Encryption Could Starve Carnivore

Tools Scramble Your E-Mail

Sigaba and ChainMail are refining encryption technology to protect e-mail from Carnivore and other predators. Encryption uses a complex mathematical formula, called an algorithm, together with a unique numerical variable to scramble data into meaningless gibberish called ciphertext. The recipient of ciphertext must use the same numerical variable, called a key, to decode the message. (See "How It Works: Encryption.")

Encrypting e-mail is not a new idea. But most consumers are slow to adopt the technology, partly because it's difficult to manage keys and because all recipients must use a compatible system. Until recently, it hasn't been possible to encrypt Web-based e-mail like Hotmail or Yahoo mail. Nevertheless, increasing public anxiety about privacy has bolstered interest in encryption.

Stealth Surfing

ChainMail, for example, has released a beta version of an open-source encryption product called Antivore that scrambles e-mail using the popular Pretty Good Privacy (PGP) algorithm. But Antivore goes a step beyond simple content encryption and adds a secure, encrypted "pipeline" between you and your ISP. It's similar to the secure socket layer used to transmit credit card numbers to electronic-commerce sites. But both the correspondents and their ISPs must adopt Antivore. (See "For Your Eyes Only.")

Antivore is actually an interim product that ChainMail accelerated because of the Carnivore controversy, notes Sean Steele, director of business development. In development is an Internet server product named Mithril, which includes encryption. Both programs run on an ISP's servers. ChainMail hopes the open source community will help perfect Antivore, and plans to incorporate improvements into a final, open source version of Mithril as well as other encryption applications.

ChainMail has made some progress with smaller ISPs. Broadband Network Service, a regional ISP in central Virginia, is among those beta-testing Antivore. Most of the ISP's customers are small and mid-size businesses that aren't equipped to manage their own e-mail and security, says Colin Learmonth, president.

"We don't necessarily see [Antivore] as combating Carnivore, but as a way of securing your e-mail ... from any third party," Learmonth says.

Sigaba takes a slightly different approach that doesn't directly involve the ISP. When a Sigaba subscriber sends an e-mail, the company's server issues a unique one-time encryption key to both sender and recipient. Sigaba's e-mail plug-in on the sender's machine then uses the key to encrypt the message. The same plug-in on the recipient's machine uses the key to decrypt it.

"We're just passing a key," says Sigaba's Bliss. "We never get in the business of delivering mail." The entire process is transparent to users, and neither Sigaba nor the ISP sees the unencrypted message.

Sigaba expects to release its server software this fall. In the meantime, it offers free plug-ins that work with Outlook 2000, Eudora 4.3, and Internet Explorer, and also encrypt Web-based e-mail. Support for other mail programs is in development. (See "Sigaba Enhances E-Mail Security.")