Nobody seems to worry too much about sending postcards while they are away on holiday, after all, the contents of the average postcard is about as exciting as reading your weekly grocery list; “It’s very sunny, I’m here, you’re not, how’s the rain at home?”. That’s why we don’t care if the postman reads them or not, although I suspect that the majority of Post Office employees don’t worry too much about postcards as there is nothing to pinch.
But, would you attach your bank statement, or any other sensitive information that you didn’t really want out in the open to the back of a postcard? If the answer to that questions is no, then you should seriously look at your email security. Unless you are already using some kind of email security then sending an email with sensitive information is the same as sending the aforementioned postcard with your finances listed on it.
Email was never originally designed to be overly secure, it was designed to transmit a message from a sender to a recipient. It wasn’t until email gained popularity over the Internet that it really took off, historically it was confined to proper geeks. Now though that has changed, even my dog has an email account… so, how can we keep messages to man’s best friend safe and secure?
Encryption, that’s how. By encrypting outgoing email messages it doesn’t matter how many mail relays - electronic post offices - the message goes through, or how many eyes see the message as it will just read as gibberish. Here is an example of a small message that has been encrypted.
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-----END PGP MESSAGE-----
This message was encrypted using a technology called PGP, and as you can see it is just a jumble of seemingly random characters and will not be decipherable on it’s journey to the intended recipient. Read on for an overview of what you need to do to be able to secure messages and make use of an encrypted email configuration.
Method of encryption
When it comes to encryption there are two popular methods to make use of, the first is - as we mentioned above - to make use of PGP (Pretty Good Privacy) to encrypt your messages, the second is using another encryption technology known as S/MIME (Secure/Multipurpose Internet Mail Extensions). Both have their advantages and disadvantages, however, once properly installed both result in the same thing, namely secure email messages.
Both PGP and S/MIME make use of technologies which are classed as public-key cryptography. With this method of cryptography you will have two “keys”, a public key, and a private key. The public key should be sent to all the people that you wish to receive encrypted messages from, and your private key should be just that. Only your own private key can decrypt a message that has been encrypted with your public key, this way anybody can have your public key and send you an email, but only you will ever be able to read it. For a far more in-depth look at public-key cryptography for those that would like to know more about it’s inner workings check out the Wikipedia page here.
So now you know what technology can be used to make your email messages private, but how do you actually make use of them?
Secure your email
Whatever your choice of desktop email client, be it Thunderbird from the Mozilla Foundation, Microsoft’s Outlook, or Apple’s Mail, you have some form of encryption available to you. It can be a little tricky to get all the relevant parts installed and configured, but once done you will have gained email privacy by way of encryption. Sending and receiving messages is then as easy as entering your encryption password, if you decide to set one (which is wholly recommended).
For Android mobile devices you have the combination of the K-9 email client along with AGP, and on Apple’s iOS you can set the default mail app to use the iPGMail extension which allows for transparent encryption. A bonus of iPGMail on iOS is that you can also tell it to encrypt files going to your Dropbox account too, that we really like.
It is also possible to make use of encryption when using webmail, however this has a major caveat for the convenience, that is you must have your private key, which is used for decryption, on the remote server. In this scenario you would need total trust in your email hosting company not to steal your private key. There are new and interesting avenues to take, one browser extension called WebPG integrates nicely with a number of webmail services to allow you to use PGP encryption and retain your private key under your complete control. It’s a little buggy in places right now, but all-in-all allows us to have secure communications via webmail services, that is a good thing, and the extension will only get better. It’s currently available for both Firefox, and Chrome web browsers.
As with any kind of data stored on remote servers, the location the servers and the company that owns them matters a great deal. If it is within a jurisdiction such as the United States, the United Kingdom, or one of the numerous states of the European Union then you should consider moving to a different email hosting provider. This is an even higher priority if you make use of webmail or prefer to connect to your email service using the IMAP4 protocol.
IMAP4 - which webmail generally makes use of - is very convenient as it allows you to quickly access any past email from any connected device without having to have a complete copy of all downloaded emails. This is possible as all email messages are stored on the remote mail server. If that remote server happens to be in one of the jurisdictions mentioned earlier then it’s relatively easy for the government of that country to request access to the messages and other activity log files.
It does not matter if a US or UK company owns and runs servers in a different country. The jurisdiction is decided upon by the location of the ISP itself. So the US government can easily serve a subpoena on an ISP and gain access to the data it holds for customers even if that data is in another country.
The only true way to protect your data in this respect is to move your email services to an email hosting provider that is domiciled in a privacy friendly jurisdiction, and you encrypt your emails as outlined above.
All you have to do is look at what happened with the private email service Lavabit to know that there is a very serious privacy issue leaving your email in one of these countries. Check out the Lavabit story here.
Are we really safe?
As with anything that is directly connected to a computer network, it is nearly impossible to make communications 100% safe. By moving your email accounts to a location that is high on privacy and encrypting important messages you can do a very good job of securing yourself from those that would otherwise easily snoop on you.
Putting on my paranoia hat for a moment there is one large caveat to all of this. You can go to all the trouble of locating your email services in a favourable jurisdiction, encrypting messages so they cannot be read by anybody other than the intended recipient, and only using SSL/TLS connections to mail servers. However, what about that recipient? You have to put trust in them not to reveal the contents of the email to any other organisation or person. Put simply, if you 100% do not want something discovered then don’t put it in an email message and click the send button.