Email privacy crash course – Part 4: Usability vs. Security
The previous articles in this series covered email Encryption, Metadata and Anonymity. We shall now explore the often neglected but arguably the most important aspect of email privacy solutions: usability.
Why is usability important?
Ninety-nine per cent of the users will drop an email privacy solution like a hot brick if it makes email difficult to use. Unfortunately, some email privacy providers are enamored with the technical/crypto part of their solutions and fail to make them easy to use. Others do invest in usability but struggle with keeping their solutions secure. Typically for the available email privacy solutions, the more secure the solution, the less usable it is. Let us examine the security/usability trade-offs in a representative sample of existing solutions, as shown in the following picture.
Security of stand-alone PGP clients such as browser plugin-based Mailvelope, native client-based Enigmail or mobile app APG is relatively very good: their decryption keys are generated and stored on your device; their code is open-source, is stored on your device and can be signed and recompiled by the user to verify its authenticity. However, the stand-alone clients are notoriously difficult to use. They burden users with key management, including manual import of addressees’ public keys and manual synchronization of keys between desktop and mobile devices. This makes usability of stand-alone PGP clients unacceptable for a great majority of email users – except geeks and dedicated privacy buffs.
On the other end of the security/usability spectrum are the server side encryption (SSE) services such as StartMail, Hushmail and TorGuard. Usability of these solutions is perfect: they allow use of any standard email client on any mobile or desktop device. However, their security is unacceptable. We have described this in detail in Part 2 and can only repeat here – do not use these services unless you are OK with your emails being disclosed in clear text to the “secure” SSE service providers.
Tutanota (and apparently also Ghostmail) go a step further by facilitating a single password for both account access and private key decryption. While having to input one password instead of two improves usability, Tutanota achieved this by doing client-side password hashing – a technique widely considered to be insecure. Since Protonmail uses two separate passwords, it is more difficult to use but more secure than Tutanota. Note that unlike the SSE and stand-alone PGP client based solutions, both Protonmail and Tutanota suffer from people network and ubiquity limitations. These are discussed in detail in Part 5.
While choosing among email privacy solutions you should, among other factors, balance security and usability. Bear in mind that, as discussed in Part 3, all the email privacy services mentioned above encrypt email content but fail to protect your metadata.
Are you a privacy purist?
In cases of privacy being extremely important to you and the other party willing to cooperate, by all means consider using such schemes; but if you are just an email user who does not like the idea of mass surveillance or wants to keep his personal and business transactions private, stick to one of the PGP-based email privacy services that provides you with an optimal combination of usability, people network and metadata protection.
Solutions in development
Some interesting new solutions that are still in development (more about it in Part 6: Make your choice).
Mailpile is a stand-alone PGP client with a twist: it periodically downloads all your email into your computer and deletes it from the server. You can access your email at your computer (when it is running), or from another computer using a browser. However, this creates serious issues with both security (you need to secure your computer very thoroughly) and usability (your mail can be lost unless you spend a considerable effort on backing up your computer; for outside access you need to reconfigure your home firewall, which is beyond almost all users).
DarkMail is a complex new specification and open source development led by the former owner of Lavabit. DarkMail encrypts email metadata in a way that minimizes its exposure as the email traverses the untrusted networks, and provides separate encryption of different parts of email messages, significantly improving security. However, usability of DarkMail is questionable, as it requires both replacement of email clients and modification of the entire SMTP infrastructure. We do not believe that such modification is possible in the observable future.
What about non-email messaging?
This series is about the privacy of email, not of instant messaging. The great, unbeatable advantages of email are its ubiquity and usability – everybody uses it, and it is easily accessible from any device. However, instant messaging has also grown to be very popular, and some IM services are more advanced than email in protecting your privacy. Below is an overview of a sample of such services, along with some advice to privacy-sensitive users of IM.
Do not trust “secure” IM providers that do not publish their source code. This includes Apple’s iMessage, WhatsApp, Google’s Allo, Threema and Facebook’s Messenger. If they do not publish the source code, you (and the security research community) can never know what they are really doing. End-to-end encryption conflicts with other services they are trying to piggy-back on their IM, such as AI bots. Moreover, they often issue misleading statements or tell half-truths. For example, WhatsApp are backing up your messages unencrypted on Google servers – not exactly our idea of end-to-end encryption. Google made their Allo non-encrypting by default – who knows how many users will overlook this. Reportedly Facebook plan to do the same with Messenger. Apple can read your iMessages stored on iCloud for backup.
Pure open source IM providers are more trustworthy but you need to do some research and read reviews. Among these, Bitmessage, Signal, Telegram and Ricochet, while still being considered experimental as they have not suffered through many years of hacking attacks, are popular. Unfortunately, they cannot even come close to the people network, ubiquity and ease of use of email or WhatsApp, and thus their use remains very limited (with the exception of Telegram that was taken up massively in Iran). Telegram is, however, considered by the security community to be problematic in terms of operational security.
Decentralized secure IM services provide better anonymity and resilience to attacks. Telegram and Signal use central servers, which makes them vulnerable. Moreover, both of them require your phone number for authentication or registration, defeating anonymity. The decentralized, peer-to-peer Bitmessage and Ricochet seem to be (experimental but) solid. Both feature end-to-end encryption and excellent metadata protection and anonymity. However, neither of the two is available on mobile devices, implying poor usability. Also, do not use Bitmessage in their “email” mode – this turns out to be just another SSE service as your messages emerge unencrypted on their email gateway.
Our next article is Part 5: Ubiquity and people network.