If you haven’t already registered to attend the HCCH a|Bridged event on electronic technology and the Hague Service Convention on December 11 in the Hague, you should! I will be speaking on a panel with Katerina Ossenova of the Department of Justice and Emma Van Gelder of Erasmus University in Rotterdam, titled “The Prism: The Tech Battle for e-Service.” Each of us has been given a technology to champion for use under the Convention, and mine is secure email. Today I’d like to give a few ideas about the topic.
We have to evaluate email or any other technology both from a legal perspective and from a technical perspective. Email has one overriding advantage over all other electronic technologies under the Convention: the close analogy between email and postal mail. If we are willing to say that email is in the postal channel, then there is a pathway to the widespread use of email under the Convention under Article 10(a) without the need for a protocol to the Convention or for national legislation meant to allow the use of email under Article 19. No other technology can latch on to a method of service permitted by the Convention today in the same way. There is also some legal difficulty, though, which arises from the mismatch between the Convention’s strong focus on territoriality and the reality of how email works today. In short, in order to say that you’ve sent an email from country A to country B, you have to be willing to go with the postal metaphor and not look too closely into what is happening at a technical level, because if you do look, you will see that the “place of sending” and the “place of receipt” are difficult concepts in the Internet Age.
From the technical side, we want to evaluate email as a secure method of service, which means looking at the three components of security. First, authenticity. When I get an email, can I be sure that it is what it purports to be, i.e., that a malicious person hasn’t “spoofed” it? Second, integrity. Can I be sure that the message hasn’t been altered in transit? Third, confidentiality. Can I be sure that no one aside from me and the sender was able to read the message? There is a fourth component, proof of receipt, which is not typically thought of as a security issue but which, in a practical sense, may be the most important of all.
It’s a mistake to ask whether email is perfectly secure. No technology is perfectly secure. The question is whether email is reasonably secure, and I think it is sensible to ask whether it is at least as secure as the use of old-fashioned postal mail, a method that we know is acceptable under the Convention in the absence of an objection from the state of destination. With email, we see that there are strong technical means of providing security that are available, but that are not widely deployed and in some cases may not scale well. To protect authenticity and integrity, technical methods such as DomainKeys Identified Mail, Sender Policy Framework, and Domain-based Message Authentication, Reporting & Conformance, all of which make use of the DNS system, are available but not universally used or enforced. The DNS system itself is insecure, and while mechanisms exist to secure it (e.g. DNSSEC), they are not in wide use. To protect confidentiality, end-to-end encryption for the body of email messages (not the headers) is available, but is not widely used and poses high hurdles for ordinary email users. Whatever legal protections email provides are substantially weakened by the terms of service of various email service providers.
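To make "available but not universally used or enforced" concrete, here is an added example (not part of the original post) that reads the SPF, DKIM and DMARC verdicts a receiving mail server records in the standard Authentication-Results header. The hostnames, the sample messages and the function names are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Assumption: hostname of the recipient's own mail server (its authserv-id).
TRUSTED_AUTHSERV = "mx.recipient.example"
METHODS = ("spf", "dkim", "dmarc")

# Constructed sample messages, not real mail.
GENUINE = """\
Authentication-Results: mx.recipient.example;
 spf=pass smtp.mailfrom=court.example;
 dkim=pass header.d=court.example;
 dmarc=pass header.from=court.example
From: clerk@court.example

Body
"""
# Fails the real checks but carries an extra header the sender made up.
SPOOFED = """\
Authentication-Results: mx.recipient.example;
 spf=fail smtp.mailfrom=court.example; dkim=none;
 dmarc=fail header.from=court.example
Authentication-Results: mx.untrusted.example; dmarc=pass header.from=court.example
From: clerk@court.example

Body
"""
# Receiving server performed no checks at all.
UNCHECKED = "From: clerk@court.example\n\nBody\n"


def auth_verdicts(raw, trusted=TRUSTED_AUTHSERV):
    """Return the spf/dkim/dmarc results recorded by the trusted server only."""
    verdicts = dict.fromkeys(METHODS, "none")
    for value in message_from_string(raw).get_all("Authentication-Results", []):
        parts = " ".join(str(value).split()).split(";")
        authserv = parts[0].split()
        if not authserv or authserv[0].lower() != trusted:
            continue  # anyone can add this header; ignore other writers
        for part in parts[1:]:
            m = re.match(r"\s*(\w+)\s*=\s*(\w+)", part)
            if m and m.group(1).lower() in METHODS:
                verdicts[m.group(1).lower()] = m.group(2).lower()
    return verdicts


def authenticated(raw):
    """Treat a message as authentic only if the trusted server saw DMARC pass."""
    return auth_verdicts(raw)["dmarc"] == "pass"
```

A message with no verdict from the trusted server is treated as unauthenticated rather than as genuine, which is the case that matters when the checks are not enforced.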
Traditional postal mail, in contrast, provides relatively weak technical guarantees of authenticity (the use of raised seals, etc.), integrity (the physical protections given to mail and especially registered mail in transit), and confidentiality (the use of sealed envelopes) but strong legal protections. The analogue to the email service provider is the postal service, and while the postal service in the receiving country can open and inspect mail, that is not really a relevant type of insecurity in the context of service of process.
What about receipts? Here the post has a significant advantage over email. Sending registered mail abroad, with a return receipt requested, may be slow, but it results eventually in receipt of the recipient’s signature. Email has a standard receipt mechanism, but sending a receipt is at the option of the recipient. There are private third-party services that, for a fee, say they provide proof of delivery and that an email was read. I have experimented with a couple of them and have satisfied myself that they are not foolproof. It’s not clear that we should want to rely on services that aren’t part of the email standard.
Anyway, these are a few things I’ve been thinking about, and I’m looking forward to a really interesting discussion in a few weeks at the Hague!