
E-mail (and why you should encrypt yours)

E-mail is not secure because it was never meant to be. Should you encrypt yours? Most definitely.

The standard case in support of encrypted e-mail frequently begins with a reminder that safeguarding personal information that may be in the e-mails is always smart. Nothing wrong with this line of reasoning. However, I would like to start from a different point. Answer this question for yourself: Do you think that it is reasonable that governments log every on-line communication without the consent of the content creators? I say no. Don’t agree? Consider it this way: what would Americans think if a new law were passed that said that from now on, all letters and packages traveling through the postal system would be opened, copied, and put in a permanent file under their name? Birthday checks from grandma (did you file this as income?), love letters, everything… seems like a substantial abuse of power and a perfect metaphor for what is reportedly happening with e-mail. Nosy and rude, very unduude-like.

I am not blind to the fact that a motivated government can and will get to the contents of just about anything they want, including the contents of encrypted e-mail. The goal here is to make it time-expensive for these nosy parkers to get anywhere. It is as much a protest and an indication of my lack of consent as anything else. Truth be told, there is not much in my e-mails that would qualify as juicy, sensitive or illegal.

If most people did it, the traffic background radiation would be high enough that it would not be worth the trouble to log it. And that is the point.

One beautiful thing about e-mail is that it is not owned by anyone (although Google is about a third of the way there). Anyone can, and does, use it. But governments and shysters have no single point of control to target. Process papers cannot be served on a protocol.

However, there are a host of e-mail providers, including a couple of dozen that offer end-to-end encryption. Two of the more frequently discussed are Hushmail out of Canada, and Protonmail from Switzerland. I completely expect that these are noble folks and they are fighting for the forces of sunshine and goodness. For today. However, each of these is subject to the laws of the jurisdiction in which it operates… laws and customs can change. A good example of this is the change in anonymity of Swiss bank accounts. After being the mainstay of fiction plots and real-life seekers of anonymity, in late 2014 many of these banks rolled over and voluntarily revealed to United States law enforcement details about Americans who had Swiss accounts, and how much was in these accounts. Before that, in 2009, UBS, Switzerland’s largest bank, agreed to pay a $780 million fine relating to allegations of concealing identities and assets from the United States Internal Revenue Service. The United States found enough leverage to squeeze the business and got what they wanted. If this could be done with cash, I posit it could be done much more easily for e-mail and other data.

Forget the idea that an e-mail provider can just insert a government-only back door. Government secrets are leaked frequently, and if they are not leaked then they are hacked. Steganography is not security.

Even worse than being pressured to give it up would be to give it away for free. In late 2013 and 2014 Yahoo! had a breach of something north of a billion (yes, with a ‘B’) accounts… e-mail and all. In fact, there is a reasonable chance that one of those accounts was mine, back in the day. But here is the choicest nugget of all from this story. Yahoo! sat on the fact that they had been p0wned, not making a public disclosure until after they had engineered the sale of the company to Verizon. Two. Fucking. Years. Later. I am looking for a word, something like ‘gross negligence’ but way stronger. I can’t even.

So here’s the rub. Encrypted e-mail is good, but trusting someone else to do it for you is problematic. What to do? Do it yourself. Easy to do? Not exactly, but it is within grasp, if you are willing to stick with it for a bit. Pursuing this route allows you to ‘Trust No One’ or maybe better said as

“Trust the math.”

Or at least trust Phil Zimmermann and the subsequent cadre of coders who have audited his code for GNU Privacy Guard, GPG (also called Pretty Good Privacy, PGP)… legal, audit-able encryption free for the masses. He has street cred in my book. Unfortunately, he spent years being harassed by the United States Customs Service for allegedly violating the ‘Arms Export Control Act’, where the United States government maintained that cryptography was a ‘munition’. By allowing people outside the United States to use his cryptography software, he was an illegal arms dealer. Zimmermann is possibly tied for first place with Ladar Levison of Lavabit, also a bastion of duude-ness.

Good news is that you cannot put the genie back in the bottle. Now that encryption software, or better put, ‘no cost and audit-able open source encryption software’, is widespread (and it is), no amount of laws from governments can extinguish its availability. It might be ruled unlawful to use, but it will not be possible to stop parties who have decided to use it. GPG, S/MIME, or something else… it’s free for the taking.

There are some good tutorials out there on how to set this up. I have set mine up using Thunderbird (mail client). There are other ways to do it as well. This task is best begun by rolling up your sleeves, firing up your search engine of choice, and taking the first step. Maybe in the future I will do this in more of a how-to posting.