In a comment about secure email on a recent post Chet asked, “I have a few email accounts, however I don’t think much of their security. Is there anywhere you would suggest getting email that won’t read it, track you, or send your info to the government? I’m not sure if you already addressed this, but I am looking for better email.”
That’s a great question, Chet. Thanks for asking.
Essentially, you’re asking three distinct questions.
- Is there a way to keep 3rd parties from reading your email?
- Can I avoid tracking?
- Is there a way to keep your information out of the hands of the government?
So let’s take these one at a time.
Is there a way to keep 3rd parties from reading your email?
The good news is that the answer is yes. The bad news is that you’re going to have a hard time making it work.
It’s not really all that complicated. You simply download something called PGP (Pretty Good Privacy) and install it on your mail client. Most mail clients have addons that will make this relatively simple. You just install the addon, put in a passphrase, and you are provided with a public key that you can share with anyone in the world. They then use your public key to encrypt any message to you, and you use theirs to send encrypted messages to them.
The private key is what decrypts messages that were encrypted with your public key. It is stored on your device and can only be used with your passphrase. The result is fantastic end-to-end encryption.
Different mail clients have different addons, so you’ll need to find one that works with your email client (Mac Mail, Windows Mail Client, MS Outlook, etc.) and follow their instructions.
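The key exchange described above, run with the GnuPG command line instead of a mail-client addon. This is an added example, not part of the original post; the keyring directories, the address and the passphrase are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Names, addresses and the passphrase are constructed.
# Requires GnuPG 2.2 or later. Usage: pgp_roundtrip 'some text'
pgp_roundtrip() {
    msg=$1; rc=0
    work=$(mktemp -d) || return 1
    sender="$work/s"; recipient="$work/r"
    mkdir -m 700 "$sender" "$recipient" || return 1

    # 1. Recipient creates a key pair. The private key stays in this
    #    keyring and is locked with the passphrase.
    gpg --homedir "$recipient" --batch --quiet --pinentry-mode loopback \
        --passphrase 'constructed-demo-passphrase' \
        --quick-generate-key 'Recipient <recipient@example.invalid>' \
        default default never >/dev/null || rc=1

    # 2. Recipient publishes only the public half.
    gpg --homedir "$recipient" --batch --armor \
        --export recipient@example.invalid > "$work/pub.asc" || rc=1

    # 3. Sender imports the public key and encrypts to it. "--trust-model
    #    always" skips key validation for the demo; in real use, compare
    #    the key fingerprint with the owner over another channel first.
    gpg --homedir "$sender" --batch --quiet --import "$work/pub.asc" >/dev/null || rc=1
    printf '%s' "$msg" | gpg --homedir "$sender" --batch --quiet --armor \
        --trust-model always --recipient recipient@example.invalid \
        --encrypt > "$work/msg.asc" || rc=1

    # 4. The sender holds no private key, so even the sender cannot
    #    decrypt what was just encrypted.
    if gpg --homedir "$sender" --batch --quiet \
        --decrypt "$work/msg.asc" >/dev/null 2>&1; then
        rc=1
    fi

    # 5. Recipient decrypts with the private key plus the passphrase.
    gpg --homedir "$recipient" --batch --quiet --pinentry-mode loopback \
        --passphrase 'constructed-demo-passphrase' \
        --decrypt "$work/msg.asc" || rc=1

    # Stop the per-keyring agents and remove the throwaway keyrings.
    gpgconf --homedir "$sender" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$recipient" --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    return "$rc"
}
```

The function prints the decrypted text and returns non-zero if any step fails or if the sender's keyring, which holds only the public key, manages to decrypt the message.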
Now for the bad part…
I’ve had PGP integrated with my mail client for years and published my public key everywhere. I have never received a single encrypted email.
The problem is that, unless you’re actually worried about security, this just seems like too much work. Nobody else seems to ever want to go through the effort. So unless you are sending messages only to your other three tech buddies who are also concerned about privacy, this won’t really help you. It’s the perfect solution if everyone else would do it too.
A possible solution
ProtonMail may be a solution for you. It has the option to encrypt or not encrypt any email sent out. The information is stored encrypted on the server (which we’ll bring up later) or sent directly to the user, depending on whether you want to have it delivered encrypted or not. The recipient won’t have to do anything to keep your message encrypted other than use the password you get to them via some other means. You can call them with it, or send them a text. You just wouldn’t want to send them an email containing the code to decrypt your emails.
This is a good option when you’re sending emails to people you personally know. It still doesn’t solve the problem of dealing with some contacts, but it’s about a 90% solution for most people. The one drawback is that you will not be able to use your mail client of choice.
Here’s a lengthy video of ProtonMail. If you’re just interested in using an email address like email@example.com, then you only need the free version and only need to watch the first half of the video.
Can I avoid tracking?
So now that you’ve figured out your preferred method of encrypting your email, you want to look at the tracking problem. There are generally two forms of tracking when we talk about technology: traffic tracking and physical tracking.
Traffic tracking simply records your movements online. Not navigating the web while signed into any services will avoid this. But that’s not much of an issue when we’re discussing emails.
Physical tracking is knowing your location by tracking your IP address. Depending on whether or not there is a dedicated IP address where you are, this tracking can get very specific. A lot of information can be gained this way and it is worth looking at how you can avoid it.
One solution is to use a VPN (Virtual Private Network). These come in different shapes and forms and can also have different names. The one we use and recommend is TunnelBear. TunnelBear has a free option that should cover the average email usage. They securely “tunnel” you through to one of their computers somewhere around the world where any action you take will come from their IP address. Another similar option would be to use the TOR browser, which does the same thing. TOR is completely free, but a bit slow. This probably isn’t an issue if you’re just sending basic emails though.
This option has the same drawback of having to use a web-based email client. What I mean by that is that you still have to go to Gmail.com or ProtonMail in your browser instead of setting it up to just pop up on your phone or computer.
Is there a way to keep your information out of the hands of the government?
This really breaks down into three categories itself:
Legal aspects to secure email
Storing your email in another country can really impact the government’s ability to gain access to your emails. ProtonMail stores its customers’ data in Switzerland to provide the most privacy from a legal standpoint. While Switzerland has recently passed off banking information to the IRS, it still has one of the better reputations for keeping secrets. We can’t guarantee that they won’t bend with enough pressure from the U.S., but it is better than having your information in the U.S. where there are far fewer barriers to access. Storing your data outside of the U.S. simply creates one more hurdle the government has to overcome before being able to get to your data.
As I explained earlier, ProtonMail stores your files encrypted. A lot of services will do this today. This means that even if the government breaks in and gets your data, they would have to decrypt it manually. While this is possible, force decrypting data takes a lot of resources. Processing all of this data would drain the government’s tech resources for only a handful of email accounts.
Existence on the server
Another solution is to simply remove your information from the server. Most mail applications will give you the option to download the email and remove it from the server. This is a simple drag-and-drop option in Mac Mail that you may never have considered. The drawback is that you will no longer be able to access the email across your multiple devices. But if you’re serious about keeping your information out of the hands of the government, it is a great option.
Any or all of these solutions should provide you with increased security. This should also provide you with enough information to determine what your particular concerns are and dig deeper if you want to know more. Information security is a difficult topic and can become very complicated quickly.
The best place to dig deeper into security is the Dark Net. The Dark Net is an unmonitored section of the Internet, accessed through special browsers. Despite the media’s insistence that it is only for drug dealing and criminal activity, it is commonly used by the press to send information out of oppressive countries, research institutes to keep their research private until published, and Christian churches in the Middle East who need to keep their communications away from Islamic States.
There you can find many forums and websites dedicated to open discussion about secure email as well as many other IT security related topics. But be careful what you click. If I get enough interest in the comments below, I’ll look at doing another post on navigating the dark web and using the TOR browser.
Due to the responses in the comments, I’ve written an introductory post to TOR and the Darknet.