Will Email Ever Be Secure?

According to the privacy community, this isn't the end of encrypted email. It's a call to action.

Yesterday, Lavabit, the nearly decade-old encrypted email service — recently made famous for its use by Edward Snowden — announced to users that it was shutting down. The abrupt statement from Lavabit's owner strongly alluded to a secret legal battle with the government over private user data, which sent shockwaves through the privacy community, ultimately triggering the shut down of Silent Circle, another popular encrypted email service. For privacy advocates, the shutdowns are the latest discomforting reminder of the looming shadow of government surveillance, which has left some to question if the era of private and secure email has all but come to an end.

But according to sources in the space, that's far from the case. While Lavabit and Silent Circle may have shuttered email services, many avenues still remain. One well-known encryption service, Hushmail, confirmed to BuzzFeed, "We have no plans to discontinue the Hushmail service."

Like many in the privacy community, Pete Ashdown, the founder of the independent ISP XMission, sees this as a call to action. "I look at government attempts to control or monitor the internet as a challenge," he told BuzzFeed. "It keeps my gears turning in directions to stop them."

The American Civil Liberties Union's Christopher Soghoian agrees. "I think we will see a lot of innovation," he said. "Computer scientists like tough problems and if you can solve them, you could capture a significant portion of a growing market. I am confident that the security community will rise to the challenge and we will see an easy to use and robust tool in six months to two years that the average person will use."

According to the Electronic Frontier Foundations's Trevor Timm, the National Security Agency scandal has only spurred people to try to innovate. "We've seen in the past couple months an untold number of businesses sprout up that are offering their service based only on privacy," Timm said. "Silent Circle has seen a 400% month-to-month jump in July and I'm sure it's the same for many other businesses."

For now though, the primary concern seems to be whether email, in its current form, can actually be made secure.

"It's definitely a larger problem," Timm said. "Things like PGP [pretty good privacy] encryption are very hard to use and it takes a lot of patience to set it up yourself. If you mess up you could end up exposing yourself. Even when we're talking about PGP and encrypted email there is still the metadata that's available to law enforcement since that usually doesn't get encrypted."

"Email as it is standardized, is intrinsically insecure," Silent Circle cofounder and Chief Technology Officer Jon Callas told BuzzFeed. "IP address geo-location has turned from a fantasy to a fine art. So, in every email you have a timestamp and an IP address that places the author in the exact space and time they were when they hit send."

Callas notes that encrypting phone calls and even text messages are far more secure options to combat surveilance. "The difficulty of handling data increases the more it becomes stored," he said.

Yet despite the hurdles, privacy advocates and engineers remain optimistic. "Don't interpret this as it is no longer possible to offer secure communications," Soghoian said. "Companies that want to enter that space need to realize that it is more tricky than they thought originally and they need to design their product with the government as a threat in mind."

And for companies like Ashdown's XMission, that's exactly the plan. "Too many people depend on us," Ashdown said. "In fact, right now we're working on an encrypted email product as a response."

Skip to footer