Email privacy crash course – Part 1: Introduction

Privacy crash course part-1: Introduction diagram

Email is essential. Almost every adult connected to the Internet uses it. Consumers, businesses, governments, political organizations, non-profits – we all use email on a daily basis. Unfortunately, email is transmitted using systems and protocols that were designed decades ago, when awareness of security and privacy issues was low. Almost all email is transmitted in the clear, and is easily intercepted and monitored by service operators and intruders. Of all the Internet privacy and security risks, email arguably poses the greatest risk of all.

In this series of six articles we will explore how typical email users can enhance their privacy using the right tools. We will also provide a comparative overview of the major email privacy tools and services available today. The major aspects of email privacy, including encryption, metadata, anonymity, usability, ubiquity and people networks, will be discussed, and practical recommendations will be provided.

How worried are you?

Snowden’s revelations created unprecedented public awareness of government surveillance. In addition to covert surveillance, governments routinely try to force email service providers to give them access to customer emails, often successfully. Recent attempts by the US and UK governments to legalize dragnet collection of email (and other) metadata met with strong public resistance.

Moreover, breaches such as those at Sony, LinkedIn, Twitter, Ashley Madison and Rosebutt exposed businesses and millions of people to embarrassment and extortion through exposure of the contents of their emails (and, through their email addresses, of their use of certain services). Hillary Clinton’s reckless use of her home email server for confidential communications and the recent breach of the Democratic Party email servers by Russian hackers drew further public attention to the potentially dire consequences of leaking political and government secrets via compromised email.

Government surveillance efforts and criminal hacking are more than matched by predatory intrusion into our email privacy by Internet giants. To name a few, Google’s and Yahoo’s privacy policies state that they scan their customers’ email. Apple’s privacy policy states that it stores email on iCloud, unencrypted. While Apple claims that it does not read your email, trusting them on this is a judgment call.

So how worried are you, the email user? In our experience, users can be broadly categorized in terms of their privacy awareness as oblivious, in-denial, bewildered, need and must-have.

“Oblivious” users simply do not care about digital privacy. Teenagers probably form the largest part of this group. Good luck to those trying to convince them otherwise before they grow up.

“In-denial” users know that they are being surveilled and intruded upon, but prefer to close their eyes and say “I have nothing to hide”. This is a futile statement. We all want and need privacy while communicating with our lawyer, accountant, medical care provider, job recruiter or business partner. This does not make us criminals who have something to hide.

“Bewildered” users are a fast-growing group of people who know that something is wrong with their email privacy but do not know what to do about it, as they are not knowledgeable about the available tools. We hope that this series will help them to make their choice.

“Need” users have a clearly defined need for privacy, but often struggle with the usability and/or total cost of ownership of the available tools. Business users form the largest part of this group.

“Must-have” users know that if their email privacy is breached, their freedom and physical security are in danger, and they may even die. Whistleblowers, and Iranian dissidents reporting on the niceties of the ayatollahs’ regime to journalists, are two examples of this.

In the upcoming articles we will highlight the existing solutions that may be suitable for each of the above user categories. You may ask: why do people with different awareness levels need different email privacy solutions? The answer is that, unfortunately, there is no single perfectly usable solution today. Different solutions provide different levels of usability and privacy (typically, but not always, the more usable the solution, the less secure it is). People will only use a privacy solution when it strikes a proper balance between their risk awareness and the usability penalty they are willing to incur.

A word about the fearmongering used by some governments to convince their parliaments and constituencies that email surveillance is absolutely needed to fight terrorism and child pornography. Contrary to what they want us to believe, terrorists and child pornographers virtually never use email – they prefer more exotic, difficult-to-use but highly secure communication methods. Conversely, at the time of attacks terrorists sometimes use completely insecure communication channels (as they did in Paris), and for recruitment they use open social media. This article is not for them.


What is email privacy all about?

Most people think that email encryption is synonymous with email privacy. This is not the case. While email content encryption plays an important role, other factors strongly affect your email privacy.

These include metadata – the curse of email that makes surveillance possible even if email content is encrypted; anonymity – the prevention of disclosure of your email address (which is often the same as your identity); people network – the availability of people willing to use compatible tools to communicate with you securely; ubiquity – the ability to make secure use of standard email services; and usability – arguably the biggest obstacle to email privacy, as people tend to give up on privacy if achieving it makes using email difficult. In the following articles we will discuss each of these in detail.
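The metadata point above is easiest to see on a real message. As an added illustration (not code from the original article), the script below uses Python's standard email library to parse a constructed PGP/MIME message (RFC 3156 layout) and a cleartext twin of it, and reports what a relay on the delivery path still learns from the headers when the body is encrypted; the addresses, hosts and armored block are placeholders.

```python
"""What a mail relay still sees when the body is PGP/MIME encrypted."""
from email import message_from_string
from email.policy import default

# Constructed sample in PGP/MIME layout. The armored block is a placeholder,
# not real ciphertext; only the message structure matters here.
ENCRYPTED = """\
Received: from mail.example.net ([192.0.2.10]) by mx.example.org; Mon, 05 Sep 2016 10:15:02 +0000
Received: from [198.51.100.7] by mail.example.net; Mon, 05 Sep 2016 10:14:58 +0000
From: Alice <alice@example.net>
To: Bob <bob@example.org>
Subject: Re: draft contract for the lawyer
Date: Mon, 05 Sep 2016 10:14:55 +0000
Message-ID: <20160905101455.1234@alice-laptop.example.net>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="sep"

--sep
Content-Type: application/pgp-encrypted

Version: 1

--sep
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
PLACEHOLDERCIPHERTEXT
-----END PGP MESSAGE-----

--sep--
"""

# Same headers with a cleartext body: what most email looks like on the wire.
PLAIN = ENCRYPTED.split("MIME-Version")[0] + \
    "Content-Type: text/plain\n\nPlease sign the attached contract.\n"

# Header fields every relay on the path can read regardless of encryption.
EXPOSED_HEADERS = ("From", "To", "Cc", "Subject", "Date", "Message-ID")

def relay_view(raw):
    """Return what a relay learns: cleartext headers, hop trail, body status."""
    msg = message_from_string(raw, policy=default)
    # RFC 3156: an encrypted body is multipart/encrypted with the PGP protocol.
    encrypted = (msg.get_content_type() == "multipart/encrypted"
                 and msg.get_param("protocol") == "application/pgp-encrypted")
    exposed = {h: str(msg[h]) for h in EXPOSED_HEADERS if msg[h] is not None}
    hops = [str(r) for r in msg.get_all("Received", [])]  # every relay so far
    body = None if encrypted or msg.is_multipart() else msg.get_content()
    return {"body_encrypted": encrypted, "exposed": exposed, "hops": hops, "body": body}
```

Run `relay_view` on both samples: the subject line, correspondents, timestamps and Received trail are identical in the two results, and only the body differs.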

Email privacy diagram

So what are your options?

Quite a few email privacy tools exist, and new, more advanced services and tools appear to be on the way. Among others, email clients with built-in or add-on PGP encryption are widely available (albeit difficult to use). Closed end-to-end encryption services such as Protonmail and Tutanota cater to the needs of people who are willing to communicate only with other users of the same service and to use a dedicated email address and storage. Server-side encryption services such as Hushmail and Startmail provide high usability at the expense of foregoing end-to-end encryption. Tor-based services such as SIGAINT provide excellent anonymity but low usability and no encryption. Decentralized experimental services such as Bitmessage provide excellent all-around privacy and confidentiality, but have low usability and a very small people network. Choosing your email privacy protection tool can therefore be daunting. In the following articles we will try to help you make an intelligent choice that fits your needs, privacy awareness and usability tolerance.

You can proceed to the next article: Email privacy crash course part 2: Encryption or go straight to Part 6: Make your choice.


7 comments

  1. Brandon

    ‘Closed end-to-end encryption services such as Protonmail and Tutanota cater to the needs of people who are willing to communicate only with other users of the same service.’

    Protonmail has a work-around where non-Protonmail users are sent a link to the encrypted email. The user enters a password and decryption takes place in the user’s browser.

  2. EasyCrypt

    Correct, and so do Tutanota and other closed systems such as HPE SecureEmail. This, however, requires that the sender use a separate secure channel to communicate the password for opening the message to the recipient, and the encryption is not end-to-end in such a case.

  3. Peter Šurda

    Current PyBitmessage (0.6.0) has a lot of usability improvements compared to 0.4.4, and has an email gateway integrated, so you can send/receive emails directly. You’ll lose some security that way, but you’re still anonymous and can still use PGP.

    [disclaimer: I’m involved in the project]

  4. Justarandomdudefromearth

    To the author: your article is very, very well written, full of useful information for noobs (links to every interesting program, etc…) and less-noobs too. I really loved it and am keeping your website as a favorite, hoping to see Parts 2, 3 etc… soon 🙂

    I learnt I am in the “in-denial” box because I usually say I have nothing to hide. On the other hand, because I am curious and always want to learn and try new things, I regularly use ProtonMail to exchange with some friends. I spent a lot of time trying to convince (with little success) all my friends to switch from whatever messenger app they were using to Signal. I don’t use Facebook, Twitter, Instagram and these kinds of things (I don’t even have any idea what half of them do!)… But I tried Hubzilla, just to see… I tried uTox and Ricochet for some time in the past, as well as Bitmessage solutions (still using Bitmessage as an email address, btw). I also tried Tutanota for some months a long time ago (should really give it another try!). And also, for fun and to learn what it is and what it does, I tried I2P and different email services using Tor (Lelantos, Sigaint, etc…). In the end I only kept the few things I use regularly. I would love to use more of them every day, but the fact is, among my friends… no one (except very few people) wants to leave the probablynotsosecurenotsoprivate service they have used for years to communicate or share. And when I ask why, the answer I get from them is always the same: “because all my friends use what I am using right now!”. So having friends switch from well-known services/companies (Google, Facebook, WhatsApp, Viber, Microsoft, etc…) is a pain in the a**, and because of that situation I end up being almost alone in my friends’ network in using a moreprivateservice to communicate. Or we are 2 or 3 max, and even then the others don’t use the service so often; they just tried it to make me happy and that’s it.

    Websites like yours are great because they are easy to understand. They present options in a way which makes them interesting for anyone who wants to give them a try. So thanks for your efforts 🙂

    Btw, found this page from the reddit page of PrivacyTools. Please continue this great project! :-)))

    • EasyCrypt

      Thank you Justarandomdudefromearth, we are glad to hear that you find the article useful. Our diagnosis: you appear to be Bewildered rather than In-Denial, and you clearly suffer from the People Network syndrome 🙂

      Please stay tuned for the following articles, we love comments!

  5. Robert Estlinbaum

    Cheers

  6. Cloud Security

    Great topic that could be forwarded to a lot of corporate email users, including senior leadership.
