Is privacy and a secure email on your wish list? How does the “most secure email program” sound to you? Or rather, is that still possible in this post-Snowden era? How about a completely secure search engine?
I set out to investigate how secure is secure. I finally received a StartMail beta account, a year after I signed up for it and I am now among the last of the 50,000 beta testers worldwide to use it free for 90 days. I am curious: will it live up to its claims?
Short of sending an open invitation to hackers, I am contemplating testing the StartMail account in different ways, such as forwarding malicious emails to it – isn’t that what beta testing is meant for anyway?
If privacy is sacred to you, you have probably heard of Lavabit, the Texas-based email provider favored by computer geeks and NSA leaker Edward Snowden, which the operator voluntarily shut down last August rather than “become complicit in crimes against the American people” by defying orders to hand over the crypto keys to US authorities.
Lavabit recently lost its contempt of court appeal and its founder, Ladar Levison is currently busy with his Kickstarter campaign to raise funds for what he calls his Dark Mail Initiative, an anti-NSA email protocol with end-to-end encryption that would make it impossible to access anyone’s messages. The aim is to clean up and release the source code used to power Lavabit, according to Levison.
StartMail is developed by StartPage and Ixquick, owned by privately held Dutch firm Surfboard Holding BV and known to many as the world’s most private search engines – anonymous search engines with the performance and results of Google plus the guarantee that the users’ searches will not be stored and cookies will not be planted. Likewise, StartMail claims it will not scan the email messages nor hold any data for marketing or algorithms purposes.
Google is also reportedly working on a new version of its popular Gmail service that makes end-to-end encryption tools like PGP (Pretty Good Privacy) easier to use. But with its huge advertising business, it is hard to imagine how Google could design a site-wide end-to-end encryption email service without scanning the messages at all.
If one chose to preach philosophically: perfect privacy cannot exist in this imperfect (post-Snowden) world that we live in now.
After all, for all the efforts to encrypt email messages, the e-mail headers and routing protocols can still reveal who the senders and receivers are and these data, enough to bring grins and glee to the authorities, are damaging for privacy freaks.
Furthermore, the government can still request the passcodes used as keys to decrypt messages. In the US, even though there is the Fourth Amendment to protect against any unlawful searches, federal agencies have been taking advantage of a part of the Electronic Communications Privacy Act, which requires warrants only for emails stored on a third party server for less than 180 days – ie. No warrant needed for accessing email older than 180 days.
Computer geeks will tell you that emails are designed for communications and convenience, not security. Security will simply destroy the utility of emails.
But emails have also become weapons of mass destruction in their own right. You may have heard of how hackers could send emails with embedded programs which upon receipt by the innocent parties could allow the senders to intrude into the computers.
Which brings me to a related matter: the safe use of emails and computers. It may be best practice to access all your emails on your smartphone and handheld devices as much as possible, including the sending and saving of documents with USB OTG (On-The-Go) connectors. You can attach a flash memory stick to a OTG connector to connect and then send or save documents from your device, just like the way you send or save documents through emails on your computer.
That way, you can easily delete (set to “delete from server” on your device) any malicious emails to minimize the chance of damaging your computer. In the worst case scenario of opening any malicious messages, you can simply delete them or reset the device to original factory settings. Your computer is out of the picture. And if you also practice “no file saved” (except program files) on your computer, but to an external hard disk, you have double-insured yourself.
The following words of wisdom from a good Swiss friend are noteworthy:
“I am living with the idea that an e-mail is like a post-card which the postman could read ….. provided he was interested and had the time.”
Vanson Soo runs an independent business intelligence and commercial investigations practice specialized in the Greater China region. He blogs at http://vansonsoo.com. He writes frequently on security matters.