Some alternatives to letter mail are obvious. Many businesses have significantly reduced outbound paper mail volumes by sending general correspondence, newsletters, invoices, and statements electronically. Contracts can be digitally signed or scanned; this is so common that fax machines, along with the analog phone lines they require, are becoming obsolete. However, security concerns limit the use of email. Some businesses have adopted an approach whereby notifications are sent by email and customers must log in to proprietary systems to view messages and documents.
Electronic payment systems have also reduced the need for snail mail. In the consumer space, it is rarely necessary to write and mail a cheque, and direct deposit has dramatically reduced the need to receive and deposit cheques. This is unfortunately not the case in the business world, where payment by cheque remains very common. While services such as PayPal have gained traction, and will see increased volumes during mail disruptions, the banking industry has failed to implement a universal, cost-efficient, and easy-to-use funds transfer system. It is still easier and less expensive for many businesses to issue a cheque and drop it in the mail.
It is easy to envision a more secure email system to address these requirements and virtually eliminate the need for paper mail. Invoices can be exchanged in a standard format that allows them to automatically enter accounting workflows, and corresponding payments could be sent electronically. Consumers will receive, view, and pay bills in a single application, perhaps a future email client or the next generation of personal finance software. To achieve this vision, two obstacles must be overcome: security and document standards.
Over the past few years, some progress has been made in the area of email confidentiality. The majority of email flows over TLS, making it more difficult for third parties to intercept in transit. However, email remains unprotected on servers and, perhaps more critically, still lacks even basic integrity controls. It is absurd that nearly twenty years after Internet email became mainstream, it remains trivial to forge, rendering it useless for applications such as financial transactions.
Electronic messaging requires a solid security framework with confidentiality, integrity, and availability controls. The algorithms and protocols required to achieve this already exist, but the required standards have not materialized for several reasons: government opposition, a perception that it is too difficult, and an unrealistic approach to security requirements.
The last factor, an unrealistic approach to security requirements, is perhaps the largest obstacle, and it will be discussed in a future column. But in summary, most proponents of secure email reject anything short of the highest possible level of security, one that far exceeds that provided by the postal system. True end-to-end email security requires changes in every email client and precludes most uses of webmail. Security is not binary, and there are workable intermediate alternatives that could be more readily adopted.
Credit card statements are a good example. No Canadian financial institution will email credit card statements because “email is not secure.” However, they are willing to print the same information on paper and mail it to customers, despite the fact that it is likely to spend some time in an unlocked mailbox, be accessible to anyone else at the same residential or business address, and be disposed of insecurely in the garbage because most Canadian households don’t have a shredder.
Email suffers from a near absence of document standards. In many ways it is modelled after the postal system: put anything small enough in the envelope, and hit send. While the ability to attach files is very useful, standards are not used for messages, invoices, statements, payments, and other common use cases. As a result, the same types of documents arrive as plain text, as HTML, and as Word, Excel, and PDF attachments, none of which can be automatically processed.
Efforts to create open standards for business documents started more than a decade ago, including the XML-based OASIS Universal Business Language (UBL). It is clearly viable. Since February 2005, use of the UBL Invoice standard has been mandated by law for all public-sector business in Denmark. Every month, several million UBL invoices are currently exchanged in Denmark.
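To make "automatically processed" concrete, the following added example (not from the column or from OASIS) loads a UBL invoice as it might arrive in an email attachment and cross-checks its totals before handing it to an accounting workflow. It assumes the UBL 2.x namespaces; the sample invoice is constructed and trimmed to the fields used, and `load_invoice` is a hypothetical name.

```python
from decimal import Decimal
import xml.etree.ElementTree as ET

# UBL 2.x namespaces (assumed version; the column does not name one).
UBL = "urn:oasis:names:specification:ubl:schema:xsd:"
NS = {"cac": UBL + "CommonAggregateComponents-2",
      "cbc": UBL + "CommonBasicComponents-2"}
INVOICE_TAG = "{" + UBL + "Invoice-2}Invoice"

# Constructed sample, trimmed to the elements this example reads.
SAMPLE = b"""<Invoice xmlns="urn:oasis:names:specification:ubl:schema:xsd:Invoice-2"
  xmlns:cac="urn:oasis:names:specification:ubl:schema:xsd:CommonAggregateComponents-2"
  xmlns:cbc="urn:oasis:names:specification:ubl:schema:xsd:CommonBasicComponents-2">
  <cbc:ID>INV-0001</cbc:ID>
  <cbc:IssueDate>2024-01-15</cbc:IssueDate>
  <cac:LegalMonetaryTotal>
    <cbc:LineExtensionAmount currencyID="CAD">149.50</cbc:LineExtensionAmount>
    <cbc:PayableAmount currencyID="CAD">149.50</cbc:PayableAmount>
  </cac:LegalMonetaryTotal>
  <cac:InvoiceLine><cbc:ID>1</cbc:ID>
    <cbc:LineExtensionAmount currencyID="CAD">100.00</cbc:LineExtensionAmount></cac:InvoiceLine>
  <cac:InvoiceLine><cbc:ID>2</cbc:ID>
    <cbc:LineExtensionAmount currencyID="CAD">49.50</cbc:LineExtensionAmount></cac:InvoiceLine>
</Invoice>"""

def load_invoice(data: bytes) -> dict:
    """Parse an untrusted UBL invoice and cross-check its totals."""
    # Attachments are untrusted input: refuse DTD and entity declarations outright.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError("DTD or entity declaration rejected")
    root = ET.fromstring(data)
    if root.tag != INVOICE_TAG:
        raise ValueError("not a UBL Invoice document")
    declared = root.find("cac:LegalMonetaryTotal/cbc:LineExtensionAmount", NS)
    payable = root.find("cac:LegalMonetaryTotal/cbc:PayableAmount", NS)
    lines = root.findall("cac:InvoiceLine/cbc:LineExtensionAmount", NS)
    if declared is None or payable is None or not lines:
        raise ValueError("missing monetary elements")
    currency = payable.get("currencyID")
    if any(e.get("currencyID") != currency for e in lines + [declared]):
        raise ValueError("mixed or missing currency codes")
    # Decimal, not float: accounting values must compare exactly.
    if sum(Decimal(e.text) for e in lines) != Decimal(declared.text):
        raise ValueError("line amounts do not match the declared total")
    return {"id": root.findtext("cbc:ID", namespaces=NS),
            "currency": currency, "payable": Decimal(payable.text)}
```

A structurally valid invoice says nothing about who sent it; the forgery problem described earlier in the column still has to be solved before a parsed invoice can trigger a payment.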
Advances in security and document standards would increase productivity and further reduce reliance on letter mail.
Have a security question you’d like answered in a future column? Email email@example.com