Email wasn’t particularly designed with security, privacy, and encryption in mind. Threat actors like governments, ISPs, hackers, and big corporations can log into your account and read your emails. The good news is that you can use secure email services to protect your emails from prying eyes.
Whether you’re a home user or work for a big company, it’s good to know your email provider’s security features. Besides, not all email providers that claim to be secure are safe and private. Here’s a list of features to expect in a secure email provider.
1. Encryption Method
Many email providers offer basic security like spam and virus protection. But depending on your industry and jurisdiction, you may also want to secure your email communications with encryption.
Unencrypted emails are to blame for numerous major breaches in the past few years, leaking messages and credentials, and losing millions of dollars in revenue. Email providers know this, so they will normally explain the encryptions they offer on their website.
Sending an email over an encrypted network scrambles the email’s plain text, making it impossible to read the message without an encryption key.
Cybercriminals can easily intercept your emails if your email provider offers no (or poor) encryption. Standard providers, like Gmail, use transport encryption to encrypt messages between your device and the server. On the server, Google encrypts the messages at the network level. But Google can access the data.
The email then leaves Google’s server and heads to its destination. If the recipient’s email provider also uses transport encryption, the email will continue to be protected along the way. If not, the email will be unencrypted and easy to intercept.
However, Google scans your Gmail data to offer personalized and assistive experiences such as Smart Compose and Smart Reply.
The most secure providers use end-to-end encryption to protect your emails. This means that messages are encrypted on the sender’s device, and only the intended receiver can decrypt them.
With end-to-end encryption, the only person who can read the email you’re sending is the recipient. Not even the email provider can access your emails.
Secure email providers, like Tutanota and ProtonMail, use Pretty Good Privacy (PGP) for end-to-end encrypted email. This way, no one can read your emails, and your data is never used for advertising. For more secure internal communication, you may avoid emails altogether and use encrypted messaging apps, such as Signal or Wire.
End-to-end encryption works in two ways: symmetric and asymmetric. Symmetric encryption uses a single key to encrypt the plain text and decrypt the ciphertext.
Asymmetric encryption, also known as public-key cryptography, encrypts and decrypts data using two unique sets of keys. As such, it’s the more effective of the two. To learn more about these encryptions, you should brush up on how encryption works and what it does.
2. Logs
Email providers keep logs for various reasons, like DDoS protection. The logs kept may include IP addresses and connection times.
The amount of data logged and how those logs are stored should influence your decision. Whenever an email service stores logs, this data could end up with third parties.
The most secure email providers don’t store logs, so nothing can be traced back to you. The provider should also strip IP addresses from emails sent and received.
With an IP address, an attacker can know your internet provider and physical address. Consider using a good VPN to hide your IP address and location effectively.
3. Two-Factor Authentication
Login details are frequently leaked or hacked and used to access victims’ accounts. Two-Factor Authentication (2FA) means that stealing your username and password won’t be enough to log into your email account.
2FA depends on two things: something you know, like a password, and something you have, like a cell phone. One of the most common forms of two-factor authentication is your email provider sending you a code via SMS to use together with your username and password.
4. Metadata Stripping
Each email has metadata—bits of information that attackers could mine. Metadata could contain information about your computer, web browser, network, and email recipient. Secure email services usually strip this information out.
While the small snippets of information seem fairly useless, to an attacker, it’s the first step toward learning more about your conversations. For example, a hacker can use metadata to mine information about your life, habits, and preference.
5. Server Location
Where your email service is located can affect your data security and privacy as it determines how the provider will handle government requests for data.
Countries, like the Five Eyes nations and others, collect and share intelligence data gathered from email servers. Some nations, including the US and the UK, have data-retention laws that require email providers to store data for a certain period.
Providers in the US can be forced to grant the government direct access to their servers for surveillance of communications and stored information. Data requests can be accompanied by gag orders, forbidding the provider from disclosing what’s happening to the users.
Depending on the email security threat, server location could be a major consideration. For example, if you’re an activist, journalist, or whistleblower who can expect their communications to be subpoenaed by the government, an email provider located in Germany and Switzerland would be ideal. They all have tougher privacy laws.
6. Paid Plans
The unlimited “free” business model is fundamentally flawed. Email providers operate and maintain servers, offer customer support, and more. These things cost money, so a good email provider will likely charge for an account.
Many free email services might do more harm than good. Free email providers can collect your data and monetize it with ads.
Secure providers typically make money selling premium plans and not ads or your data. Some of these services allow you to pay anonymously using Bitcoin.
Keep Conversations Private Using Secure Email Providers
Email is one of the least private ways to send and receive content online. To keep your communications safe, consider using a secure email provider.
There are quite a few secure email services out there, each with a different set of features. Because of this, when choosing an email provider, you need to pay attention to features like end-to-end encryption, two-factor authentication, and data center location.
