Most of us use e-mail every day and we take it for granted – but how safe is it really?
E-mail is like a traditional message – if it’s opened, it can be read. The text is unencrypted, and so insecure if compromised. E-mail used to be sent between two servers in plain text, though today the connection is commonly encrypted using a standard called Secure Sockets Layer (SSL). This makes it unlikely that data will be intercepted in transit (for instance on a public WiFi network).
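Whether a given message actually crossed each server-to-server link over an encrypted connection can be read from its Received headers. The following is an added example, not part of the original article: it parses a constructed sample message (all hosts and addresses are made up) and reports, per hop, whether the receiving server recorded an encrypted transfer using the "with" keywords registered by RFC 3848.

```python
import re
from email import message_from_string

# Constructed sample message; hosts, IDs and addresses are made up.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.5])
\tby imap.recipient.example with ESMTPS id abc123
\tfor <bob@recipient.example>; Mon, 01 Jan 2024 10:00:03 +0000
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx.recipient.example with ESMTP id def456;
\tMon, 01 Jan 2024 10:00:02 +0000
Received: from laptop.local (unknown [192.0.2.10])
\tby relay.isp.example with ESMTPSA id ghi789;
\tMon, 01 Jan 2024 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: hello

Plain-text body, readable by every server above.
"""

# RFC 3848 "with" keywords: the S variants mean the hop ran over an
# encrypted connection; a trailing A only adds "sender authenticated".
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
WITH_RE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)

def hop_report(raw):
    """Return [(receiving_host, protocol, used_tls)] in delivery order."""
    msg = message_from_string(raw)
    hops = []
    # Each server prepends its header, so reverse to get sender -> recipient.
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(header.split())  # unfold continuation lines
        by = BY_RE.search(text)
        proto = WITH_RE.search(text)
        name = proto.group(1).upper() if proto else "UNKNOWN"
        hops.append((by.group(1) if by else "?", name, name in TLS_PROTOCOLS))
    return hops

def fully_encrypted_in_transit(raw):
    """True only if at least one hop exists and every hop recorded TLS."""
    hops = hop_report(raw)
    return bool(hops) and all(tls for _, _, tls in hops)

if __name__ == "__main__":
    for host, proto, tls in hop_report(SAMPLE):
        print(f"{host:28} {proto:8} {'TLS' if tls else 'NO TLS'}")
```

Received headers added before the message reached a server you trust can be forged, so treat only the hops recorded by your own provider as reliable. Even when every hop shows an encrypted transfer, each server along the way still handled the message body in readable form.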
End-to-End encryption is the ultimate solution and one that is giving national security agencies a difficult time. An analogy for this system: with conventional post, the writer owns all of the infrastructure between themselves and the recipient: the post boxes; the delivery service… so there are no third-party links (or vulnerabilities) in the communication chain. Full control of the communication process lies with the two ends. In another example, if you wanted to end-to-end a ‘mail using Google, you would need to own the company.
The Pretty Good Privacy (PGP) encryption system was designed in 1992 by cryptologist Phil Zimmermann. It has been described by analysts as being the closest encryption to military standards. It is available as an open-source application (OpenPGP), though it is a little taxing to employ, as it requires specific clients and the settings at the two ends must be configured precisely. Another cost to the user is the processing power needed for encryption and decryption.
Different companies have tried to find solutions for e-mail security; ProtonMail has its own servers and uses the web browser for decryption. Such a solution of course places security in the hands of a third party, creating a potential weak link if that company were to be compromised. Private companies are perhaps a little reluctant to explore this market, as breaches could lead to civil action and litigation. There are a number of encrypted products and services available which are aimed at high-end corporate customers.
The Future of E-mail Security
Google already reads e-mails – though this is an automated meta-crawl, a search to ensure their services are not being used to deliver unpaid-for advertising. The intelligence services perform meta-crawls for security reasons, stating that if a user has nothing to hide, then there is nothing to worry about. They are becoming increasingly frustrated at the private and corporate use of various encryption methods.
SSL is the best the average user has in terms of security unless one of the above options is applied. Users should check their settings to ensure this is enabled. Unless the user really has something to hide from Google or governments, the meta-crawlers are not such a big deal; it’s highly unlikely that an individual will compromise your privacy by reading ‘mail. The hackers are a different matter, though it is probably more important to keep accounts safe by hardening passwords to prevent access and setting up 2-Step verification if available.