NSA row sparks rush for encrypted email

May 18, 2014 by Rob Lever
A new push to encrypt email, keeping messages free from government snooping, is gaining momentum.

One new email service promising "end-to-end" encryption launched on Friday, and others are being developed while major services such as Google Gmail and Yahoo Mail have stepped up security measures.

A major catalyst for email encryption was the revelations about widespread online surveillance in documents leaked by Edward Snowden, the former National Security Agency contractor.

"A lot of people were upset with those revelations, and that coalesced into this effort," said Jason Stockman, a co-developer of ProtonMail, a new encrypted email service which launched Friday with the collaboration of scientists from Harvard, the Massachusetts Institute of Technology and the European research lab CERN.

Stockman said ProtonMail aims to be as user-friendly as the major commercial services, but with extra security, and with its servers located in Switzerland to make it more difficult for US law enforcement to access.

Encryption is a tool that can help dissident activists avoid detection in places like China or Iran, but the movement has also gained credence in the United States among those who want to stay clear of snooping from the NSA or other intelligence services.

Making encryption easy

"Our vision is to make encryption and privacy mainstream by making it easy to use," Stockman told AFP. "There's no installation. Everything happens behind the scenes automatically."

Even though email encryption using special codes or keys, a system known as PGP, has been around for two decades, "it was so complicated," and did not gain widespread adoption, Stockman said.

After testing over the past few months, ProtonMail went public Friday using a "freemium" model—a basic account will be free with some added features for a paid account.

"As our users from China, Iran, Russia, and other countries around the world have shown us in the past months, ProtonMail is an important tool for freedom of speech and we are happy to finally be able to provide this to the whole world," the company said in a blog post.

Google and Yahoo recently announced efforts to encrypt their email communications, but some specialists say the effort falls short.

"These big companies don't want to encrypt your stuff because they spy on you, too," said Bruce Schneier, a well-known cryptographer and author who is for CO3 Systems.

"Hopefully, the NSA debate is creating incentives for people to build more encryption."

Stockman said that with services like Gmail, even if data is encrypted, "they have the key right next to it ... if you have the key and lock next to each other, so it's pretty much useless."

By locating in Switzerland, ProtonMail hopes to avoid the legal woes of services like Lavabit—widely believed to be used by Snowden—which shut down rather than hand over data to the US government, and which now faces a contempt of court order.

Even if a Swiss court ordered data to be turned over, Stockman said, "we would hand over piles of encrypted data. We don't have a key. We never see the password."

'Dark Mail Alliance'

Lavabit founder Ladar Levison meanwhile hopes to launch a new service with other developers in a coalition known as the "Dark Mail Alliance."

Levison told AFP he hopes to have a new encrypted email system in testing within a few months and widely available later this year.

"The goal is to make it ubiquitous, so people don't have to turn it on," he said.

But he added that the technical hurdles are formidable, because the more user-friendly the system becomes, "the more susceptible it is to a sophisticated attacker with fake or spoofed key information."

Levison said he hopes Dark Mail will become a new open standard that can be adopted by other email services.

Jon Callas, a cryptographer who developed the PGP standard and later co-founded the secure communications firm Silent Circle, cited challenges in making a system that is both secure and ubiquitous.

"If you are a bank you have to have an email system that complies with banking regulations," Callas told AFP, which could allow, for example, certain emails to be subject to regulatory or court review.

"Many of the services on the Internet started with zero security. We want to start with a system that is totally secure and let people dial it down."

The new would complement Silent Circle's existing secure messaging system and encrypted mobile phone, which was launched earlier this year.

"If we start competing for customers on the basis of maximum privacy, that's good for everybody," Callas said.

User comments : 4

JamesWebbsSpaceScope
not rated yet May 18, 2014
Don't they have tech that sees through ALL encryption?
Doug_Huffman
not rated yet May 18, 2014
No. That is not possible. A universal assertion of non-existence cannot be sustained without examination of the entire universe of discussion. There is always a Black Swan, though in this case, it's an eeney-weeney one.

Modern encryption is based on factoring a large number, a P versus NP problem, can it be done in polynomial time? Factoring a 256 bit number is immensely more difficult than a 128 bit number. Currently public keys of 1024 bits are advertised.
Z99
not rated yet May 18, 2014
Couple of problems with this post. D.H. confuses/conflates proof of non-existence with CURRENT real world (practical) decryption abilities. There are many (theoretical) methods to encrypt, all have vulnerabilities - but that is not the same thing as being able to decrypt all of them. Usually, it is human error that is the major risk in communication. There is only so much that can be done to change human nature, so this will continue to be the major vulnerability of any communication system. Public-key encryption is what is commonly used because it requires only one party to know the secret decryption key. This system, like all of them, isn't perfect, but IF implemented correctly makes wide-spread surveillance impractical/impossible. Current US law allows NSA to record meta-data AND/OR ALL encrypted communications of US citizens! Recording it (permanently) is different from decoding it. But. Until everybody does it, encryption signals that particular people have "something to hide".
Doug_Huffman
not rated yet May 19, 2014
ProtonMail now has a waiting list, waiting on additional server capacity for being overwhelmed with the demand.