Hacker News

prepend today at 2:06 PM

Somehow they mail letters with info.

Encrypted email wouldn’t require a BAA.


Replies

the_bear today at 2:27 PM

I'm not a lawyer, but I'm currently working on getting my company HIPAA-compliant, so I know more than the average person about this.

My understanding is that there's a thing called the "conduit exception" which basically says that if data is transiently passing through a channel and it's not being looked at, it's ok. But wherever the data lands must be HIPAA-compliant.

This seems crazy to me, but that's how it works I think. For example, if you encrypt PHI and store it in AWS without signing a BAA with them, that's a HIPAA violation, even though the data is encrypted and Amazon can't see it. But if you send encrypted data through AWS without actually storing it, that's fine.

Mail is specifically mentioned as a thing that qualifies for the conduit exception. I'm not totally clear why it isn't a HIPAA violation the moment it arrives at a destination (it's not in-transit at that point, and it's potentially not in the possession of the intended recipient either), but it seems pretty well accepted that it's not.

All that to say: I think encrypted email would still require a BAA because it's being stored, not just transmitted.

cogman10 today at 2:28 PM

It's a crime to open someone else's mail and generally speaking the post office does a pretty good job of reliable delivery. Even if an address is a bit wrong/corrupted, it can likely be delivered just from the name and the zipcode.

Email is a lot harder. The older SMTP standard sends emails unencrypted so there's a possibility of a MITM reading the email. But also addresses if you get them wrong can end up in the wrong hands. For example, if someone sends an email to cogman10, I'll get it, but if they go to cogman1O I won't get it. A lot of the nuance of how secure and when it's secure gets erased by auditors to just "email is insecure".

inigyou today at 2:54 PM

The post office is heavily regulated not to open your letters with severe criminal penalties if they do. An attacker also can't quietly X-ray your letter in transit to get a sneaky copy.

prussian today at 2:56 PM

They also send faxes to providers as well. It's kind of ridiculous when you think of it.

b112 today at 2:18 PM

Dollar bills are essentially untracked, good everywhere, secure, work no matter what. Same goes for normal mail, and it's a federal offense to tamper with it.

Nothing electronic will ever be secure, unless it is never, ever networked. Networking changes "touch physical thing" into "everyone on the planet plus their bots" can touch it.

Even if you pass harsh laws, you need to geogate network connections to only within that legal jurisdiction. Otherwise, it's pointless.

The real, true problem is anonymousness. I used to advocate for it, now I'm done. The problems anonymity solves are a gnat compared to the ones it creates.

I'm all for ipv8, but with a unique ID in the packet identifying the person directly.

I can't drive a car, own a gun, drive a boat, buy explosives, ply many trades, and 100 other things without a license. Maybe unrestricted internet access is in that category, and bad behaviour means it is revoked.

The Internet was a toy for a long time. Now it's the backbone of all commerce, industry, personal communication, with life threatening implications at times.

Play time is over.
