In the age of Big Brother, will on-premise email gain appeal? 


The Protect America Act and its younger sibling, the FISA Amendments Act of 2008, grant the NSA permission to monitor all internet activity going into and out of America without obtaining warrants, provided its general intelligence gathering plan is approved by the FISA Court.

Under the program we know as Prism, the NSA is then allowed to obtain electronic communications of any foreign user whose message(s) has been flagged as suspicious, and those of any user, foreign or American, who has been in communication with the initial user. If the connected communications belong to Americans, they are labeled as such, stored separately, and require warrants before NSA analysts can access them.

How this works in practice is that each year the NSA gives a slew of user information directives to internet giants like Facebook, Google, Microsoft, and Yahoo, and the giants comply, with varying methods of turning over that data.

It’s safest to assume that any email, sent from any service, will be monitored. However, for corporations seeking some control over who has access to their employees’ inboxes, there is a bright light, and its name is "on-premise email."

Until this past Thursday, you might have thought I’d say the bright light’s name was "secure email provider." On Thursday, one secure email provider suspended operations, and the other shut down entirely.

The problem with secure email providers is that, while the emails stored on their servers are encrypted, they are still stored on their servers. The metadata is clear as day, and, if the secure email provider also stores the encryption keys, the message bodies are readable as well. And most secure email providers do store the encryption keys, because managing these keys is a huge pain in the tuckus for corporations.

Now, on-premise email is no slouch in the pain-in-the-tuckus department. It requires an in-house IT team to set up and manage the mail servers, it’s more expensive than cloud solutions until you have enough users, and it can struggle to keep up with spam volumes.

HOWEVER: if you have on-premise email, you store your email, and you get to dictate who has access to it. If the NSA wants to pore through one of your inboxes, they have to come to you to get it.

I should also say: on-premise email isn’t new--quite the opposite. Back before the cloud wafted in, on-premise was the only option, and up through April of 2011, it was still used by 80% of corporations.[1] When you think about all that hassle vs all that convenience, 80% sounds pretty high. You might imagine that over the years, as companies got around to upgrading systems, and as advancements in on-premise features--particularly mobile-focused features, stagnated, that number would drop, and drop, and drop.

And you’d probably be right, were it not for the lack of data control that inherently accompanies cloud-hosted email.

But taking under consideration a) this lack of control, b) the amount of attention Prism and the broader wiretapping program have received in the mainstream and tech media, and c) the widely publicized decisions made by Lavabits and Silent Circle, what I’m wondering is whether that number will actually start to go up.

Given a choice between your way and the information super highway, which will you take?