In this first of a series of blog posts on how to send private email, we look at encryption add-ons for Gmail and other web-based email, which give an incremental improvement in privacy. For the strongest privacy we recommend instead one of the new Privacy-focused Email Providers (PEPs), services designed from the start to send private email. We introduce the PEPs in this post and cover them in depth in the next one.
Current web-based email systems
Millions of people use "free" web-based email services such as Gmail, Yahoo! Mail, Hotmail or the email service of their cable or phone company. There is no free lunch: such providers are another example of digital-service vendors that collect user data and earn ad revenue. They do deliver a limited form of email encryption, scrambling the message while it travels between mail servers (each server-to-server hop is protected with TLS when both sides support it, and each server decrypts the message before passing it on), but in our view that does not go far enough for comprehensive privacy.
Gmail, the most widely used email system, encrypts email in transit whenever the receiving server supports it, which is most of the time but depends on the recipient's provider. What Gmail and the others do not offer is true "end-to-end" encryption. Google does encrypt stored mail on its disks, but with keys that Google holds, so the provider itself can read the full text of your messages as well as the metadata (date/time, sender address, recipient address, and so on). Having the readable contents of every message on the provider's servers has several implications, both positive and negative.
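The "works much of the time" claim above can be checked on any message you have received. As an added example (not code from the original post), the Python script below reads the Received: trail that each mail server prepends and reports, hop by hop, whether the server that accepted the message recorded a TLS-protected delivery. The sample message and host names are constructed for the example; the markers it looks for (Gmail's "version=TLS1_x", Postfix's "using TLSv1.x", and the ESMTPS/SMTPS protocol keyword) are the common ones, and a hop that shows none of them is reported as not protected.

```python
"""Per-hop TLS audit of the Received: trail on an email message.

Added example, not from the original post. Each mail server that handles
a message prepends a Received: header; when the delivery to that server
used TLS, most servers say so in that header. This script walks the trail
and flags hops that carry no such marker. The message below is constructed
for the example (three hops, the middle one delivered without TLS).
"""
import email
import re
from email import policy

# Constructed sample message; host names are documentation addresses.
SAMPLE_MESSAGE = """\
Received: from mx1.example.org (mx1.example.org. [203.0.113.5])
        by mx.google.com with ESMTPS id abc123
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 02 Jan 2024 10:15:00 -0800 (PST)
Received: from relay.example.net (relay.example.net [198.51.100.7])
        by mx1.example.org (Postfix) with ESMTP id 5F3A2C;
        Tue,  2 Jan 2024 18:14:55 +0000 (UTC)
Received: from laptop.example.net (unknown [192.0.2.9])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        by relay.example.net (Postfix) with ESMTPSA id 1A2B3C;
        Tue,  2 Jan 2024 18:14:50 +0000 (UTC)
From: Alice <alice@example.net>
To: Bob <bob@gmail.com>
Subject: Test
Date: Tue, 2 Jan 2024 18:14:50 +0000

Hello Bob.
"""

# Markers that a receiving server writes when the hop used TLS.
TLS_MARKERS = (
    re.compile(r"version=TLS", re.I),          # Gmail and some others
    re.compile(r"using TLSv", re.I),           # Postfix
    re.compile(r"\bwith E?SMTPSA?\b", re.I),   # ESMTPS / SMTPS / ESMTPSA
)


def hop_from_by(received: str):
    """Extract the 'from X ... by Y' host names from one Received: value."""
    m = re.search(r"from\s+(\S+).*?\bby\s+(\S+)", received, re.S)
    return (m.group(1), m.group(2)) if m else ("?", "?")


def audit_received(raw: str):
    """Return [(sending host, receiving host, tls_seen), ...] ordered from
    the first hop (sender side) to the last (recipient side)."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    # Received: headers are prepended, so the topmost is the newest hop.
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(str(value).split())   # collapse folded whitespace
        src, dst = hop_from_by(value)
        tls = any(p.search(value) for p in TLS_MARKERS)
        hops.append((src, dst, tls))
    return hops


def fully_protected(hops):
    """True only if every recorded hop carried a TLS marker."""
    return all(tls for _, _, tls in hops)


if __name__ == "__main__":
    hops = audit_received(SAMPLE_MESSAGE)
    for src, dst, tls in hops:
        print(f"{src:24} -> {dst:24} {'TLS' if tls else 'NO TLS / not recorded'}")
    print("Fully TLS-protected path:", fully_protected(hops))
```

Run it against the raw source of a real message ("Show original" in Gmail) to see which hop, if any, carried your mail in the clear. The result only tells you what each server chose to record; a hop that logs nothing about TLS is treated as unprotected, and no Received: header says anything about how the message is stored once it arrives.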
On the positive side, access to the full text lets Gmail offer several convenient features that depend on scanning the message: the "smart replies" feature that suggests possible wording, and the detection of "spam" (unsolicited email sent for marketing or worse) and "phishing" (messages disguised to look like they come from a known, legitimate organization in order to trick you into handing over personal information or passwords).
On the negative side, the same ability to scan email gives Gmail the potential to run algorithms (automated software) that pick out keywords revealing your interests and to add those topics to your personal profile. It also means your messages could be exposed if someone breaks into Google's servers or a dishonest employee misuses them. These risks are not far-fetched: there have been several notable cases at large companies of both leaked email and insiders misusing personal data.
Gmail has also introduced a useful "confidential mode", but it has little to do with encrypting email text. It is a practical but separate feature: it blocks forwarding, copying, downloading and printing (though not taking a screenshot), and it lets you set an expiration date after which the recipient can no longer open the message. The message itself is still held on Google's servers and remains in your Sent folder.
The core exposure of the "free" web-based email services is that the provider can read your messages, which leaves them open to use for marketing, intentional prying, criminal hackers, dishonest employees, court orders compelling their release, and spying by state actors.
To send private email, supplement or replace Gmail
There are two camps of alternatives for stronger privacy in email:
Browser-specific add-ons for web-based email that encrypt email text
Alternative email systems from what we call the Privacy-focused Email Providers (PEPs), which offer end-to-end encryption and ease of use together with the utmost privacy. This is our recommendation for maximizing privacy.
1. Browser-specific add-ons for web-based email that encrypt email text
Encrypted-email browser add-ons for your current account, such as (alphabetically) Flowcrypt, Mailvelope, Secure Mail for Gmail, SendSafely, SnapMail and Virtru, add privacy by encrypting the message body. Flowcrypt and Mailvelope implement the OpenPGP standard ("Pretty Good Privacy"), while others, Virtru for example, use encryption schemes of their own. Their advantage is that you keep your email address and provider, and in Gmail's case they integrate with the Gmail interface to varying degrees.
However, each of them has one or more of the following important shortcomings:
may be somewhat cumbersome or technical to set up
may require you to exchange something called "public keys", or a shared password, with each recipient before you can write to them
may require you to use their minimally-featured text editor when composing email messages (e.g., some lack even basic formatting or embedded images)
may not encrypt attachments, a crucial shortcoming
may self-destruct by design after the recipient opens the message (SnapMail), leaving neither of you a copy
may require the recipient to install compatible decryption software, and in some cases only work between Gmail users
may inherit the known weaknesses of the PGP standard itself: no forward secrecy (a private key compromised once unlocks every message ever sent to it), headers left unencrypted, and key management that falls entirely on the user
most seriously in our view, as an add-on to Gmail, Google still sees at least the metadata (date/time, sender and recipient addresses) and the subject line, which PGP does not encrypt. A vendor whose focus is data collection and advertising, and which already holds a massive profile of who you are, what interests you and what sites you visit, is in our view fundamentally conflicted when it comes to delivering complete user privacy.
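To make the last point concrete, here is an added example (not code from the original post or from any of the add-ons named above) that parses a PGP/MIME message, the RFC 3156 layout that Flowcrypt and Mailvelope produce, and lists what the mailbox provider can still read without the recipient's private key. The message is constructed for the example and its armored block is a placeholder with the right shape, not real OpenPGP output; the "..." subject convention it checks for is the one used by clients that move the real subject inside the encrypted part.

```python
"""What an email provider can still read in a PGP/MIME (RFC 3156) message.

Added example, not from the original post. OpenPGP encrypts only the body
part it wraps; the outer envelope (From, To, Date, Subject, Message-ID) is
what mail servers route on and stays in clear text. The message below is
constructed for the example; the armored block is a dummy placeholder.
"""
import email
from email import policy

# Constructed PGP/MIME message; the ciphertext block is not real OpenPGP data.
SAMPLE_PGP_MIME = """\
From: Alice <alice@example.net>
To: Bob <bob@gmail.com>
Date: Tue, 2 Jan 2024 18:14:50 +0000
Subject: Q3 layoffs list - do not forward
Message-ID: <20240102181450.1234@example.net>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----

hQEMA0dummyCiphertextBlockForTheExampleOnly0123456789abcdefghijkl
mnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=
=AbCd
-----END PGP MESSAGE-----

--b1--
"""

# Envelope headers every relay and the mailbox provider can read.
ENVELOPE_FIELDS = ("From", "To", "Cc", "Date", "Subject", "Message-ID")


def provider_view(raw: str) -> dict:
    """Return what is readable without the recipient's private key: the
    envelope headers, whether the subject is exposed, and for each MIME
    part whether its content is plaintext."""
    msg = email.message_from_string(raw, policy=policy.default)
    view = {
        "is_pgp_mime": msg.get_content_type() == "multipart/encrypted",
        "headers": {},
        "subject_exposed": False,
        "parts": [],
    }
    for name in ENVELOPE_FIELDS:
        if msg[name] is not None:
            view["headers"][name] = str(msg[name])
    # Clients that protect headers put "..." outside and carry the real
    # subject inside the ciphertext; any other subject is readable as-is.
    subject = view["headers"].get("Subject", "")
    view["subject_exposed"] = subject not in ("", "...")
    if msg.is_multipart():
        for part in msg.iter_parts():
            ctype = part.get_content_type()
            # In RFC 3156 only the application/octet-stream part is
            # ciphertext; the version part and every header are plaintext.
            view["parts"].append((ctype, ctype != "application/octet-stream"))
    return view


if __name__ == "__main__":
    v = provider_view(SAMPLE_PGP_MIME)
    print("PGP/MIME message:", v["is_pgp_mime"])
    for name, value in v["headers"].items():
        print(f"  readable header  {name}: {value}")
    for ctype, readable in v["parts"]:
        print(f"  part {ctype}: {'plaintext' if readable else 'ciphertext'}")
    print("Subject exposed to provider:", v["subject_exposed"])
```

Paste the raw source of any message you sent with a PGP add-on into SAMPLE_PGP_MIME to see exactly which fields your provider keeps in the clear; on a typical message the answer is everything except the single octet-stream part.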
Some reviews of such add-ons to Gmail are found in the following articles:
ComputerWorld’s How to encrypt Gmail
Comparitech’s How to use PGP encryption with Gmail
TechWalla’s How to send a secure email on Gmail
PR Gomez’s Flowcrypt review
Because of the shortcomings cited above, we conclude that these add-ons do not go far enough to protect privacy. We therefore recommend that you seriously consider using, at least for sensitive email, one of the PEP solutions below: seamless, self-contained email systems with end-to-end encryption (the message is encrypted on your device and can only be decrypted on the recipient's, so it is protected both in transit and while stored on the vendor's servers). We introduce these comprehensive PEP solutions in the next section and present them in greater detail in our next blog post, Use secure email systems that respect privacy.
2. Secure email systems from PEPs with end-to-end encryption
Self-contained secure email services from PEPs, which do not run on Gmail, Yahoo! Mail, Hotmail or other non-secure systems, include ProtonMail, Tutanota and others to be surveyed in the next post in this series. We call these offerings Privacy-focused Email Providers, or PEPs for short; there are over a dozen reputable ones. PEPs provide privacy by encrypting in transit and at rest: the message body, attachments and, with some providers, the subject line are stored only in encrypted (scrambled) form and are decrypted on the author's or recipient's device, so the provider cannot scan their text, and anyone who broke into its servers would find only unreadable ciphertext. PEPs describe this as "zero knowledge", meaning the vendor holds neither your content nor the keys and password that unlock it. Two caveats apply even so: the provider still has to see sender and recipient addresses and timestamps in order to deliver mail, and when you read mail in the provider's web page the decryption code itself comes from the provider, so you are trusting it not to tamper with that code. More fundamentally, PEPs are not in the business of collecting and monetizing personal information.
Stay tuned for our next blog post, Use secure email services that respect privacy, for a review of such comprehensive PEP alternatives.
Email messages "at rest" on most email servers are stored in a form the provider can read, so both message content and metadata are accessible to it. For improved privacy, use either add-ons that enhance security and privacy or, better yet, a full email service from a PEP that delivers end-to-end encryption and has zero knowledge of its users' content.