wiping takes place, unless you cache to a removable device. Also, your browser would be vulnerable to session hijacking attacks that would not impact a mail client. For machine independent secure emailing, a thumb drive mounted mail client and a thumb drive mounted browser (see xb browser) are probably equally good, but having a thumb drive feels like cheating when the point was to have no hardware of your own. If you disallow thumb drives, the browser seems to come out ahead in the digital existence balance.
Looking at the servers, both traditional POP3/IMAP/SMTP servers and webmail server's can archive some or all of your email after it has been sent or received, including messages that you have deleted. Perhaps the difference is that webmail servers are guaranteed to have a copy of all of your mail, and it will be all indexed and ready for searching by:
- you
- any data mining software
- any advertising (think gmail) software
- any unscrupulous sysadmin
- any criminal who gains access to this juicy repository of information
- any government agent with a warrant (Patriot Act or otherwise)
Photo by: nico.cavallotto