// Insofar as is possible this is a non-technical answer to the question. Tl;dr: I list secure email providers at the end of this post. //
Email is inherently insecure, it was built with private communications in mind but realistically an email is as insecure as a postcard.
When I send an email from Oxford to San Francisco from Gmail to Yahoo! Mail my email is susceptible to numerous interception techniques either in transit or on Google or Yahoo!’s servers. In this scenario my Email has 7 interception points: On my computer, in transit to Gmail’s servers, on Gmail’s servers, in transit from Gmail to Yahoo!, on Yahoo! Mail’s servers, in transit to my friend’s computer, and finally on my friends computer. And a chain is only as strong as its weakest link, so if both my friend and I work hard to protect our computers from hackers we still rely on Gmail and Yahoo! protecting our email.
Who wants to hack you
There are 3 groups we want to protect against when sending an email. Government agencies (read: NSA), the email provider, and hackers (read: organised crime). You can’t protect against two and not the third, if Gmail can access your emails so can the NSA and if the NSA builds a backdoor into a service that backdoor is accessible by others. You have to stop all three groups accessing your email because if just one group has access, then all three have access.
Reasons they want access to your email:
NSA: Mass surveillance and individual targeting.
Gmail: Keyword scanning for advertising.
Hackers: Spamming, stealing bank details, identity theft, the list is limited only by imagination of how you can make money with stolen personal details.
Below is a diagram from Brian Krebbs, a security researcher, which shows your email is more valuable than you think.
How you are vulnerable
There are various methods of intercepting your email at any one of those 7 access points. A quick method (read: 1 hour) involves hacking into a location in Cardiff where the Transatlantic Communications Cables (TCC) begin, setting up a node to intercept the email and then waiting for me to click ‘send’.
The NSA is able to use all 7 of the access points I’ve mentioned. From what I’ve learnt from Jacob Appelbaum and Glen Greenwald’s articles on the NSA’s ‘collect it all’ culture it’s likely that they are making use of all 7 and others that I don’t know about.
See this NSA powerpoint slide.
PRISM is a surveillance program started by the NSA (later with involvement from the UK’s GCHQ) that collects your emails. Notice how Microsoft, Yahoo! and Google – the world’s largest email providers, with a combined 1.2 billion users – were first to be part of the program. Email is still the number one method of communication on the Internet, with more users than Facebook or any other service. So its importance to folks like the NSA is clear – if you’re sending an email you should assume its ending up on Prisms servers and Ed Snowden’s former colleagues have easy access to it.
Outside technical privacy flaws inherent in Email, we can also take a look at the laws protecting the privacy of email users. The majority of email users send email with a United States email provider, this includes Gmail, Hotmail and Yahoo! Mail. As we saw with the demise of Lavabit, that’s not the safest place for your emails or your privacy.
– After 180 days of sitting on a US email provider’s server your email becomes US public property, source: No One Is Talking About The Insane Law That Lets Authorities Read Any Email Over 180 Days Old.
– One survey showed 55% of US employers monitor and read their employees’ email, source: Smart Policies for Workplace Technologies.
– Lavabit’s story is worth reading, it was the email provider of Edward Snowden up until it was closed last year. We can conclude that no email is safe from prying eyes while on a US company server, I believe Ladar Levison wrote something similar as a PSA on Lavabit.com before he lost his appeal earlier this year.
– Read Glen Greenwald’s No Place to Hide: http://www.amazon.co.uk/No-Place…
Metadata, or data about data, is also important. For example the metadata of this Quora answer will be the time it was written, the writer, how long I was on the Quora site for, my location, what browser I’m using, what exact computer I’m using, local time on my computer… the list is so long that I wont continue. To put this into perspective, there is usually more metadata attached to emails actual data. Metadata follows you throughout the web and is arguably more valuable than actual data. Fantastic talk by one of my heroes, Mikko Hyppönen: How the NSA betrayed the world’s trust — time to act – he briefly delves into the ‘it’s just metadata’ argument.
When you send an email all of this metadata is sent with your email. When you reply or forward an email you include all the metadata from the previous email. For example, if a group of people are having a conversation over email then with the simple hack I mentioned above you could gain access to the usernames and locations of everyone in the conversation and the subject of discussion all without ever reading the emails. More: What Your Email Metadata Told the NSA About You. This is a great tool for freaking people out, I thoroughly recommend spending a minute using it: a people-centric view of your email life.
A final thing to mention is the fact that when you send an email to someone using Gmail, even if you’re not a user, you automatically give Google everything about you – you don’t need to agree to their terms and conditions (which includes reading your email, last week’s news: A Good Result That Raises Questions, Google Uncovers Child Porn in Gmail). This goes for all US-based email clients.
What you can do
So email is insecure, data and metadata reveal an awful lot about you and you’re setting yourself up for a major privacy invasion by using Gmail, Hotmail and Yahoo! Mail. But there’s hope. As Ed Snowden said earlier this year: „We’re past the point where citizens are entirely dependent on governments to defend our privacy, we don’t have to ask for our privacy, we can take it back“ (Reset the Net).
„All intelligence services… all of them, are afraid of easy to use, secure communications tools.“ – Jacob Appelbaum.
Asymmetric encryption is the answer, it’s one of the things we can rely on and it’s easy to use. I’ll list secure email providers at the end.
Step 1. Use encrypted email:
Pretty Good Privacy (PGP) encryption is a tool which allows you to turn the content of emails into meaningless gibberish for all but the sender and receiver. There are easy to use email clients that make this possible. More info: https://en.wikipedia.org/wiki/Pr….
Step 2. Use a non-US email provider:
Using geography to protect your emails is a start but not reliable, I’m writing a blog post on it currently. For example the privacy laws of Germany or Switzerland are better than the privacy protections offered in the United States or the UK. But the US government can still send its citizens subpoenas even if they’re in Switzerland. But taking your email outside the US is essential for privacy, even using Naver would do, I doubt the NSA have access to the Korean email provider and even if they did, they don’t have the man-power to translate billions of Korean-language emails.
Step 3. Don’t trust your email provider:
Taking your email out of the US is a start, but the ideal (easy to use) solution would be a zero-knowledge email provider. Zero-knowledge means the company cannot access your emails unencrypted and only ever has access to encrypted data. More info on this: http://zeroknowledgeprivacy.org/.
Step 4. Host your own email server (minor technical ability required)
Rolling your own email server isn’t as hard as it sounds and it removes a couple interception points from the 7 I mentioned above. It means you’re the admin of your email and you’ll be the guy the NSA will ring up to build a backdoor into your server.
Here’s a list of email privacy solutions:
Mailpile is a self-hosted email client: https://www.mailpile.is/
I work for Lavaboom: https://lavaboom.com/en/
There’s also a very good list here: http://prxbx.com/email/
Bill Franklin, worked at Lavaboom
81.2k Views · Most Viewed Writer in Email Service Providers