If someone is offering you “secure email”, you’re probably getting a scam. After a number of people referenced their custom email providers claiming to offer “secure” email, I decided to investigate. What exactly were they offering? Turns out that most of these providers are giving a misleading set of security guarantees that, on the whole, could leave you a lot more insecure than you think. Here are four things that won’t make your email secure. Full disclosure: I work at Google, however, these thoughts are my own.
Ads don’t make your email insecure.
Let’s get this straight: an ad matching algorithm is not a human. If you’re concerned that a computer might be running algorithms on your email, keep in mind that scanning for viruses and spam actually increases your security. What matters is where information from your email goes. All* email companies can read your email if they wanted to. There may be other reasons why you would prefer to not have ads based on your email content, but focusing on ads is a distraction from real email security.
What should you focus on? Find a company that limits the number of people who can read your email, keeps audit logs so there’s evidence when they do, and has a strong corporate culture surrounding customer privacy – meaning that they look at their logs and severely reprimand people who abuse their access.
*All, except for messages sent using end-to-end encryption such as PGP.
Switzerland is not going to protect you.
Hosting your email in another country is most likely going to slow down, but not stop, a legitimate legal process from getting access to your account. Mutual Legal Assistance Treaties have been created between most countries to fix this exact loop hole. While we’re on the topic, you weren’t thinking of breaking international law were you? If you’re not conspiring with known terrorists, trafficking in nuclear material, or running a drug ring your own laws probably work in your favor. Citizenship is a great thing. For a more detailed analysis of international law, talk to a lawyer.
What should you be looking for? Companies that are incorporated in a countries with reasonable laws that are respected. Servers that are in places with reasonable legal and political stability. You’ll also want the servers to be in places that are nearby, with good internet connections, and electricity. It also helps if the laws actually matter in a particular country:
“Chinese society is now in the process of transition from too much emphasis on the rule of person … to establishing concept of the rule of law.” – Privacy International
STARTTLS is great, but your friends need it too.
You’ve been a good internet user. You have a long password, you make sure that your email website starts with https://. But there’s a dark secret to there internet: most email providers send your email without any protection! “Secure” email providers support something called STARTTLS, which protects your email between servers. But there’s a catch: your recipient’s email provider also needs to support it. Just because you’re sending from your “secure account” doesn’t mean that you’re safe. You have to check if your recipient is also using a secure provider!
Here’s what your email looks like most of the time because either you or your friend don’t have STARTTLS. Did I mention that the internet creeps have never been happier?
You - https - gmail.com — OUT IN THE OPEN — hotmail.com — https — Recipient.
(has STARTTLS) BAD GUYS WATCHING (no STARTTLS)
You want both sides to support STARTTLS so your email isn’t running around exposed on the internet.
You — https — gmail.com — STARTTLS — fastmail.fm — https — Recipient.
(has STARTTLS) (secure) (has STARTTLS)
OK, STARTTLS is important, but how do I know if I and my friends have it? Fortunately there’s a list of the most popular providers here. Notable things to run away from: me.com, mac.com, hotmail.com, yahoo.com, att.net, comcast.net, verizon.net. Does your email address end in one of those? Get a new account NOW, and remember to not send anything important to any of your friends with any of those addresses. I’m serious. Unsure about an address that isn’t on that list? Verify that it supports STARTTLS here. That’s hard. Isn’t there anything easier? You could create a Google document and share it with your friends instead of emailing it. This will require them to setup a Google account to view the document, thus forcing all your friends to inherit the benefits of Google’s security efforts.
Small is usually bad for security.
Security is hard. Even the best and the brightest don’t get it right all the time. The chances that a small company is going to get it right is even smaller. There are a million ways to install a virus on an email server. You need a team that’s smart enough to keep up with all of them, keep things patched up around the clock, and maybe even stay ahead of the game a bit. What to look for? Participation in respected security conferences, street cred from other security experts, and indications that security is part of the company’s core values. As a bonus, how are their lawyers at defending their customers from weird warrants?
… More data to come …