FIVE and a half years ago there were none. Now there are more than 2,000 subscribers

to email in Cambodia, receiving and sending thousands of messages a day. It's used

for everything from business accounts to end-of-year reports to quick memos to love

letters - yet how secure is our email?

It's a question that was highlighted two months ago when a computer hacker managed

to break into hotmail.com, the free email service available over the internet, and

exposed the email accounts of all 40 million Hotmail users around the globe. With

email in Cambodia a fast-growing means of communication, some experts here say that

protecting our cyber-messages should be more of a concern for users, who may not

realize the potential for security breaches.

"Sending an email is like sending a postcard," said Mike Gaertner, an information

technology analyst currently working in Phnom Penh. "Anyone who has the know-how

can read it."

Bill Herod, advisor to Kids, a public internet service in Phnom Penh, agreed.

"Email is not secure. It's written in plain text, and [when it's sent out] anyone

in the world can get into that stream. It's a serious consideration if you're dealing

with lawyers, or have private business considerations [being carried out by email],"

he said.

But this doesn't necessarily mean we should be canceling our email accounts and running

back to snail mail. Experts agree that to try to intercept a specific message takes

a lot of time, know-how, and probably a bit of luck too.

Emails being sent out are delivered from one Internet Service Provider (ISP) to another,

for example from Bigpond in Phnom Penh to Demonnet in San Francisco. Because of the

sheer volume of email traffic flying through cyberspace, to be able to filter out

specific messages to intercept would take a huge amount of software and hardware,

as well as an enormous amount of time.

But David Lewis of Bigpond admitted that hackers were more likely to be able to intercept

messages while they waited at an ISP to be downloaded onto a customer's computer.

"The chances of having your messages read by someone else while they're waiting

at the ISP is entirely down to the security of the mail server," he explained.

He noted that Bigpond kept their mail server in a locked room, with access restricted

to only three people who know the password.

"You can't break in via the internet to Bigpond," he said. "You would

have to gain physical access to the room itself."

So Bigpond is foolproof?

"Well, no," he admitted. "Security holes are spotted and exploited

all the time. We're not complacent, but at the moment you can't break in. Of course,

tomorrow, we might hear of some new hole - the thing has to be actively managed."

One thing that can certainly improve your chances of keeping your email safe is to

encrypt your messages, a practice which is becoming more and more widely used in

Europe and the US, especially for businesses like banking, and which is used in Phnom

Penh by some embassies. Encryption services are available free over the internet,

or by companies set up specifically to provide encryption codes.

One such system is the humbly-titled PGP (Pretty Good Privacy), which requires both

sender and receiver to use the same encryption code. Anyone surveilling the email

or trying to intercept messages would be unable to do so unless they had a copy of

the encryption key.

Mike Gaertner is currently exploring the feasibility of setting up an encryption

service in Phnom Penh.

"I see it as a personal expression of freedom - the right to send a message

without anyone else reading it," he said.

An added bonus of an encryption service such as the one Mike proposes to set up in

Phnom Penh is the "certification of warranty" that it provides.

"When you sign up to use the encryption key, you have to be able to prove that

you are who you say you are," he said. New users show their passports, or other

reliable forms of ID, and are then signed up for the service. When someone receives

an email via this encryption service, they also receive an automatic guarantee that

the sender has been certified bona fide.

Knowing who you're really talking to through email is an important side to cyber-transactions

that people often overlook, according to Gaertner.

"In real life, everyone has a passport or an ID card, but in digital life, there

is no such thing. This is a way to try to organize it."

But there are loopholes in the service, as pointed out by Bill Herod.

"Encryption still has an element of trust built into it," he said. Potentially,

a new user could fake their ID to set up a bogus certification. "This is exactly

the kind of loophole that the bad guys would look for," he said.

Although the chances of having your email intercepted by a random hacker are small,

a more sinister possibility is that of email surveillance by employers, or even governmental

departments.

"In Vietnam, for instance, all email goes through the government server,"

says Gaertner, "so the government has the possibility to spy on people's private

messages. But as far as I know, the government here does not have the equipment to

spy on private email."

Herod was equally sure that the men at the top are not spying on us.

"I can say with certainty that no-one at the Ministry of Interior is monitoring

Bigpond or Camnet [Cambodia's two largest ISPs]."

Than Sina, Secretary of Sate at the Ministry of Interior, was less forthcoming in

his denials of surveillance.

"We're discussing the National Security Act at the moment," he said, "and

this may include laws on the email and internet.

"It's important to look at security issues without violating the rights of the

people. When you're talking about tapping phones and surveillance, you have to ask

at what level of security you're talking about," he said, but refused to be

drawn on the current level of surveillance that prevails in Cambodia.

One thing that is known for sure: if you are sending private emails from work, it's

completely possible that your employer is monitoring your movements. One prominent

western diplomat was recently left red-faced after his superiors discovered that

he was sending pornographic photographs by email - the embassy he worked for routinely

scanned employee emails for any large photo attachments.

Perhaps the most common concern of regular email users is the possibility of infecting

their computers with viruses that are passed on unwittingly through received messages.

Viruses, or more often, virus warnings, come spinning through the internet every

day, and most people with email access have at some time or another received anonymous

virus warnings through their mailbox. In fact, say the experts, most of these are

just rubbish - a 1990s version of the unwanted chain letter.

"A virus cannot get into your computer just through receiving an email,"

says Lewis. "The only way for it to happen is if you open up an attachment that

came with the email. For instance, I could write a program which would delete your

hard disk, and call it 'sex.exe'. If you were crazy enough to open it, the damage

would be done - but just looking at the email I sent you couldn't do anything."

A recent US Department of Energy statement noted that: "We are spending much

more time debunking hoaxes than handling real virus incidents". There are even

entire websites devoted to hoax viruses, including the top ten hoaxes of all time,

and stories of how unsuspecting email users were duped by fake virus warnings. (See

box).

Meanwhile, as the flow of email traffic to and from Cambodia grows, more and more

people are coming to rely on it as their primary, or even sole means of communication

with the outside world. This, says Herod, means that the need for security will grow.

Yet at Kids internet service, one regular customer was less than impressed by a friendly

security warning.

"I'm not worried at all, because I never write anything particularly private,"

he said. "I wouldn't care if the whole world saw my emails."

Useful web sites on email security

Ziplip.com - a free encryption service, plus information about email security.

www.at.pgp.net/pgpnet/pgp-faq/faq.html - frequently asked questions about PGP.

www.cert.org - summary of the most frequent internet security incidents.

www.av.ibm.com/Publish - an IBM site dedicated to information on protection from

viruses and virus hoaxes.

kumite.com/myths - excellent site detailing latest scares and hypes, plus top ten

hoaxes of all time.