Email Privacy a Myth – To Protect Your Data, It Must Be Destroyed
By Katharine Fong
President Obama talked today about the National Security Agency’s electronic surveillance efforts and Americans’ privacy concerns, but the buzz in the cybersecurity world centered on two major email encryption services’ decision to close down yesterday.
What does the shuttering of Texas-based Lavabit (reportedly used by Edward Snowden) and the email encryption services of Maryland-based Silent Circle mean? The New York Times Bits blog says it signals that emails, “even if they are encrypted, can be accessed by government authorities and that the only way to prevent turning over the data is to obliterate the servers that the data sits on.”
(Indeed, Lavabit destroyed its servers, much to the consternation of some of its users.)
“This raises the question of whether anyone can realistically offer an online encryption service that promises confidentiality,” said Kurt Opsahl, senior staff attorney for the San Francisco-based Electronic Frontier Foundation.
Silent Circle cofounder Jon Callas said much the same in a blog post today. “Email that uses standard Internet protocols cannot have the same security guarantees that real-time communications has,” he wrote. “Email as we know it with SMTP, POP3, and IMAP cannot be secure.”
Opsahl says one can still send an encrypted message over email, using programs from PGP (Pretty Good Privacy) and open-source GPG, among others. These offer end-to-end encryption protection. But Opsahl says this requires both parties to have the software installed – and it’s not easy. “It’s hard to do, especially for those not sophisticated with encryption protocols.”