In the months since Edward Snowden blew the whistle on PRISM—the NSA’s clandestine mass electronic surveillance data mining program—few buzzwords have been thrown around more often than encrypted e-mail.
Since free e-mail services like Gmail and Yahoo are no longer options for anyone dead-set on keeping their correspondence private, encrypted e-mail services are all the rage. Once used by a small subset of privacy-conscious Internet users, encrypted e-mail is booming in popularity even as established services go down and new ones pop up almost daily.
In August, encrypted e-mail services started falling like dominoes. On Aug. 4, Tor Mail went dark after a suspected joint NSA and FBI malware attack took down its hosting provider, Freedom Hosting. Admittedly, Freedom Hosting had it coming: it was letting pedophiles trade child pornography on its servers.
The biggest blow to encrypted e-mail thus far was the abrupt shutdown of Lavabit, which had used asymmetric encryption to protect stored mail for its 350,000 users since 2004. Infamous for its use by Snowden, the service suspended operations on Aug. 8. In an open letter on Lavabit’s homepage, founder Ladar Levison said he would rather shut down than “become complicit in crimes against the American people.” Bound by legal restrictions, Levison strongly hinted that he was fighting a secret government demand for confidential user information.
Next to fall—or rather to commit what Cryptocloud users have dubbed Privacy Seppuku—was Silent Circle, which shuttered its Silent Mail service on Aug. 9 after seeing “the writing on the wall” in the wake of Lavabit. A blog post by CTO Jon Callas explained the preemptive closure as a way to avoid government subpoenas, admitting “e-mail as we know it with SMTP, POP3, and IMAP cannot be secure.”
While Tor Mail, Lavabit and Silent Mail have all bitten the dust, many other well-regarded encrypted e-mail services are still alive and kicking. Services like GuerillaMail, Canada-based Hushmail, Sweden-based CounterMail and Switzerland-based Neomailbox are all up and running with no plans to stop anytime soon.
Despite government pressure and the inherent weakness of e-mail protocols that Callas described, new players are also entering the game. Kim Dotcom’s Mega made waves this week, announcing that it is at work on a “cutting-edge” encrypted e-mail service to run on servers outside the United States.
Mega’s CEO Vikram Kumar said, “There is probably no one in the world who takes the Mega approach of making true crypto work for the masses,” but added “it will take months or more to crack” as they develop a service with easy-to-use e-mail functionality that doesn’t undermine its end-to-end encryption core security proposition.
For now, Mega’s announcement is all talk. It’ll be months before their service is up and running.
On the other hand, German companies Deutsche Telekom and United Internet—who between them provide about two-thirds of the e-mail addresses in Germany—have already put new protections into practice: automatic SSL/TLS encryption of mail in transit, and data storage exclusively on German servers. Germany has been up in arms ever since Der Spiegel reported on mass NSA Internet spying in Germany and Europe.
In a statement, Deutsche Telekom CEO René Obermann said, “Germans are deeply unsettled by the latest reports on the potential interception of communication data. Our initiative is designed to counteract this concern and make e-mail communication throughout Germany more secure in general.”
The problem is that SSL/TLS protects a message only while it travels over one hop: between a user’s client and the provider, or between two servers. Every server along the way, the provider above all, still handles and stores the message in plaintext, can read it, and can be compelled to hand it over; an attacker who controls any one of those machines, or who can strip the optional STARTTLS upgrade from a server-to-server hop, never has to break the encryption at all. Not to mention that the scheme only works between the participating German providers, so any international e-mail is fair game.
The strongest protection is still widely held to be the old PGP (Pretty Good Privacy), which encrypts the message body end to end so that no server on the path can read it. But it is awkward to use, and many opt instead for these supposedly secure encrypted e-mail services. Even PGP has a limit that Silent Circle founders Phil Zimmermann—who created PGP in 1991—and Callas, who later led its development, have pointed out: all e-mails leak metadata, because the headers that route a message (sender, recipient, subject line, timestamps) must stay readable to every server that handles it.
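As an added example, not code from the original article or from any of the providers named in it, the following Python script models what the receiving provider, or anyone who can read a plaintext hop, sees in two constructed messages: one encrypted end to end with PGP (the armored blob is a placeholder, not real OpenPGP output) and one protected only by transport encryption on the way in. All host names, addresses and timestamps are made up. It illustrates both points above: transport encryption leaves the whole message readable at rest, and even PGP leaves the envelope and routing headers in the clear.

```python
import email

# Constructed sample, not real mail: a PGP-encrypted message as stored on the
# recipient's provider. The body is ASCII-armored ciphertext (placeholder
# text, not real OpenPGP output); every header is plaintext.
CIPHERTEXT_MAIL = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby imap.provider.example (Postfix) with ESMTPS id 4F1C2
\tfor <bob@provider.example>; Mon, 12 Aug 2013 10:02:17 +0000
Received: from alice-laptop (unknown [192.0.2.44])
\tby mx.example.net (Postfix) with ESMTPSA id 9B0E1;
\tMon, 12 Aug 2013 10:02:15 +0000
From: Alice <alice@example.net>
To: Bob <bob@provider.example>
Subject: Draft contract, please review tonight
Date: Mon, 12 Aug 2013 10:02:14 +0000
Message-ID: <20130812100214.1234@example.net>
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP MESSAGE-----

hQEMA0placeholderCiphertextForIllustrationOnly0123456789ABCDEF=
=abcd
-----END PGP MESSAGE-----
"""

# Constructed sample: the same note sent over a TLS-protected hop but with no
# end-to-end encryption. Once it lands on the provider, the body is plaintext.
TLS_ONLY_MAIL = """\
Received: from alice-laptop (unknown [192.0.2.44])
\tby mx.example.net (Postfix) with ESMTPSA id 9B0E2;
\tMon, 12 Aug 2013 10:05:01 +0000
From: Alice <alice@example.net>
To: Bob <bob@provider.example>
Subject: Draft contract, please review tonight
Date: Mon, 12 Aug 2013 10:05:00 +0000
Content-Type: text/plain; charset=us-ascii

Bob, the contract draft follows in the next mail. Call me tonight.
"""

ENVELOPE_HEADERS = ("From", "To", "Cc", "Subject", "Date", "Message-ID")
PGP_ARMOR = "-----BEGIN PGP MESSAGE-----"


def _hop(received: str) -> str:
    """Reduce one Received: header to 'sending host -> receiving host'."""
    words = received.split()
    src = words[words.index("from") + 1] if "from" in words else "?"
    dst = words[words.index("by") + 1] if "by" in words else "?"
    return f"{src} -> {dst}"


def provider_view(raw: str) -> dict:
    """Everything a provider, relay or on-path observer of a plaintext hop can
    read without any key: envelope headers, the routing path and, unless the
    body is end-to-end encrypted, the body itself."""
    msg = email.message_from_string(raw)
    view = {h: msg[h] for h in ENVELOPE_HEADERS if msg[h] is not None}
    # Each relay prepends its own Received: header, so the list reads newest
    # hop first; together the headers reconstruct the route the mail took.
    view["path"] = [_hop(r) for r in msg.get_all("Received", [])]
    body = msg.get_payload()
    if isinstance(body, str) and body.lstrip().startswith(PGP_ARMOR):
        view["body"] = None  # ciphertext: unreadable without the recipient's key
    else:
        view["body"] = body  # transport encryption ended at this hop
    return view


def leaked_without_key(raw: str) -> list:
    """Names of the fields readable on this message with no key at all."""
    return [name for name, value in provider_view(raw).items() if value]


if __name__ == "__main__":
    for label, sample in (("PGP", CIPHERTEXT_MAIL), ("TLS only", TLS_ONLY_MAIL)):
        print(label, "->", leaked_without_key(sample))
```

Run with real mail pulled from a mailbox and the output is the same story: the PGP message hides its body but still tells the provider who wrote to whom, about what, when, and from which machine, and a message that only rode in over TLS hides nothing once it has arrived.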
In an era where the NSA is systematically commandeering the Internet, how secure these services truly are remains to be seen. No matter how many sites the NSA either directly or indirectly knocks down, or how many sprout up in their place, the core issue comes down to the fundamental mechanisms of e-mail security.
Back in April, before the PRISM storm even hit, Callas went as far as to say, “E-mail as we know it today is fundamentally broken from a privacy perspective.”