Q. What are my options to protect my e-mail from snooping?
A. This question is a two-parter. If you want to protect your e-mail while it’s making its way across the Internet, you may not have to do anything. But if you want to secure it even while it’s on your mail service’s computers, you and your correspondents need to get to work.
In the bad old days, e-mail messages traveled from server to server as the equivalent of postcards, readable by anybody who could capture them flitting by. That’s changed dramatically in the past few years, thanks to widespread adoption of “Transport Layer Security” (TLS) encryption.
The beauty of this is that you don’t have to do anything; your e-mail service just has to enable this feature on its servers.
At the Google I/O conference in May, security product manager Stephan Somogyi said that after Gmail began showing that heads-up, TLS adoption jumped by 20%. (The easiest way to see if your own mail service supports TLS: start an e-mail to yourself from anybody’s Gmail account and see if that red open padlock appears next to your address.) Today, 86% of messages sent from Gmail are protected by TLS.
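Another way to check, for a message you have already received, is to read its "Received" headers, where each server records how the previous one handed the message over. The script below is an added example, not something from Gmail or any mail provider; the sample message, host names and IDs are constructed, and it assumes the servers use the standard RFC 3848 keywords (such as ESMTPS) to mark a TLS-protected hop.

```python
import re
from email import message_from_string

# Constructed sample message: hosts, IDs and addresses are made up for illustration.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [203.0.113.5])
\tby inbound.example.org with ESMTPS id abc123
\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
\tThu, 06 Oct 2016 10:00:02 -0400
Received: from relay.example.com (relay.example.com [198.51.100.7])
\tby mx.example.net with ESMTP id def456;
\tThu, 06 Oct 2016 10:00:01 -0400
Received: from laptop.local ([192.0.2.10])
\tby relay.example.com with ESMTPSA id ghi789;
\tThu, 06 Oct 2016 10:00:00 -0400
From: alice@example.com
To: bob@example.org
Subject: test

hello
"""

# RFC 3848 "with" keywords that mean the hop was protected by STARTTLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

def hop_report(raw_message):
    """Return one (from_host, by_host, protocol, used_tls) tuple per hop, oldest first."""
    msg = message_from_string(raw_message)
    hops = []
    for header in msg.get_all("Received", []):
        text = " ".join(header.split())      # unfold continuation lines
        clause = text.split(";")[0]          # drop the trailing timestamp
        sender = re.search(r"\bfrom\s+(\S+)", clause)
        receiver = re.search(r"\bby\s+(\S+)", clause)
        proto = re.search(r"\bwith\s+(\S+)", clause)
        name = proto.group(1).upper() if proto else "UNKNOWN"
        hops.append((sender.group(1) if sender else "?",
                     receiver.group(1) if receiver else "?",
                     name, name in TLS_PROTOCOLS))
    return hops[::-1]   # servers prepend headers, so reverse for chronological order

def cleartext_hops(raw_message):
    """Hops whose receiving server did not record a TLS-protected handoff."""
    return [hop for hop in hop_report(raw_message) if not hop[3]]

if __name__ == "__main__":
    for hop in hop_report(SAMPLE):
        print("%s -> %s  %s  %s" % (hop[0], hop[1], hop[2], "TLS" if hop[3] else "NO TLS"))
```

Headers added before the message reached your own provider can be forged, so trust only the hops recorded by servers you rely on. A clean report also says nothing about how the message is stored once it arrives.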
Install a ‘crypto’ app
Full-time encryption, however, takes more work because both parties must use the right “crypto” app. That’s now in the news after the revelation that Yahoo scanned incoming emails on behalf of a U.S. intelligence agency to find a digital signature associated with a terror organization. The Yahoo incident would be the first case of a U.S.-based Internet company searching all incoming messages.
(Disclosure: As you can see from the links in this story, I also write for Yahoo’s Yahoo Finance news site. I have nothing to do with the company’s e-mail service.)
Beyond government surveillance, you might also want to encrypt your e-mail to stop it from being scanned automatically for advertising purposes or to guard against malware exposing your messages, on your computer or when stored on a mail provider’s servers.
I’ve had an app on my two Macs to encrypt e-mail from start to finish for the past two years. That sentence is in the past tense, because after installing Apple’s new macOS Sierra, I learned that this GPGMail plug-in doesn’t work in that operating system.
In an e-mail, lead developer Lukas Pitschl said that Apple made major changes to the internal workings of its Mail app that required an extensive rewrite. A Sierra-compatible beta release should ship “in the coming weeks.”
Even when GPGMail worked, nearly all of my e-mail came in unencrypted. My correspondents would have had to install this program, go through its setup process to create public and private encryption keys, download my own public key, and then have this plug-in use that key to encrypt a message that can only be decrypted with the private key I store on my own computer.
GPGMail, and the GPG Suite that includes it, are Mac-only, so on Windows I’d have to install a different app, such as GPG4win. (GPG is a reversal of “PGP,” the initials of the open-source Pretty Good Privacy program that helped make end-to-end mail encryption feasible early on.)
Yahoo and Google have been working on a browser plug-in to simplify end-to-end encryption, but that’s yet to yield a 1.0 release.
If you’re not attached to e-mail, Facebook’s Messenger app now offers much easier end-to-end encryption. But that imposes other limits: While I can install GPGMail on multiple Macs, Messenger encryption only works on one mobile device you designate at a time—and not at all when you use Facebook in a browser.