17 Comments

Summary:

The NSA (and who knows who else) has made a habit of perusing our collective emails, we now know. Which makes it a perfect time to brush up on electronic security.

It always seems to take some sort of  major meltdown for people to bother to think seriously about security and privacy. Whether you’re afraid of being erroneously targeted for typing the word “bomb” one too many times or you just don’t want someone sniffing through your private correspondence, there are steps you can take to make it effectively impossible for the sneakiest hacker – or the savviest NSA agent, as the case may be – to monitor your missives.

Encryption is essential

When done correctly, encryption is all but impossible to break (yes, yes, every encryption scheme is technically breakable, but in today’s reality, good encryption is for all intents and purposes unbreakable). And while nearly 70 percent of companies use encryption to store sensitive data, many companies and individuals don’t bother to take these same measures for email. Even though every single day we likely send sensitive or personal data such as credit card and social security numbers, confidential corporate details and all types of personal correspondence.

By its very DNA, encryption is a confusing thing. Even those users who do take the extra step of using encryption to safeguard their email mistakenly assume that encrypting their messages in transit is enough to keep out prying eyes. But there are actually three distinct steps to take that can ensure you lock out snoopers.

Step 1: Create a safe route

If you use a mail client for email, you’ll want to make sure that you enable SSL (Secure Sockets Layer) encryption within the settings or preferences of your individual email account (you may need to check with your ISP or IT to make sure it is supported). SSL encrypts traffic between you and your mail server, and so prevents breaches referred to as “man in the middle” attacks (where someone grabs your email while it’s in transit).

Similarly, many individuals – and increasingly many companies – use programs like Google’s Gmail for the majority of their emailing. Most such web-based programs support secure connections using a Hypertext Transfer Protocol Secure (HTTPS) connection. The little S on the end shows that your traffic is encrypted, and so is virtually impossible for the connection between you and the mail server to be compromised. You can always confirm you are connected securely by finding the padlock icon or the “https://” in the browser address bar of whatever browser-based mail program you use(e.g. https://mail.google.com/).

Without such a secure connection, using web-based email is like sitting at a Starbucks doing a private call on your speakerphone – you’re broadcasting your communication for anyone to hear. (And just in case you actually are sitting at a Starbucks or anywhere else accessing a third party’s Wi-Fi, remember that you are potentially using an unsecured network every single time.)

Step 2: Give email some armor

A secure connection to the server is critical, but it doesn’t encrypt the message itself. That means that all those emails you send via Gmail, iCloud, Yahoo, and Outlook among others are sitting free and clear on servers that, as we’ve learned, the NSA has free and easy access to.  That’s where adding encryption software like OpenPGP (Pretty Good Privacy) or S/MIME (Secure/Multipurpose Internet Mail Extensions) or third-party OpenPGP-based add-ons such as Mailvelope come in. These encrypt your email message itself, not just the route along the way.

However, encrypting email messages does not come without some (hefty) inconvenience. Before a message is sent, senders and receivers first have to exchange public key certificates and install each others’ in their respective browsers or email clients. As you can imagine, setting up all your contacts with corresponding public keys is cumbersome. So you need to set some rules.

For business use, companies should set policies that define which type of emails must be encrypted. For individuals, you’ll essentially need to do the same – decide who and what is important enough that you are willing to endure some up-front efforts in exchange for your peace of mind.

And it’s worth noting that since most encryption programs don’t cover the metadata of your messages – everything from the subject line and above – you might want to think about how much sensitive information you’re typing into that header field.

Step 3: Lock all the doors

Going through the above steps is important, however forgetting about what happens to all those sent and received messages afterwards is like locking your house but leaving the windows open. Emails residing on desktops, laptops and mobile devices may still be at risk without a proactive “data at rest” encryption plan (unless you implement something like OpenPGP and S/MIME for all of your emails). If you  understandably find solutions like PGP too weighty, though, there is a middle-ground.

Windows Encrypted File System (EFS) feature allows users to encrypt email storage files (such as .PST and .OST) on desktops and laptops; similarly, Mac users can use built-in FileVault which encrypts the entire hard drive on the fly. And some mobile operating systems like iOS provide out-of-the-box device level encryption.

As an alternative, check out one of the specialized webmail applications like hushmail.com that use encryption for all email, and can work with custom domain names as well.

Raj Sabhlok is president of  Zoho Corp., the parent company of  Zoho.com and ManageEngine. Follow him  on Twitter @rajsabhlok.

Have an idea for a post you’d like to contribute to GigaOm? Click here for our guidelines and contact info.

Photo courtesy ollyy/Shutterstock.com.

  1. Ringo Starfish Sunday, June 16, 2013

    The government’s computers can decrypt most encrypted messages. Since they’re intercepting and storing all electronic communication in giant data centers, anything they can’t decrypt today will still be there three years later, when computing power has advanced to the point where they can read it.

    Share
    1. Ringo,

      That’s is probably true. Rumor has it, the NSA can already decrypt many encryption algorithms. But, I would still prefer encrypting to the fullest extent possible, if nothing else than to make them work a little harder for my data! ;)

      Raj

      Share
  2. Karen Saucedo Monday, June 17, 2013

    Ringo, agreed. Encryption, no matter how “unbreakable” is just encryption.
    Our US power grids have been hacked. Memorial Sloan Ketering’s Radiation Treatment system was hacked. Things are hackable.

    Frankly, unless I had something to hide, I’d spend my efforts on other equally worthy realtime issues.

    Share
    1. Karen,

      Let’s just give up all of our civil liberties! Better make sure you didn’t take any undocumented tax deductions while you are at it!

      Raj

      Share
  3. Orlando Kalossakas Monday, June 17, 2013

    Most Encryption algos have been written by the same people that today are spying on all of us, common Joes. That goes to say how can you trust such encryption mechanism, it’s like buying guns from your enemy.

    Share
    1. Orlando,

      Yikes! That is a scary thought!

      Raj

      Share
  4. Mandatory XKCD reference, regarding PGP: http://xkcd.com/1181/

    Share
  5. and who’s to say hushmail.com and others who claim no one can break their stuff is really secure? there’s nothing that’s really secure…. except face-to-face conversation :)

    Share
  6. These comments seem a bit pessimstic, as in, “Gee, that NSA is so powerful we might just as well all give up now.” And the fact that you have nothing to hide doesn’t mean that they aren’t reading your email. There are lots of ways to accidentally get on their watch list even if you’re as innocent as your deal old grandma. And commercial and research organizations have *lots* to hide, namely, trade secrets, business plans, etc. For a way to keep confidential email away from the eyes of those not intended to read it see http://www.hermetic.ch/eee/eee.htm

    Share
  7. S/MIME is great in theory, but the problem is NO ONE IS USING IT. Nor are they likely to even check if an email signature is correct. It also doesn’t work with most webmail services, like Gmail. Ditto but more so for PGP/GPG.

    Share
  8. Also, I’d be highly surprised if any CA doing business in the US hasn’t escrowed some kind of decryption with the USG (or at least has the ability to make private keys available on request). S/MIME, if it ever got traction, might be good for reducing private snoopers, but not state-sponsored surveillance.

    Share
  9. With Microsoft helping the NSA decrypt user data, can you really recommend any Microsoft features to protect data from the NSA’s busy noses? (That it, after all, the title of your post.)

    Share
  10. I don’t care if they’re reading my email, since I’m not doing anything wrong. Even if some flag is triggered, they could see by examining the email that it’s a false positive.

    Share
    1. What if anyone who you have ever emailed or has emailed you does something wrong?
      You are considered an associate – off to gitmo with you.

      Share

Comments have been disabled for this post