Encryption of E-Mails

E-mail is one of the oldest and most widely used messaging protocols on the internet. Even today, this form of “electronic letter” serves a variety of important communication channels, whether private or business, or for sending official documents, invoices and much more.

The transfer of the concept of letters into the digital space even goes so far that in Germany, for example, e-mails are covered by the secrecy of letters and telecommunications, similar to telephone calls or the analogue counterpart to e-mail: the written letter. [1]

Not everyone shares this understanding of e-mail, however. At the same time, e-mail offers far more extensive possibilities to intercept information unnoticed and to analyse it on a large scale than analogue letters do. Large IT corporations such as Google, whose e-mail service “Gmail” gives them potential access to the communication of hundreds of millions of people worldwide, have repeatedly made clear that users of these services “should have no expectation of privacy”. [2, 3, 4]

But even leaving aside the economic interests of e-mail providers, who evaluate and/or resell their customers' data for advertising purposes, communication via fundamentally unsecured and unencrypted channels is simply no longer appropriate in the modern age. This applies not only to journalists and activists, but to everyone else as well, whether in a private or a business context. Completely unencrypted communication enables industrial or governmental mass surveillance and, beyond being a threat to democracy and freedom of expression, can become an instrument of exploitation and socio-economic oppression. [5]

This does not mean that e-mail is coming to an end – quite the opposite! As a versatile, open, decentralised and lightweight communication tool, e-mail has some appealing advantages over many of the centralised systems in use today. But its technical implementation and the way we use it must change sooner or later; and sooner rather than later.

Types of Encryption

Before we get to the practical part, the different types of encryption and some basic terminology should be clarified, because here, as in so many areas, the same applies: not all encryption is the same.

Encryption of Mail Access

This is the secure transmission between your own device and the mail server, usually achieved with secure internet protocols such as HTTPS. Encrypting this interface ensures, on the one hand, that neither the operators of the network in which the end device is located (for example, a public WLAN) nor the intermediate systems on the path (such as the infrastructure of the internet provider) have free access to the transmitted information. On the other hand, the use of secure internet protocols helps to ensure that the server one is interacting with really is who it claims to be. [6]

Encryption of Mail Transmission

Protecting the onward transmission of an e-mail to the intended recipient, by contrast, is entirely up to the e-mail provider. To protect their users, providers can either encrypt the transmission path whenever the other side also supports such encryption, or go further and insist on it, refusing to send an e-mail at all if encrypted transmission cannot be guaranteed.
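The two provider policies just described, opportunistic versus mandatory transport encryption, expressed as an added configuration example for Postfix (an assumption: the article names no mail server software, and this is not the configuration of any particular provider). `partner.example` is a placeholder domain.

```ini
# /etc/postfix/main.cf, outbound side: how this server talks to other mail servers.
# Only one smtp_tls_security_level line may be active; the three variants are listed
# together here for comparison, with the inactive ones commented out.

# Variant 1, opportunistic: encrypt whenever the receiving server offers STARTTLS,
# but fall back to plaintext when it does not (the weaker of the two policies).
smtp_tls_security_level = may

# Variant 2, mandatory: refuse to deliver at all unless TLS can be negotiated.
# Mail for servers without TLS stays in the queue and eventually bounces.
#smtp_tls_security_level = encrypt

# Variant 3, per destination: opportunistic by default, mandatory for named domains.
#smtp_tls_security_level = may
#smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# Contents of /etc/postfix/tls_policy (run "postmap /etc/postfix/tls_policy" after editing):
#   partner.example   encrypt
```

The `encrypt` level only guarantees that the connection is encrypted; the `secure` level additionally verifies the receiving server's certificate against `smtp_tls_CAfile`, which is what actually establishes that the other server is who it claims to be.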

Encryption of Information and Content

This refers to encryption methods that are applied directly to the content of an e-mail to ensure that it can only be read by the recipient or the sender. Even where third parties gain access to the e-mail, by intercepting it during transmission or by other means, the encryption of the information ensures that they cannot view the contents of the message. Even the e-mail providers themselves, on whose servers the messages are stored, cannot access their contents. [5]

Such encryption of the information contained in e-mails can be achieved in many different ways. Almost all variants have in common, however, that the other side, i.e. all communication partners involved, must also support a corresponding encryption method. In contrast to the encryption of transmission paths, this depends much less on the mail provider and almost entirely on the initiative of the user.

All three types of encryption have their place and are by no means mutually exclusive. Unlike just a few years ago, encryption of mail access is fortunately considered the absolute standard today. Access to the mailbox via a web browser is usually done via HTTPS, and desktop or smartphone clients such as Thunderbird, Outlook or K-9 typically use TLS-encrypted IMAP and SMTP connections. E-mail providers are also increasingly paying attention to the encrypted transmission of messages or even enforcing it (if in doubt, information on this can be found directly on the website of one's own mail provider). However, even 50 years after the first electronic letter was sent, encryption of information, and thus the most effective form of communication encryption, is still largely missing when e-mails are sent.

OpenPGP: This is how it’s used

Image: CC-BY-SA, Free Software Foundation

Although there is a large number of secure, reliable and, in some cases, widespread solutions, in the following we limit ourselves to one particular option for encrypting information: “Pretty Good Privacy”, or OpenPGP.

The (Open)PGP specification is an end-to-end encryption method, which, put simply, means that the respective information can only be read at the beginning (by the sender) and at the end (by the recipient). Throughout transmission, storage and archiving, the content of a message remains encrypted. [7]

OpenPGP is based on a dual-key system, i.e. public-key cryptography. Every communication participant generates a key pair once. It consists of a public key, which can be sent to others or even published freely on the internet, and a private key, which must be kept secret. To send an encrypted e-mail to someone, you need the recipient's address and their public key. A mathematical algorithm uses this public key to encrypt the message to be sent. The encrypted information can then only be decrypted with the matching private key(s), so that the content of the message can only be viewed by the intended recipients.
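The “only the matching private key(s)” property is visible in the message format itself: an OpenPGP message begins with one Public-Key Encrypted Session Key (PKESK) packet per recipient, each naming the key ID it was encrypted to. The following parser is an added example, not code from the article or from any OpenPGP project; it reads the packet framing from RFC 4880 and lists the recipient key IDs of a constructed sample message (the key IDs and MPI values in `SAMPLE` are placeholders, not a real ciphertext).

```python
# Public-key algorithm IDs from RFC 4880 (a subset, not the full registry)
PK_ALGOS = {1: "RSA", 2: "RSA (encrypt-only)", 16: "ElGamal", 18: "ECDH"}

def parse_packets(data):
    """Split a binary OpenPGP message into (tag, body) pairs (RFC 4880 section 4.2)."""
    packets, i = [], 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"invalid packet header byte 0x{ctb:02x} at offset {i}")
        if ctb & 0x40:                      # new-format header: tag in the low 6 bits
            tag, o1 = ctb & 0x3F, data[i + 1]
            if o1 < 192:                    # one-octet length
                length, i = o1, i + 2
            elif o1 < 224:                  # two-octet length
                length, i = ((o1 - 192) << 8) + data[i + 2] + 192, i + 3
            elif o1 == 255:                 # five-octet length
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                               # old-format header: tag in bits 5..2
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        packets.append((tag, data[i:i + length]))
        i += length
    return packets

def recipients(data):
    """Key IDs (and algorithms) named in PKESK packets: the private keys that can decrypt."""
    found = []
    for tag, body in parse_packets(data):
        if tag == 1:                        # tag 1 = Public-Key Encrypted Session Key
            if body[0] != 3:
                raise ValueError("unsupported PKESK version")
            found.append((body[1:9].hex().upper(), PK_ALGOS.get(body[9], f"algorithm {body[9]}")))
    return found

# Constructed sample, not a real ciphertext: two PKESK packets (one new-format, one
# old-format header) with placeholder key IDs and MPIs, followed by a SEIPD packet (tag 18).
SAMPLE = (
    b"\xC1\x0D\x03" + bytes.fromhex("0123456789ABCDEF") + b"\x01\x00\x08\xA5"
    + b"\x84\x10\x03" + bytes.fromhex("FEDCBA9876543210") + b"\x10\x00\x08\x5A\x00\x08\x3C"
    + b"\xD2\x07\x01\xDE\xAD\xBE\xEF\x00\x11"
)
```

Running `recipients()` over a real message is a quick way to confirm that it was encrypted to exactly the keys you intended and to no additional key.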

Setting up programmes that implement the OpenPGP specification, such as the GNU Privacy Guard (GnuPG), long required a considerable amount of technical knowledge and effort, but with support from many e-mail programmes and providers it is now becoming easier for a less technical audience.

The first step is to choose such a programme. For the desktop PC, the open source programme “Thunderbird” is highly recommended. For some time now it has supported OpenPGP directly without external extensions and is therefore suited to a particularly easy start on Windows, macOS and GNU/Linux computers. For Android, the app “p≡p” or the already mentioned “K-9” with the extension “OpenKeychain” is recommended. For iOS, the app “PGPro” is suitable, and for those who prefer to send e-mails via the mail provider's web interface, there is the browser extension “Mailvelope”. An extensive, though despite all efforts not entirely complete, list of compatible mail programmes can be found on the OpenPGP project page.

Further information on the detailed use of OpenPGP and GnuPG can also be found on the OpenPGP project page, under the Free Software Foundation’s “Email Self Defense” project and in the “Email Self Defense Leaflet” of the Free Software Foundation Europe.

Sources

  1. Roth, Wolf-Dieter (2006): Gilt für E-Mails das Brief- und Fernmeldegeheimnis? Heise Online, Telepolis. Online at: heise.de
  2. Kumar, Mohit (2013): Google – Gmail Users Should Have No Expectation of Privacy. The Hacker News. Online at: thehackernews.com
  3. Schiffer, Zoe (2019): Facebook and Google surveillance is an ‘assault on privacy,’ says Amnesty International. The Verge. Online at: theverge.com
  4. Kuketz, Mike (2021): Gmail – Google liest eure E-Mails mit. Online at: kuketz-blog.de
  5. The Free Software Foundation (2014): Email Self-Defense. Online at: emailselfdefense.fsf.org
  6. Heaton, Robert (2014): How does HTTPS actually work? Online at: robertheaton.com
  7. The OpenPGP Website. Online at: openpgp.org

Jan is a co-founder of ViOffice. He is responsible in particular for the technical implementation and maintenance of the software. His interests lie especially in the areas of security, data protection and encryption.

In addition to his studies in economics, later in applied statistics, and his subsequent doctorate, he has many years of experience in software development, open source and server administration.