Sure I love Gmail. But every so often, we hear stories of Gmail hacking and cracking and the online privacy dialog starts up again in force. What can a user do?
The obvious option is to use an application or service that encrypts your email. Whether via the web, or desktop or as a layer of security on your existing email program, encrypted email makes it that much more difficult (but not impossible) to crack your security code.
There are several options available to those seeking security. The one I see and hear about the most is Hushmail. Hushmail is a secure web-based email service that has been around since 1999, which is like 1,000 years in internet years. Email is stored in Hushmail in encrypted form, and decrypted when you log in with your password. When you send to another Hushmail user, the encryption / decryption process is automatic. Non-Hushmail users are provided with a secret question to answer before the email is decrypted. Hushmail also works on the iPhone and Blackberry devices (wait, no Android?) and can be incorporated as a layer on your Outlook program. Hushmail via the web is free, while domain-based, fully customizable Hushmail costs $1.99 per user per month.
The more expensive option is Zixmail, frequently used by companies seeking HIPAA compliance. This service works much like Hushmail and also allows you to send encrypted email to others, whether or not they are Zixmail users. Zixmail provides desktop email encryption that includes automated key management and delivery through a secure web portal. It can be used with any corporate or web-based email system, and optional plug-ins are available for full integration with Microsoft Outlook. ZixMail can be set up to automatically scan out-going emails sent from the secured network for sensitive information and encrypt them. Recipients receive a notification in their inbox informing that a secure message from the Zixmail sender is waiting to be read. Click the link and the recipient is taken to a message center where the user is prompted to log in with a password to view the email; new users are prompted to create an account and establish their password. Depending on the number of users, that cost can start at $75 per user per year.
There also is VaultletMail, a desktop app that allows you to send encrypted mail to others, whether or not they are VaultletMail users. Those who don’t use VaultletMail can access a SpecialDelivery Service, which prompts you to create an account and special catchphrase (“The Eagle Flies At Dawn”) or some such to access encrypted messages. VaultletMail has lots of controls over what can be done with emails (no copying, forwarding, printing, etc.), can employ a “self destruct” for emails that sit unread for a period, and can even send from an anonymous email address.
Google has now enabled encryption for Gmail by default when you use the Chrome browser. The tech behind the encryption is called HSTS, which directs the browser to only use a particular website over a secure connection. If you use Firefox, you can add an extension that encrypts your Gmail – Gmail S/MIME which allows you to send and receive signed and encrypted messages in Gmail. The extension operates with every S/MIME-capable mail client including Microsoft Outlook (2000-2010), Microsoft Outlook Express, Mozilla Thunderbird, and Apple Mail.app, and now works up through Firefox 4.0, Seamonkey, and the latest versions of Gmail.
Speaking of Mozilla, if you use their Thunderbird email system, you can use the Enigmail extension. Enigmail requires you to install the Enigmail extension for Thunderbird and the GNU Privacy Guard software for your operating system. The application adds an OpenPGP dropdown menu in Thunderbird which contains the set up wizard. Encryption is selectable in the S/MIME dropdown menu in the composition window. While the encryption process is a bit cumbersome, you can use it with any email provider serving as the backend of your Thunderbird program.
It goes without saying (but I’ll say it anyway) that secure email encryption is all well and good, but it is no panacea or defense against a valid government subpoena. These programs will protect your legally permissible communications, but will not protect you from disclosure of your illegal activities. So email wisely. And securely.