Email Isn’t For Secure Communications

By Michael Wilson | December 12, 2016

What’s Wrong with Email?

Email is not end-to-end encrypted by default. When you send an email, it is travelling across several networks and usually through multiple companies (and sometimes countries) before reaching the recipient. By the time the message has been sent and received, it may exist on multiple devices (sender and recipient’s phones, tablets, computers, etc.) and reside on multiple servers. Gmail (and most other cloud services) has redundant back-ups of your data at multiple data-centers, located all over the world. That’s great for preventing data-loss, but bad for privacy.

It is easy to see how a hole in the security of any company, network, server, or device along the way could compromise your data. Security is all about finding and eliminating weak links, and email is one long chain of weak links.

So if email isn’t a safe way to send confidential information, what should you use?

Messaging Apps

Text-messaging is all grown up. The days of basic SMS texts are over, and there are now lots of apps competing to be your messaging client of choice. With that in mind, it is really important to understand how these apps work, and which services are offering true privacy and security.

SMS Texts

Every phone comes with at least one app for sending SMS text messages. These are the traditional, simple texts sent over your wireless carrier’s cell network (not as data, over the internet). These messages have effectively zero security in place. Your wireless carrier can read these messages, so this is not a good way to privately communicate with someone.

iMessage

Apple’s default messaging app for iOS can be a confusing one. Apple merges SMS Texts and their own “iMessages” into a single app. SMS Texts on iPhone are the same as described above, however iMessages are sent over the web as data and Apple claims they are end-to-end encrypted by default. iMessages can only be sent between Apple devices, and if you try to message a non-Apple user, it will default to SMS.

While this may be convenient, it also means that the average person usually isn’t paying attention to which of the two types of messages they are sending. Also, because Apple does not open up their software to 3rd party inspection, we really have no way of verifying that they are encrypting those iMessages. Apple could be recording the messages internally, sharing them with a government or corporations, or using them for any other purpose and we would have no way of knowing.

WhatsApp is the world’s messenger service, using end-to-end encryption by default. Especially outside of the U.S., it is far and away the most common way people message each other. It is so popular that in 2014 Facebook bought it for $19 billion. The Facebook ownership is really the only reason some doubt the security of using WhatsApp. Facebook is a data-hungry company whose business model is built upon knowing as much about their users as possible. In time, Facebook may look to weaken the privacy of WhatsApp in order to gather data from messages. They also presumably are able to gather some metadata about people using the app despite not being able to read message contents through end-to-end encryption.

Signal

The team at Open Whisper Systems has developed the gold standard of secure communications. It is open source, and due to that openness has been thoroughly vetted by security professionals.

I use Signal every day. #notesforFBI (Spoiler: they already know) https://t.co/KNy0xppsN0
— Edward Snowden (@Snowden) November 2, 2015

The Signal Protocol is so well built that Facebook has rolled it into Facebook Messenger, calling the feature “Secret Conversations”.

The Signal App is freely available for iOS and Android devices and also offers a desktop app. This is your best option for private, secure messaging.

Facebook Messenger

Messages in this app are logged into Facebook’s database just like anything else you post, share, like, or distribute in any way on Facebook. You should assume that anything sent through Facebook Messenger is not secure by default. If you want to securely communicate through Facebook, then you must opt-in to “Secret Conversations” and activate it each time you want to send a secure message. It is a hassle, and Facebook is clearly a company that doesn’t want to make it easy for you to keep data from them.

Outlook

The single biggest challenge when trying to communicate these days is getting all of the desired participants to use the same app, platform, or service. It really is a huge hassle, and so often it is just easier to use what people already have. Email and SMS won’t go away because they are familiar, easy, and everyone has them. Facebook Messenger is another easy choice that doesn’t put your privacy first.

If you need to send something securely, then it is up to you to chose a safe method and request that the recipient use it with you. Sometimes that means downloading a new app, or signing up for a service, but whatever you do don’t let frustration or inconvenience get in the way of your privacy and security.

The single best step you can take is to reduce your dependence on email and start using Signal with as many people as possible.

Posted in Security and tagged Android, Apple, Email, Encryption, Facebook, Facebook Messenger, iMessage, iOS, iPhone, Open Whisper Systems, Signal, SMS

About Michael Wilson

Michael Wilson is a Digital Strategist who works with people to build, protect, and elevate their brands online.

View all posts by Michael Wilson →