Encryption and the Security of Counselling by Email

Because security, privacy and confidentiality are central to the counselling process, this section specifically addresses encryption and security with a focus on the context of email counselling.

The Risk of Email Interception

Given that several trillion emails travel around the globe every year, I believe there is a relatively low probability of any given email being intercepted by an eavesdropper wishing to compromise the confidentiality of online counselling sessions by email. However, you should be aware that emails which are not encrypted may be read by anyone who does intercept them. That is why online therapists should offer full support for encrypted communications (and certainly I always did at my own online therapy practice).

In my view, it is also essential to find out whether your choice of online therapist can guarantee that all emails, once received locally on the therapist’s computer, will also be stored in encrypted form — regardless of whether they were originally sent in encrypted form. In my experience, very few online therapists even grasp the reason why this should be done in the first place — namely, that without encryption, all material is fully available to anyone with physical or remote access to the machine — and far fewer actually do it. Not encrypting local email storage is a bit like leaving all your paper files open on a desk. If you ask about encrypted storage of client information like emails, and your online therapist tells you something like “don’t worry, I have a firewall, and I keep my antivirus software regularly updated”, or “I have all the latest software updates on my computer”, what should you do? Worry. They don’t get it.

Securing Counselling Emails in Transit With Strong Encryption

All email communications, whether for counselling purposes or not, can be fully protected with strong encryption. (See our “Site Privacy Policy” and “Security Details” pages, which include more detailed descriptions of how we handle email communications and any personal information here at CounsellingResource.com.) If you would like to secure individual counselling emails, one option is to install software based on the OpenPGP standard, considered by many security specialists to be the ‘gold standard’ of encryption software. One package is the free GPG, while another is the commercial product PGP. Alternatively, a web-based email solution, which is fully interoperable with the PGP standard, is available from Hushmail. PGP and Hushmail employ a combination of standard strong encryption and public key cryptography, which enables two people to communicate securely by first exchanging ‘public keys’ with one another; these keys enable their software to encrypt messages specifically for the other person’s email address. Once received, each correspondent uses a corresponding ‘private key’ — to which only they have access — to decrypt the messages which were encrypted with the public key.

A competing standard, called S/MIME (for “Secure/Multipurpose Internet Mail Extensions”), achieves essentially the same end result using public key cryptography. For email clients which support it, S/MIME can provide a much more seamless experience, with transparent behind-the-scenes key management and slick automatic encryption of outgoing emails as compared to the typically manual process of encrypting outgoing emails. (Recent versions of PGP include an automatic encryption option, but the implementation is so bloated and unreliable that to my knowledge, very few people actually use it.)

Protecting Your Communications With the Therapist’s Server

Any form-based questionnaire which you are asked to complete as part of getting started with online counselling should be protected by SSL encryption. However, this is actually sufficiently tricky that we’ve dedicated a special page to it — please see our separate article “Secure Web Forms: Are They Really?”.

• in practice
• online mental health
• security and privacy
• therapy