As predicted (by me), email encryption solutions are proliferating rapidly. All it took was for a threat actor to appear on the scene.
The first time I met Mark Rasch we shared a stage at a Detroit event in the ‘90s. He made a comment that stuck with me. “If email was easy to intercept we would all be reading Marcia Clark’s email.” He was referring, of course, to the prosecutor in the OJ Simpson trial.
We have always trusted our ISPs and the major telephone carriers not to intercept our emails, and further assumed that an attacker would have to infiltrate those carriers’ central offices in order to read them. As usual, trust interstices have proven to be disastrous weak points, as the NSA realized and took advantage of.
In the wake of continuing revelations of the surveillance state and the sudden dissolution of Lavabit, Edward Snowden’s reputed email provider, email encryption has taken on a new life. Here are a few of the developments, by no means all of them.
The Blackphone. A secure Android-based phone with encryption of voice and text messaging using Silent Circle. This is the first computing platform to be marketed as secure, which alone sets it apart. Available in the next several weeks, it is already reported to be sold out at the price of $695. A VPN service makes web-browsing activity hard for the NSA to know. Just one problem: they have not figured out how to obfuscate metadata, since that is extracted from the phone carriers.
Silent Circle. Co-founded by Phil Zimmermann of PGP fame, Silent Circle canceled its own work on a secure email system shortly after Lavabit’s demise. You can install their apps for peer-to-peer encrypted communications. Think the original Skype architecture on your phone. Skype before Microsoft got hold of it and it was implicated in early Snowden docs.
Virtru just announced a $6 million round of funding by Bessemer Venture Partners. It encrypts most email locally, including Gmail. You keep the keys. It is a browser plugin for webmail and an add-on for popular email clients like Outlook. It also has some features of Information Rights Management products such as the ability to revoke previously sent emails.
Mimecast. Most enterprise email solutions already had the ability to encrypt email but it was cumbersome to use and often only worked between people using the same service. Mimecast is a hosted email solution out of the UK that makes it easy to encrypt all email.
Proofpoint is another established hosted email security provider. They have been building out data centers in multiple regions to comply with local privacy regulations. On top of encryption capabilities, they recently acquired NetCitadel and are expanding their defensive security capabilities.
BlackBerry has introduced super secure BBM, their proprietary messaging app. Separate keys are used to encrypt each message. This is required because even great encryption is vulnerable if a lot of short messages (like LOL) are sent repeatedly with the same key.
Subrosa is a newly launched free browser plugin for encrypted communication. Group chat and video are supported. While they implement security correctly, keep in mind that they are using the browser, and an attacker at any point could induce you to compromise either your computer or your browser.
ProtonMail looks a lot like Lavabit and has been getting a lot of press since their launch. The primary additional protection is that they are hosted in Switzerland, so it is harder for the NSA to interfere with their operations. A big drawback is that you have to get a new email account.
Email encryption and privacy protection are set to become a booming industry. The biggest threat is that Google or Yahoo! could give up their own email mining activities and roll out encryption to everyone. That would be a great thing for privacy but a challenge to these other vendors. It is time to encrypt email by default.