First Lavabit, now Silent Mail: what secure mail is left?


It has been a tough week for those who love secure email clients and platforms. First, Lavabit, an asymmetrically encrypted email service, abruptly shut down on Thursday and was soon followed by Silent Circle, which preemptively shuttered its own client, Silent Mail. The presence (or potential presence) of government involvement, lawsuits, gag orders and the possibility of turning over information were all contributing factors to the shutdowns. That prompted us to wonder: is there anyone left who can pick up the slack left by the exit of these two players?

While there are many ways to secure email away from prying eyes, including browser extensions, one-off encryption websites and even building your own server, there are only a handful of standalone email services that offer encrypting features for private messaging.

Hushmail

The Canada-based private email service offers both business and personal email accounts, including an extra HIPAA-compliant client for hospitals. Mail sent between Hushmail users is automatically encrypted and decrypted, while outgoing messages sent to users on other platforms like Gmail can be opened via a secure passphrase. While the U.S. cannot directly request data from Hushmail, the company states in its FAQ that it is obligated to comply with Canadian law.

MyKolab

Run by the Swiss Kolab Systems, MyKolab is a secure mail service that can also be downloaded for native desktop use. In addition to calendar features and a handy sync with mobile, MyKolab offers users the benefits of Swiss privacy policies on data storage and conforms to unique domain names to boot. However, it’s important to note that while the service can facilitate secure messages, it doesn’t actually provide encryption. To encrypt messages, some extra finagling with a native email client like Kontact is required.

RiseUp

An anonymous collective devoted to privacy and social change, RiseUp offers a bare-bones mail service that encrypts all traffic on the site. The collective won’t store any sensitive data, including IP addresses, and utilizes STARTTLS symmetrical encryption. For best use, the collective recommends pairing RiseUp with another client, like the open source Thunderbird. RiseUp is based in the U.S., so it remains at risk for government shutdowns.

S-Mail

This longstanding email service may look a bit archaic, but it still offers plenty of encryption for messaging needs. S-Mail utilizes encryption and SSL to send secure mail to other S-Mail addresses, keeping messages and metadata safe. But it lacks end-to-end encryption in emails sent to addresses outside of the S-Mail system, so there’s a chance that emails can be intercepted on the recipient’s end. Also, while the website doesn’t list any specific contact information or address, a WHO.IS lookup indicates that the site is registered to an address in Scottsdale, Arizona. It’s highly likely that it is an American service, and so it remains at risk.

This is a short list, but one that may expand or contract within the coming weeks. As it stands, per the PATRIOT Act, the government can only request the data of U.S.-based companies. Whether more companies capitulate to the government’s orders or even rise up in defiance of them, the landscape of encrypted mail is turbulent at best and endangered at worst.

14 Comments

L. Daniel Nordstrom

Regardless of what anyone says, there is no secure mail—email is an insecure protocol, and that fact won’t change. The question is: which one offers SSL/TLS and is most reliable? And potentially also: which one requires no personal details to sign up?

Your best bet is to pick that one, and make sure you use PGP and whatever end-to-end encryption. Assume that everything is still stored after you delete it, and assume that any webmail client you use logs and tracks everything you do. Unfortunately, such is the reality we live in.

Actually, your best bet is obviously to either host it yourself, or rely on a different means of communication (perhaps I2P or Tor applications—I2P Mail, TorChat, BitMessage—or simply XMPP with OTR encryption).

Ultimately, though, it all depends on what it is you wish to achieve. If it’s just about privacy, encryption will suffice. On the other hand, if it’s about anonymity, it’s a different ballgame entirely. If it’s about being deniable, yet another.

Paolo Brandoli

A different email system may solve the problem.

We are developing a new protocol that allows emails to be distributed without using email servers: the mails travel directly from peer to peer and are stored temporarily in other peers if the recipient is offline.

The mails are always encrypted, and there is no need to manually distribute the public keys because the clients publish them automatically in a distributed hash table.
More info here: http://igg.me/at/flowingmail/x/3978171

opolis secure mail

What’s still left and for free is http://www.opolis.eu … point-to-point encrypted free email service and the sender decides what the recipient is allowed to do with your message ….

 

I recommend getting I2P. It’s what I use and have chosen to switch to for the purposes of personal email.

I2P is a tool that is, for the sake of conversation, similar to Tor. You download some software and install it. This begins a service that will route encrypted data through your computer, just like what happens with Tor (only you will never send traffic to the unencrypted open Internet).

I2P offers many services, one of which is email. It is necessarily limited in how much data you can store in your email, so you will need to stick to exchanging email with your friends and family (avoid mailing lists and the like). However, if you want secure mail then this is one of the best ways to get it, and it’s free.

As always, both you and the person(s) who you communicate with will need to use I2P for the messages to be “truly secure”. Considering it’s free, however, I see no reason to not consider it.

Dave Lucas

I never thought about encrypting much. I did tinker with PGP around 1995. But …
