14 Mar Keep Your Secrets Secret: Secure Email Edition
What to do to keep your communications under your control, and why you should do it.
This post has been a long time in the making, and my apologies if you came in here today expecting some swinging foreskin, or slutty comics. This one is très serious and I’ll need your full attention please.
After the response to this thread yesterday, and the results of this survey, it’s clear that we all could use a primer in how best to communicate when we can’t trust the services offered to us by Big Tech.
I don’t say any of this to be snobby or elitist. But because I love you and I want you to understand and access (mostly FREE!) tools that can keep you and the people you engage with safer.
What I want to talk about today is email, specifically. But we will go on to cover texting and private messaging later.
What is encryption?
Encryption, at its simplest, is merely the conversion of information (say for example, your personal emails) into code. This code can only be decoded using the same key that was used to encode it in the first place. Without that key, it is merely useless, indecipherable nonsense.
What are encryption “keys” and how do they work?
There’s literally no way that I can explain this better than Panayotis Vryonis did in his Medium article from 2013. Take a quick second and pop over to this 4-minute read about Anna and her keys.
Did you read it? It was easy right? There’s no reason to over-complicate things sometimes, and Mr. Vryonis did a great job of creating a memorable analogy for encryption keys. Even though that article was from 2013, that process still works the same way today.
Isn’t my email already secure/encrypted?
Short answer: Not like you think.
Long answer: Major email providers do work hard to present your email to you in an *interface* that is encrypted (usually using HTTPS/SSL within the browser you use to read it – the same way Amazon does to take your payment information). But while your mail is in transit from one server to another (most blatantly between differing providers – say, Gmail to AOL, or AOL to Hotmail), it is often sent in total cleartext.
That means that your words are obscured in NO WAY during transmission from your inbox to someone else’s. It would be like mailing a letter to someone in a cellophane envelope.
Anyone with a vested interest in seeing what you have to say could intercept all of your email, both in and out, without your ever being aware of it. Additionally, just as a kick in the teeth for no reason, Gmail stores things in your Sent folder COMPLETELY UNENCRYPTED. So copies of all of your messages, even those sent with forced encryption, are kept in your account without disguise.
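For the technically curious, here is an added example (not part of the original post) that reads the Received headers of a message and reports which server-to-server hops used TLS. The sample message, its hostnames and its addresses are constructed, and the check assumes the servers record the standard `with ESMTPS` style keywords.

```python
import email
import re

# Constructed sample message (not real mail): three hops, the middle one unencrypted.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.9])
\tby mailstore.recipient.example with ESMTPS id abc123;
\tWed, 1 Jan 2020 10:00:03 +0000
Received: from relay.sender.example (relay.sender.example [198.51.100.7])
\tby mx.recipient.example with ESMTP id def456;
\tWed, 1 Jan 2020 10:00:02 +0000
Received: from laptop.local (unknown [192.0.2.44])
\tby relay.sender.example with ESMTPSA id ghi789;
\tWed, 1 Jan 2020 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: constructed sample

hello
"""

# "with" keywords that mean the hop used TLS (RFC 3848 and later registrations).
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
HOP_RE = re.compile(r"\bby\s+(\S+).*?\bwith\s+([A-Za-z0-9]+)")

def hop_report(raw_message):
    """Return (from_host, by_host, protocol, used_tls) per hop, oldest first."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Each server prepends its Received header, so reverse for chronological order.
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(header.split())          # undo header folding
        sender = re.match(r"from\s+(\S+)", text)
        hop = HOP_RE.search(text)
        by_host, proto = (hop.group(1), hop.group(2).upper()) if hop else ("?", "?")
        # Some servers omit the S suffix but note TLS in a comment instead.
        used_tls = proto in TLS_KEYWORDS or re.search(r"\bTLS", text) is not None
        hops.append((sender.group(1) if sender else "?", by_host, proto, used_tls))
    return hops

def cleartext_hops(raw_message):
    """Hops whose Received header shows no sign of transport encryption."""
    return [(f, b) for f, b, _, tls in hop_report(raw_message) if not tls]

if __name__ == "__main__":
    for f, b, proto, tls in hop_report(SAMPLE):
        print(f"{f} -> {b}: {proto} ({'TLS' if tls else 'CLEARTEXT'})")
```

Headers added before the message reached your own provider can be forged, and a TLS hop only protects the message while it travels, not while it sits on either server.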
No. I’m pretty sure Gmail is encrypted and secure.
Cool. I’m not here to argue with you. I’m trying to explain why specific channels might not be the best way you could do things. If you’ve got a raging hardon for Gmail, by all means…
And truthfully? Gmail is probably pretty secure in a lot of ways. You’re right. But it is important also to consider to whose allegiance Google swears. In other words – is Google really on your side? Or, like Yahoo before it, would it bend to even the mildest of NSA requests to hand over all of your communications?
You would never know, and (this part sucks and I’m sorry) it may already be happening, and Google may legally be prevented from informing you about it (or any attempts they may be making to fight it) by a gag order included in the NSA directive.
Something you might keep in mind about the internet (and how you share your information in any way), is a saying that originated with the artist Richard Serra in 1973, and has morphed through the years to represent the way that people are treated by corporations like Facebook and Google:
“If you are not paying for it, you’re not the customer; you’re the product being sold.”
In other words, Google really doesn’t have a ton of vested interest in preserving your privacy, especially from government entities with whom it has to play nicely in order to maintain its enormous breadth. And, since you don’t pay for their very convenient and very free service, they don’t have any specific duty or loyalty to you, as the consumer. No matter what public steps they may proclaim they’re taking to fight government interference in your personal life.
So then it’s hopeless?
It isn’t! You just need to be. more. careful.
There are email services that exist outside of the jurisdiction of the United States, that focus entirely on security and privacy. As a result, they often cost money to access the full range of features one might expect from an email provider.
My personal favorite company is called ProtonMail, and we’ve talked about them here before. Proton offers a free tier, in addition to their paid options. If you don’t mind having a @protonmail.com address, the free option might be just the thing you’ve been looking for!
What if I own my domain name and want to use that for my email?
That’s awesome! That’s a branding win from go to whoa. Good on you for keeping things tight.
For just a few dollars per month, ProtonMail Premium offers custom domain support that takes about 10 minutes to set up, using whatever domain registrar you happen to have (maybe GoDaddy, HostGator, or Google Domains – wherever you registered your domain initially).
From then on, you’ll be using YOURNAME @ YOUR DOMAIN .COM, but it will be powered and encrypted by ProtonMail.
Ok. I signed up for ProtonMail, so now all my email is encrypted from end to end, right?
Messages sent from within the Proton network (so from one @protonmail.com address to another @protonmail.com address) are encrypted by default. PGP keys are stored and supplied to encrypt and decrypt natively within the ProtonMail system. Those messages are safe. They can even be set to self-destruct after a set amount of time.
Messages sent from a non-Proton address to a protonmail.com address (so, from Gmail or AOL) are not secure. They are still transmitted in cleartext. The same goes for Proton messages sent to non-Proton addresses (so, from your protonmail.com address to a client’s AOL or Gmail account). They are not encrypted and can potentially be intercepted.
So what’s the point then, if it doesn’t work with Gmail or AOL?
ProtonMail thought of this, actually! There is a feature built into ProtonMail that allows you to send an encrypted message to a non-Proton user, that can only be decrypted using a key that you set and provide to the recipient. This means that you will also need to send a message to them that includes the decryption key. Using a secondary platform (texting, or secure messaging) to share that information is not a bad idea.
Ultimately, the best case scenario is that the people you need to communicate with securely will also sign up for ProtonMail. For basic use it is FREE and has a respectable iOS and Android app that will allow users to utilize it just like they do Yahoo or Gmail.
This is already pretty long. Anything else?
Yes. As far as best practices go, this is a saying you should keep in mind at all hours of all days:
If we learned nothing else from Hillary Clinton in the past two+ years, the idea that email is inherently problematic and that information never really goes away, should haunt your dreams.
Be safe. If you’re not sure if you should say something in a certain way, DON’T SAY IT AT ALL. If you don’t feel comfortable conversing about personal matters with an earthlink.net address, TELL THEM TO STEP UP THEIR GAME. Force encrypted messaging if you have to.
It is NEVER worth it to sacrifice safety for convenience. You are worth more than the convenience of Gmail.