Why you should be using encrypted email

A simple problem with an even simpler solution.

Mayer Mizrachi
Criptext
Dec 7, 2018

Email was created more than 45 years ago as a way to easily send messages from one computer to another. Fast forward to today and email has become quite possibly the most ubiquitous method of communication on the internet. Every online service we use depends on users having an email address: Amazon, Netflix, Spotify, Expedia, Twitter, you name it; they all require an email address to sign up and use. In this sense, email has undoubtedly become your online identity. Furthermore, work revolves around email. The first thing you get when you’re admitted into university or enter a new job is an email address. Though messaging has very much penetrated the workspace in recent years, it has not and never will displace email, for better or worse. Despite its popularity, email hasn’t changed much since its inception in 1972. Sure, apps such as Gmail and Mail on Mac have made it easier to use, but in reality, it’s still the very basic, straightforward and unsecured medium it was back in the ’70s. What has changed, however, is the way we use email and the type of content that we communicate within it.

These days we receive reservation confirmations, receipts from online purchases, private messages from coworkers and relatives, and all sorts of other private information over email, a medium that is basically unsecured and easily legible by any third party. This matters because, unlike Facebook, where you post something knowing that the whole world can see it, the one-to-one nature of email leads users to share highly sensitive information in a seemingly private way when, in reality, it’s anything but private. Case in point: see the image below and note a typical unassuming email containing a person’s credit card information.

This may seem like a stupid mistake, but you’d be surprised at how commonly these types of emails get sent on a daily basis (I’m looking at you, mom). The only factor the sender takes into consideration in these cases is that they trust the person on the receiving end. The problem here is that the medium is the one not to trust. To bring this point home, it’s best to see what an email actually looks like to a computer (see below).

What you’re looking at is an email in its purest technical form. It’s basically a script, no different than a Word file, that gets bounced from server to server all around the world until the email reaches its intended recipient. If you can read it, then so can the servers. This is the simplest way to demonstrate the security flaws in today’s most widely used medium.
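To make the point concrete, here is an added example (not part of the original article) that reads a raw message the way any server on the path can: it lists the relay hops from the `Received` headers and flags Luhn-valid card numbers sitting in the plaintext body. The message, host names and helper names are constructed for illustration, and the card number is the standard test value.

```python
import email
import re
from email import policy

# Constructed sample message: hosts, ids and the test card number
# 4111 1111 1111 1111 are illustrative, not taken from the article.
RAW = (
    b"Received: from mx.example.net (mx.example.net [203.0.113.7])\r\n"
    b"\tby inbox.example.org with ESMTP id abc123; Fri, 7 Dec 2018 10:02:11 +0000\r\n"
    b"Received: from mail.example.com (mail.example.com [198.51.100.4])\r\n"
    b"\tby mx.example.net with ESMTPS id def456; Fri, 7 Dec 2018 10:02:09 +0000\r\n"
    b"From: Mom <mom@example.com>\r\n"
    b"Subject: card for the tickets\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"Use my card: 4111 1111 1111 1111 exp 01/22\r\n"
)

HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)\s+with\s+(\S+)", re.S)
CARD = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_ok(digits):  # Luhn checksum used by payment card numbers
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def relay_hops(msg):
    """(from, by, protocol) per relay, oldest first; each relay prepends its header."""
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        m = HOP.search(str(header))
        if m:
            hops.append(m.groups())
    return hops

def card_numbers(text):
    """Luhn-valid card-like digit runs readable in the plaintext body."""
    found = [re.sub(r"\D", "", m.group()) for m in CARD.finditer(text)]
    return [n for n in found if luhn_ok(n)]

def relay_view(raw):
    """What any server on the path can read from an unencrypted message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",)).get_content()
    return {"subject": str(msg["Subject"]), "hops": relay_hops(msg), "cards": card_numbers(body)}

if __name__ == "__main__": print(relay_view(RAW))
```

The `ESMTPS` token on the first hop only means that one connection used TLS; the relay that wrote the header still handled the message in plaintext, which is why the card number is recoverable at every hop.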

The security problem

One can easily make the comparison between email and SMS: both technologies are old and have been adopted for the private and immediate exchange of information. However, unlike email, messaging has evolved from SMS into platforms such as WhatsApp, Signal and Telegram, which carry the encryption that enables users to safely exchange private information. Encryption is the process by which data is obfuscated by the sender and can only be revealed by its intended recipient. This process prevents middlemen and third parties from snooping into your conversations. The problem with encryption, however, is that it still hasn’t been standardized in email. There are multiple types of encryption, and email service providers have never agreed on using the same one. The most popular encrypted email services use an encryption scheme called PGP, which is now questionable in light of new and better encryption protocols that have arisen in recent years, including the Signal encryption. If the name Signal rings a bell, it’s probably because it’s the most widely used encryption protocol in the messaging industry since its integration by WhatsApp, Skype and Signal Messenger. It’s worth pointing out that this is the one encryption protocol that’s been publicly endorsed by famous whistleblower and privacy advocate Edward Snowden.

The data location problem

Now, there’s a second vector that we have to mention in the whole email security conversation, and that’s “who owns the data”. Regardless of whether your emails are encrypted or not, it’s likely that you don’t actually own them. Instead, they are owned by the company that hosts the email service. An easy example of this is Gmail: all your emails are stored on its servers, which is why you can easily log in to your inbox from any computer around the world. This is not just limited to generic email services, but applies to encrypted ones too. The terms of service of these email services all state that they own the data and reserve the right to do with it as they please without necessarily telling you about it. Trust me, I learned this the hard way when I learned that the government of Panama had been collecting my emails without my consent to use the information in a legal battle against me (we’ll leave that fun story for another time 😉). To overcome these obstacles you can opt for hosting your own emails on a home server like the recently launched Helm device.

The privacy problem

One of the most convincing arguments to move to a secure email service is that of privacy. You need not have something to hide to want to protect your privacy. The fact is that privacy is quickly becoming a luxury on today’s internet. Consider that the biggest email service provider in the world, Google, is an advertising company. Why would a company that generates 84% of its revenues from advertising give away an email service for free? The truth is Google amasses extraordinary amounts of data from the conversations you have over Gmail in order to “optimize” its ad targeting services. Although Google claims that it no longer reads users’ emails, it still allows third-party applications that work on Gmail to read users’ entire inbox. Don’t get me wrong, Gmail has done an amazing job at making email easy to use, but its merits are diminished by its parent company, Google, which is not exactly privacy-driven.

In conclusion

We’ve clearly identified the main privacy, security and ownership issues with email, but how do we go about solving them? What’s an ideal substitute for Gmail? Unfortunately, existing encrypted email services don’t solve all three problems. Most of them depend on jurisdictions to provide peace of mind, but ultimately they own both your data and your encryption keys. This is why we decided earlier this year to launch our own solution: Criptext. If there were any other solution similar to it, you would be reading about it here in this blog post, but unfortunately there isn’t. Every other secure email service out there uses archaic encryption and collects your emails on their servers. Instead, Criptext is basically built like WhatsApp, but for email:
1. It doesn’t store your emails on its servers; instead, they’re only stored on your device.
2. It uses the Signal encryption protocol, which assures you that not even the company can read your emails.
3. Encryption keys are generated and stored on your device, which means only you and the recipient can access the content of your emails.
4. All the code is open source, which means all claims are verified by the online community.

Now, for some, transitioning to a new email service may seem like a hassle, but it’s a hassle worth going through. We’re now living in a world where security breaches are happening with higher frequency and greater magnitude. Just this week Quora suffered a breach in which the account data of 100 million of its users was stolen. This is aside from the fact that ad-based businesses like Yahoo Mail are known for reading your emails and sharing your information with advertisers. Events involving Cambridge Analytica this year have made people all over the world more privacy conscious. Today, encryption and privacy should no longer be considered features, but rather standards. When it comes to email, Criptext is truly setting the standard for email privacy in the industry.

Mayer Mizrachi
Criptext

CEO & Founder @Criptext. Magna Cum Hack — Picota 2016.