Email Encryption: Worth the Trouble?

What is PGP?

What do you have to do to get email security these days?

It's not easy. For one, we know from documents released by Edward Snowden that the NSA can — not necessarily does, just can — surveil massive amounts of electronic communication, storing what it finds in an extensive database for later analysis.

However, there is a limit to what the NSA can do: if your communications are encrypted with a strong enough password (at least 20 random characters) and the NSA intercepts your message, all they'll see is encoded gibberish.

So how do you encrypt your email? Turns out, it's not easy. Lavabit, a free service that used to offer end-to-end encrypted email, has shut down, and Silent Circle, which offers a suite of encrypted communication apps, recently closed down its secure email service

MORE: 13 Security and Privacy Tips for the Truly Paranoid

That leaves you wading through the confusing, poorly documented tangle of open-source programs and software projects.

Finding the right encryption program

Finding an up-to-date program that uses proven encryption algorithms is the easiest part. Then you need to find something that works with your computer setup — something compatible with your operating system, desktop email clients and email service.

If you type all these criteria into Google — "Gmail Chrome encryption," for example — you'll find several Chrome apps to choose from. However, most encryption programs are still difficult to use because their graphical user interfaces (GUIs) are either roughshod or nonexistent. This means users have to navigate many complicated menus or even use the command line to type instructions.

It's hard to ask an average technology user to put in that kind of effort.

"To the extent that [the security] space needs innovation, it is not in the area of cryptography, but in the area of user experience," said Moxie Marlinspike, a security and encryption expert best known for co-founding Whisper Systems, a data security company acquired by Twitter in 2011.

No more secure email accounts

Earlier this summer, Google argued in court that its millions of Gmail email users had no "objectively reasonable expectation of confidentiality," and that the company had every right to examine all correspondence that passed through its servers.

This may seem shocking, but Google is correct: Legally, it's no surprise that Gmail communications aren't necessarily private.

In the past, people who wanted guaranteed email privacy could turn to services such as Lavabit and Silent Circle. But after it was revealed that former NSA contractor Edward Snowden used Lavabit, possibly to avoid NSA detection while collecting and leaking hundreds of confidential documents, the service shut down, citing unspecified legal difficulties.

"Without congressional action or a strong judicial precedent, I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States," Lavabit founder Ladar Levison posted on the now-inoperable website.

A day after Lavabit shut down, Silent Circle shut down its own encrypted email service, though its encrypted mobile apps such as Silent Phone and Silent Text are still available. Silent Circle's chief technology officer, Jon Callas, wrote that the company had decided to end its email service because it could no longer ensure its users' security.

How PGP works

You may have heard people say they use "PGP," or "Pretty Good Privacy," to encrypt their email.

The name PGP originally referred to open-source encryption software developed in 1991. PGP was so influential that its encryption method, called the "OpenPGP Standard," still forms the basis of most encryption software, apps, plugins and other services found today.

MORE: 5 Free PC Programs Worth Downloading

Security firm Symantec eventually bought the original software named PGP, which is now incorporated into Symantec's paid services. But when people say "PGP," they are usually referring to any kind of software that follows the OpenPGP standard.

PGP-based encryption is still popular for a number of reasons. For one, every OpenPGP user has two encryption "keys," or pieces of information that make an encryption algorithm work, similar to the way a key opens a lock.

One of these keys is public, and one is private. So if you want people to be able to send you encrypted messages, you can give them your "public key." Using this key, your correspondents can encrypt their message so that only you, using your corresponding "private key," can unlock and read the message.

The advantage of this system is that I don't have to worry about my public key falling into the wrong hands. So long as my private key is safe, I can publish my public key on a website, or email it in an unencrypted email, which makes it easy to set up a secure connection with other OpenPGP users.

Setting up PGP

Setting up PGP

This all sounds great in theory, but unless you want to spend more than $100 for Symantec's PGP software, you're going to find that setting up a PGP encryption is easier said than done.

Security expert Robert David Graham of Errata Security called PGP "more trouble than it's worth." However, he said, PGP is probably the best place to start for someone new to encryption.

All of the OpenPGP authorities — insofar as authorities exist in open-source software development — have websites that look straight out of the 1990s.

The site you want is www.gnupg.org, which distributes free, open-source software called GnuPG, or GPG for short, that's based on the OpenPGP standard. GPG was written for users of the Linux and GNU operating systems, but the website also contains links to installation packages for Windows (gpg4Win) and Mac (GPGTools).

You're finally in the right place! Now all that's left is a solid hour or two of setup as you make your way through gpg4Win or GPGTools' long, but thorough instruction manuals. By the end of it, you'll have PGP-based encryption functioning on Outlook for Windows (if you used gpg4Win) or Apple's OS X Mail app (if you used GPG Tools).

But what if you don't use either of those clients, but instead use a browser? If you want to send and receive encrypted email via a browser-based email service, or webmail, you can install a browser-specific plugin. That plugin will act as a bridge between your browser and the PGP software already downloaded onto your computer.

To find the appropriate plugin, check your browser's app store or do a Google search for your browser's name plus "PGP plugin."

Why webmail doesn't cut it

Why isn't there an easier way to go about setting up PGP? Marlinspike says it's more than just a simple question of developing better user interfaces.

"When it comes to secure email, it has long been time to throw out the PGP model and start over," Marlinspike told us. "Unfortunately, however, for the past 13 years, the development of a usable secure email system has been blocked by one thing: webmail."

People love the convenience of webmail, but it's just not as secure as a desktop client, and therefore many cryptographers simply don't bother writing browser plugins for email encryption. "It is simply not possible to produce a secure email system that works in the webmail context," Marlinspike told us. "So most people who are interested in working on secure email haven't even bothered, because it's a non-starter."

Marlinspike says there are no browser-based encryption services that he could recommend "with a straight face."

In email, as with all online communications, privacy comes at the expense of convenience. So it's up to users whether they want to switch to desktop email, and thus increase their security, or continue to use webmail.

"It's a matter of tradeoffs," said Graham. "How much time do you want to spend learning this stuff, and how much do you fear the NSA?"

 Email jscharr@techmedianetwork.com or follow her @JillScharr. Follow us @tomsguide, on Facebook and on Google+.


About the author
Read more
This thread is closed for comments
3 comments
  • google says you have no right to expect privacy because you send mail through its servers?... wrong... there is no difference between an email and a phone call. in the 80's and 90's you plugged your telephone into a modem and sent your data. the only difference is the technology has matured and switched to digital but is based on the same premis. so is still covered by your governments wire tap laws.

    the problem arises because the judges dont understand this basic fact. they may be electronic communication but they are still communication between 2 persons. so should be subject to the same privacy laws as a telephone call on a land line.

    another thing... you hand write or type a letter, stick it in an envelope and post it... by googles interpretation they would have the right to open the envelope to read the contents of the letter when it hits there sorting office... no they dont have the right to do that. in fact its a federal in the u.s offense and offense against the crown in the uk. both of which carry hefty sentences. the only difference between an email and a letter is the delivery method. the idea behind it is the same. communication... google may be trying to tell you different but they are in the wrong... basically there hoping if they say it often enough it will be true... dont listen, demand privacy or stop using there services...
    -1
  • This quote from the above article is simple bunk!:
    ' People love the convenience of webmail, but it's just not as secure as a desktop client, and therefore many cryptographers simply don't bother writing browser plugins for email encryption. "It is simply not possible to produce a secure email system that works in the webmail context," Marlinspike told us. "So most people who are interested in working on secure email haven't even bothered, because it's a non-starter." ' There is nothing different about web based email systems regarding message security with PGP or GPG from standalone email clients. What is needed is a standalone PGP or GPG client which encrypts a text message offline into a PGP or GPG encrypted message which can be saved locally as a file, or just copied and pasted into a blank email message, whether that is on a standalone email client or one that exists on a web page, like Gmail, Yahoo mail, or whatever. The message is already encrypted, and is unreadable no matter which email system sends it! Same at the receiving end. The message is encrypted whether on the web page or in Outlook, or Windows Live Mail, or Apple mail, or Gmail, or Yahoo mail, or Eudora, or Pegasus Mail or anything else! The encrypted message then just needs to be copied into a text editor and/or pasted directly into desktop PGP or GPG, where it can be decrypted and read! Voila!!!
    0
  • At least for busineses, we have a product called Ccure Pro (www.ccurepro.com).This products takes care of email and text message encryption as well as allows to safly exchange documents within the team.
    0