Email is one of the most prevalent forms of communication. Yet, it remains one of the most misunderstood and insecure. The popular conception that email communications resemble a secure version of snail mail has no basis.
In fact, it is a complete myth.
Email communications best resemble a postcard in which anyone can read it whilst in transit, since an email has no envelope (i.e., encryption) to prevent unauthorized interception.
Because email is such an integral part of modern life, it is important to bear in mind certain principles in order to utilize email securely and privately.
- Never send sensitive information in an unencrypted email.
- With few exceptions, never use a full name as an email name.
- Never use Gmail, Yahoo, Hotmail, or any establishment email services.
- Avoid pseudo-private email services such as Hushmail, Safe-mail, et al.
- Never open an email attachment from an unknown sender.
- Exercise caution when opening or reading an email from an unknown sender.
- With few exceptions, avoid accessing email accounts via public computers.
- Avoid reading emails in HTML format.
- Avoid (as much as possible) webmail.
HOW TO SELECT THE BEST EMAIL SERVICES
Quality email services are generally user specific. Choosing an email service often depends on the location, purpose, and paranoia of a person. In almost all instances, however, it is recommended to give preference to an email service outside of one's local jurisdiction. Because offshore email services are outside the jurisdiction of local governments, they can usually ignore complaints by local governments. More importantly, in most circumstances, local governments cannot seize offshore email servers.
Nevertheless, offshore status alone is no guarantee of email privacy or security. Indeed, some offshore locations are essentially vassal states of certain Western powers dating as far back as the colonial period. Therefore, when considering an offshore email service, it is important to ascertain the status of a government's independence and the facts pertaining to its privacy and data retention laws. In addition to a government's privacy and data retention laws, it is important to ascertain whether an email service is a member of any reputable privacy organizations. In particular, if it is certified to meet or exceed certain privacy standards. Offshore email services with data retention and weak privacy standards should be avoided.
Commercial email services offered by Google and Yahoo, for example, should be avoided, as they are intrusive, insecure, and have poor privacy standards, and they share users' data with government agencies, in addition to the data they retain and sell to third parties. But more than this, however, employees at some email services (e.g., Google) have been known to read through users' emails; and commercial email services have data retention that keep permanent records of users' email accounts and retain a record of their IP addresses with every login.
Consumers must be perspicacious of many pseudo private email services claiming to be private and secure, when in fact, they are neither. Beware of certain email providers' names that might raise suspicion. Hushmail, for example, seemingly promises great privacy and security. It comes with High-grade Encryption; it sounds impressive; and it hides clients' IP addresses on select services. But a closer examination reveals a few significant red flags. Hushmail is an inappropriate email appellation because it raises suspicion; it has data retention; and, more importantly, Hushmail has been known to divulge data to the Canadian and US Governments.
Safe-Mail is yet another email service that seemingly offers great privacy and security; however, the company behind it, the location of the servers, and the political ramifications of using Safe-Mail, are all reasons to avoid it. Safe-Mail is an Israeli company, with Israeli servers, and with reportedly strong ties to the Israeli intelligence agency, the Mossad, which has close ties to the CIA and the US Government.
Special attention should be given to email services operated by privacy activists – but with cautious reservation. Some organizations are excessively partisan, disseminate misguided politics, and are extremely intolerant of opposing opinions. The organization known as RiSEUP, for instance, is a radical US-based socialist Marxist organization that requires full compliance of its political platform by potential applicants to be considered for membership. According to RiSEUP, "If you disagree with this [its social contract], then riseup.net is not for you."
Although RiSEUP markets its email services to political activists, it should not be used by government whistleblowers. Government whistleblowers require the highest standards of email privacy and security. Due to the sensitive nature of their work and the potential consequences of exposure, government whistleblowers should avoid politically-laced organizations as, they are the most likely to be infiltrated by government agents or targeted by government agencies.
Subscription-based email services are more private and secure than most free services and offer consumers a better platform, with more features, and enhanced customer support. Although there are a few free exceptional services available that offer superior privacy and security, this is more of an exception than the rule.
Subscription-based email services have a vested interest in protecting the privacy, data, and communications of their clients. In addition to utilizing more advanced protocols and a more secure server infrastructure, subscription services are more innovative, often times coalescing the best open source applications, including the OpenPGP standard, to better facilitate more secure email communications.
Although considerable preference should be given to email clients, webmail services may be acceptable if they utilize High-grade Encryption, since login data, such as passwords and usernames, may be sniffed without encryption. High-grade Encryption is available in many forms, including AES, Camellia, Blowfish, Twofish, Serpent, and usually in the size of 128- or 256-bit.
End-to-end encryption of email, however, is only possible through OpenPGP and other similar encryption standards. Do not mistake a webmail's High-grade Encryption to mean sending and receiving emails are encrypted. It only means a login to the mail server is encrypted.
James Black is the author of The Privacy Book. For more information, please visit www.sovereignpress.org