How assured are you that your email communications are truly private?
What are you doing about securing your emails in transit and at rest on all your devices and in your email servers, which are most likely hosted in the Cloud? Using PGP perhaps? Is there a good enough and practical solution to the issue of Email Privacy?
Digital Privacy is hard to attain, even for the most CyberSecurity savvy & proud geeks amongst us (recent blog on the subject here). I found great interest in the following article from Filippo Valsorda “I’m throwing in the towel on PGP, and I work in security” and here are my thoughts and comments on Email Privacy more focused on personal communications (i.e. non-corporate).
Pretty Good Privacy (PGP) to secure emails
What is PGP?
Pretty Good Privacy (PGP) is probably the most recommended approach to securing emails. For example, the Electronic Frontier Foundation (EFF) Surveillance Self-Defense (SSD) project recommends the use of PGP, which they define as: “Pretty Good Privacy (PGP) is a way to protect your email communications from being read by anyone except their intended recipients. It can protect against companies, governments, or criminals spying on your Internet connection, and, to a lesser extent, it can save your email from being read if the computer on which they are stored is stolen or broken into.”.
How to setup PGP?
The EFF SSD provides basic instructions to configure PGP (e.g. here for Mac OS and Windows), which require the installation and configuration of three programs “GnuPG, Mozilla Thunderbird and Enigmail” all working together. While there are alternatives to the email client and the PGP plugin used, instructions are typically not that simple. I recall for example a report that Glenn Greenwald (journalist involved in the Snowden case) almost missed out on NSA stories because he didn’t have the time to set up PGP. Snowden anonymously sent Greenwald a bunch of emails, and even a step-by-step guide to setting it up, but Greenwald put it off. “It’s really annoying and complicated, the encryption software,” he told the Times.
PGP is ugly and impractical!
Having researched, used and played with PGP, I strongly relate to the experience reported by Filippo Valsorda, which highlights:
- High effort required. Setting-up and using PGP to protect, well enough, communications such as emails, require a lot of effort.
- High technical & security knowledge required.
- Poor user experience to setup, and use, the environment, especially considering the use of multiple devices.
- Low adoption rate. Like Filippo, I also spent diligent time in setting-up my PGP environment and in planning on how to best use it. I got finally ready to communicate securely… to find myself quite PGP-lonely (Filippo reports receiving at most 2 encrypted emails a year).
- Questionable security design through long-term (or perpetual) encryption keys, where the one key is the weakest link, and the reliance on a chain of trust (how trusted?).
While encryption certainly works, taking your email security in your own hands with PGP is a rather arduous and impractical option. In addition, PGP (or encryption) also doesn’t provide any protection on the email metadata (i.e. sender and recipient). It only secures the content of the message and this is due to the design of Email (not a limitation of encryption or PGP).
How to best secure emails?
The key reason why emails are so hard to secure in practice is because of the design of email services and because we probably overuse and misuse emails:
- Email exchange protocols are not well designed for security purposes in general.
- Email messages are typically stored for long period of times (longer than necessary?), if not perpetually, in multiple locations: endpoints and email servers including in the Cloud, in both business and personal contexts.
- Too many emails are used in communications (personal and business), in my opinion, and they are typically used inefficiently (too long, too much details, too many parties involved).
I suspect that Hilary Clinton (here), and many who have been impacted by leaked emails would now think twice about using emails for sensitive communications.
In my opinion, the less emails the better for communication efficiency and the better for security and privacy.
Filippo Valsorda reports a change of primary communication method, using “Signal or WhatsApp, which offer vastly better endpoint security on iOS, ephemerality, and smoother key rotation.”. I use the above apps and also Wickr, as some leading Australian political figures are also reported to do. Filippo also informs parties wanting to communicate with him:
- “If you need to securely contact me, your best bet is to DM (twitter) me asking for my Signal number. If needed we can decide an appropriate way to compare fingerprints.”
- “If we meet in person and need to set up a secure channel, we will just exchange a secret passphrase to use with what’s most appropriate: OTR, Pond, Ricochet.”
- “To exchange files, we will negotiate Magic Wormhole, OnionShare, or ad-hoc PGP keys over the secure channel we already have.
A key to better manage online communications securely and privately is to use alternative and more secure methods of communication to emails, especially for short communications that doesn’t require long-term storage. Consideration can be given to Signal, WhatsApp, Wickr, SudoApp, ChatSecure and other applications.