Communication by email
Nowadays, communication between people, institutions, companies and organizations is digital.
According to some statistics retrieved on the web, emails generates a daily traffic that is tending to increase, as shown by the data below:
|Daily traffic in billions of business and consumer emails - Source: www.radicati.com|
Therefore, in 2022 a daily email traffic of 333.2 billion emails is expected (in numbers 333,200,000,000 🙄).
However, it is not so much the vast amount of email traffic that surprises us, as the total unawareness of users regarding the need to protect the content of each email.
In fact, in the daily traffic, as described above, a large percentage of emails is sent “in plain text” without the adoption of cryptographic solutions that protect the content of each message.
In our opinion, emails we send should always be encrypted by default, regardless of whether they are personal or business messages; there should be no distinction since the principle of confidentiality of correspondence makes no difference.
It is unnecessary to report in detail the reference legal norms - at least at the European level - that regulate confidentiality and personal data protection.
In Europe, privacy and data protection rights are fundamental rights.
It’s probably worth asking why in 2022, people still don’t use encryption systems to exchange emails, while they bother to choose instant messaging apps that adopt security protocols instead.
It almost seems that more attention is being paid to the security of instant messaging app communications and more minor to email communications.
There is a perception of security as a synonym of protection and, therefore, also of confidentiality.
In reality, these are profoundly different but complementary concepts.
The following postulate applies
What is the reason, in terms of privacy and security in communication, why we should care more about instant messaging and more negligibly about email?
Instant messaging apps and privacy
We have already written about the most popular instant messaging apps (WhatsApp, Signal, Telegram) and the risks they pose, not only (or rather not only) for security aspects, but above all for the limitation of the user to have complete control over their personal data1.
What is aberrant is to see how lightly instant messaging apps are used in the public and private sector and by those with institutional roles.
Public figures and even those in institutional roles should refrain from using instant messaging apps like WhatsApp, which are based on centralized systems and do not allow the user to have complete control over their data and the communication content.
Public bodies and institutional roles have email addresses with their domain for email communication.
However, personal smartphones are frequently used for mixed-use, even service needs.
We don’t think this is the correct solution.
However, beyond our opinion, probably not being shared, you should wonder if users of apps like WhatsApp are aware of the fate of metadata, even if the contents of messages are encrypted.
It is precisely from public subjects and those who hold institutional roles that one expects special attention towards the contents of their communications, not only in terms of security but also about the respect of the regulations on the protection of personal data and privacy.
How many data breaches for forwarding messages or screenshots?
These subjects are utterly dependent in their communication (which also involves the recipients) on those companies that developed the apps. Indeed, they do not have complete control of their (also) personal data when using centralized systems.
Receiving messages through instant messaging apps like WhatsApp would cause us extreme concern, and this is just one of the reasons we decided to not use it.
Do you worry about the confidentiality of the contents of your emails?
We do not intend to attribute to ourselves or wear necessarily the “privacy” banner. Still, people often underestimate the profile of privacy and security in communication, as already said on more than one occasion.
Sometimes people wholly and unconsciously unfoundedly claim to have nothing to hide and therefore to be “exempt” from privacy.
In this regard, it may be helpful to mention the well-known Edward Snowden’s statement, who - to those who made this claim - replied:
“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different from saying you don’t care about free speech because you have nothing to say.”. (Edward Snowden)
It is unthinkable that even today, we do not reflect on how delicate the communication issue is concerning the confidentiality of the contents exchanged and that we have not developed an ethical conscience to activate encryption by default.
Acting consciously also means having deep respect for the recipients of the communication we transmit.
Is it possible that we are so superficial that we do not pay attention to these critical aspects?
Hoping for more significant and broader awareness on this issue, it could happen that many don’t know how to reach the goal or are still undecided.
The question, at this point, might be “What is the solution?”.
We can answer this question by presenting some of the IT solutions that are currently available.
GnuPG - OpenPGP
Encrypting email messages is possible by signing and encryption keys for each email address.
On the OpenPGP website, we read:
OpenPGP is the most widely used email encryption standard. It is defined by the OpenPGP Working Group of the Internet Engineering Task Force (IETF) as a Proposed Standard in RFC 4880. OpenPGP was originally derived from the PGP software, created by Phil Zimmermann.
GnuGP, as we said, implements the OpenPGP standard, and on the their website, we read:
GnuPG is a command line tool without any graphical user interface. It is an universal crypto engine which can be used directly from a command line prompt, from shell scripts, or from other programs. Therefore GnuPG is often used as the actual crypto backend of other applications.
Even when used on the command line it provides all functionality needed - this includes an interactive menu system. The set of commands of this tool will always be a superset of those provided by any frontends.
It is a tool that you can use with shell-bash commands in the Terminal.
Using, for example, MailMate, when an encrypted email message arrives, the client runs the following command:
/usr/local/bin/gpg --no-verbose --batch --no-tty --compliance "openpgp" --status-fd 2 --verify "path/filename" -
GnuPG is also available for various operating systems in packages.
The GnuPG website links to the Email Self-Defense website, where there is a complete guide to making the appropriate settings.
On macOS you can install GnuPG via Homebrew with the following command
brew install gnupg gnupg2
macOS users can still install GPG Suite, a complete package also available for Monterey.
Once you have installed GPG Suite, you can launch the GPG Keychain app to create keys for each email address.
After creating the keys, the user can decide whether to upload the key to the server.
Immediately after creating the keys, the user will receive an email from the https://keys.openpgp.org server that is described as “a public service for distributing and searching OpenPGP-compatible keys, commonly referred to as ‘keyserver’”.
From then on, by configuring your email client, you will be able to send signed emails and encrypted mails.
The GPG Suite also contains a plugin for Apple Mail, but you have to pay for it.
You sign, encrypt and decrypt emails by email clients such as MailMate without installing the GPG Suite because they manage the processes directly by gnupg commands.
With just a few steps, you can configure your system to be able to send and receive encrypted emails.
For iOS, instead, it is possible to identify some compatible apps this standard from the website of OpenPGP.
In addition to the above solutions, it is possible to buy a S/MIME certificate from a Certification Authority that allows you to sign, encrypt, and decrypt the contents of emails.
With the S/MIME certificate, it is possible to send encrypted emails only if the recipient also has a S/MIME certificate (basically, it is impossible to send encrypted emails from a sender with OpenPGP to a recipient with S/MIME).
ProtonMail users do not need to do what is described in the previous paragraph because the solution of the Swiss company already contains an encryption system, leaving the user the possibility to choose - from the settings - between PGP/MIME or between PGP/Inline.
ProtonMail users can send encrypted emails to ProtonMail recipients or external ones.
In conclusion, we would like to make everyone aware of the need to use solutions that allow exchanging encrypted emails by default.
Each user should be concerned about the security of their communication and provide accordingly.