Encryption and the Security of Counselling by Email

Because security, privacy and confidentiality are central to the counselling process, this section specifically addresses encryption and security with a focus on the context of email counselling.

The Risk of Email Interception

Given that several trillion emails travel around the globe every year, I believe there is a relatively low probability of any given email being intercepted by an eavesdropper wishing to compromise the confidentiality of online counselling sessions by email. However, you should be aware that emails which are not encrypted may be read by anyone who does intercept them. That is why online therapists should offer full support for encrypted communications (and certainly I do at my own online therapy practice at MyTherapist.com).

In my view, it is also essential to find out whether your choice of online therapist can guarantee that all emails, once received locally on the therapist’s computer, will also be stored in encrypted form — regardless of whether they were originally sent in encrypted form. In my experience, very few online therapists even grasp the reason why this should be done in the first place — namely, that without encryption, all material is fully available to anyone with physical or remote access to the machine — and far fewer actually do it. Not encrypting local email storage is a bit like leaving all your paper files open on a desk. If you ask about encrypted storage of client information like emails, and your online therapist tells you something like “don’t worry, I have a firewall, and I keep my antivirus software regularly updated”, or “I have all the latest software updates on my computer”, what should you do? Worry. They don’t get it.

Securing Counselling Emails in Transit With Strong Encryption

All email communications, whether for counselling purposes or not, can be fully protected with strong encryption. (See our Privacy Policy and Security Details pages, which include more detailed descriptions of how we handle email communications and any personal information here at CounsellingResource.com.) If you would like to secure individual counselling emails, one option is to install software based on the OpenPGP standard, considered by many security specialists to be the ‘gold standard’ of encryption software. One package is the free GPG, while another is the commercial product PGP. Alternatively, a web-based email solution, which is fully interoperable with the PGP standard, is available from Hushmail. PGP and Hushmail employ a combination of standard strong encryption and public key cryptography, which enables two people to communicate securely by first exchanging ‘public keys’ with one another; these keys enable their software to encrypt messages specifically for the other person’s email address. Once received, each correspondent uses a corresponding ‘private key’ — to which only they have access — to decrypt the messages which were encrypted with the public key.
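To make the public-key model in the paragraph above concrete, here is an added Go example; it is not code from the original article, nor from GPG, PGP or Hushmail. It mirrors the way those tools combine standard strong encryption with public key cryptography: a fresh random session key protects the message body with AES-256-GCM, and only that session key is wrapped with the recipient's RSA public key, so only the holder of the matching private key can recover it. The type and function names (Envelope, Seal, Open, LeaksPlaintext) are this example's own, and the envelope layout is a constructed simplification, not the real OpenPGP or S/MIME packet format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is a constructed wire format for this example: the session key
// wrapped with the recipient's RSA public key, plus the AES-GCM nonce and
// ciphertext. Real OpenPGP and S/MIME packets are laid out differently.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// GenerateKeyPair stands in for "create your key pair and hand the public
// half to your correspondent".
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal encrypts msg for whoever holds the private key matching pub.
// The body is protected by a one-time AES-256-GCM session key; only that
// 32-byte key goes through RSA-OAEP, which is how PGP-style tools keep
// public-key operations cheap regardless of message size.
func Seal(pub *rsa.PublicKey, msg []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, msg, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// Open recovers the message with the recipient's private key. A different
// private key cannot unwrap the session key, and any alteration of the
// envelope fails the GCM authentication tag instead of yielding garbage.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap session key: not the intended recipient")
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("envelope altered or corrupted")
	}
	return plaintext, nil
}

// LeaksPlaintext reports whether the stored envelope still contains msg in
// the clear. It is the check a mail store kept "in encrypted form" should pass.
func LeaksPlaintext(env *Envelope, msg []byte) bool {
	return bytes.Contains(env.Ciphertext, msg) || bytes.Contains(env.WrappedKey, msg)
}

func main() {
	therapist, _ := GenerateKeyPair()
	// Constructed sample message; no real client data.
	msg := []byte("constructed counselling email body: session notes for Tuesday")
	env, _ := Seal(&therapist.PublicKey, msg)
	fmt.Printf("plaintext visible in stored envelope: %v\n", LeaksPlaintext(env, msg))
	out, err := Open(therapist, env)
	fmt.Printf("recipient decrypts: %q (err=%v)\n", out, err)
}
```

The sealed envelope is also the form in which a received message can be kept on disk: storing it as-is, and decrypting only when it is read, is the "encrypted local storage" the earlier section asks you to check for. Because the body is authenticated, a mismatched key or a modified envelope is rejected outright rather than producing a plausible-looking but wrong message.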

A competing standard, called S/MIME (for “Secure/Multipurpose Internet Mail Extensions”), achieves essentially the same end result using public key cryptography. For email clients which support it, S/MIME can provide a much more seamless experience, with transparent behind-the-scenes key management and slick automatic encryption of outgoing emails as compared to the typically manual process of encrypting outgoing emails. (Recent versions of PGP include an automatic encryption option, but the implementation is so bloated and unreliable that to my knowledge, very few people actually use it.)

Protecting Your Communications With the Therapist’s Server

Any form-based questionnaire which you are asked to complete as part of getting started with online counselling should be protected by SSL encryption. However, this is actually sufficiently tricky that we’ve dedicated a special page to it — please see our separate article about secure web forms.

Special Considerations in Shared Environments

If you’ll be working from a computer which is also used by other people, or which is owned by your employer, it’s worth thinking about how this may impact on your privacy and security.

Counselling From Work

Decisions about whether to undertake counselling from work are of course entirely up to you. Although this may be directly sanctioned (and even paid for) by the employer, where it is not, I would urge you to be aware of your employer’s policies regarding private use of computer and internet facilities, as well as conducting private affairs during work time.

Employers may assert a right to read any and all emails which pass through their system. Employers may also take a dim view of employees encrypting data held on employer-owned computer systems. Even taking the precaution of printing all emails once received and then deleting local copies may still leave a copy on an employer’s mailserver which could be retrieved by the employer at a later date.

Maintaining Privacy in Shared Environments

If undertaking counselling from shared environments like internet cafes or libraries, you should take particular care to guard your privacy. Web browsers used to access web-based email accounts should not be left logged in to the web-based email service, and likewise usernames and passwords should not be stored in cookies. When in doubt, log out — and when prompted to save user information in a cookie, ‘just say no’.

Exchange of Email vs. A Centralized Server

Some internet-mediated counselling services promote the idea that a central ‘secure’ server, controlled by the service itself, provides a more secure mechanism than the exchange of emails. CounsellingResource.com takes a different view; here are a few of the considerations which inform this view.

What is a ‘Secure Server’?

A ‘secure server’, one which you can access via “https://” rather than “http://”, encrypts traffic being exchanged between you and the server. This makes it virtually impossible for someone who is eavesdropping on the transmission to extract meaningful information from the transmission. Effective encryption makes the communication stream look random. This is desirable. (But see our article on secure web forms for a note on the difference between encrypting the blank form as it is sent to you and encrypting the actual details you send back to the form!)

However, it’s also important to understand what ‘secure server’ does not mean. Specifically, a ‘secure server’ does not ordinarily store data in encrypted form. In other words, once a communication reaches the server, it is decrypted and stored in ordinary form. When you request information from the server, that ordinary information is then encrypted again, until it reaches you, where your browser decrypts it once more. So, in the typical usage of the term, a ‘secure server’ makes it possible to secure the communication, but not what is actually stored at either end.

Who Actually Runs Web Servers?

Generally speaking, only very large companies operate and maintain physical control over their own dedicated web servers. Everyone else uses web servers housed in special data centres, run by companies whose business it is to provide web hosting or ‘rack space’ for other businesses. (Try typing ‘web hosting’ into a search engine to see how widespread the business is.) Often the physical servers themselves are shared between many different web sites run by people who never need to know of one another’s existence. It is possible to look up the physical machine address of any given web site, and from that to perform what is called a ‘reverse lookup’ to determine how many other sites sit on the same physical machine — often there are literally hundreds. (Actually, servers with SSL certificates are always hosted on dedicated addresses, so further sleuthing may be required.)

The upshot is that unless you are dealing with a quite large organization, it is very unlikely that they even have physical possession of their ‘own’ server(s). When your bank says they hold your data on a secure server, they probably have that machine locked up in a building with armed guards. But when a counselling service or some other psychology or mental health site says they hold your data on a ‘secure server’, they probably use a third-party data center physically maintained by third party personnel.

Distribution of Risk

Unlike services which hold web-based counselling sessions on a centralized server controlled by the service itself, exchanges of email allow risk to be distributed and thus lowered. A centralized server provides a single point of failure, making itself available for attack 24 hours per day, 7 days per week. Even if data on that server are never compromised, the machine itself can be brought down via any number of hacking methods, including well-publicized Denial of Service attacks, flooding, etc. This means that even if data remain uncompromised, your access to that data may be impaired or degraded.

In my view, any site which says “hey, we’re holding a bunch of confidential client information here” is just asking for trouble!

A Philosophical Point

Finally, my own preference is to offer clients as much control as possible over the counselling process and the communications process. I believe exchanges of email promote client control much more than centralized server systems which hold clients’ data for them.

And What About the Data Protection Act?

In the case of electronic records, such as those generated in the course of internet-based counselling, there are additional legal requirements which bear on confidentiality and privacy. As indicated in the CounsellingResource.com Privacy Policy, Mulhauser Consulting, Ltd. — which provides my own online services — is registered in the UK as a Data Controller under the Data Protection Act 1998, so I understand the special requirements for safeguarding personal information held electronically. Note that with the exception of very narrowly specified uses, it is a crime in the United Kingdom to conduct business using personal information held on a computer without being registered as a Data Controller — and pastoral care, which includes counselling, is one area specifically identified by the government as not qualifying for exemption from the Data Protection Act.

This page was last reviewed by Dr Greg Mulhauser, Tuesday, 22 July 2008.

The URL of this page is:
http://counsellingresource.com/counselling-service/encryption-and-security.html