We’re entering an era where user privacy is becoming a precious commodity. The massive breach of 500 million Yahoo user accounts, followed by the leak of the company’s previous cooperation with intelligence agencies, offers a stark reminder that you can trust no one with your data.
We use email to exchange sensitive data such as credit card numbers and other confidential information. Oftentimes we ignore the fact that those emails are being stored on third-party servers and that there are many ways they can fall into the wrong hands. And we all know what happens after that.
With data breaches rising in size and number year over year, the chances that you become one of the many victims of the next massive hack are gradually increasing. So if you’re not worried about the security of your emails as they rest in the cloud or on some clandestine server, then you should be.
If you are, and you’re thinking about taking matters into your own hands, here are a few measures you can take to protect yourself against intruders and hackers.
Sign up with a secure mail service
While most email services encrypt emails in transit and in storage, they don’t do it in an irreversible way. What this means is that they still possess the keys to decrypt and access the emails, should the need arise. That’s the case with the most popular email providers, such as Yahoo, Gmail and Microsoft. Moreover, services like Google tend to scan your emails to deliver better-targeted ads.
The only real solution for ensuring the contents of your mailbox won’t be deciphered by people other than yourself is to use end-to-end encryption, the technology that is at the center of much controversy and debate between the tech industry and government agencies.
End-to-end encryption stores keys on endpoint devices instead of servers, making it theoretically impossible for service providers to access user content. The technology is already being used in messaging apps such as WhatsApp and iMessage.
Email providers such as ProtonMail use end-to-end encryption to protect their users. ProtonMail encrypts messages in the browser before sending them to the server. The keys are stored on the server so that users can reach them when they log in from their browsers. But to make sure the keys are not accessible to the server, they’re encrypted with a separate password that is known only to the user and isn’t stored anywhere. That’s why when you register for a ProtonMail account, you’re prompted for two passwords: one for your account and one for your keys.
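The key-storage idea described above, as an added sketch that is not ProtonMail's own code or key format: the private key is encrypted in the client with a key derived from the second password, so the record the server holds is useless without it. The function names, the use of scrypt and AES-256-GCM, and the passwords are assumptions made for illustration.

```javascript
// Added illustration; scrypt + AES-256-GCM are assumed choices, not ProtonMail's format.
const crypto = require("node:crypto");

// Client side: derive a key from the mailbox password and encrypt the private key.
function wrapPrivateKey(privateKeyPem, mailboxPassword) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const kek = crypto.scryptSync(mailboxPassword, salt, 32);
  const cipher = crypto.createCipheriv("aes-256-gcm", kek, iv);
  const ct = Buffer.concat([cipher.update(privateKeyPem, "utf8"), cipher.final()]);
  // This record is everything the server stores; the password is never part of it.
  return { salt, iv, tag: cipher.getAuthTag(), ct };
}

// Client side after login: fetch the record and try to unlock it locally.
function unwrapPrivateKey(record, mailboxPassword) {
  const kek = crypto.scryptSync(mailboxPassword, record.salt, 32);
  const decipher = crypto.createDecipheriv("aes-256-gcm", kek, record.iv);
  decipher.setAuthTag(record.tag);
  try {
    return Buffer.concat([decipher.update(record.ct), decipher.final()]).toString("utf8");
  } catch {
    return null; // wrong password or modified record: the GCM tag check fails
  }
}

function demoKeyStorage() {
  const { privateKey } = crypto.generateKeyPairSync("rsa", {
    modulusLength: 2048,
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem" },
  });
  // Both passwords below are constructed sample values.
  const stored = wrapPrivateKey(privateKey, "constructed mailbox password");
  return {
    serverSeesPem: stored.ct.includes("PRIVATE KEY"),
    rightPassword: unwrapPrivateKey(stored, "constructed mailbox password") === privateKey,
    wrongPassword: unwrapPrivateKey(stored, "constructed login password"),
  };
}
```

Knowing the account password alone, as in the last call, does not unlock the stored key.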
Some believe that ProtonMail’s encryption can protect you against NSA-level intrusion. However, that will likely depend on the people you send your emails to. As long as you’re only exchanging emails with ProtonMail accounts, you’re good to go. But if you send emails to users of other services that do not provide end-to-end encryption, your messages will still be vulnerable, because a breach of those accounts will reveal at least some of your emails.
Set up PGP protection for your emails
If your current email account is too valuable and you can’t switch to a secure mail service, or if you want to make sure that your emails are safe as they move across other platforms, you can use a PGP tool to add a layer of security to your emails.
In a nutshell, PGP creates a public/private key pair for each account. As the names imply, the public key is published for everyone to access and the private key is safeguarded by the account holder.
Anyone who wants to contact a particular user uses their public key to encrypt the message before sending it. The recipient of the email uses the private key to decrypt the message. As PGP relies on asymmetric cryptography, data encrypted with the public key can only be decrypted with the private key, which means that no one other than the private key holder can read the message.
Mailvelope is a decent PGP tool that is installed as an extension on your browser and adds encryption, decryption, and signing capabilities to your webmail applications.
One of the advantages of PGP tools is that they can integrate with any mail service. This means you get to keep your current account and can ensure protection across different accounts and providers. However, the use of PGP can be somewhat awkward for less savvy users. Also, take note that PGP tools usually encrypt the email body and not the header, which means metadata such as who you’re connecting to, the timing of your exchange, and the email subject will not be encrypted.
And making sure the private key remains private is your own duty.
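The public/private key flow and the unencrypted-header caveat from this section, as an added example that is not Mailvelope's code and does not produce the OpenPGP message format: a random per-message key encrypts the body, and the recipient's public key encrypts that key. RSA-OAEP and AES-256-GCM stand in for the PGP algorithms, and the addresses, names and message are constructed.

```javascript
// Added illustration of the PGP model using Node's crypto module (not OpenPGP's wire format).
const crypto = require("node:crypto");
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Sender: needs only the recipient's PUBLIC key.
function encryptMail(mail, recipientPublicKey) {
  const sessionKey = crypto.randomBytes(32); // fresh for every message
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", sessionKey, iv);
  const body = Buffer.concat([cipher.update(mail.body, "utf8"), cipher.final()]);
  const wrappedKey = crypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, sessionKey);
  // Headers are copied unchanged: mail servers need them to deliver the message.
  return { from: mail.from, to: mail.to, subject: mail.subject,
           wrappedKey, iv, tag: cipher.getAuthTag(), body };
}

// Recipient: only the matching PRIVATE key can recover the session key.
function decryptMail(msg, privateKey) {
  const sessionKey = crypto.privateDecrypt({ key: privateKey, ...OAEP }, msg.wrappedKey);
  const decipher = crypto.createDecipheriv("aes-256-gcm", sessionKey, msg.iv);
  decipher.setAuthTag(msg.tag);
  return Buffer.concat([decipher.update(msg.body), decipher.final()]).toString("utf8");
}

function demoPgpModel() {
  const newPair = () => crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const recipient = newPair();
  const outsider = newPair(); // anyone who holds a copy of the stored message
  const mail = { from: "bob@example.org", to: "alice@example.org",
                 subject: "Payment details", body: "constructed confidential body" };
  const stored = encryptMail(mail, recipient.publicKey);
  let outsiderResult;
  try { outsiderResult = decryptMail(stored, outsider.privateKey); }
  catch { outsiderResult = "decryption failed"; }
  return {
    recipientReads: decryptMail(stored, recipient.privateKey),
    outsiderResult,
    subjectOnServer: stored.subject,                      // still readable metadata
    bodyReadableOnServer: stored.body.includes("confidential"),
  };
}
```

The subject line in the stored message stays readable, so it should never carry the sensitive part.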
Use crypto apps
An alternative to the aforementioned tools is to use new crypto apps such as Cyphor. A privacy application developed by two Canadian students, Cyphor is a general-purpose encryption tool that seamlessly adds encryption capabilities to a wide range of online services, including Gmail, Slack, Facebook and others.
Cyphor enables users to set up secure channels by creating encryption keys and encrypting user input before sending it over the internet. With encryption and decryption taking place in the browser, the service provider won’t be able to gain access to your emails and chat logs.