Guidelines for protecting communications
Published 21.11.2013 | Updated 25.01.2016
Confidentiality, integrity and availability
Most commonly used services - how to protect against threats related to their use
Use of smartphones
Using communications services abroad
Remember that the confidentiality of messages delivered in Finnish telecommunications networks is protected by Finnish legislation. However, Finnish legislation cannot guarantee that confidentiality is retained in foreign communications services or outside the Finnish borders. Even if the user language of a service is Finnish, there is no guarantee that the service is implemented in Finland or that the processing of information is in compliance with Finnish legislation.
These guidelines provide detailed information on the threats in confidential communications related to the use of the internet and telephone and provide instructions for encrypting communications.
Pay attention to the following:
- what you communicate
- who you communicate with
- the devices you use for communicating
In protecting electronic communications, matters should be considered from the viewpoint of the confidentiality, integrity and availability of information. Confidentiality means that only those who are entitled to see messages are allowed to do so. Integrity means ensuring that the content of the message remains unchanged and lawful, and that the systems used for communications function as they are intended to do. Availability means that information or services are available when they are needed.
Confidentiality is the most important thing, for example, when data containing personal information is delivered or business secrets are handled in communications systems.
Integrity is the most important feature when using online banking services: users must trust that the online banking site is genuine and it is safe to use the services. More information in Finnish: A guide for safe online shopping.
In public communications, availability may be the single most important factor. In other words, the message must be easily available to everyone. The encryption of communications improves the confidentiality of information, but may weaken the availability of communications. When considering the protection of communications, it is worth reflecting on which of the three is the most important and selecting the protection measures accordingly. Examples of protection measures are listed below. The attainable protection is indicated under confidentiality, integrity and availability.
|Protection measure||Confidentiality||Integrity||Availability|
|E-mail encryption||Improves||No impact||Weakens|
|Electronic signature||No impact||Improves||No impact|
|Use of a strong password / PIN codes|
|Openness of the|
|Encrypting data or entire hard drive /|
|Use of the most popular cloud services|
|WPA 2 encryption in the WLAN network||Improves||No impact||No impact|
Estimate the need for protection:
- Consider what information you are sending, saving or sharing in the services you use.
- Consider whether the sensitivity of the information gives reason to protect it. Sometimes it is more important that it is easy to access the information and share it, in which case the use of strong protection measures can make it more difficult to share information flexibly.
- Choose the right protection measure for each service, if it is necessary to protect the information. There are several protection measures of different levels for various purposes available.
Third parties can be interested in, for example:
- location data
- ID data
- contact and communication data
- banking data
- work material
- software and devices in use
- user names and passwords
- web browsing.
How to choose a password
Use different passwords for different services. Pay special attention to the choice and storage of user names and passwords for services that are important to you. Use additional authentication methods provided by the service. This means that you cannot log into the service with your password only but you need a confirmation code sent to your mobile phone, for example. You may use password management services or software for storing passwords for services that are less important to you.
Tips for choosing a good password (in Finnish)
Consider carefully what sort of personal data you should enter into services. When considering the protection need, remember that all systems can be hacked and that they might contain vulnerabilities that can be exploited. It can be impossible to remove exposed data from the internet.
Ensure that your computer and mobile phone software are up-to-date. User names and passwords often end up in the wrong hands via malware. Do not install software on your computer or mobile phone that you do not need. Favour distribution channels and manufacturer websites that are widely known. Certain websites suggest that you install software. Do not accept the installation unless you need the software.
In case your device should get lost, encrypt your computer's hard disk and use protection codes in your mobile phone. You can encrypt your hard disk by using the TrueCrypt software, for example. GPG/PGP software can be used for the encryption of files and e-mail messages. Another alternative is to use a separate data storage device with encryption features such as a USB stick.
The latest mobile phone models are often outfitted with a data encryption feature. The encryption may be on automatically, if mobile phone protection codes are in use. It is advisable to activate the remote wiping of mobile phone data.
Take regular back-up copies of your data in case your device should get lost or break. Think carefully where you store them. It is advisable to encrypt the back-up copies especially if they are stored or transferred on the internet.
Mobile phone (voice, SMS, MMS)
All mobile call traffic is routed within Finland if the caller and the recipient subscribe to Finnish operators and both stay in Finland during the call. Finnish laws are applied to such communications. When calling abroad, when the other party to the call is visiting abroad or the other party is using a foreign subscription, the laws of the call's target and transit countries can also be applied.
Text messages and multimedia messages are routed within Finland when the sender and the receiver are in Finland.
Threats: It is not recommended to use a mobile phone for communicating sensitive issues without some specific measures by the user. It is possible to track calls and text messages as well as the location of the mobile phone through malware installed in the mobile phone, by using vulnerabilities in the information security of the SS7 signalling between telecommunications operators or via a fake base station that mimics a mobile network base station. Attacks require know-how and resources, which means that they are typically targeted specifically at a person or an organisation. Because of these threats, it is not recommended to communicate confidential issues over the telephone.
FICORA's NCSA function has approved encryption solutions for transferring different types of classified information.
Encryption solutions approved by NCSA [pdf, 205 KB] (in Finnish)
Encrypting your connection: Mobile calls are encrypted between the phone and the base station.
Hiding your number: You can hide your telephone number to prevent the recipient from seeing it. The secret number will also be displayed on the sender data of the message when you send text or multimedia messages.
Services offered over the internet can be used via data connections in the fixed broadband network and wireless mobile network. The physical network is located in Finland, but the servers related to the network services and websites can be located outside the Finnish borders.
For example: News services, search engines
Each web visitor leaves a trace on the website. The same concerns the data entered by the visitors. Search words, visited pages and browser history are typical examples of stored data. In addition, most websites request the browser to store cookies containing data the user has entered on the site so that browsing the site is more flexible for the user.
International network traffic: In Finland, it is not allowed to store user-specific information without the user's permission, but general statistics of website visits and entered data are permitted. It is noteworthy that a major part of the services have been implemented outside the Finnish borders, in which case the laws of the service provider's country of origin must be complied with. There is no guarantee that the service has been implemented in Finland if the language of the service is Finnish.
The data stored during a visit to a website can be used for determining what the website visitors are interested in, planning websites and generating user profiles for advertising purposes.
Map and positioning services
For example: Google Maps, Nokia Here Maps
Map and positioning services are services tailored for location information. These services assist users in spotting the location of a specific target on the basis of the user's own location or route of the user's choice. The location information is stored with the service provider. Several websites and services ask for the user's location information so that they can provide the website with regional information, such as weather forecasts and information on regional events and services.
Restricting location information: By determining their service and device settings, users can opt for a feature that prevents the automatic disclosure of location information. When using positioning services, you can also prevent revealing your location information by downloading maps to your device. In this case, you must update the information regularly.
Examples: Facebook, Twitter, Instagram, discussion forums
It is recommended that you familiarize yourself with the information security practices of social media services before you use a service requiring protection or communicate in a manner that requires protection. It is noteworthy that once a piece of information has been published on the internet, it is difficult to delete it completely. In order to protect your identity, choose strong passwords for the services you use. When you publish information, remember that the information entered into the service can be accessible to others than the target group. As a rule, social media services are not suitable for delivering confidential information.
Examples: Skype, Messenger
Instant messaging software facilitates real-time communication between two or more people. If you are not sure whether the instant messaging software applies encryption, or to whom the message you send will be displayed, you should not send any confidential information via an instant messenger.
Examples: Gmail, Hotmail, Luukku, Yahoo, Suomi24, e-mail services as part of broadband subscriptions
Ensure that your connection is protected when exchanging e-mail. In addition, messages or attachments containing confidential information should be encrypted, if necessary. You cannot conceal message recipient information, because it is used on the web for the purpose of transmitting the message to the recipient. It is advisable to familiarize yourself with the service's information security practices before you start using the service, and check them before any communication needing protection.
Protecting your connection: Use a protected connection in your e-mail software, in compliance with the e-mail service provider’s instructions. The protected connection is determined in the connection settings of the e-mail software. The protected connection secures the connection between the computer and the e-mail server from eavesdropping.
When using browser-based e-mail (e.g. webmail services, Gmail, Google), you should check whether SSL protection is turned on. This conceals the contents of traffic between your computer and the website server, and helps to ensure the authenticity of the website. A site applies SSL protection if the lock icon indicating it is closed and the address starts with https://.
Protecting the contents: E-mail message contents can be encrypted by using a special encryption method. You and the recipient have to agree on which encryption method to use. In most cases, the recipient must use the same encryption software for decrypting the message, or the recipient must know the password used for encryption. Software meant for protecting e-mail such as PGP (Pretty Good Privacy) can be used for encrypting the content of messages.
Examples: Dropbox, Skydrive
Cloud services are typically used for example to store back-ups and large amounts of information, and for the flexible sharing of information, such as photo albums.
In using cloud services, it is recommended to pay attention to the choice of password, protected connection or protection of content classified as confidential or sensitive.
Protecting the contents: Confidential files (photos, videos, documents) stored in cloud services can be encrypted for increased protection before they are transferred.
Online stores and banks
Examples: Amazon, Ebay
When users of online services log into the service or pay for their shopping, the service processes their personal information and means of payment, which should be sent only via an encrypted internet connection.
Encrypted connection: Prior to typing in any confidential information, you should always check that the website in question applies SSL protection. This conceals the contents of traffic between your computer and the website server, and helps to ensure the authenticity of the website. A site applies SSL protection if the lock icon indicating it is closed and the address starts with https://.
Clicking the lock icon displays the information related to the verification of the authenticity of the website in the browser. The web address shown in the information must correspond to the web address shown in the address line of the browser.
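The comparison described above, between the address in the address line and the names in the site's certificate, can be written out as follows. This is an added example, not part of the original guidelines; the function names, the `bank.example` certificate and the test addresses are constructed for illustration.

```python
import socket
import ssl
from urllib.parse import urlsplit


def fetch_certificate(host, port=443, timeout=5.0):
    """Connect with full verification and return the server certificate.

    create_default_context() validates the chain against the system trust
    store and checks the hostname, so a mismatch raises
    ssl.SSLCertVerificationError instead of returning a certificate.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def dns_names(cert):
    """DNS names from subjectAltName, in the dict shape getpeercert() returns."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def name_matches(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        first, _, rest = host.partition(".")
        return bool(first) and rest == pattern[2:]
    return pattern == host


def address_matches_certificate(url, cert):
    """True only for an https:// address whose host the certificate names."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    return any(name_matches(n, parts.hostname) for n in dns_names(cert))


# Constructed sample certificate (not taken from a real site).
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "bank.example"), ("DNS", "*.bank.example")),
}

# Constructed addresses: genuine, unencrypted, lookalike, too many labels.
SAMPLE_URLS = (
    "https://www.bank.example/login",
    "http://www.bank.example/login",
    "https://www.bank.example.lookalike.test/login",
    "https://a.b.bank.example/",
)

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, address_matches_certificate(url, SAMPLE_CERT))
```

Only the first constructed address passes: the lookalike address merely begins with the bank's name, and a wildcard entry does not cover names with additional labels.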
Wired connections are always safer than wireless connections. Thus, it is recommended that wired connections are used in homes, in particular. However, many devices can be connected to the internet over wireless devices only.
Internet connections at home are typically implemented via broadband ADSL or cable connection. It is typical for these connection types that the connection is shared wirelessly on a WLAN base station for all users at home.
It is advisable to protect all traffic passing via your WLAN base station so that:
- it is not possible to eavesdrop on the traffic passing through it and
- it cannot be accessed without a password. Current recommendation: WPA2 encryption (Wi-Fi Protected Access 2).
The most common public internet connections are the so-called open WLAN networks with unencrypted connection. Open networks can be found at airports, coffee shops, shopping malls, and other public spaces.
Anyone can connect to an open WLAN network. The data transferred via the connection is free for anyone to eavesdrop or store, if the applications used do not encrypt the traffic. Online banking services use https, which is one of the most popular encryptions used by applications.
Many public WLAN networks open to anyone ask users to log in via a website before the connection is established. Logging into the open network does not encrypt the traffic.
Those using a WLAN network open to anyone should first check with the network provider for information on the network and terms of usage.
In mobile networks, data transmission between the base station and mobile device is encrypted in Finland.
A smartphone is used for making calls and utilising internet services. General settings for communications are determined when the smartphone is taken into use. Services are mainly used by means of applications downloaded to the smartphone. Most of the applications require the user's approval for the use of, for example, network traffic or location information. Several applications use cloud services for saving or taking backups of the data processed by applications.
- When the smartphone is taken into use, the user can determine the general rights that the telephone's operating system has to communications.
- The user can change the settings later.
- When installing an application, the user approves or rejects the application's rights to communications.
- Some applications do not function or all the application features cannot be used if the user does not approve the usage rights that the application requires.
Based on the use of the telephone and the confidentiality of the data processed on the telephone, you should consider the usage rights of the data delivered by the smartphone's operating system and applications. For example, work duties may give reason to restrict the network traffic or location information delivered by the phone. However, the restrictions can reduce the possibilities to use a smartphone in basic usage. For example, the following applications require certain usage rights in order to function:
- Applications providing information on services available in the vicinity of the phone require the user's location information in order to function.
- Applications intended for keeping contact can use the contact information in the phone book, and it is not necessary to save them for each application.
However, you should bear in mind the possibility that the location information and the phone book are also delivered to and saved in the server of the application's administrator. Employers should consider the matter and advise the staff on the use of such smartphones that are intended to be used at work. For example, employers can compile guidelines on the initial phone settings according to the organisation's information security policies. Employers can also give advice on the principles related to the use of the phone.
With regard to the delivered data, you should pay attention to the following:
- Location information/Positioning information
- Backup copying
- Contact details
Smartphones can also request approval for the following purposes:
- Transferring advertisement tracking data
- Transferring data related to keyboard or usage experience in order to improve the service
- Sending WLAN base station data
- Sending data related to base stations in the mobile network
The use of the smartphone requires that the user creates a user account in the service that is maintained by the software manufacturer of the phone. The account is used to download updates and applications to the phone from the manufacturer's application store. The same account can also be connected to other services, such as to e-mail. A service provider can in its own service combine the data it has received from the same account with other data from the same service provider's services. It is recommended to activate the measures to further verify the login to the user account. The section Good practices contains more information on how to choose a password.
When the smartphone is used for the first time, it is possible to activate services related to locating, such as remote location of the phone if it is stolen. Information security risks related to these services should be assessed case by case.
Software updates should be activated as automatic, taking into account the barring of updates, which may be needed when the smartphone is used in foreign mobile networks (roaming costs).
More information on the use of applications can be found in the section Most commonly used services - how to protect against threats related to their use.
Providers of Finnish communications services, such as e-mail services, must provide confidentiality, integrity and availability for their communications services. Not all countries' legislation ensures the absolute protection of the confidentiality of communications in the way that Finland’s legislation does. Finnish authorities cannot guarantee the information security of communications services provided by a foreign telecoms operator. Neither can they guarantee the reliability of their operations.
For example, the confidentiality of communications is not guaranteed when a phone call is made on a mobile phone abroad, even if a Finnish telecoms operator's SIM card is installed in the phone. The same concerns the use of e-mail services provided by a Finnish telecoms operator abroad, because an internet connection provided by a foreign telecoms operator is used for the purpose.