Email Encryption Improving ‘Gradually,’ Especially for Less Popular Email Providers Like ISPs
Some email providers are taking small steps to improve their security by offering better encryption services amid revelations about National Security Agency surveillance practices, experts with several Washington advocacy groups told us. Following new revelations early this week, Yahoo said it will make Secure Sockets Layer (SSL) encryption standard for all users starting Jan. 8 (http://bit.ly/1bWY1Fm). That announcement is overdue, and other email providers aren’t doing enough, experts said. Our informal survey found ISPs show wide disparity in the levels of encryption available to users.
The Washington Post reported Tuesday that the NSA collects contact lists from personal email and instant messaging accounts, including from potentially millions of Americans (http://wapo.st/19Qk11a). Greg Nojeim, director of the Center for Democracy and Technology’s (CDT) Project on Freedom, Security and Technology, called the practice a “significant intrusion on associational rights that will chill free expression all over the world,” in a Tuesday statement (http://bit.ly/1bWYuHF). Sen. Mark Udall, D-Colo., called the reports “highly disconcerting,” in a Wednesday statement (http://1.usa.gov/1bX2fgk). If true, he said, “the news underscores the need for greater transparency and greater oversight over information collected under executive branch authorities.”
Most webmail providers encrypt the authentication page with SSL, so hackers using insecure broadband connections like those at Internet cafes can’t steal login and password information. For many providers, the rest of the session isn’t secure, leaving emails sent over insecure connections vulnerable to interception, said Joe Lorenzo Hall, CDT senior staff technologist. Webmail providers have been turning on broader SSL encryption for the last decade or so, he said. Google has offered SSL encryption of its webmail browsing sessions since 2004, and others like Yahoo, Microsoft Outlook and Hotmail offer the service as an option consumers can turn on, he said. SSL is “kind of a minimal step,” said Eli Dourado, research fellow at the Mercatus Center at George Mason University. “Even if this is all implemented, [an email service] still has a lot of limitations,” he said. Hall added: “There’s a reason you send love letters in envelopes and not on postcards. There’s a reason you find an envelope with security marks when you send a check. All that stuff is the exact same with email, so you do want to have some things protected.”
Several ISPs that offer subscribers email services do offer SSL -- that so-called “minimal step” -- as an option, including AT&T, CenturyLink and Mediacom Communications. RCN and Time Warner Cable don’t offer encryption. Time Warner Cable is “continually evaluating our Internet offerings and features to provide the best experience for our customers,” said a spokesman. An RCN spokesman said much the same thing. Cox Communications offers full SSL encryption by default, said a spokesman. With regard to end-to-end encryption, the company “may consider providing something in the future, however we have no immediate plans to do so,” he said. Spokesmen for Verizon and Comcast had no comment, and neither company’s website offers information on an SSL option for its webmail services. None of the ISPs we contacted provided information on how many subscribers use their email service or on whether those users choose to enable SSL, where it’s an option.
Midcontinent, like Cox, offers full SSL encryption by default. Midcontinent hasn’t seen much customer demand for more advanced encryption, said a spokesman. The cable operator with subscribers in the western U.S. is considering enhanced encryption as a part of offering email that’s compliant with the Health Insurance Portability and Accountability Act, he said. “We do a considerable piece of business on the enterprise side providing data services to health providers.” Midcontinent employees are considering end-to-end encryption as part of the cable ISP’s work to expand those offerings, said the spokesman.
“It is clear that customers should be extremely wary about depending on these services for security,” said Peter Eckersley, Electronic Frontier Foundation technology projects director. Even basic encryption at the authentication site can be vulnerable, he said. “There is typically a step before the login page when the company’s site briefly uses HTTP before it switches to the more secure HTTPS protocol.” That one step alone can leave information vulnerable to hackers or intelligence agencies who might perform a man-in-the-middle attack to steal a username and password, said Eckersley.
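The two weaknesses described above, a session that is only encrypted at the login page and a login flow that begins on plain HTTP before switching to HTTPS, both show up in the chain of redirects a browser follows. The following is an added example, not code from the article or from any provider it names: it audits a captured redirect chain for plaintext hops, for any HTTPS-to-HTTP downgrade, and for whether the HTTPS response sets a Strict-Transport-Security (HSTS) header, which tells a browser that has visited once to skip the plaintext step on later visits. The hostnames, paths and header values are constructed for the demonstration.

```python
"""Audit a captured webmail session chain for plaintext (HTTP) exposure.

Added example; hosts, paths and header values are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Hop:
    """One request/response pair in the chain a browser follows."""
    url: str
    status: int
    headers: Dict[str, str] = field(default_factory=dict)  # lower-case header names


def parse_hsts(value: Optional[str]) -> Optional[dict]:
    """Parse a Strict-Transport-Security header value.

    Returns {"max_age": int, "include_subdomains": bool}, or None when the
    header is absent or carries no valid max-age directive.
    """
    if value is None:
        return None
    max_age = None
    include_sub = False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            val = val.strip().strip('"')
            if val.isdigit():
                max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_sub}


def assess_session_chain(hops: List[Hop]) -> dict:
    """Classify a captured chain of hops from the first request to the final page."""
    if not hops:
        raise ValueError("empty chain")
    plaintext = [h.url for h in hops if urlsplit(h.url).scheme == "http"]
    # An HTTPS response that redirects to a plain-http URL takes the user out of TLS,
    # e.g. an encrypted login page handing off to an unencrypted inbox.
    downgrade = any(
        300 <= h.status < 400
        and urlsplit(h.url).scheme == "https"
        and urlsplit(h.headers.get("location", "")).scheme == "http"
        for h in hops
    )
    final_https = urlsplit(hops[-1].url).scheme == "https"
    # Browsers honour HSTS only on HTTPS responses, so ignore it on plaintext hops.
    hsts = None
    for h in hops:
        if hsts is None and urlsplit(h.url).scheme == "https":
            hsts = parse_hsts(h.headers.get("strict-transport-security"))
    if downgrade or not final_https:
        verdict = "critical"            # session content travels in the clear
    elif plaintext and hsts is None:
        verdict = "warning"             # every fresh visit repeats the plaintext step
    elif plaintext:
        verdict = "ok_after_first_visit"  # HSTS removes the plaintext step on return visits
    else:
        verdict = "ok"
    return {
        "plaintext_hops": plaintext,
        "downgrade_redirect": downgrade,
        "final_https": final_https,
        "hsts": hsts,
        "verdict": verdict,
    }


# Constructed sample chains (not real providers).
CHAIN_TYPICAL = [  # plain-http landing page redirects to an HTTPS login, no HSTS
    Hop("http://mail.example.test/", 301, {"location": "https://mail.example.test/login"}),
    Hop("https://mail.example.test/login", 200, {"content-type": "text/html"}),
]
CHAIN_HSTS = [  # same, but the HTTPS page pins the browser to HTTPS for a year
    Hop("http://mail.example.test/", 301, {"location": "https://mail.example.test/login"}),
    Hop("https://mail.example.test/login", 200,
        {"strict-transport-security": "max-age=31536000; includeSubDomains"}),
]
CHAIN_LOGIN_ONLY = [  # encrypted login, then the inbox is served over plain HTTP
    Hop("http://mail.example.test/", 301, {"location": "https://mail.example.test/login"}),
    Hop("https://mail.example.test/login", 302, {"location": "http://mail.example.test/inbox"}),
    Hop("http://mail.example.test/inbox", 200, {"content-type": "text/html"}),
]

if __name__ == "__main__":
    for name, chain in (("typical", CHAIN_TYPICAL), ("hsts", CHAIN_HSTS), ("login-only", CHAIN_LOGIN_ONLY)):
        print(name, assess_session_chain(chain)["verdict"])
```

The verdict ladder encodes the article's point: a login-only deployment is rated critical because the inbox itself is exposed, while the common "redirect from HTTP" pattern is a warning that HSTS narrows to the very first visit but never removes entirely.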
Advanced encryption is technologically complicated and sometimes more expensive, Hall said. “It’s not like it’s trivial.” A company using SSL for an entire webmail session would have to send “more bits over the wire,” which could require more data centers or more bandwidth, he said, all of which cost money. Google and Facebook, among others, have improved other aspects of encryption. Both have committed to using Perfect Forward Secrecy, which uses a unique encryption key for messages sent during a browser session -- so that capturing a single encryption key doesn’t give a hacker access to all sessions (http://bit.ly/1aOEqSw and http://on.fb.me/1aOEsKh). Google also uses Transport Layer Security, so that emails going to and from other email services are encrypted, as long as the other company’s server is willing to encrypt those emails (http://bit.ly/1aOEBgB). Few, if any, other webmail providers offer TLS, Hall said. “Basically, Google is the only major U.S. email provider that does a really good job of webmail encryption,” Eckersley said. “The others have been getting gradually better, but we haven’t seen any of them match Google’s standards.”
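Two of the properties mentioned above can be checked from the outside without touching any private key: whether a server's cipher suites use an ephemeral key exchange (the mechanism behind Perfect Forward Secrecy) and whether a mail server advertises STARTTLS, the SMTP extension that signals it is "willing to encrypt" server-to-server traffic. The following is an added example, not code from the article or from Google or Facebook. It assumes OpenSSL's cipher-suite naming convention, in which the key-exchange method is the first token and a name that starts with the bulk cipher (for example AES256-SHA) means static RSA key exchange; the suite lists and the EHLO replies are constructed.

```python
"""Forward-secrecy classification of TLS cipher suites and STARTTLS detection.

Added example; suite lists and SMTP replies are constructed.
Assumes OpenSSL-style suite names (ECDHE-RSA-AES128-GCM-SHA256, AES256-SHA, ...).
"""
import re
from typing import List

# Ephemeral Diffie-Hellman key exchange: a fresh key per session, so the server's
# long-term private key never decrypts recorded traffic. EDH is an old alias for DHE.
EPHEMERAL_KX = {"ECDHE", "DHE", "EDH"}
# Other key-exchange tokens OpenSSL puts first; anything else means static RSA.
OTHER_KX = {"ECDH", "DH", "PSK", "SRP", "ADH", "AECDH"}


def key_exchange(suite: str) -> str:
    """Return the key-exchange method encoded in an OpenSSL-style suite name."""
    if suite.startswith("TLS_"):
        return "TLS1.3"   # TLS 1.3 suites always use an ephemeral (EC)DHE exchange
    first = suite.split("-", 1)[0]
    if first in EPHEMERAL_KX or first in OTHER_KX:
        return first
    return "RSA"          # OpenSSL omits the RSA token when kx and auth are both RSA


def forward_secret(suite: str) -> bool:
    """True if the suite provides forward secrecy (ephemeral key exchange)."""
    return key_exchange(suite) in EPHEMERAL_KX or key_exchange(suite) == "TLS1.3"


def audit_cipher_list(suites: List[str]) -> dict:
    """Split a server's offered suites into forward-secret and non-forward-secret."""
    fs = [s for s in suites if forward_secret(s)]
    non_fs = [s for s in suites if not forward_secret(s)]
    return {"with_forward_secrecy": fs, "without_forward_secrecy": non_fs,
            "all_forward_secret": not non_fs}


_EHLO_LINE = re.compile(r"^250[ -]([A-Za-z0-9-]+)")


def starttls_offered(ehlo_reply: str) -> bool:
    """Parse a multi-line EHLO reply ('250-KEYWORD', final line '250 KEYWORD').

    Returns True if the server advertises the STARTTLS extension.
    """
    for line in ehlo_reply.splitlines():
        m = _EHLO_LINE.match(line.strip())
        if m and m.group(1).upper() == "STARTTLS":
            return True
    return False


# Constructed inputs for the demonstration.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",   # ephemeral ECDH: forward secret
    "DHE-RSA-AES256-SHA",            # ephemeral DH: forward secret
    "TLS_AES_256_GCM_SHA384",        # TLS 1.3: forward secret by construction
    "ECDH-RSA-AES128-SHA",           # static ECDH: not forward secret
    "AES256-SHA",                    # static RSA key exchange: not forward secret
]
EHLO_WITH_STARTTLS = (
    "250-mx.example.test Hello client\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mx.example.test Hello client\r\n"
    "250-SIZE 52428800\r\n"
    "250 8BITMIME\r\n"
)

if __name__ == "__main__":
    print(audit_cipher_list(SAMPLE_SUITES))
    print("STARTTLS:", starttls_offered(EHLO_WITH_STARTTLS), starttls_offered(EHLO_WITHOUT_STARTTLS))
```

A STARTTLS advertisement only means the server accepts encryption if the sending side asks for it; a sender that does not ask, or a middlebox that strips the keyword, silently leaves the hop in plaintext, which is why the article's caveat "as long as the other company's server is willing" cuts both ways.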
No one has determined how to encrypt metadata information, Dourado said. Since servers must know where to send an email, information in the header, or metadata, is often completely visible, he said. Even two technology-savvy people who could use end-to-end encryption couldn’t obscure their metadata, if they were sending across email services, he said. Eckersley said “even Google doesn’t offer a service that includes ‘end to end’ encryption that would protect you against eavesdropping by your mail provider itself. And of course we know that AT&T, Verizon and the other big U.S. telcos have basically been surveillance organs for the NSA.” Given the limitations, secure email remains available “only to geeks” who know how to use complicated software or know how to vet secure email providers like Lavabit, which recently folded rather than comply with government demands to disclose its users’ information, Eckersley said. Hall echoed his comments, saying “this is hard enough for nerds like me.”
Hall is optimistic that the enlivened security and privacy debate, which began this summer, has increased momentum and attention on issues like email encryption. “Most people who were comfortable not knowing these things now have to ask these kinds of questions,” he said. “There are now more people thinking about the guts of how the Internet works. And there’s a lot of pressure, and a lot of movement” from the media and from the public for more security over email, he said. The latest revelations are really “the straw that broke the camel’s back” for Yahoo and perhaps for others, he said.