With the intense level of “following,” monitoring, tracking, and general oversharing going on these days, it’s easy to forget some people in the world still care about privacy. But as people and businesses continue to shake off old perceptions of security and embrace more online protections, encrypted email services are becoming increasingly attractive. With ongoing news of mishandled or stolen consumer data splashed across the media, it appears our fundamental right to privacy and safe communications is becoming a thing of the past. This has left many people wondering how to better safeguard themselves and their online assets, while still clinging to the last vestiges on anonymity.
Encrypted email offers a great solution and can provide a safe haven for individuals seeking refuge from the ongoing threat of surveillance and monitoring. Whether its intrusion from cyber criminals or government oversight, your email offers the least amount of privacy and security of all modern communications. The truth is, your email accounts are valuable to hackers, as they often open up a treasure trove of personal information related to your life. Criminals find ways into your email using these clever methods:
- Brute force or social engineered attacks.
- Password compromise on other accounts.
- Computer malware used for “keylogging,” which captures passwords as they are entered.
This reality has left many people in search of new ways to safeguard their communications. Now finding themselves at the mercy of prying eyes and internet service providers, there seems to be little alternative. But while most people would certainly enjoy a good boost in privacy, they don’t really understand how encrypted email works. And given their desire to maximize their security and trust—rather than increase their risk—it can feel intimidating to go forth into a land of unknown internet services. That’s why any encryption solution should be fully understood and vetted before being used. By looking more closely at the nuts of bolts behind these services, it is possible to learn the technology’s framework; how you can choose the right provider; and why it is a viable and effective response to the dismal state of personal privacy.
The Computer Handshake
When discussing technology, it’s often easier to put its functions into human terms. Because it is the great brainchild of our species, almost any analogy in real life can be applied to our cyber world. When two devices are looking to make a connection, they must first use what is called an automated “handshake” process to form a relationship. This initial contact also establishes the speed, authorization, and type of connection the computers will use.
A classic example would be the special tone, or computer greeting heard after a modem dials up another modem—just like two strangers uttering a greeting. It also sets up rules for future communications and negotiates the parameters of the established channel. Most encrypted email applications use Transmission Control Protocol (TCP) to set up this first meeting of devices, which ensure every piece of data is properly and reliably transmitted through a three-way handshake. The TCP allows one side to establish a connection, while the other side can either accept or deny the invitation. In this way, the sending device is the client and the waiting side is the server.
Let’s look at the introduction in computer-speak:
- Device A sends a “Synchronize” packet (SYN) to Device B
- Device B receives the SYN
- Device B sends back a “Synchronize Acknowledgement” (SYN-ACK) to Device A
- Device A receives the SYN-ACK
- Device A sends an “Acknowledge” (ACK) message to confirm receipt of the SYN-ACK
- Device B receives the ACK
And in human terms:
A: Hey, I want to talk to you.
B: Okay.
B: I received your request to talk.
A: Okay.
A: I received your confirmation that you heard my request.
B: Okay, let’s start talking!
Now, if this were two people having a conversation, it would be a long night—not to mention a straight up weird one—but machines are different; they need this kind of methodical verification in order to function properly. Humans, not so much.
Sending The Encrypted Message
The TCP connection that enables this handshake is not encrypted by default. Without an additional layer of protection, anything sent over this channel will be seen in plain text and exposed for a cyber attacker to read or modify. This is where encryption comes in. Depending on the method being used, this encoding can be accomplished in a number of ways.
Let’s assume the email provider is using the most commonly used protocol aptly named Pretty Good Privacy (PGP). To send an encrypted message, the sending device will first need to generate a random encryption key that can only be used once for that specific message. It will then encipher the contents of that communication, otherwise known as the “payload,” using that specially coded key. The device will do this by taking the recipient’s public key (which it has gleaned through a “web of trust” authenticating process) and attach a newly encrypted one in its place before sending off the payload. In this way, the message is now carrying an anonymous, encoded header that allows it to move undetected through the network. The whole communication—both the data and encrypted key—are then sent to the receiving device where they are decoded using a reverse of the same process.
Of course, when the message first arrives at its destination, the encryption keeps it from being read. So, the device must detach the coded key from the payload, decrypt the key using its own private one and then decipher the communication using the newly-minted key. Just think about how different levels of security work together, and it makes sense. The message stays locked up tight, but the key goes through a transformation on the receiving end so it can be used as a deciphering tool. Devices on both ends will always have the same public and private keys—these never change between messages. The only key that changes is the randomly-generated one produced by the sending device. It is a disposable key created for one-time use, thrown away once the message is decrypted. This enhances its security considerably. And when the receiving device want to return the message (and become the sender), it employs precisely the same process. In this way, both sides are continually making special, top-secret keys to be used and then destroyed, so no evidence or trail remains.
That said, most encrypted email services on the PGP protocol provide one level of security, as they encode only the messages being sent. However, the communication channels through which they are travelling are not secure, as their data is still being presented in clear text and can be easily monitored and manipulated. By employing a virtual private network (VPN), a user can add another layer of encryption to the process through the encoding of their personal IP address. That way, when a subscriber in San Francisco uses a VPN to go online, their cyber identity is hidden and may appear to be coming from Vancouver, New York, or any number of gateway cities. This additional security measure is an easy and affordable way to maximize the privacy of your communications.
How Does This Relate To Email Providers?
Regardless of which email provider you use, both the handshake and encryption process will remain similar. What will vary, however, is the way vendors store and manage your personal data. Even if the application is basically secure, poor or irresponsible stewardship of your information can lead to breaches in the exact security you are trying to foster. Here are some commonly questions to consider:
Should your data be stored on a local PC or on the vendor’s system?
For some privacy-minded users, storing their information with a third party sounds like a questionable idea, but there are some benefits to using a cloud-based system. First, it’s arguably safer than using a local storage-only application, mostly because email providers have invested hundreds of thousands of dollars into security systems capable of warding off most advanced malware and brute force attacks. Reversely, finding this level of protection for a PC can be wildly expensive. Accessing your saved emails on a secure cloud service is extremely difficult for an attacker, whereas gaining access to your personal device (and your data) is far easier.
Should you use a free or paid email service?
While choosing a free service might seem like a no-brainer, there are certain drawbacks to be aware of. When you utilize free encryption, you are entrusting your private information to a company who may, in turn, sell it for targeted marketing or place invasive ads in their software. After all, they have to make money somehow. So, when you pay for a service, you are likely satisfying that financial demand for a vendor who will then guard your information accordingly. In fact, the argument could be made that paying a vendor for their solution assures their dedication to your privacy, otherwise they will quickly find themselves out of business.
What else should I know about my email provider?
When choosing a vendor, consider the location of its headquarters and data centers. Even if the provider is dedicated to protecting your data through solid business practices, lenient or unethical laws of the country where they house their services can put your information at risk. Many governments will take advantage of information-sharing agreements and surveillance laws that allow them to seize information and share it with whomever they like, and for any reason. If this happens, the email provider has no choice other than to comply with the demand and turn over their records, thereby relinquishing access to whatever user information they have. This not only breaches the security of your account, but it places your private information in the hands of a questionable government agency.
Despite the various shortcomings, encrypted email is still an effective way to protect your online privacy and keep your information away from hackers and government spies. With a proper understanding of the technology’s strengths, weaknesses, and overall framework, you can find confidence in the service and a real way regain your power as a safe and anonymous citizen.