Email Safe: 7 Ways to Protect

BEESYST
18 min read · Nov 26, 2023

Did you know that even if you delete an email immediately, you haven’t erased it without a trace? There’s always a copy. Webmail relies on cloud technologies, so for you to access it from any device, anywhere in the world, and at any time, backups of all emails must exist on various servers worldwide. Furthermore, at any moment, any email you send may undergo scrutiny from the hosting company. It is claimed to be a method of protecting you from spam, but in reality, third parties exploit this opportunity to read our emails for selfish and base reasons.

We’re all familiar with advertising in email services. But did you know that the selection of ads is influenced not only by the content of emails sent and received from other accounts within the email service but also by emails where the senders or recipients had accounts on other services?

Conclusion: the company intercepts and reads all emails, not just those moving between its own servers.

  • In 2019, a federal court approved the settlement of a class-action lawsuit related to five data breaches at Yahoo! that occurred from 2012 to 2016 and affected at least 194 million Yahoo! customers ¹ ². The company agreed to establish a settlement fund of $117.5 million and implement numerous changes in business practices aimed at preventing future data breaches. Has anything changed since then? The question remains open. In class-action lawsuits, both parties are given time to clarify all circumstances and present their responses. Legal disputes in such cases can drag on for many years.
  • Google, against whom a lawsuit for email scanning was filed back in 2014, inadvertently revealed during a court hearing that it does indeed read user emails. The company immediately tried to conceal or retrieve this data but was unsuccessful ³ ⁴ ⁵. The case raised questions about what exactly Google was scanning or reading. According to the plaintiffs, including several major media corporations such as the owners of USA Today, Google at some point realized that by only examining the content of incoming emails, they might miss valuable information. The plaintiffs claimed that Google shifted from examining the content of only archived emails stored on the Google server to checking all emails in a Gmail account, whether they were sent from an iPhone or a laptop in a coffee shop.
  • Sometimes companies even attempt to secretly view emails for their own interests. One of the most well-known cases occurred in 2014 and involved Microsoft, which faced public outrage when it was revealed that they were examining the content of incoming emails from a Hotmail user suspected of having a pirated copy of Microsoft software ⁶. As a result of this revelation, Microsoft stated that law enforcement agencies would handle such investigations in the future ⁷.

Such cases are not limited to private email. If you send an email from your work account, the IT department of the company where you work can also review and save it in their archives. The IT staff or management will then decide whether to pass the flagged email through their server or involve law enforcement. Emails containing trade secrets or questionable materials, such as pornography, fall into a risk category. Emails are also checked for spam. If the IT department is reviewing and saving your emails, each time you log in, you should receive a reminder of the existing policy — although many companies do not do this.

While most of us may accept that emails are scanned for spam, and perhaps some are willing to overlook the viewing of their mail for advertising purposes, the thought of outsiders reading our emails and taking actions based on their content evokes unpleasant emotions. Therefore, when you write an email, even if it’s minor or even if you’ve deleted it from your inbox, remember that the text and images from it are likely to be reviewed and saved, perhaps not indefinitely, but for a significant amount of time. However, most companies retain emails for quite a long time.

Now that you are aware that governments and corporations read your emails, the least you can do is make it as difficult for them as possible.

Ways to secure your correspondence

Encryption

To become invisible, you’ll need to encrypt your message so that only the intended recipient can unlock and read the content.

Most webmail services use encryption when a message is transferred from one inbox to another. However, when some services forward a message between mail servers (Message Transfer Agents, MTAs), they may not use encryption, meaning your message won’t be protected on that leg of the journey. That is why you need to encrypt the message itself, so that only the recipient can unlock and read the content.

All types of encryption share the commonality that they use a key — a kind of password — to decrypt and read the encoded message.

  • In symmetric encryption, the same key is used for both encrypting and decrypting messages. However, symmetric ciphers are more challenging to use when two parties are unfamiliar with each other or are geographically distant, as often occurs in online communication.
  • Most tools for email encryption utilize a method known as asymmetric encryption. This means that two keys are generated: a private key, stored on a personal device, and a public key, made openly available on the Internet. The keys are distinct but mathematically linked.

So, what is needed for encrypting the content of your emails?

The most popular email encryption method is the PGP plugin (Pretty Good Privacy), which is not free. It is a product of Symantec Corporation. However, its creator, Phil Zimmermann, also developed a free version called OpenPGP, which is open-source. Another option is the GnuPG program (GNU Privacy Guard), created by Werner Koch, which is also free. The good news is that all three programs are interchangeable. In other words, it doesn’t matter which version of PGP you use because the core functions are the same in all three programs.

OpenPGP in Thunderbird

Lavabit is an open-source encrypted email service that was founded in June 2004 and shut down in August 2013 after the U.S. federal government ordered it to hand over its private Secure Sockets Layer (SSL) keys to enable government surveillance of Edward Snowden’s emails. It was relaunched on January 20, 2017. Initially conceived as an alternative to Gmail, Lavabit aimed to prioritize the confidentiality of correspondence and user comfort.

The ease with which someone without the key can break your encryption depends on the complexity of the mathematical operation and the length of the encryption key itself. Common encryption algorithms today are public. This is good. Beware of closed, non-public encryption algorithms. Public algorithms have undergone scrutiny for vulnerabilities, meaning people intentionally tried to break them. When vulnerabilities are discovered or an algorithm is broken, it becomes obsolete, and new, more secure algorithms emerge. Outdated algorithms don’t disappear, but it is strongly recommended not to use them.
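The two points above (a public and a private key that are "mathematically linked", and key length deciding how hard the key is to break) can be seen in a few lines. This is an added example, not code from the article or from any PGP tool: it uses textbook RSA without the padding real tools add, the function names are illustrative, and the primes are deliberately tiny.

```python
from math import gcd


def make_keypair(p, q, e=65537):
    """Build a textbook RSA key pair from two primes (illustration only)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)          # the private exponent is derived from p and q
    return (n, e), (n, d)        # (public key, private key)


def encrypt(public, m):
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(private, c):
    n, d = private
    return pow(c, d, n)


def recover_private_key(public, max_steps=200_000):
    """Try to rebuild the private key from the public one by factoring n.

    Plain trial division with a fixed work budget: it succeeds only when the
    modulus is far too short, and returns None when the budget runs out.
    """
    n, e = public
    if n % 2 == 0:
        return (n, pow(e, -1, n // 2 - 1))
    f, steps = 3, 0
    while f * f <= n and steps < max_steps:
        if n % f == 0:
            p, q = f, n // f
            return (n, pow(e, -1, (p - 1) * (q - 1)))
        f += 2
        steps += 1
    return None


# Constructed sample keys. SHORT is about 37 bits; LONGER is about 150 bits,
# which is still far below the 2048+ bits used in practice.
SHORT_PUBLIC, SHORT_PRIVATE = make_keypair(104729, 1299709)
LONGER_PUBLIC, LONGER_PRIVATE = make_keypair(2**61 - 1, 2**89 - 1)

if __name__ == "__main__":
    secret = int.from_bytes(b"hi", "big")
    ciphertext = encrypt(SHORT_PUBLIC, secret)
    print("round trip ok:", decrypt(SHORT_PRIVATE, ciphertext) == secret)
    print("short key recovered from public key:",
          recover_private_key(SHORT_PUBLIC) == SHORT_PRIVATE)
    print("longer key recovered within budget:",
          recover_private_key(LONGER_PUBLIC) is not None)
```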

Keys are within your control, and it’s crucial to monitor them closely. If you generate an encryption key, you will store that key on your device. If you entrust encryption to a company, such as through a cloud service, they can store your key. The main cause for concern is that by law, this company may be obligated to hand over your key to law enforcement or intelligence agencies, and you may not be informed about it. You need to read the privacy policy of every encryption service you use to understand who will have access to your keys.

When you encrypt a message — whether it’s an email, text message, or phone conversation — it’s preferable to use end-to-end encryption. In this case, your message cannot be read until it reaches its destination. With end-to-end encryption, only you and the recipient have the keys to decrypt the message. No one else, including the telecommunications company, website owner, or app developer — i.e., none of those whom law enforcement or intelligence agencies may approach for information about you — can do so.

There are special PGP plugins for Chrome and Firefox browsers that significantly simplify the encryption process. One of them, called Mailvelope, excels in creating and storing PGP public and private keys. Simply enter the passphrase, which generates the public and private keys. Then, the next time you compose an email using webmail, select the recipient, and knowing their public key, you can send them an encrypted message.

Metadata

Even if you encrypt your emails using PGP, anyone can still read a small but very informative part of your mail. We are talking about metadata.

What constitutes email metadata?

  • Recipient and sender email addresses.
  • Addresses of all servers the email passed through from sender to recipient.
  • Date.
  • The subject line, which sometimes can reveal a lot about the encrypted content.

Metadata, a remnant of the early stages of the Internet’s development, still remains part of every email, but in modern email services, this information is concealed.

Third parties can read the metadata of an encrypted message, and they will know that on a certain date, you sent an email to a specific recipient, and two days later — again, and so on. Perhaps there is nothing inherently alarming about this, as these third parties won’t be able to read what exactly you wrote, and you likely don’t consider the technical details of how the email was routed through which servers and at what time to be significant. However, you might be surprised by how much can be gleaned solely based on the email route and the frequency of sending.

Although tracking and storing email metadata is not the same as intercepting the actual content of emails, it can still be viewed as an invasion of privacy.

IP Address

If you examine the metadata of a recently received email, you will see the IP addresses of the servers that served as relay points for your email worldwide as it traveled to the recipient. Each server — just like every person using the Internet — has a unique IP address, a numerical value that depends on the country of your residence and the internet service provider. Each country is assigned its own block of IP addresses. Different parts of the world have been allocated entire blocks of IP addresses, and each provider has its reserved sub-block, which, in turn, is divided into sub-blocks based on the type of services provided: switched access, dedicated line, or mobile internet. If you have a static IP address, it will be linked to your account and home address; otherwise, your external IP address will be generated from the pool of addresses owned by your internet service provider.

For example, the IP address 175.45.176.0 belongs to North Korea. An email from a sender with such an IP address is likely to be flagged for further scrutiny. Someone from the government might want to know why you are corresponding with someone from North Korea, even if the subject of the email is “Happy Birthday.”
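To make the metadata and IP address sections concrete, the following added example (not part of the original article) parses a PGP-encrypted message and lists everything that stays readable without the key. The message, host names and addresses are constructed; the IPs come from the documentation ranges.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample message: all names, hosts and IPs are made up
# (the IPs come from the RFC 5737 documentation ranges).
RAW_MESSAGE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.25])
\tby mail.recipient.example with ESMTPS; Mon, 20 Nov 2023 10:15:09 +0000
Received: from smtp.sender.example (smtp.sender.example [198.51.100.7])
\tby mx.recipient.example with ESMTPS; Mon, 20 Nov 2023 10:15:07 +0000
Received: from laptop.home.example ([192.0.2.44])
\tby smtp.sender.example with ESMTPSA; Mon, 20 Nov 2023 10:15:05 +0000
From: Alice <alice@sender.example>
To: Bob <bob@recipient.example>
Date: Mon, 20 Nov 2023 10:15:04 +0000
Subject: Contract draft for Friday
Content-Type: text/plain

-----BEGIN PGP MESSAGE-----

(constructed placeholder for the encrypted body)
-----END PGP MESSAGE-----
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RELAY_NAME = re.compile(r"\bby\s+(\S+)")


def visible_metadata(raw):
    """Return what any relay or observer can read without a PGP key."""
    msg = message_from_string(raw)
    hops = []
    # Every relay prepends its own Received header, so the newest is on top;
    # reversing gives the route in sender -> recipient order.
    for header in reversed(msg.get_all("Received", [])):
        flat = " ".join(header.split())  # undo header folding
        ip = IP_IN_BRACKETS.search(flat)
        by = RELAY_NAME.search(flat)
        hops.append({
            "from_ip": ip.group(1) if ip else None,
            "by": by.group(1) if by else None,
        })
    return {
        "from": [addr for _, addr in getaddresses(msg.get_all("From", []))],
        "to": [addr for _, addr in getaddresses(msg.get_all("To", []))],
        "date": parsedate_to_datetime(msg["Date"]).isoformat(),
        "subject": msg["Subject"],
        "hops": hops,
        "body_is_pgp": msg.get_payload().lstrip().startswith(
            "-----BEGIN PGP MESSAGE-----"),
    }


if __name__ == "__main__":
    meta = visible_metadata(RAW_MESSAGE)
    print("From:   ", meta["from"])
    print("To:     ", meta["to"])
    print("Date:   ", meta["date"])
    print("Subject:", meta["subject"])
    for number, hop in enumerate(meta["hops"], 1):
        print(f"Hop {number}: {hop['from_ip']} -> {hop['by']}")
    print("Body encrypted:", meta["body_is_pgp"])
```

The first hop is the sender's own address as seen by the outgoing mail server, which is the value the rest of the article is concerned with hiding.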

According to Snowden, the NSA and other agencies store the metadata of our emails, text messages, and phone calls. But can the government really store the metadata of absolutely everyone? Technically — no, but…

In the United States, the term “Lawful Interception” (abbreviated as LI) has existed for quite some time. It refers to obtaining communication network data in accordance with legal authority for analysis or evidence purposes. Three federal laws in the United States explicitly permit LI.

  • Omnibus Crime Control and Safe Streets Act of 1968 — a law from 1968 ⁸. Section III specifically addresses interception investigations.
  • Foreign Intelligence Surveillance Act of 1978 (FISA) — a law on clandestine surveillance for foreign intelligence purposes, enacted in 1978, establishes procedures for physical and electronic surveillance and the collection of intelligence information ⁹.
  • Communications Assistance for Law Enforcement Act (CALEA) — a law enacted in 1994 by Bill Clinton ¹⁰. The purpose of CALEA is to enhance the ability of law enforcement agencies to conduct lawful interception of traffic. The Act establishes requirements for telecommunications equipment manufacturers and service providers to design equipment, facilities, and services in a way that enables targeted surveillance, allowing federal agencies to selectively monitor any telephone traffic. Since 2005, the act has been expanded to apply to broadband internet access networks and VoIP telephony.

To truly become invisible in the digital world, it’s not enough to just encrypt messages. You also need to:

  • Conceal your real IP address — that is, the internet exit point, your trace. It can reveal your location (down to a specific address) and your internet service provider.
  • Erase data about your software and hardware — when you go online, a report is sent to the website about the software and hardware you are using. Determining the specific software installed can be done through various technologies. The browser transmits information to the website about the version of the operating system you have installed and sometimes about other software you use on your computer.
  • Safeguard your anonymity — identifying a person on the Internet is very difficult. Proving that you were at the computer when something happened is quite challenging.

Read. How to Become Invisible in the Digital World: 9 ways

Each time you connect to the Internet, you are assigned a specific address. This becomes a problem if you want to remain invisible online: you can change your name (or not provide it at all), but the IP address will still reveal your location on our planet, your internet service provider, and the person paying for internet access. All these pieces of information are present in the metadata of an email, and subsequently, they can be used to identify you. Any form of communication, whether it’s email correspondence or something else, can contribute to the identification of your identity through the IP address assigned to the router you use at home, at work, or at a friend’s place.

NYM

NYM is a new generation privacy infrastructure that allows you to secure your email correspondence and other forms of online communication. If you want to learn more about NYM, you can visit:

Read. NYM: What It Is and How It Ensures Privacy in The Network

Follow these steps to protect and secure your email messages:

  • Step 4: Launch Thunderbird and configure the proxy.
  • Step 5: Done. You are protected.

By using NYM to encrypt your email, you gain the following advantages:

  • You protect your messages from interception, analysis, or modification by third parties, as they pass through the NYM network, which hides your IP address, metadata, and communication patterns.
  • You maintain your anonymity by not disclosing your identity during registration or use of the email service, and you do not link your email address to your other accounts or data.
  • You control your data since you are not dependent on an email provider that may store, sell, or transmit your information to other parties.

Proxy and remailers

IP addresses in emails can certainly be forged. Some people use proxy servers to replace their real IP address with someone else’s, making it appear that their emails are sent from a different location. The idea is that with a proxy server, you can conceal the fact that the email was actually sent not from China or Germany but from North Korea.

Instead of setting up and managing your own proxy server, you can use services known as anonymous remailers, which hide the real IP address from which you send emails. An anonymous remailer simply changes the sender’s email address before sending the email. The recipient can also reply using the remailer. This is the simplest option.

With some remailers of the first and second types, you can only send emails; replying is not possible. Remailers of the third type, or Mixminion, allow replying, forwarding, and encrypting emails. If you plan to use this method for anonymous communication, you need to find out the capabilities of your remailer.

Tor

One way to mask your IP address is by using onion routing, like Tor. This open-source software was developed by the U.S. Naval Academy in 2004 to allow military personnel to conduct research without revealing their location and has been enhanced since then. Tor is designed for individuals living in countries with authoritarian regimes who seek to bypass censorship in public media and services, as well as conceal their search queries. Tor is free software available for anyone, anywhere, including you.

How Tor works:

  • The system fundamentally changes the model of accessing a website. Typically, when you go online, you launch a web browser and enter the address of the desired site. A request is sent to the site, and within milliseconds, your browser receives a response and the requested page. The website identifies, using the IP address, your internet service provider and sometimes even the region of the world you are accessing the internet from. For example, if your device claims to be in Germany, but the time and data transmission speed suggest you are somewhere else in the world, some websites, especially gaming ones, may interpret this as an attempt at fraud.
  • When using Tor, the direct connection between you and the target website is hidden by using additional nodes, and every 30 seconds, the chain of nodes connecting you to the site you are browsing changes without causing any inconvenience to you. The multiple nodes connecting you to the site are like layers in an onion. In other words, if someone tried to trace you through the viewed website, they would be unable to, as the route constantly changes. If there is no connection detected between your entry point and exit point, your connection can be considered anonymous.
  • When you access the network through Tor, your request to load a page is not sent directly to the corresponding server but to another Tor node. To further complicate matters, this node passes the request to the next node, which then directs it to the website. Thus, we have an entry node, a middle node, and an exit node. If I needed to see who accessed my company’s website, I could only see the IP address of the exit node, the last one in this chain, not the entry node. Tor Browser can be configured to use exit nodes in a specific country, such as Spain, or even a specific exit node, like one in Honolulu.
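The entry, middle and exit node chain described above can be modelled in a few lines to show which node learns what. This is an added sketch, not Tor's code or protocol: the per-node keys are assumed to have been agreed with each node beforehand, the cipher is a toy stand-in, and all names and addresses are constructed.

```python
import hashlib
import json


def keystream_xor(key, data):
    """Toy stream cipher: XOR with SHA-256(key || counter) blocks.

    Stand-in for the per-node encryption layer. It is not Tor's
    cryptography and must not be used to protect real data.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def wrap(route, destination, payload):
    """Client side: build the onion from the inside out.

    route is a list of (node_name, key) pairs ordered entry -> exit.
    The innermost layer (for the exit node) names the real destination;
    every outer layer names only the next node in the chain.
    """
    next_hop, blob = destination, payload
    for name, key in reversed(route):
        layer = json.dumps({"next": next_hop, "data": blob.hex()}).encode()
        blob = keystream_xor(key, layer)
        next_hop = name
    return blob  # handed to the entry node


def peel(key, blob):
    """Node side: remove one layer, learn the next hop and nothing more."""
    layer = json.loads(keystream_xor(key, blob))
    return layer["next"], bytes.fromhex(layer["data"])


def relay(route, client, blob):
    """Pass the onion along the route and record what each node observes."""
    seen, previous = [], client
    for name, key in route:
        next_hop, blob = peel(key, blob)
        seen.append({"node": name, "received_from": previous,
                     "forwards_to": next_hop})
        previous = name
    return seen, blob


# Constructed values for the demonstration.
CLIENT = "192.0.2.44"
DESTINATION = "mail.example.org:443"
ROUTE = [(name, hashlib.sha256(name.encode()).digest())
         for name in ("entry", "middle", "exit")]

if __name__ == "__main__":
    onion = wrap(ROUTE, DESTINATION, b"GET /inbox")
    observations, delivered = relay(ROUTE, CLIENT, onion)
    for view in observations:
        print(view)
    print("delivered to destination:", delivered)
```

Only the entry node sees the client address and only the exit node sees the destination, which is why the website in the article's example logs the exit node's IP address.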

To use Tor:

Why not simply create an email server directly on the Tor network? It was done — Tor Mail, an email service hosted on a site accessible only through the Tor Browser, was created. However, the FBI, investigating a case unrelated to anonymity, obtained a warrant for access to the data stored on it, and consequently, to all encrypted emails on the Tor Mail server. This instructive story demonstrates that even if you are confident in the security of your information, you can be mistaken.

However, it’s essential to note that Tor technology has several drawbacks:

  • You lack control over exit nodes, any of which could be in the hands of the government or law enforcement.
  • You can still be monitored, and your identity could potentially be revealed.
  • Tor operates very slowly.

To remain invisible, with each new person, communication needs to start from scratch if the possibility of leakage is to be eliminated. A regular email account may be linked to various aspects of your real life — friends, hobbies, work. For confidential communication, it’s necessary to create a new email account through Tor, ensuring that the IP address used to create the account cannot be linked to your real identity.

Creating an anonymous email account is a complex but achievable task.

Disposable phone

There are private email services available. If you pay for them, you’ll leave a trace, so it’s preferable to choose a free web service. However, it’s worth noting that currently, services like Gmail, Microsoft, Yahoo!, and others require providing a phone number to confirm your identity. It’s evident that using your real number is not an option since it can lead back to your actual name and address. Perhaps you can link your account to a Skype phone number, as Gmail now supports voice verification instead of SMS verification. However, to create a Skype phone number, you’ll still need a valid email address and a Skype voucher. If you think you can fix the situation with a prepaid mobile phone, you’re mistaken. If you’ve ever made personal calls from this prepaid phone, identifying you becomes easier than taking candy from a child.

Instead, it’s better to use disposable phones. Some may consider using such phones a prerogative of terrorists, pimps, and drug dealers, but there are many situations where law-abiding citizens might find them useful.

However, buying a disposable phone while maintaining anonymity is quite challenging. Your actions in the real world can help establish your identity. Of course, you could walk into a hypermarket, pay for a disposable phone in cash, and top up the credit (again in cash) for a hundred minutes of talk time. Who would know? Well, quite a few people would.

  • How do I get to the hypermarket?
  • Take an Uber?
  • Take a taxi?

All this information could be relevant to an investigation.

I could drive my car, but again, law enforcement could trace me thanks to automatic license plate readers in public parking lots, which identify vehicles on the watchlist. Data from these readers could be relevant to the case.

Even if I walk to the hypermarket, my face will be captured by several surveillance cameras inside the store, and this video could also be relevant to the case.

Okay, let’s say you send someone else, a stranger to you, to buy the phone, maybe pay a homeless person right on the spot. They enter and purchase a phone and a few top-up cards for cash. This is the safest way. You can meet this person later many kilometers away from the store. This way, you can physically distance yourself from the point of purchase. In this situation, the weakest link is the person you’ve agreed with — how much can you trust them? If you pay them more than the cost of the phone, they will most likely fulfill their part of the agreement and hand you the phone.

Next, you need to:

  1. Activate the disposable phone by calling the mobile operator’s support service or through the website. If you don’t want your conversation recorded “for quality control purposes,” it’s better to activate the phone online.
  2. Change the MAC address.
  3. Connect to the Internet via NYM or Tor.
  4. All information you provide about yourself on the website should be fictional. Instead of your address, use the address of a large hotel that can be found on the Internet. Invent a date of birth and PIN code, and remember this information in case you need to contact customer support in the future.

Some email services don’t require any verification, and if you’re not concerned about authorities pursuing you, Skype phone numbers are perfect for registering a Google account and similar things.

Conclusion

Thus, you have:

  • Concealed your IP address using NYM or Tor.
  • Purchased a new disposable mobile phone, on which you received the confirmation code from Google or a voice call.
  • Created a new anonymous Gmail account, resulting in an almost untraceable Gmail account.

You can send sufficiently secure emails from this account, where the IP address is hidden thanks to NYM, and the content is unreadable for anyone except the recipient due to PGP encryption.

Note! If you want to maintain the anonymity of the new account, you must:

  • Access it only through NYM, making it impossible to link your real IP address to this email.
  • Avoid using internet search until you log out of this anonymous Gmail account; otherwise, you might accidentally enter a search query that somehow points to your real-life identity. Even searching for weather forecasts can reveal your location.

As you can see, achieving and maintaining invisibility requires extraordinary self-discipline and unwavering vigilance. But it’s a reasonable price for invisibility.

The most important takeaway from this article is as follows:

  • Be aware of all the ways an interested party might identify you, even if you’ve taken some precautionary measures.
  • Even with all these precautions, when using an anonymous account, always remain vigilant. Without exceptions.
  • Always use end-to-end encryption, ensuring that a message cannot be read until it is received by the intended recipient. End-to-end encryption is useful in various scenarios, including encrypting phone calls and instant messages.
