Email Encryption Basics

New to Email Encryption? Learn the fundamentals from our collection of articles for beginners.

Government Spying

Government surveillance efforts have eroded our personal and professional privacy. Domestic intelligence organizations and their allies, with the cooperation of major communications companies, sweep up and examine vast amounts of personal and corporate information. Foreign hackers also pose a severe threat to privacy, along with national security. Encryption is a crucial and effective defense against government spying.

Government Surveillance Affects All of Us
As the Snowden disclosures made clear, the US and its intelligence partners have been operating a massive surveillance apparatus, sweeping up huge swaths of personal and corporate data. The Five Eyes — the United States, Canada, Australia, New Zealand and the United Kingdom — originally worked together to share intelligence about the Soviet Union under a surveillance program called ECHELON. However in recent decades, those governments have begun to sweep up greater and greater volumes of data from ordinary citizens, domestic politicians and international targets.

This surveillance has occurred with the cooperation of major telecommunications and tech companies, who have given the NSA, GCHQ (British intelligence) and other organizations access to customer data, both by providing access to databases containing user information, and by allowing intelligence to directly tap into the fiber optic lines that ferry Internet traffic. Even if companies don’t wish to cooperate, secret surveillance courts can force them to disclose data while prohibiting them from informing customers.

All this data is organized using tools like XKEYSCORE, which allows NSA analysts to track everything targets do online, from email spying to identifying their friends, acquaintances and professional contacts. And despite modest attempts to limit the extent of warrantless spying, it is still growing.

In a recent email spying spying scandal, Yahoo! was revealed to be scanning all of its email users’ messages using keywords supplied by American intelligence agencies — just one more example of an indiscriminate surveillance dragnet. At the local level, government surveillance has been equally alarming, with law enforcement agencies tracking users based on their cellphones, and spying on their electronic communication data and metadata.

Foreign Hackers Threaten Security and Privacy
Foreign governments have breached both government and private databases to amass intelligence. The OPM hack — which compromised extensive background information on tens of millions of government employees and job applicants between early 2014 and April 2015 — is the most well known, but far from the only serious attack. Russian, Chinese and other foreign hackers have successfully targeted Boeing, Anthem Healthcare, and a wide range of other government and political targets.

Email spying has become increasingly prevalent as well. One recent breach exposing the data of 500 million Yahoo customer accounts. Other hacks have targeted the Democratic National Committee, government officials, powerful executives and many, many, ordinary users.

We don’t yet know the full consequences of this foreign government surveillance campaign, but it has already damaged American intelligence and security abroad. The United States has been forced to pull intelligence agents from our Beijing embassy, but the consequences will likely go much further.

The breached OPM data includes detailed and intensely personal information on the friends, relationships and backgrounds of federal employees, which could be used to blackmail and compromise intelligence officers and disrupt vital security work for decades to come. Combined with hacked medical data from the Anthem breach and other stolen information, the results could be devastating. In Phase 2, link to Timeline of Breaches and other resources.

Encryption Combats Email Spying and Government Surveillance
Strong encryption can disrupt government surveillance dragnets, preventing organizations from indiscriminate email spying. Encryption keys are picked randomly from a huge set of possible numbers. Hackers normally have to try out every possible number until they guess the right one — a process called brute force hacking.

With strong encryption like 256-bit AES, there are so many possible combinations that hackers are extremely unlikely to be able to crack a particular key in a reasonable amount of time — even with the massive investments intelligence agencies have made in computing power. Even if all the current computing power in the world were dedicated toward hacking your 256-bit AES key, the likelihood is that you (and possibly the human race) would be long gone before they cracked it.

Of course, it’s not quite that simple. TLS encryption — the technology used by secure websites as well as many email providers to prevent email spying — was supposed to be very strong when properly configured. TLS uses a protocol called Diffie-Hellman Key Exchange to create a secure connection between two parties.

This process uses very large prime numbers to encrypt data, and unfortunately, some older implementations reuse their primes. The NSA is believed to be cracking Diffie-Hellman primes slowly (one sources estimates a rate of one prime per year), allowing them to decipher a significant portion of Internet traffic — even traffic that’s supposed to be secure. It’s possible that other tools will prove to be less impervious to government surveillance than security professionals hoped.

However, even in a worst case scenario, encryption mitigates email spying if the provider uses Perfect Forward Secrecy (PFS). PFS encrypts each session with a unique pair of encryption keys. That means even if a successful hack compromised one key pair, it would not allow government surveillance organizations to decipher past encrypted connections.

To Defend Against Government Surveillance, You Need to Understand It
No democracy is immune to the abuse of power. When ordinary citizens are under constant surveillance, they feel less free to express their opinions, criticize their government, and hold their officials accountable. By protecting yourself from foreign and domestic government surveillance and encouraging your friends and family to do the same, you’re doing your part to keep your society free.

Privacy is Not a Crime: Why Everyone Needs Email Encryption
United We Snoop: Half Complacent About Surveillance
Surveillance Shuts Down Journalism: Fewer Sources Willing to Talk