Last week, Google traffic spiked to my tutorial, How to Install Your own Private Email Server, and I wasn’t sure why until a Washington Post reporter called me. She wanted to understand how Hillary Clinton might have installed a “homebrew” mail server as the AP described it. News of Clinton’s actions apparently inspired a lot of people to investigate taking back their email privacy. It’s understandable: the Snowden leaks have left us all feeling exposed.
The reason the Clinton email server story has legs is that it invokes the shadow side of the Clinton legacy. Her tweet that she wants the public to see her email is so intellectually dishonest that it brings back to mind President Clinton’s famous, “It depends upon what the meaning of the word ‘is’ is.” Clearly, by running its own email server, the Clinton team had full control over which emails to turn over for public disclosure to the State Department.
I want the public to see my email. I asked State to release them. They said they will review them for release as soon as possible.
— Hillary Clinton (@HillaryClinton) March 5, 2015
Not only does the media uproar over Clinton’s email server highlight gaps in her political judgment, it shows weak technical acumen. Her server was poorly secured. It’s possible Clinton’s server leaked more diplomatic cables than Chelsea Manning.
It also highlights the arrogance of her desire to opt out from the kind of involuntary disclosure the Obama NSA subjects the rest of our email accounts to.
The Challenges of Securing Your Email
While I’d first written tutorials for running your own email back in 2004, I revisited the topic after Snowden’s NSA whistleblowing in 2013. While the tools and capabilities have improved in the past decade, the truth is that you have to be a highly skilled system administrator to properly manage your email in a secure manner — even if you’re not the senior diplomat for the United States.
A lot of plain text email travels the web unencrypted. Currently, Google reports that 78% of outbound Gmail messages are encrypted and only 58% of inbound messages (up from 65% and 50% respectively last summer). When Google first added these figures to its transparency report, only one percent of Comcast.net email to Gmail customers was encrypted.
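To see which legs of a message's journey were encrypted, you can read the Received headers that each mail server stamps on it. The following is an added example, not part of the original article: it assumes the servers label each hop with the registered "with" keywords (ESMTP for plaintext, ESMTPS or ESMTPSA when TLS was used), and the sample message is constructed.

```python
import email
import re

# Constructed sample message (not real mail). Newest Received line is on top.
SAMPLE = (
    "Received: from mx.example.net (mx.example.net [192.0.2.10])\n"
    "\tby inbound.example.org with ESMTPS id abc123\n"
    "\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256);\n"
    "\tThu, 12 Mar 2015 10:00:03 -0700\n"
    "Received: from relay.example.com (relay.example.com [198.51.100.7])\n"
    "\tby mx.example.net with ESMTP id def456;\n"
    "\tThu, 12 Mar 2015 10:00:02 -0700\n"
    "Received: from laptop.example.com ([203.0.113.5])\n"
    "\tby relay.example.com with ESMTPSA id ghi789;\n"
    "\tThu, 12 Mar 2015 10:00:01 -0700\n"
    "From: alice@example.com\n"
    "To: bob@example.org\n"
    "Subject: constructed test\n"
    "\n"
    "body\n"
)

HOP_RE = re.compile(r"\bby\s+(\S+)\s.*?\bwith\s+([A-Za-z0-9]+)")
# Registered keywords: an "S" after the base protocol means the hop used TLS.
PROTO_RE = re.compile(r"^(?:UTF8)?(?:E?SMTP|LMTP)(S?)A?$")


def hop_report(raw_message):
    """Return [(receiving_host, protocol, tls)], oldest hop first.

    tls is True/False for recognised keywords and None when unknown.
    """
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())  # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            hops.append(("?", "?", None))
            continue
        proto = m.group(2).upper()
        pm = PROTO_RE.match(proto)
        hops.append((m.group(1), proto, bool(pm.group(1)) if pm else None))
    hops.reverse()
    return hops


def plaintext_hops(raw_message):
    """Hosts that accepted the message over an unencrypted session."""
    # Only lines added by servers you trust are reliable; a sender can
    # forge the Received lines below the first one your provider wrote.
    return [host for host, _, tls in hop_report(raw_message) if tls is False]
```

For the sample, `plaintext_hops(SAMPLE)` reports that the relay-to-MX leg travelled in the clear even though the first and last legs used TLS.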
To ensure the privacy of your communications, you need to use encryption technology with trusted keys. For most people, this means Pretty Good Privacy (PGP) encryption. Unfortunately, configuring PGP keys and using them remains extremely difficult and beyond the reach of casual users. Furthermore, you can only use PGP with other PGP users. This greatly limits its usefulness and adoption. This also doesn’t address the desire to keep our recipient lists private.
Google is working on a browser extension for Chrome, called End to End, that will simplify PGP a bit, but it’s still in alpha. There’s a similar product called Mailvelope that tries to do this today. And, there’s an iPhone App called iPGMail that tries to make reading and sending encrypted messages easier on iPhones.
The problem is that privacy and encryption aren’t built into our email systems and it’s not been a priority for software and device makers to improve the usability and everyday usefulness of security technologies.
Frankly, there aren’t practical ways for the everyday person to secure their communications from prying eyes, let alone sophisticated government spying.
Don’t Try Hosting Your Own Email
Unfortunately, hosting your own email is not likely the answer either.
If you choose to run your mail server on a shared virtual private server (VPS), your email is only as secure as your hosting company’s business protocols. And, you have to quickly keep up with the steady stream of zero-day vulnerabilities such as Heartbleed, FREAK, et al.
If you run your server at home, then there’s also a variety of physical security, reliability and redundancy issues that come up. For example, what if you’re traveling, the power goes out and your server won’t come back up? What if someone breaks into your home — is your disk encrypted? How secure is your home WiFi network during everyday use?
The system administration tasks are fairly sophisticated too. Installation’s not simple and you have to know your way around SSL certificates.
Furthermore, the front-end usability of open source email products such as Roundcube still struggles to keep up with Gmail and others. Certainly, you can use off-the-shelf products such as Microsoft Exchange Server, but with these comes the risk of built-in surveillance backdoors.
Once you start connecting inbound and outbound messages to your smartphone, you open up other potential avenues for third party surveillance – even if you take precautions.
After a lot of research and trial and error, I chose not to host my own email server. Instead, I chose an incremental step of separating my personal and work email. I migrated my personal emails to Australian-based FastMail. The company claims to be free of NSA surveillance. I’ve also appreciated the mental separation between work and personal communications that two email accounts provide.
Certainly there are many ways for the NSA to read my personal emails as they bounce around the Internet, but not as easily as they siphon up all of my Gmail. Even if I choose to use encryption technologies for email – few of my colleagues and friends do.
If you want increased peace of mind, another option is Norwegian Runbox, which promotes itself as secure offshore email for companies, organizations and individuals. It encrypts your email and supports built-in PGP encryption options. While U.S. based secure email providers Lavabit and Silent Circle were forced into shutting down, it’s less likely that the U.S. government could gain access to or pressure this type of overseas provider. Plans start at $19.95 annually. (Note: Pricing corrected since original post.)
It doesn’t appear to me that Americans want to pay this much for privacy en masse.
Our Lives Are Open Books
Ultimately, for the moment at least, our lives are open books. Apart from my email, what my cell phone and credit card companies know about me tells the intimate journey of my everyday life. The government has ready access to all of this information and my Gmail – and all of yours as well. That pales in comparison to what you’ve shared with Facebook – I stopped using it socially in 2013. Our cultural norms of privacy simply haven’t kept up with the Internet and smartphones.
There need to be fundamental changes to the way privacy and security are built into email platforms, devices and applications. I’m talking to you Google, Microsoft, Apple – Facebook!
As technologists, we’ve not yet risen to the challenge of digital privacy and we’ve allowed our employers and our political leaders to auction it off to the highest bidder. There’s so much work for us to do — and to do well — for the average person to regain privacy.