The DNC is never going to be the equal of these companies employing thousands of engineers and managing millions of email accounts when it comes to security, so perhaps it should stop trying and let the experts take over.

That’s a suggestion bordering on sacrilege to many people who care about security, who believe real security and strong encryption are possible only when you manage your own data and encryption keys yourself. And it’s true that trusting a company to manage your email reduces your security in some ways. For one thing, it certainly means that company has access to all your email messages. For another, it may mean that law enforcement or intelligence officials can access those messages without your knowledge through court orders or mutual agreements with that company. So there are definitely trade-offs, and if those are the security threats you’re most worried about, and you’re equipped to configure your own server setup, then you probably should not entrust your email to a third-party provider.

If, however, you’re more concerned about your email being read by external attackers in, say, Russia, then the perceived security of handling all your own email may do more harm than good. And if your area of expertise is political strategizing and maneuvering, rather than encryption protocols and firewall configurations, you would almost certainly be better off delegating responsibility for your email to a company that knows what it’s doing.
I’ve been thinking about this ever since the DNC emails leaked — and in light of Hillary Clinton’s controversy over the use of a private email server. Should these organizations even be using email at all? Server-side storage makes searching and access to one’s account from multiple devices more convenient, but it exposes these organizations to huge risk. Mobile messaging with end-to-end encryption (Signal, iMessage, WhatsApp) is in many ways less capable than email, and eliminates certain decades-old conventions like “forwarding”, but it’s inherently more secure.
Email might be too ingrained to walk away from. It’s universal. But the high-profile targets like the DNC (or the United States Secretary of State) running their own servers is certainly not the answer. What’s the best solution?