Email Security:
Revelation that the NSA has been looking at more emails than they probably should be raises the issue of how secure are your emails? This will be a multi-part blog about different methods of communication. If you happen to be reading this from outside the USA, then some of this may not pertain to you or it may be even more pertinent. In this country we have the 4th amendment that is supposed to guarantee us the freedom from illegal search and seizure. Over the years what this actually means had changed with different court rulings. Most of us expect our email and other communications to be hands off and secure. This is a fallacy I hope to correct with this and future articles.
How Secure is your Email:
The short answer is, IT’S NOT! Email was originally developed to send simple text messages between computers. Nothing was encrypted – not even passwords. Today email is still the centerpiece of most online communication. Many services use an email account as the basis of the service. Think Gmail.com, Mac.com and Outlook.com. These are used for a lot more than simply sending and receiving email and using an email account for access to other services doesn’t change the security of the email system. The simple truth is that most email is passed around in a basic text format. So even if you are using a secure connection to pass your mail from your machine to the server, most likely from there to the destination server your mail is passed around and stored in plain text. Anyone with access to the server could view and read your mail. Anyone capable of reading the traffic between servers could read your emails. However, at the server level the volumes of email being processed create security through anonymity that would deter most from trying to find a specific email.
There are some services that have tried to eliminate this problem. Hushmail is a Canadian secure email provider. They have several levels of service they offer. It was revealed that a Canadian court forced it to decrypt some users emails and turn them over. Hushmail also offers a version of their mail that utilizes a java applet that runs on the customers machine to encrypt the email. This is the most secure method but still has some vulnerabilities if the applet were compromised.
Lavabit, a US based secure email provider used by Edward Snowden, decided to shut down rather than comply with government demands to divulge information on some of its customers. Silent Circle, another messaging provider stopped their offering of encrypted email offerings as well.
The problem with secure emails is that if someone else holds the keys to your security, then the law allows the government to force that provider to cough up the keys and the data. The only protection for a service provider is if they don’t have they keys. This means that if you really want secure email communication you have to encrypt it yourself and pre-share the key with the person you are sending it to.
If you really must send secure data by email be sure it’s encrypted locally. In my next post I’ll discuss some of the other methods of communication and how secure they are.