A Course on Security & Privacy Week Seven: Emails!

Mae Beth Dawes
Dec 29, 2016


Considering the fact that insecure emails can cost you an election (well, if you’re a woman and not a white supremacist), it’s probably a good idea for people who aren’t Nazi punks and their diet-racist ilk to secure their emails from scumbags, both government and not. Here’s how to do that.

STEP ONE: Have A Sensible Email Ecosystem (Multiple Accounts)

It may be inconvenient at times, but it’s a really good idea.

First, you should absolutely have an email account where all your commercial newsletters and other spam-ish crap goes. (Sidebar: if you want to learn which e-commerce sites sell your email, follow this tip.) For sites that demand an address but don’t deserve an account, you can also use a disposable inbox from https://www.sharklasers.com/ (one of the Guerrilla Mail domains): the address works long enough to receive the confirmation mail, and there is nothing of yours stored behind it to be stolen or sold. One caveat: those throwaway inboxes have no password, so anyone who types in the same address can read whatever lands there. Never use one for anything you’d mind a stranger seeing, and never for an account you actually want to keep.

Then there’s your work email, which you keep for work only, especially if you’re in a job where your mail could be pulled by a FOIA request or a lawsuit. Keep it professional and follow your IT department’s rules (and aim higher than the minimum they ask for). I won’t cover this one much, because I’m not in control of how your employer runs its email.

Then there are your personal emails for your various life aspects. If you have a pseud, you’ll have a pseud account. You have your “main” account, which is probably for talking to friends and may or may not hold compromising information. That main account is also probably the one you talk to your activist friends on, and the stuff you talk to your activist friends about is what you want encrypted. You may have more accounts, but that covers the big ones. Your job is to consider each of those accounts, what its purpose is, and how exposed it is. Yahoo is insecure AF: in 2016 it admitted that attackers had stolen account data for hundreds of millions of users, and then for more than a billion, in breaches going back to 2013 and 2014. If you use two-factor and practice good email hygiene, Gmail is fine for day-to-day life, but remember that Google stores your mail in a form it can read and will hand it over in response to valid legal demands (warrants, subpoenas and national security letters; it publishes the counts in its transparency report). Your university and employer will also have policies on when they read or hand over mail, as will most other free email providers. Go forth and find out what those are by googling “[type of email account] wiretapping NSA” or “[type of email account] privacy policy” and read up.

STEP TWO: Clean Up Your Inbox

This is the email part of getting your information back under your own control. It also cuts your exposure: every list and service that holds your address is one more database that can be breached or sold, and one more way a phisher finds you.

Get unroll.me, especially if you sign up for every newsletter known to humanity. And if you want to kill some of those accounts outright, try JustDeleteMe to make your inbox more manageable, or to clear out your main inbox and move everything to the commercial/spam one. One caveat that applies to any inbox-cleaning service: to sort your mail it needs read access to your whole mailbox. Point it at the commercial/spam account, not the one you talk to your activist friends on.

STEP THREE: Add Two-Factor Authentication to Email You Care About

This is jumping ahead a bit in my sequence (I want people to add multi-factor authentication to all their accounts in one fell swoop), but it’s important. The Podesta email dump that confirmed everyone’s opinions of politicians started with a phish: John Podesta got a fake Google security alert, clicked through to a fake password-reset page and typed his Gmail password into it. With two-factor turned on, that password alone would not have been enough to log in. Mind the fine print, though: a code sent by text message can be phished the same way if the attacker relays it in real time, while a hardware security key only answers to the real google.com, so it stops this attack cold. Add two-factor (Google calls it 2-Step Verification) to your Google Account immediately.

STEP FOUR: Have a Secure Email Account for Resisting

This shouldn’t be surprising: you need this for the same reason you should have WhatsApp and Signal. Keeping your secure ops separate from your everyday chatter makes it less likely you’ll slip and discuss plans over a Yahoo account.

As usual when you’re talking about something techy and semi-mainstream, you have a bunch of options and no clear winner. One thing is true of all of them: PGP encrypts the body of the message and its attachments, not the subject line or who is writing to whom, and Protonmail works the same way. Tutanota does encrypt subjects, but it still has to know whose mailbox to deliver to. Keep subject lines boring. So here are your options.

Easiest solution, but it needs buy-in: get your activist friend circle onto a secure webmail service like Protonmail or Tutanota. Mail between two accounts on the same service is encrypted end to end automatically. For someone outside the service, both offer a password-protected message: you set a password, the recipient gets a link, and you share the password over Signal or in person, never in the same email or the one after it. If you want to test your secure email account with an end-to-end encrypted message, just send me a note at callmemaed@tutanota.com and we’ll practice.

Medium solution: have a Gmail you use for activist stuff, but encrypt messages with Mailvelope, a browser extension that does OpenPGP inside the webmail page. Here’s how. One tip: save your key passphrase in LastPass or another password manager, because you want a long one that’s hard to break, and if you lose it, everything encrypted to that key is gone for good. Your private key lives in the browser profile, so this protects the message content from Google, not from a laptop that has already been compromised.

Medium to hard solution: keep your existing webmail address, but read and send it through Thunderbird (over IMAP and SMTP) with the Enigmail add-on, which drives GnuPG to encrypt and decrypt for you, as explained in this guide. It’s the same OpenPGP as Mailvelope, just in a desktop client, so a key made in one can be exported and imported into the other.

Hardest, most secure solution (if done correctly): you (and your friends, if possible) run your own email domain, use Thunderbird to send mail on that domain, and use Enigmail/PGP to encrypt and decrypt it. Be honest about the work: the encryption is the easy part. Keeping a mail server patched, TLS on its connections, SPF and DKIM set up so your mail isn’t dropped, and the mailbox backed up is an ongoing job, and a neglected server is worse than Gmail with two-factor.

STEP FIVE: Start Sharing Your Public PGP Keys and Collecting Your Friends’ Keys

If none of your friends or fellow activists use PGP, it’s basically useless, which is why I think most people should start with a Protonmail or Tutanota account, which does a lot of that work for you. (Like I said, I’m callmemaed@tutanota.com.) The more people who use PGP and share their keys with each other, the more likely you can send someone an encrypted message or have a source or new person share information with you securely. If you look at my tagline, I include my PGP “fingerprint”, which you can use to look me up on a public keyserver and, from there, send me an encrypted message on Gmail. The fingerprint, not the name or address on the key, is what you check: anyone can upload a key with my name and email on it to a keyserver, so before you encrypt to a key, compare its full fingerprint, character by character, against one you got from me somewhere else (my bio, a business card, a Signal message).
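Here is what that fingerprint actually is, as an added example that is not part of the original post. An OpenPGP v4 fingerprint is the SHA-1 of the public key packet (RFC 4880, section 12.2), the “key ID” people often quote is just its last 16 hex digits, and a comparison routine should insist on all 40. The RSA modulus and creation time below are made-up constants so the script runs offline; they are not a real key.

```python
"""Compute and compare OpenPGP v4 fingerprints (RFC 4880, section 12.2).

Added example, not from the original post. DEMO_N is a small made-up
modulus and DEMO_CREATED an arbitrary timestamp; neither is a usable key.
"""
import hashlib
import re

DEMO_N = 0xB8A2E5C1D00F7E3A0CBD9F6142A5B7E89D1C2F3E4A5B6C7D8E9F0A1B2C3D4E5F
DEMO_E = 65537
DEMO_CREATED = 1482969600


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then the bytes."""
    length = value.bit_length()
    return length.to_bytes(2, "big") + value.to_bytes((length + 7) // 8, "big")


def v4_rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version-4 Public-Key packet for an RSA key (algorithm id 1)."""
    return bytes([4]) + created.to_bytes(4, "big") + bytes([1]) + mpi(n) + mpi(e)


def public_key_packet(body: bytes) -> bytes:
    """Frame the body with an old-format tag-6 header and 2-octet length.

    That header byte is 0x99, which is why the fingerprint spec says
    "0x99, then the two-octet length, then the packet body".
    """
    if len(body) > 0xFFFF:
        raise ValueError("body too long for a 2-octet length")
    return b"\x99" + len(body).to_bytes(2, "big") + body


def parse_public_key_packet(raw: bytes) -> bytes:
    """Return the body of a 0x99-framed Public-Key packet, checking the framing."""
    if len(raw) < 3 or raw[0] != 0x99:
        raise ValueError("not an old-format Public-Key packet with 2-octet length")
    length = int.from_bytes(raw[1:3], "big")
    if len(raw) != 3 + length:
        raise ValueError("packet length does not match header")
    return raw[3:]


def fingerprint(body: bytes) -> str:
    """V4 fingerprint: SHA-1 over the framed packet, as 40 upper-case hex digits."""
    return hashlib.sha1(public_key_packet(body)).hexdigest().upper()


def key_id(fpr: str) -> str:
    """The 64-bit key ID is only the low-order 16 hex digits of the fingerprint."""
    return fpr[-16:]


def pretty(fpr: str) -> str:
    """Group a fingerprint in fours, the way gpg (and the tagline above) prints it."""
    return " ".join(fpr[i:i + 4] for i in range(0, len(fpr), 4))


def fingerprints_match(seen: str, expected: str) -> bool:
    """Compare a fingerprint read off a fetched key with one obtained out of band.

    Spacing and case are ignored, but both sides must be complete 40-digit v4
    fingerprints: a key ID, a prefix or a shorter string never counts as a match.
    """
    a = re.sub(r"\s+", "", seen).upper()
    b = re.sub(r"\s+", "", expected).upper()
    if not (re.fullmatch(r"[0-9A-F]{40}", a) and re.fullmatch(r"[0-9A-F]{40}", b)):
        return False
    return a == b


def demo() -> tuple:
    """Fingerprint the demo key and a second, different key."""
    body = v4_rsa_public_key_body(DEMO_CREATED, DEMO_N, DEMO_E)
    fpr = fingerprint(body)
    # The name and email on a key live in a separate User ID packet that is
    # not hashed here, so the same key uploaded under any name keeps this
    # fingerprint, while a different key under the same name gets another one.
    other = fingerprint(v4_rsa_public_key_body(DEMO_CREATED, DEMO_N + 2, DEMO_E))
    return fpr, other


if __name__ == "__main__":
    fpr, other = demo()
    print("fingerprint:", pretty(fpr))
    print("key ID     :", key_id(fpr))
    print("other key  :", pretty(other))
    print("full match :", fingerprints_match(pretty(fpr).lower(), fpr))
    print("key ID only:", fingerprints_match(key_id(fpr), fpr))
```

Run it and compare the output of `gpg --fingerprint` for one of your own keys: same 40 digits, same grouping. Note that the check refuses anything shorter than 40 hex digits, including a bare key ID; as printed, the fingerprint in the bio at the bottom of this post has 32, so ask for the full one before trusting a key you fetched for it.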

Homework

  1. Create your email “ecosystem”: what email addresses do you need? Do you have them? If not, create them.
  2. Create a secure email account with Protonmail or Tutanota
  3. Install Mailvelope in your browser and choose ONE account to use it with.
  4. (optional) Get one person’s PGP key and send a message to them using Mailvelope. OR if you and a friend are both on a secure email platform, send them a message and use the passphrase feature, having decided on the shared phrase over Signal or WhatsApp.


Mae Beth Dawes

Security nerd for civil society. Out here teaching moms to change their search engines and use encryption. PGP Key: 1573 3590 8D25 4344 44DF E6D6 CED3 716D