Email must be the most hated communication tool ever invented, as well as the most ubiquitous. To put it bluntly: everyone uses it, and everyone wishes they didn’t.
But it’s not just that it doesn’t handle multiperson conversations well, or that stuff gets lost in the inbox, never to return. Some of the very factors that make it ubiquitous also make it seriously insecure.
To find out why email is so insecure, and what that tells us about how to secure it, we need to look briefly at the history of email. How did we end up with this tool?
How did we all wind up using email?
Email dates back to the 1970s. A whole bunch of people claim to have invented it: Ray Tomlinson’s claim to have done it for ARPANET in 1971 is generally accepted but VA Shiva Ayyadurai has a competing claim to the title. Let’s just say: it’s old.
It dates to a time when servers had less computing power than your phone, and possibly less than your garage door. That being the case, and lacking the web 2.0-style let’s-make-a-shiny-app-in-seconds tools we’re all now familiar with, communication tools had to be SIMPLE.
As in, they had to not suck up power and bandwidth, so they had to be technically simple, and they had to not require a large user interface which would have taken forever to make. So email was born.
And much of this is built right into email.
Why wasn’t email built secure from the start?
As well as dating from a time when the web was powered by rocks and bits of string, email also dates from a time when the architects of new web tools saw an open, federated ecosystem as the natural consequence of the new technologies they were working on.
If you’ve ever tried to get pictures off a Samsung phone onto an Apple computer, you’ve experienced the opposite of this – the ‘walled garden’ effect, where your behavior is constrained by the services offered by one provider or group of providers. For businesses, this is the ideal: a walled-garden ecosystem that consumers never leave is the legit business version of controlling the numbers racket on the west side.
For consumers, it’s a mixed bag. When you tie an open system of communication to a walled garden of service provision – like apps on a phone – you get some of the best of both worlds. It’s easier to use, seamless, nice to look at.
But you lose a lot of control and a lot of your ability to opt out. Your agility as a user is compromised.
That’s the thing to understand about the early web: it was built by idealists, pragmatic as to methods but certain they were building a better, more open world. You and I, according to these early web pioneers, weren’t going to be consumers or providers. We were going to be Netizens.
Email’s open structure and federated approach to software provisioning is a hangover from those times. But in a world of spearphishing and corporate psyops and consumer espionage, we can’t afford to remain naive.
Nice history lesson. So how unsafe is email?
You’re not safe from hackers
Typically, email is sent across the internet as plain text. Anyone can intercept and read any unencrypted email – and if you and your correspondents aren’t using an encryption service on top of your emails, and you’re not talking to each other in Navajo, you’re unencrypted.
It’s not always easy to tell where an email originated from, either. Lifehacker has a cool post on how to do that, but there’s no inbuilt verification requirement.
Can you encrypt through your email provider? Kinda. Outlook has an encryption feature but it’s messy.
Gmail messages are encrypted with Transport Layer Security on the way out – but they only stay encrypted if they’re Gmail-to-Gmail (or TLS user to TLS user) – and even then, Google reads them anyway. And not just with machines.
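As an added example (not from the original article), this Python code reads the `Received` and `Authentication-Results` headers of a message to show which hops were recorded as TLS-protected and whether the receiving server verified the sender. The headers are constructed, `inbound.example.org` stands in for your own receiving server, and the SPF/DKIM/DMARC verdicts go slightly beyond what the article names.

```python
import re
from email import message_from_string

# "with" keywords that record a TLS-protected hop (RFC 3848 / RFC 6531 registrations).
TLS_PROTOCOLS = {p + s for p in ("ESMTP", "LMTP", "UTF8SMTP", "UTF8LMTP") for s in ("S", "SA")}

# Constructed sample headers (not a real capture); every host and address is a placeholder.
SAMPLE = """\
Authentication-Results: inbound.example.org; spf=pass smtp.mailfrom=example.net;
 dkim=none; dmarc=fail header.from=example.com
Received: from mx.example.net (mx.example.net [203.0.113.7])
 by inbound.example.org with ESMTPS id abc123; Tue, 02 Jan 2024 10:00:05 +0000
Received: from laptop.example.net (laptop.example.net [198.51.100.4])
 by mx.example.net with ESMTP id def456; Tue, 02 Jan 2024 10:00:01 +0000
From: Alice <alice@example.com>
Subject: Quarterly numbers
"""

def _clause(text, name):
    match = re.search(rf"\b{name}\s+(\S+)", text)
    return match[1] if match else "?"

def trace_hops(msg):
    """Relay hops oldest-first (headers unfolded, comments and dates dropped), flagged for TLS."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = re.sub(r"\([^()]*\)", " ", " ".join(value.split())).rsplit(";", 1)[0]
        proto = _clause(text, "with").upper()
        hops.append({"from": _clause(text, "from"), "by": _clause(text, "by"),
                     "with": proto, "tls": proto in TLS_PROTOCOLS})
    return hops

def auth_results(msg, trusted_authserv):
    """spf/dkim/dmarc verdicts, read only from the header our own server added."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = " ".join(value.split()).partition(";")
        if authserv.strip().lower() == trusted_authserv:
            verdicts.update(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest.lower()))
    return verdicts

def assess(raw, trusted_authserv):
    msg = message_from_string(raw)
    findings = [f"cleartext hop: {h['from']} -> {h['by']} ({h['with']})"
                for h in trace_hops(msg) if not h["tls"]]
    auth = auth_results(msg, trusted_authserv)
    findings += [f"{m} not verified: {auth.get(m, 'absent')}"
                 for m in ("spf", "dkim", "dmarc") if auth.get(m) != "pass"]
    return findings
```

Calling `assess(SAMPLE, "inbound.example.org")` reports the cleartext first hop and the DKIM and DMARC checks that did not pass. `Received` lines added before your own server's are written by other hosts and can be forged, so the trace is a hint about the route, not proof of it.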
You’re not safe from your email provider
Let’s start at the beginning. You write an email to a work colleague or a friend and there it is, sitting in your Drafts folder. You never sent it anywhere. Is it safe?
Nope. Google has always told its users that its software reads your emails. That’s pretty iffy by itself – it creates a gigantic lake of data that could potentially be used to identify and attack you.
But it turns out that Google actually allows staff to read your emails.
And if Google’s doing it, wanna bet smaller email providers aren’t?
You’re not safe from malicious code
Most email providers will let you put HTML inside an email. That’s how come marketing emails look like this:
…and not like this:
But HTML is code that can do all kinds of stuff. In fact, since, like email, it’s an open framework that’s experienced serious feature creep since its inception as a way to make a motherf***ing website, no-one knows for sure exactly what it can do. (That’s true of all technology; the street isn’t the only place that finds its own use for things.)
One thing we know it can do is infect self-hosted corporate email servers, though it can’t directly drop self-executing code into your actual computer anymore.
We know now that Google’s been having a sneaky peek – but all it takes is a hack, court order or a particularly hacked-off or bored employee, and your emails are in front of eyeballs you never meant or expected them to be.
So how can you make email secure?
Short answer: you can’t.
You can do basic stuff to make a fundamentally insecure communication system more secure, or you can switch to a secure messaging app. But trying to make email secure is like trying to make a tent secure. The only way to do it is to make a fundamental change.