Email Privacy

Email in general is not a secure method of communicating.  Free email accounts are free to use because you are the product.  Your personal information, contacts, the contents of your messages, and the meta data associated with your communications are very valuable to companies who monetize that data.  All of the major free email providers fall into this category, like Google, Yahoo, Facebook, etc.  When signing up for these free services you agree to their Terms Of Service, which disclose that nothing you send and receive is private and may be collected, used, and also disclosed to third parties including law enforcement if necessary.  I am over simplifying a big topic here, but the bottom line is there really is no expectation of privacy when you use many of the these free email providers.

While investigating an attempted murder I wrote a search warrant which needed to be approved by a judge before it could be executed.  Because the crime occurred after hours (after the courts were closed), I telephoned the on-call Judge who requested that I fax her the completed search warrant for her review.  I followed the procedure and was told that I would receive a signed warrant within the hour, sent to my agency email address.  The warrant was returned to me shortly thereafter with the Judge’s signature.  The Judge used her personal Gmail account to correspond with me.  Details of that case which included statements from witnesses, evidence, and the probable cause for obtaining the warrant were now in the hands of a third party (Google).

As a Detective I investigated the sexual assault of a young girl.  The investigation included taking the victim to a forensic medical exam with a nurse and victim advocate who specialize in documenting evidence found on the body.  The procedure allows the nurse to collect DNA evidence and photograph injuries and also conduct a detailed interview of what occurred.  A report detailing the evidence collected during the exam including photographs are given to the investigating Detective to include in the case against the suspect.  When the victim and I left the hospital after the exam the nurse told me she would email the photos and reports to me within 24 hours.  The next day I received an email from the personal Gmail account of the nurse.  The email included the report and over 150 explicit photographs of the victim that were taken during the exam.  I expected the information would come in the form of a secure link to a password protected server or internal network associated with the hospital that did the exam.  This unfortunately was not the case.  The details of this crime, the child victim’s personal information, and extremely sensitive and private photographs would now reside on Google’s servers forever.  I can only imagine how many other victims may be at risk of their information being seen if that personal email account was ever hacked or compromised.

In all fairness, Google is a very secure email provider.  They do security well; however there is no privacy because the contents of your messages are monetized by the company and you have no control over it.   For more information about the data that Google collects on you and why, go HERE.   To read more about the value of a hacked email account, go HERE.

An comprehensive post that discusses many of the top email providers and their specific threat models can be found at Justin Carroll’s blog.  Here is the direct link: https://blog.yourultimatesecurity.guide/2016/05/email-threat-modeling

Encrypted Email
You can go to great lengths to secure and encrypt your email and much has been written around the web on these topics.

Below is a can’t miss series of posts on secure email communication.
Part 1 | Part 2 | Part 3 | Part 4 | Part 5 | Part 6

ProtonMail
This is an excellent choice for an encrypted email service that is based outside of the U.S.  ProtonMail is free, however their paid Premium subscription offers users even more storage and the advantage of using multiple accounts for compartmentalization.  A review of ProtonMail Premium (https://blog.yourultimatesecurity.guide/2016/08/protonmail-premium-review/)

If you are hiding from the government, leaking NSA secrets, selling illegal drugs, or engaged in money laundering and racketeering schemes, Swiss law will not protect you.  But if you have a moderate threat model and need an email provider that places a high value on both security and the privacy of its users, ProtonMail may be right for you.  I have used it since it’s creation in 2014 and I agree with the positive reviews of respected privacy advocates around the world who recommend it as a solution to many of the problems that mainstream email providers have.

Leave a Reply

Your email address will not be published. Required fields are marked *