On Monday, the U.S. House of Representatives passed the Email Privacy Act, sending it on to the Senate. Sponsored by Kansas Republican Rep. Kevin Yoder, the legislation has been introduced in three consecutive sessions of Congress. Last year, it made it out of the House and into the Senate. This time, it passed the lower chamber with a voice vote.
The bill updates U.S. law to say that data users store using third-party providers, including email stored on servers and files held on cloud storage services, are protected by the Fourth Amendment against warrantless searches by law enforcement.
“Many Americans take great precaution to store their emails, on services like Dropbox or in the cloud, yet our federal law perversely treats that data storage as if it’s abandoned by its owner, and therefore loses constitutional protection,” Yoder said before the House, in advance of the vote. “In addition to updating our constitutional rights, these privacy protections create business certainty. They ensure consumers will remain happy to continue using cloud storage services.”
While it’s nice to see a member of Congress who appreciates the American tradition of privacy, internet users don’t need to wait. A number of email and cloud services providers already offer services that secure users’ email against search not by policy, but by encrypting the data at rest so that only the customer can read it. In other words, the emails and other files can only be read after decryption with the users’ key. So it doesn’t matter if the service provider gives the police (or anyone else) access because they won’t be able to read anything.
Protonmail. This service requires two different passwords to get in. The first one opens the site up, but the second one decrypts all the user’s data. Emails to and from Protonmail users will be automatically encrypted in transit. Emails to and from other services won’t be encrypted in transit, but they will sit encrypted on Protonmail’s servers, so if law enforcement managed to get access to the Switzerland-based company’s servers somehow, it wouldn’t do any good. If a user really needs to send a secure message to a correspondent who isn’t using Protonmail, it also has a cloud-based way of doing so. The service recently launched a hidden service on Tor, so that users who don’t even want a record in their browser of using the service can hide it (this also helps people living under repressive regimes). The service’s free level will work fine for most users. Premium services cost 4€ per month (priced in Euros).
Some privacy hardcores don’t like Protonmail because it holds the key on its servers, sending it to users so they can use it to decrypt in the browser. It’s a fair critique, but it still takes users much further down the road of security than Gmail.
Lavabit. Made famous as the email provider of choice for NSA leaker Edward Snowden, Lavabit will soon return with three levels of service, ranging from user-friendly encryption to there-are-black-helicopters-everywhere mode, as The Intercept reported. Ladar Levison, its creator, has created a new method of encryption that obscures a message’s metadata as well as its content. We hope to follow up soon to explain this a bit more. Lavabit is not yet available for use, but customers can pre-order service at a steep discount now.
Tutanota. This service is based in Germany. European email providers are governed by stronger privacy laws. Much like the prior two services, Tutanota stores messages encrypted at rest, even if they were sent in plain text. Its software is open source, which allows security researchers to check it for holes and bugs. Its basic service comes free and premium runs 1€ per month. On the service’s blog, it says that almost 40 percent of its users’ messages are end-to-end encrypted these days.
The Observer has also been in touch with the founders of two other services, at either the cutting edge of security or snake oil, that claim to be able to provide a next level of protection, securing your data even when it gets outside of your control. Ajay Arora, founder of Vera, called this “ambient authentication,” the ability to secure data not just with a password, but against being viewed at the wrong time or in the wrong place. Vera appears to be aimed more at enterprise customers, but Sendr makes similar claims for its new hardware, SendrBlock, which is currently oversubscribed on its Kickstarter campaign.
Vera just launched a private beta for an email service, which gives users control over whether recipients can forward, print or copy messages.
We’re looking forward to reviewing these services in more detail. In the meantime, though, both promise encryption at rest. It’s nice to see entrepreneurs pushing the innovation envelope.
Email users should consider using a paid email service rather than a free one. As a free and open standard that allows users to communicate with anyone without permission, email is heavily abused by spammers. “At Protonmail, we are constantly investing heavily towards combating this sort of abuse, and we have entire teams dedicated to anti-abuse,” Andy Yen, the Protonmail CEO, told the Observer in an email following the announced shuttering of another encrypted email service, Ghostmail. “It is not an easy job and requires extensive time and resources.”
By paying for their email service, consumers help support companies that make spam difficult.
Anyone who pokes around enough online is sure to find posts from security aficionados arguing against any one of these services. While many of these techies will make good points, the only way to keep one’s thoughts completely secret is by never sharing them.
Any measure a user takes to encrypt their personal data will protect them more than relying on old-fashioned email.
UPDATE: After publication, Vera announced a private beta for its email product, which has now been noted in the post. February 9, 2017 10:52 AM.