Encryption and the Security of Counselling by Email
Because security, privacy and confidentiality are central to the counselling process, this section specifically addresses encryption and security in the context of email counselling.
The Risk of Email Interception
Given that several trillion emails travel around the globe every year, I believe there is a relatively low probability of any given email being intercepted by an eavesdropper wishing to compromise the confidentiality of our counselling sessions. However, you should be aware that emails which are not encrypted may be read by anyone who does intercept them. That is why CounsellingResource.com offers full support for encrypted communications: you have the option of encrypting any and all emails you exchange with CounsellingResource.com. Moreover, all email, once received locally, is also stored in encrypted form, whether or not the original email was itself encrypted.
Protecting Counselling Emails With Strong Encryption
All email communications with CounsellingResource.com, whether for counselling purposes or not, can be fully protected with strong encryption. (Please also see our Privacy Policy and Security Details pages, which include more detailed descriptions of how we handle email communications and any personal information.) If you would like to secure individual counselling emails, I believe the best option is to install PGP, considered by many security specialists to be the 'gold standard' of encryption software. Alternatively, a web-based email solution, which is fully interoperable with the PGP standard, is available from Hushmail. PGP and Hushmail employ a combination of standard strong encryption and public key cryptography, which enables us to communicate securely by first exchanging 'public keys' with one another; these keys enable our software to encrypt messages specifically for the other person's email address. Once received, we each use a corresponding 'private key' -- which only we have access to -- to decrypt the messages which were encrypted with the public key.
The Getting Started process for email-based counselling includes a space for specifying your public key if you would like to encrypt messages, and you can specify a public key at any time in the future, even if you don't do this as part of the initial process. You are not by any means required to encrypt our email communications, but the option is always available to you if you would like to do so.
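The public-key exchange described above, sketched with GnuPG 2.1 or later (a free implementation of the OpenPGP standard that PGP uses). This is an added example, not part of the original page or of CounsellingResource.com's own setup; the names, addresses and keyring locations are constructed placeholders.

```shell
#!/bin/sh
# Added example: one PGP round trip using two throwaway keyrings.
# The two keyrings stand in for two separate computers (client and counsellor).
set -eu

# Prints the decrypted message after a full exchange; returns 127 if gpg is missing.
pgp_round_trip() {
    message=$1
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found" >&2; return 127; }
    work=$(mktemp -d)
    client="$work/client"; counsellor="$work/counsellor"
    mkdir -m 700 "$client" "$counsellor"

    # 1. The counsellor creates a key pair. The empty passphrase is for this
    #    demo only; a real private key should be passphrase-protected.
    gpg --homedir "$counsellor" --batch --quiet --pinentry-mode loopback \
        --passphrase '' --quick-generate-key \
        'Counsellor Example <counsellor@example.org>' default default never

    # 2. Only the public half leaves the counsellor's machine.
    gpg --homedir "$counsellor" --armor --export counsellor@example.org \
        > "$work/counsellor.pub.asc"
    gpg --homedir "$client" --batch --quiet --import "$work/counsellor.pub.asc"

    # 3. The client encrypts for that public key. '--trust-model always' skips
    #    key verification, which in real use is done by comparing fingerprints.
    printf '%s\n' "$message" |
        gpg --homedir "$client" --batch --quiet --armor --trust-model always \
            --recipient counsellor@example.org --encrypt > "$work/msg.asc"

    # 4. The client holds no private key, so even the sender cannot decrypt.
    if gpg --homedir "$client" --batch --quiet --decrypt "$work/msg.asc" \
        >/dev/null 2>&1; then
        echo "unexpected: decrypted without the private key" >&2; return 1
    fi

    # 5. The counsellor's private key recovers the message.
    plain=$(gpg --homedir "$counsellor" --batch --quiet --pinentry-mode loopback \
        --passphrase '' --decrypt "$work/msg.asc")
    for h in "$client" "$counsellor"; do
        gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$work"
    printf '%s\n' "$plain"
}

if [ "$#" -gt 0 ]; then pgp_round_trip "$1"; fi
```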
Protecting Your Communications With Our Server
The welcome questionnaire which you will be asked to complete as part of the Getting Started process for email-based counselling is protected by full 128-bit SSL encryption, so that all details entered on the form will be secured during transmission to our server.
Special Considerations in Shared Environments
If you'll be working from a computer which is also used by other people, or which is owned by your employer, it's worth thinking about how this may impact on your privacy and security.
Counselling From Work
Decisions about whether to undertake counselling from work are of course entirely up to you. Although this may be directly sanctioned (and even paid for) by the employer, where it is not, I would urge you to be aware of your employer's policies regarding private use of computer and internet facilities, as well as conducting private affairs during work time.
Employers may assert a right to read any and all emails which pass through their system. Employers may also take a dim view of employees encrypting data held on employer-owned computer systems. Even taking the precaution of printing all emails once received and then deleting local copies may still leave a copy on an employer's mailserver which could be retrieved by the employer at a later date.
Maintaining Privacy in Shared Environments
If undertaking counselling from shared environments like internet cafes or libraries, you should take particular care to guard your privacy. Web browsers used to access web-based email accounts should not be left logged in to the web-based email service, and likewise usernames and passwords should not be stored in cookies. When in doubt, log out -- and when prompted to save user information in a cookie, 'just say no'.
Exchange of Email vs. A Centralized Server
Some internet-mediated counselling services promote the idea that a central 'secure' server, controlled by the service itself, provides a more secure mechanism than the exchange of emails. CounsellingResource.com takes a different view; here are a few of the considerations which inform this view.
What is a 'Secure Server'?
A 'secure server', one which you can access via "https://" rather than "http://", encrypts traffic being exchanged between you and the server. This makes it virtually impossible for someone who is eavesdropping on the transmission to extract meaningful information from the transmission. Effective encryption makes the communication stream look random. This is desirable.
However, it's also important to understand what 'secure server' does not mean. Specifically, a 'secure server' does not ordinarily store data in encrypted form. In other words, once a communication reaches the server, it is decrypted and stored in ordinary form. When you request information from the server, that ordinary information is then encrypted again, until it reaches you, where your browser decrypts it once more. So, a 'secure server' makes it possible to secure the communication, but not what is actually stored at either end.
Who Actually Runs Web Servers?
Generally speaking, only large companies operate and maintain physical control over their own dedicated web servers. Everyone else uses web servers housed in special data centres, run by companies whose business it is to provide web hosting or 'rack space' for other businesses. (Try typing 'web hosting' into a search engine to see how widespread the business is.) Often the physical servers themselves are shared between many different web sites run by people who never need to know of one another's existence. It is possible to look up the physical machine address of any given web site, and from that to perform what is called a 'reverse lookup' to determine how many other sites sit on the same physical machine -- often there are literally hundreds.
The upshot is that unless you are dealing with a quite large organization, it is very unlikely that they even have physical possession of their 'own' server(s). When your bank says they hold your data on a secure server, they probably have that machine locked up in a building with armed guards. But when a counselling service or some other psychology or mental health site says they hold your data on a 'secure server', they probably use a third-party data centre physically maintained by third-party personnel.
Distribution of Risk
Unlike services which hold web-based counselling sessions on a centralized server controlled by the service itself, exchanges of email allow risk to be distributed and thus lowered. A centralized server provides a single point of failure, making itself available for attack 24 hours per day, 7 days per week. Even if data on that server are never compromised, the machine itself can be brought down via any number of hacking methods, including the well-publicized Denial of Service attack, flooding, etc. This means that even if data remain uncompromised, your access to that data may be impaired or degraded.
In my view, any site which says "hey, we're holding a bunch of confidential client information here" is just asking for trouble!
A Philosophical Point
Finally, my own preference is to offer clients as much control as possible over the counselling process and the communications process. I believe exchanges of email promote client control much more than centralized server systems which hold clients' data for them.
And What About the Data Protection Act?
In the case of electronic records, such as those generated in the course of internet-based counselling, there are additional legal requirements which bear on confidentiality and privacy. As indicated in the CounsellingResource.com Privacy Policy, Mulhauser Consulting, Ltd. -- which provides the services of Dr Mulhauser -- is registered in the UK as a Data Controller under the Data Protection Act 1998, so I understand the special requirements for safeguarding personal information held electronically. Note that with the exception of very narrowly specified uses, it is a crime in the UK to conduct business using personal information held on a computer without being registered as a Data Controller -- and pastoral care, which includes counselling, is one area specifically identified by the government as not qualifying for exemption from the Data Protection Act.
Individually identifiable information about client sessions is retained in accordance with the Data Protection Act for a period of 6 years.
This page was last reviewed by , Tuesday, 22 April 2008.
The URL of this page is:
http://counsellingresource.com/counselling-service/encryption-and-security.html
