The Internet is over 30 years old, and is accepted as a given. TCP/IP is an accepted protocol outside of the Internet as well as a standard within it. The protocol for sending email, SMTP (simple mail transport protocol), is simple and easy to implement. The Internet's openness has made it easy to build on, easy to grow, and easy to adopt.
The Internet is a new form of commons, which is overused because it is free (marginal cost is almost zero). Everyone who has access to the Internet can communicate with everyone else who has access to the Internet. Unfortunately, the Internet's openness is also easy to exploit by malicious or vainglorious people, who want to communicate with everyone as well.
The openness of the Internet makes all communications the equivalent of postcards readable by anyone watching them go by. Encryption can disguise the postcard information, providing a strong virtual envelope for messages.
Many companies make email systems that employ encryption to keep message content private. Many of the solutions are either technically challenging to use or require users to behave differently, which has the same effect. All of these solutions succeed in making message content unreadable except by the recipient. None of these solutions make anything other than the content private.
Although making email content private does protect specific proprietary documents such as business plans, products designs, and legal and financial communications, however, making email content private does not prevent spam, viruses, or malware. The Internet as a whole is public, open, and simple. All email addresses are public even in the email systems that encrypt content.
Spam and wide distribution of viruses result when standard email addresses are public. Email addresses can be obtained by spammers or virus distributors in a variety of ways. For example, fraudsters may send email using a fake return address, a process known as spoofing. They sometimes include legitimate-appearing URLs (Uniform Resource Locators) to direct recipients to the web site of a known organization, while the actual URL that is hidden in the HTML (hypertext mark-up language) code is to a different address. Fraudsters effectively make themselves anonymous, and they include false links in an attempt to obtain personal information.
Others have attempted to keep email addresses private. This is to require that all messages be sent and received via an encrypted (e.g., SSL or secure socket layer) web browser connection to a particular server farm. This is known as a “pull” email system to which users have to log in to receive their email. This works if the recipient already has an email account with this “pull” email system.
However, if a user uses an email client to receive email, a so-called “push” system, the addresses must become public to reach that user. This can be countered with a solely-web-based email system, where all communication between the user and the web site is via SSL, an encrypted link. However, when an email is sent to a user who doesn't have an account on a web-based system, an email must be sent via normal channels to an email client which makes the email address public. Even when the user does have a web-based email account, which a user must remember to check periodically, email can lie in his/her inbox unread for an undetermined length of time, rendering the email worthless if it has a time value.
For example, a typical ABC company sells power tools on its web site and customers buy products on the web site, entrusting their personal information such as name, address, email address, credit card numbers, etc. to the ABC company. After customers buy via the web site, the ABC company sends a confirmation email to customers verifying what they just bought. The ABC company follows up later with shipping information, post-sales information, and marketing information about products in which customers might have a future interest. All these emails travel over the public Internet in a clear form, with neither content nor addresses private.
Most secure email solutions encrypt the content of emails. However, in the case of the ABC company, the content is not the part of the email that is sensitive (unless the credit card is reprinted in full, an unlikely event). Rather, the address of the email is. Fraudsters can steal email addresses and dress up the email content to appear as if it came from the ABC company, and ask customers to “verify their account information”. That is, they effectively ask customers to send the fraudster their names, addresses, credit card numbers, mother's maiden name, etc., while customers think they are sending this information to the ABC company.