Research: Email Security and Privacy.

Updated 1st of May 2021.

Copyright: European Union Public License, version 1.2 (EUPL-1.2).

As the available technology out there has increased, the right that we have to our own privacy while using technology, sadly, has diminished.

Contents of this article.

  1. Introduction.
  2. Email Security.
  3. Reasons to Have a Secure Email Account.
  4. CLOUD Act.
  5. ProtonMail, Tutanota, and Encryption.
  6. Setting up a ProtonMail Account.
  7. Carnivore Software and Conventional Email.
  8. Prism Program.
  9. XKeyscore.
  10. TLS for Email.
  11. Sources.

1. Introduction.

Technology has become ever more available, yet our right to privacy while using it has diminished. Governments around the world have sought to control our relationship with technology regardless of whether that invades our privacy, which means the state can seize information it should never have been privy to. Because of this injustice, we must all protect ourselves from having our data taken without our consent by being careful about how we use technology, and that includes email security. As a business, we have to be diligent in protecting the employees, contractors, and businesses we work with by using an encrypted and secure email service such as ProtonMail or Tutanota.

2. Email Security.

Since its introduction, email has remained a primary means of communication. It lets us instantly send long messages and documents to our contacts, but we still need to take precautions to keep those emails and documents secure. Email security means protecting email from unauthorized access, compromise, and fraud. Just as the internet has streamlined communication, it has also streamlined criminals' ability to intercept that communication.

One of the easiest targets for cyber criminals is your email account. Email hacking is not new and has been around as long as email itself, but attackers' capabilities have grown more sophisticated, exposing users to risks they never saw coming.

Some of the biggest consequences of a security breach are:
• Credit card theft.
• Identity theft.
• Loss of customers.
• Loss of business.
• Breached confidential information.
• Financial devastation.

End-to-end encryption is the only way to keep message content confidential from everyone except its participants. In an end-to-end encrypted system, the message is encrypted on the sender's device and can only be decrypted on the recipient's device; nobody in between, including the email provider and anyone who seizes its servers, can read it. Two caveats matter in practice: end-to-end encryption protects the message body, not the routing metadata (sender, recipient, timestamps, and often the subject line) that servers need in order to deliver it, and it cannot help if either endpoint device is itself compromised.
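To make the end-to-end property concrete, here is an added example (not code from the original article or from any provider it mentions) that models a sending client, the provider's storage, and the receiving client. It assumes Alice and Bob already share a 32-byte secret exchanged out of band, the role played by public keys in real systems, and it builds its cipher from the Python standard library (an HMAC-SHA256 keystream with encrypt-then-MAC) purely to stay self-contained; real deployments use OpenPGP or AES-GCM from a vetted library. The provider_view function shows what the provider, or anyone who seizes its disks, can read, and flip_first_byte shows that tampering with stored ciphertext is detected rather than silently decrypted.

```python
"""Added example: a model of end-to-end encrypted mail versus the provider's view.

Assumption (not from the article): Alice and Bob already share a 32-byte
secret exchanged out of band; real systems use public keys for this.
The cipher is built from the standard library only to stay self-contained.
Do not reuse it; use OpenPGP or AES-GCM from a vetted library instead.
"""
import hashlib
import hmac
import secrets


def derive_keys(master: bytes) -> tuple:
    """Derive independent encryption and MAC subkeys from the shared secret."""
    enc_key = hmac.new(master, b"e2ee-example/enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"e2ee-example/mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenated HMAC(enc_key, nonce || counter) blocks."""
    out, counter = bytearray(), 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_body(master: bytes, plaintext: bytes) -> tuple:
    """Encrypt-then-MAC with a fresh random nonce; returns (nonce, ciphertext, tag)."""
    enc_key, mac_key = derive_keys(master)
    nonce = secrets.token_bytes(16)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce, ciphertext, tag


def decrypt_body(master: bytes, nonce: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject on any mismatch."""
    enc_key, mac_key = derive_keys(master)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or altered ciphertext")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def seal_message(master: bytes, sender: str, recipient: str, subject: str, body: str) -> dict:
    """What the sending client hands to the provider: metadata in clear, body sealed."""
    nonce, ciphertext, tag = encrypt_body(master, body.encode("utf-8"))
    return {"from": sender, "to": recipient, "subject": subject,
            "nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def provider_view(envelope: dict) -> dict:
    """Everything the provider (or whoever seizes its storage) can read.
    Routing metadata and, in this model, the subject are fully visible;
    the body is present only as ciphertext."""
    return {k: v for k, v in envelope.items()}


def open_message(master: bytes, envelope: dict) -> str:
    """The receiving client decrypts locally with the shared secret."""
    body = decrypt_body(master, bytes.fromhex(envelope["nonce"]),
                        bytes.fromhex(envelope["ciphertext"]),
                        bytes.fromhex(envelope["tag"]))
    return body.decode("utf-8")


def flip_first_byte(envelope: dict) -> dict:
    """Simulate a provider or on-path attacker altering the stored ciphertext."""
    ciphertext = bytearray.fromhex(envelope["ciphertext"])
    ciphertext[0] ^= 0x01
    return {**envelope, "ciphertext": ciphertext.hex()}


if __name__ == "__main__":
    shared = secrets.token_bytes(32)  # assumption: exchanged out of band
    env = seal_message(shared, "alice@example.com", "bob@example.com",
                       "Q3 forecast", "Revenue down 12%, do not forward.")
    print("provider sees:", provider_view(env))
    print("Bob reads:", open_message(shared, env))
    try:
        open_message(shared, flip_first_byte(env))
    except ValueError as err:
        print("tampering detected:", err)
```

Running the script shows the from, to, and subject fields readable in the provider's copy while the body appears only as hex ciphertext; that is the metadata caveat above expressed in code, and the reason a service that also encrypts subject lines leaks less.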

3. Reasons to Have a Secure Email Account.

There are several reasons that you should use a secure email account for your communication.

  1. Email is how businesses send documents and information among employees and other contacts. If sensitive information is compromised, the fate of the business can be put in jeopardy.
  2. Individuals who use unsecured email run a high risk of receiving malware designed to steal information from their computers or infect them.
  3. Emails are not truly deleted: every email service keeps copies on its servers (the "cloud"), and those copies and their backups can persist indefinitely. On an unsecured server that leaves your information readable by the provider, and by anyone who compels or breaches it, for years to come.
  4. All email users are vulnerable to online criminals, whether or not those criminals are state-sponsored.
  5. When your own account is compromised, it is not just you who is threatened but all of your contacts as well; an unsecured mailbox puts everyone in your address book at risk.
  6. Governments, including those of the U.S. and the E.U., look for data to use against users even when those users have not been accused of a crime, scanning personal data for anything usable against citizens without proper cause or justification, in violation of the privacy that email users should enjoy.

If you feel you have nothing to hide, you might wonder why privacy and email security matter to you at all. The truth is that however clean your information is, a government able to take confidential information of all kinds puts both individuals and businesses at risk. If it knows your private conversations, your company's breakthroughs, your financial situation, and even who you communicate with, all of that can be held indefinitely and used against you later, even if you have committed no crime. In our view that makes the governments the wrongdoers, not the email users.

We ask that our consultants use ProtonMail not just for our security as a company but for their own security as individuals. No one should have their private information illegally seized at the whim of a government. Using secure email means security for all users today and tomorrow.

4. CLOUD Act.

In 2018 the United States enacted the CLOUD Act (Clarifying Lawful Overseas Use of Data Act). It was presented as bringing government surveillance law up to date with advances in technology. What it actually does is allow U.S. law enforcement to compel any provider subject to U.S. jurisdiction to hand over data in its possession, custody, or control, no matter which country the servers are in. Despite the way it is often described, it is not limited to U.S. citizens: the test is whether the provider is reachable by U.S. law, not the nationality of the account holder. And since many countries share intelligence with one another, the opportunities for data seizure are greater than they appear.

The CLOUD Act had the support of large tech companies such as Google, Apple, and Microsoft, but not of human rights groups such as Amnesty International and the American Civil Liberties Union, which argue that it violates the Fourth Amendment's protection against unreasonable search and seizure: the U.S. government can obtain data stored on foreign soil without going through the mutual legal assistance process that the foreign country's courts would otherwise apply.

5. ProtonMail, Tutanota, and Encryption.

So how do we protect ourselves from the access governments have granted themselves to information they should not have? Encryption. A service that encrypts email end to end ensures that even a provider compelled to hand over its stored data can give up only ciphertext and metadata, which keeps both governments and state-sponsored criminals from reading content they have no right to.

When choosing between secure email platforms, make sure you are getting the strongest security available. ProtonMail and Tutanota are both well known for their security and share many features: open-source client software, end-to-end encryption between users of the service, and a no-logging policy for user data.

ProtonMail's servers are located in Switzerland, which has long been one of the most reliable jurisdictions for privacy. Server location alone is not security, but it does determine who can compel the provider: because ProtonMail is a Swiss company, U.S. or E.U. authorities cannot order it to hand over data under the CLOUD Act; they must go through Swiss legal assistance, and Swiss courts apply Swiss law. Even then, end-to-end encrypted content is only available to them as ciphertext.

Beyond hosting in a neutral jurisdiction, ProtonMail's privacy comes from doing the encryption in the browser or app: messages are encrypted with the user's keys before they leave the device, and the provider stores only ciphertext, so neither a party intercepting traffic between your computer and the server nor the provider itself can read the content. For standard IMAP clients such as Thunderbird or Outlook, ProtonMail offers a local "Bridge" application that decrypts on your own machine (it may not work while a VPN is on). Two limits are worth knowing: subject lines and recipient addresses are not end-to-end encrypted, and mail to a non-ProtonMail address is only end-to-end encrypted if you use a password-protected message or the recipient's PGP key; otherwise it is protected only by TLS in transit.

Tutanota is another encrypted mail service offering end-to-end encryption. As with ProtonMail, messages are encrypted on the device, so a third party that intercepts them cannot read them (interception itself cannot be prevented; what encryption prevents is reading). Unlike ProtonMail, Tutanota also encrypts subject lines. A Tutanota user can send a secure message to a non-user, who receives a link to a temporary Tutanota mailbox, so the reply is encrypted as well. Privacy is Tutanota's stated primary goal. Its servers are in Germany, which is not a Five Eyes member (those are the U.S., U.K., Canada, Australia, and New Zealand) but does belong to the wider "Fourteen Eyes" intelligence-sharing group. Even though reading properly encrypted data is next to impossible, the jurisdictional risk remains.

Neither Germany nor Switzerland is friendly to mass surveillance. Germany, as an E.U. member, is bound by E.U. law and by the intelligence-sharing arrangements mentioned above, so compelled access through those channels is conceivable. Switzerland, outside the E.U., does not carry that risk, though it has considerations of its own: a Swiss provider can still be compelled by Swiss courts, and Swiss law is what governs the data. Both countries have sophisticated IT infrastructure; on balance, the more limited government reach in Switzerland makes it the more desirable jurisdiction for encrypted email.

6. Setting up a ProtonMail Account.

Setting up a ProtonMail account should take only a few minutes. This is how to do it.

  1. Go to protonmail.com in your web browser. For the highest level of separation, register from a device and network that are not linked to you (for example a burner phone), so the account cannot be tied to your personal phone or computer. You will be offered a free or a paid account; since you are just starting out, select the free option.
  2. You are now on the Create Your Account page. The username you choose is your ProtonMail email address.
  3. Next, set your password. It is essential that it be strong; a password manager will generate one that is long, random, and hard to crack. Our post on password managers explains the advantages of such a tool in more detail.
  4. ProtonMail asks whether you want to add a recovery email in case you lose your password. For the highest security, do not link another address; keep your other personal accounts separate from your encrypted account. Be aware of the trade-off: with no recovery method, a forgotten password means losing access to the account, so make sure it is stored in your password manager.
  5. Once the username and password are accepted, ProtonMail verifies that you are a person. One option is to receive a text at your phone number; this is not a safe option, because it ties the account to a number registered to you. The better option is to solve the reCAPTCHA and give no further personal information.
  6. Your account now exists, and ProtonMail asks for a display name. This is the name recipients see as the sender and is separate from your email address. Choose it according to who you will be emailing, but ideally it should not be your full real name.

After you have finished, you are ready to send and receive encrypted messages, keeping your information private and out of criminal hands.

7. Carnivore Software and Conventional Email.

Carnivore was an FBI software system designed to monitor email and other electronic communications. It used a packet sniffer, or dedicated packet-capture hardware, to intercept and log traffic passing over a network segment. The captured data went through a filter intended to discard anything not to or from the person named in the wiretap order, although critics questioned whether the filtered-out data was really discarded rather than retained. Because conventional SMTP carries messages in plaintext, such a tap could read any email crossing the monitored link; what it cannot read is content protected by TLS in transit or by end-to-end encryption. Carnivore was later abandoned, but other systems in the same branch of mass surveillance remain. Controversy arose when several groups raised concerns about its implementation, its use, and the potential for abuse.

8. Prism Program.

PRISM (officially the Planning Tool for Resource Integration, Synchronization, and Management) is the code name of a program run by the United States National Security Agency. It collects stored internet communications from U.S. internet companies on the basis of demands made to those companies under Section 702 of the FISA Amendments Act of 2008. Google LLC, for example, has had to turn over data matching court-approved selectors; the government chooses the selectors, so it can tailor collection to whatever it is looking for.

9. XKeyscore.

XKeyscore is a complex system, and different authors interpret its capabilities differently. Edward Snowden and Glenn Greenwald described it as a system that enables nearly unlimited surveillance of anyone anywhere in the world; the NSA has responded that its use is limited and restricted. More precisely, XKeyscore is an NSA data-retrieval system consisting of user interfaces, back-end databases, servers, and software that selects certain types of data and metadata the NSA has already collected by other means. The NSA has also shared the system with a number of U.S. allies.

10. TLS for Email.

Transport Layer Security (TLS) provides authentication, confidentiality, and data integrity between two communicating applications. Email was designed as a plaintext protocol: without TLS, SMTP traffic from a mail client to a server, or from one server to another, can be read by anyone on the path. TLS addresses this by encrypting each hop in transit, so a message is protected between one mail server and the next, with the receiving server authenticated by its certificate. Two caveats apply. First, TLS is hop-by-hop, not end-to-end: each server decrypts the message and can read it, so TLS does not protect content from the providers themselves or on their disks. Second, server-to-server TLS is normally opportunistic (STARTTLS): if the receiving server does not advertise it, or an attacker on the path strips the advertisement, the sending server falls back to plaintext unless a policy such as MTA-STS or DANE forces it to refuse. At Ubinodes we expect the organizations we work with to enforce TLS for email as a baseline, and to use end-to-end encryption for content that must stay confidential.
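The following added example (not from the original article) ties the packet-sniffer model of section 7 to the TLS point made here. It replays two constructed SMTP session captures: one in plaintext and one where the client issues STARTTLS after the server advertises it. sniffer_view returns what a passive tap on the wire recovers from each, ehlo_extensions parses the server's EHLO reply, and client_decision shows the difference between opportunistic TLS, which silently falls back to plaintext when STARTTLS is missing (strip_starttls simulates an on-path attacker removing the advertisement), and an enforced policy that aborts instead. The hostnames, addresses, and message text are made up for the example.

```python
"""Added example: what a passive network tap recovers from SMTP with and without
STARTTLS, and why opportunistic TLS can be downgraded. The two session captures
are constructed for this example; hosts, addresses and message text are made up."""
import re

PLAINTEXT_SESSION = """\
S: 220 mx.example.net ESMTP Postfix
C: EHLO mail.example.com
S: 250-mx.example.net
S: 250-SIZE 10240000
S: 250 8BITMIME
C: MAIL FROM:<alice@example.com>
S: 250 2.1.0 Ok
C: RCPT TO:<bob@example.net>
S: 250 2.1.5 Ok
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: Subject: Q3 forecast
C:
C: Revenue down 12%, do not forward.
C: .
S: 250 2.0.0 Ok: queued as 4F2A1
"""

STARTTLS_SESSION = """\
S: 220 mx.example.net ESMTP Postfix
C: EHLO mail.example.com
S: 250-mx.example.net
S: 250-STARTTLS
S: 250 8BITMIME
C: STARTTLS
S: 220 2.0.0 Ready to start TLS
[TLS handshake follows; every later byte on the wire is ciphertext]
"""

TURN = re.compile(r"^([SC]):\s?(.*)$")

def _turns(transcript: str):
    """Yield (speaker, text) for each protocol line; ignore anything else."""
    for raw in transcript.splitlines():
        m = TURN.match(raw)
        if m:
            yield m.group(1), m.group(2)

def ehlo_extensions(transcript: str) -> set:
    """Keywords the server advertises in its multi-line EHLO reply."""
    reply, seen_ehlo = [], False
    for who, text in _turns(transcript):
        if who == "C" and text.upper().startswith("EHLO"):
            seen_ehlo, reply = True, []
        elif seen_ehlo and who == "S" and text[:3] == "250":
            reply.append(text[4:])
            if text[3:4] == " ":      # "250 " (space) marks the final reply line
                break
    # The first reply line is the server name; the rest are extension keywords.
    return {line.split()[0].upper() for line in reply[1:] if line.strip()}

def sniffer_view(transcript: str) -> dict:
    """What a Carnivore-style tap can read. Parsing stops once TLS starts."""
    view = {"starttls": False, "mail_from": None, "rcpt_to": [], "subject": None, "body": None}
    in_data, lines, awaiting_tls = False, [], False
    for who, text in _turns(transcript):
        if in_data:                           # message content, line by line
            if who == "C" and text == ".":
                in_data = False
                headers, _, body = "\n".join(lines).partition("\n\n")
                m = re.search(r"^Subject:\s*(.*)$", headers, re.M | re.I)
                view["subject"], view["body"] = (m.group(1) if m else None), body
            elif who == "C":
                lines.append(text)
        elif who == "C":
            cmd = text.upper()
            if cmd == "STARTTLS":
                awaiting_tls = True
            elif cmd.startswith("MAIL FROM:"):
                view["mail_from"] = text.split(":", 1)[1].strip("<> ")
            elif cmd.startswith("RCPT TO:"):
                view["rcpt_to"].append(text.split(":", 1)[1].strip("<> "))
            elif cmd == "DATA":
                in_data, lines = True, []
        elif awaiting_tls and text.startswith("220"):
            view["starttls"] = True           # handshake begins: the tap goes blind
            break
    return view

def client_decision(extensions: set, require_tls: bool) -> str:
    """Opportunistic TLS falls back to plaintext when STARTTLS is not offered;
    an enforced policy (MTA-STS or DANE in practice) aborts the delivery instead."""
    if "STARTTLS" in extensions:
        return "starttls"
    return "abort" if require_tls else "plaintext"

def strip_starttls(transcript: str) -> str:
    """Simulate an active on-path attacker removing the STARTTLS advertisement."""
    kept = [l for l in transcript.splitlines() if l.strip().upper() != "S: 250-STARTTLS"]
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    print("plaintext session, tap sees:", sniffer_view(PLAINTEXT_SESSION))
    print("STARTTLS session, tap sees:", sniffer_view(STARTTLS_SESSION))
    downgraded = ehlo_extensions(strip_starttls(STARTTLS_SESSION))
    print("after stripping, opportunistic:", client_decision(downgraded, False),
          "/ enforced:", client_decision(downgraded, True))
```

In the plaintext capture the tap recovers sender, recipient, subject, and body; in the STARTTLS capture it sees only the EHLO exchange, because MAIL FROM, RCPT TO, and the message are all sent after the handshake. The downgrade case is the one to remember: an opportunistic client shown a stripped EHLO reply sends everything in the clear and nobody notices, which is why enforcing TLS (rather than merely supporting it) is the setting that matters.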

11. Sources.
