How To Secure Your Email From Hackers, Feds, And Exes

It doesn’t take a lot of work to secure your email, but it does take a lot of foresight. How often have you written an embarrassing email? How many of the emails in your mailbox right now could be used against you by hackers, police, or even an ex-girlfriend or ex-boyfriend? Previously we have published an article about how emails work and it is recommended that you understand this process.

The best way to secure your email is to encrypt it. Encryption protects your email against eavesdropping, government subpoenas, hackers, and evil exes. But encryption comes at a cost—to secure your email the right way requires coordination with the people you email.

Do You Need To Secure Your Email?

The Simple Mail Transfer Protocol (SMTP) over which all email travels is modeled on the typical national postal system—but with a catch. In national postal systems, your mail gets picked up at your home or office, sorted at your local post office or a regional center, transported to the post office nearest its destination, and then delivered. Email follows the same four steps—but all of the computers it travels over are privately owned.

That means nothing protects your email from simple eavesdropping. If your Internet Service Provider (ISP) or your recipient’s ISP or your ISP’s ISP want to read your email—they can. In fact, AT&T recently got in trouble for sharing all of the emails that traveled over their network with the U.S. National Security Agency (NSA). But it isn’t just big, scary national agencies who can read your email: Google and many other companies routinely use the email that passes through their servers for “data mining.”

Even if you don’t worry about faceless government and corporate agencies reading your email, you should worry about more personal attacks. According to an article published in the USA Today newspaper (14 Feb 2008), almost 90% of matrimonial lawyers in the U.S. say they’ve seen an increase in the number of divorce cases using email and other electronic evidence to reveal everything from adultery to hidden assets. A Google.com survey cited in the same article reveals up to 27 percent of Americans have snooped on someone else’s email.

How To Use Encryption To Secure Your Email

When you go to a secure website, it’s encryption that makes it safe for you to send your credit card number across the Internet. The credit card number is transmitted over the same privately-owned Internet as your emails, but the encryption prevents anyone besides the intended recipient—the merchant’s website—from reading your credit card number. You’ll use the same basic method to secure your email.

Originally developed in 1991 by cryptographer Philip Zimmermann, the Pretty Good Privacy (PGP) encryption and decryption program made it possible to easily secure email. Although named “pretty good,” the encryption used by PGP and PGP-like applications today is almost unbreakable by current computers. (Never listen to anyone who tells you their encryption is unbreakable: with a sufficient amount of computing power, all encryption can be circumvented. The good news is that it would take several million computer years to break into even the simplest PGP-encrypted email.)

PGP was originally distributed for free, but over time it became an expensive tool mostly used by corporations. A replacement was developed by the GNU project—the same people who developed most of the tools that power Linux. It’s called GNU Privacy Guard (GPG or GnuPG) and it powers all of the programs described in the rest of this article.

Use Mozilla Thunderbird To Secure Your Email

By far the easiest way to secure your email is by downloading Mozilla Thunderbird, the most popular free third-party email client for Microsoft Windows. After you install Thunderbird, you can download the free Enigmail plugin from enigmail.mozdev.org. You also need to download a copy of the Windows version of GPG from gnupg.org. (Thunderbird, Enigmail, and GPG also support Linux and Mac OS X.)

Secure Your Email

After you have everything installed, start Thunderbird. If you’re new to Thunderbird, you need to set up your email account. Enter your account information into the setup wizard—it should only take about two minutes. Then you can click on the OpenPGP menu bar in Thunderbird and go to the Key Management screen. There you’ll want to click the Generate button to create a new key pair.

Each key pair includes a public key and a private key. Their names describe what you should do with them: give the public key to anyone who wants to send you secure email; keep the private key safe. To make it easy for other people to send you encrypted email, Enigmail can publish your public key on a public keyserver: click on your key in the key manager, click the Keyserver toolbar, and click Upload Public Keys.

You can test your email encryption by sending an email to Adele, “the Friendly PGP Email Robot.” Here’s how you send her an email: start composing a new plain-text email and add a subject and short bit of text to the body. Address the email to Adele at adele-en@gnupp.de and then click on the OpenPGP button near the top of the window. Choose the option to Encrypt the message and send the email. If you’ve uploaded your public key to a keyserver, Adele will download your public key and send you an encrypted automated reply.
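The eavesdropping risk described earlier and the effect of the encryption step above can be checked on a raw message: this added example (not part of the original article) lists each server a message passed through from its Received headers, notes whether that link used TLS, and reports whether the body is PGP-encrypted. The hostnames, addresses and message text are constructed samples, and the ciphertext is a placeholder.

```python
import re
from email import message_from_string

# Constructed sample (not real traffic): one note, sent plain and as inline PGP.
HEADERS = (
    "Received: from mail.sender-isp.example by mx.transit.example with ESMTP;"
    " Mon, 1 Jan 2024 10:00:02 +0000\n"
    "Received: from laptop.home.example by mail.sender-isp.example with ESMTPS;"
    " Mon, 1 Jan 2024 10:00:01 +0000\n"
    "From: alice@example.org\nTo: bob@example.net\nSubject: Lunch on Friday\n"
    "Content-Type: text/plain\n\n"
)
PLAIN = HEADERS + "Meet me at noon, usual place.\n"
ENCRYPTED = (HEADERS + "-----BEGIN PGP MESSAGE-----\n\n"
             "(placeholder, not real ciphertext)\n-----END PGP MESSAGE-----\n")
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}  # RFC 3848 keywords

def relay_hops(msg):
    """(receiving host, protocol, link used TLS) per Received header, oldest first."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = re.search(r"\bby\s+(\S+).*?\bwith\s+(\w+)", value, re.S)
        if m:
            hops.append((m.group(1), m.group(2), m.group(2).upper() in TLS_PROTOCOLS))
    return hops

def is_pgp_encrypted(msg):
    """True for PGP/MIME (multipart/encrypted) or an inline ASCII-armored body."""
    if (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted"):
        return True
    return any(b"-----BEGIN PGP MESSAGE-----" in (part.get_payload(decode=True) or b"")
               for part in msg.walk() if part.get_content_maintype() == "text")

def relay_view(raw):
    """What every server that stores or forwards the message can read."""
    msg = message_from_string(raw)
    return {
        "hops": relay_hops(msg),
        "headers": {name: msg[name] for name in ("From", "To", "Subject")},
        "body_readable": not is_pgp_encrypted(msg),
    }

if __name__ == "__main__":
    for label, raw in (("plain", PLAIN), ("encrypted", ENCRYPTED)):
        print(label, relay_view(raw))
```

TLS on a hop protects only that link, so each listed server still handles the plain message in full; with PGP the body is hidden from them, but From, To and Subject remain readable, so keep sensitive details out of the subject line.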

How To Secure Your Email In GMail

Both encryption and GMail are wildly popular among geeks and it seemed for a while that Google would bring GPG and GMail together. Google Labs even released a GMail add-on that let it verify OpenPGP-signed messages. But Google never followed through on its GPG support—possibly because they wouldn’t be able to sell context-sensitive ads to people who received encrypted email.

For several years, an open source developer did what Google would not: he maintained a Firefox plugin that let people use GPG within GMail. But Google kept changing how GMail worked and he eventually withdrew GMail support from his plugin, FireGPG.

You can still secure your email if you use GMail, but you need to use a third-party tool like Enigmail for Thunderbird. Thunderbird makes this really easy: follow the instructions above to install Thunderbird, Enigmail, and GPG, then tell Thunderbird that you use Google GMail when you create your new account and it’ll take care of all of the details.

Email archive backup is also a great way to remove your emails from your inbox and store them in a safe place.

Comments

  1. says

    I think the only thing about my exes that I have to worry about is that they break into my email and read the mails. So the encryption won’t work for that.

    It’s a bit too much work to get people I email with to use Thunderbird and to use the key. But if I ever need to use email to send very classified information then I will definitely use this encryption stuff secret agent style :)