Ways to protect your email from prying eyes

Security experts say email is like a postcard and almost anyone can read it while the note is in transit

It’s time to face reality: Pursuing digital security should be as much of a no-brainer as locking your door before you leave the house. Identity theft, corporate security breaches and an increased interest in personal privacy are forcing some changes. 

Many of us are choosing stronger passwords and changing them more often, locking down social media accounts and being more conscious of how we communicate. If you haven’t taken these steps, you should.

But one of our favorite forms of electronic communication — email — remains one of the hardest to secure. Security experts say email is a lot more like a postcard than a letter inside an envelope, and almost anyone can read it while the note is in transit. The government can probably read your email, as can hackers and your employer.

What’s the solution? Make your email more like a letter inside an envelope. The best way to do this is with a process known as encryption, which scrambles a message into unreadable code that needs a key to be unlocked, providing a layer of protection if someone intercepts your email.

The downside to encryption tools is that they are usually difficult to install and use. In addition, they require the person on the other end to be using the same tools. Thanks to a renewed focus on privacy and security, however, new tools are arriving regularly that should make it easier to encrypt email.

One promising new encryption tool is Virtru, a feature that can be added to Chrome and Firefox browsers or installed on the Mail program on the Mac and for Outlook on Windows. One of Virtru’s big selling points is that it works with web-mail services like Gmail, Yahoo and Hotmail. There are also apps for iOS and Android.

Another big benefit of Virtru is that recipients don’t have to be using the service or any other encryption program to see your email. They receive an email that contains a link to your encrypted message. Once they click a button to verify their email address, they can read the unencrypted message in a separate web page and reply.

Their responses won’t be encrypted unless they also use Virtru, but your original email won’t be included in the response, so it remains hidden from prying eyes. While Virtru is not a completely seamless experience, it is a walk in the park compared with some of the other options, which require signification coordination with the recipient of your messages.

To install the browser plug-in, click the Get Virtru button on the company’s website and it will detect what browser you’re using. Click to download and the extension will install itself, all quickly and easily. You don’t even have to restart your browser. (The company says support for Internet Explorer and Safari is coming soon.)

The next time you compose a new email, you’ll see a blue bar at the top of your email window with a little toggle button that lets you turn Virtru encryption on or off and access other options. Then, type your email normally and hit send.

Emails and attachments are encrypted on your computer or mobile device and decrypted on the other side — so-called end-to-end encryption, which means they can’t be read in transit and they can’t be decrypted without a key if they are intercepted.

I particularly like that you can determine which emails you want to encrypt, case by case; and I like that it encrypts any type of attachment as well as normal email messages. The service also adds control over your emails after you send them: you can disable forwarding, for example, and even set messages to expire after a certain period of time. You can also revoke access to an encrypted message so your recipient won’t be able to decrypt it in the future if the relationship goes sour.

The methods aren’t foolproof; someone can obviously still take a screenshot of an email once it’s decrypted, or copy and paste the contents into a different file. And if your recipient writes back without encrypting the response, at least part of the conversation is not secure.

Another drawback comes on mobile. You must use Virtru’s app to compose and send secure messages on your mobile device, since it doesn’t work on other mail apps on the phone. And there is one other aspect about Virtru that might make some people leery of the service: One of the company’s founders, Will Ackerly, was a security engineer for the National Security Agency, the government agency that is said to intercept many forms of digital communications.

Open source

Virtru promotes his background as a benefit. And John Ackerly, Mr. Ackerly’s brother, a co-founder and the company’s chief executive, says the company has taken pains to prove it is not tied to the NSA. Much of Virtru’s code is open-source and has been published for peer review, giving the public a chance to look for potential vulnerabilities or back doors.

Any Virtru product code that hasn’t been published online is available for anyone who requests it, John Ackerly said. That doesn’t affect the strength of its encryption; it’s more like showing you the inner workings of a lock on a door. You can make sure the lock is strong, but it doesn’t mean you can copy the key.

In addition, the company is encouraging other companies or even individuals to set up servers that will store the encryption keys Virtru uses to decrypt emails. That would prevent all the keys from being stored in one place, adding another layer of security. When it comes to security, such distributed systems are generally safer.

Although Virtru is relatively easy to use, it is not nearly the only option — especially if you just want to send a single encrypted message, perhaps one that contains financial information. If you’re looking for one-off encryption, try a site like InfoEncrypt, which says it encrypts messages in the browser without storing any information.

With InfoEncrypt, you type a message, create a password and then encrypt it. Then, you copy the encrypted message and paste it into an email and send it to someone. This is a little onerous, though. In order for the recipient to open the message, the sender must also pass along the password, presumably through something other than email.

Another one-off option is SafeMess, which works much like InfoEncrypt. But SafeMess lets you set an expiration time for your messages, ranging from three minutes to 90 days. Expect more simplified encryption tools soon. But for now, at least, a crucial part of email security might be recognizing that email shouldn’t be used for your most secure communications. It’s a hard thing to get used to, since we’ve used email for so much for so long. 

Security experts say it is easier to encrypt more temporary communications, like text messages (using a service like TextSecure) than far-flung and varied email systems. And whenever you think about secure communications, it’s good to remember the safest method of all: talking face-to-face.