CNBC Explains: How to encrypt your email

Angered by the revelations that NSA is sweeping up data from millions of emails and phone calls while courts hem and haw over whether it's legal, or just annoyed by the targeted ads from Google and Yahoo, some email users are looking for ways to keep private emails and text messages safe from prying eyes.

The answer is encryption—though there's a price to pay, as it requires a little work. But you don't have to be Edward Snowden to set up a basic encrypted email account. "It's doable, but it's just not convenient," said Gary Davis, vice president of global consumer marketing at McAfee, which makes both antivirus and anti-spyware software.

Here's a primer on how to hide your communication trail from the NSA.


First, it's important to make the distinction between security and privacy. If the network is compromised or you picked an easy password, then there's not much any encryption program can do. That said, there are several ways to make sure a snooper is at least slowed down.

Most people are familiar with HTTPS sites—that stands for Hypertext Transfer Protocol Secure. When you log onto the website of a bank or even an email server, HTTPS provides a "secure tunnel" to the site visited and encrypts the communications between the computer (or smart device) and the server. Even though the connection to Google Mail, for example, is encrypted, once the email is sent, it is "in the clear." So HTTPS is useful for stopping man-in-the-middle attacks—the kind where the person in a coffee shop is monitoring Internet connections and eavesdropping, but it won't stop the spy agencies from reading your mail.


Another way to reduce your email footprint is to keep email on the desktop. Desktop email takes the email off the server and stores it on your local computer. A lot of older mail programs actually operated this way; some newer ones have a "delete from the server" option. Davis noted that many use Web-based email and don't think twice about leaving all those messages in the cloud. "Use a desktop client," he said. "Use one with IMAP," and then use IMAP to delete messages from the server every time. IMAP, or Internet Message Access Protocol, is a common feature that supports downloading messages this way, and when it runs over SSL it does so via a secure connection.

Users who find themselves in coffee shops or other free Wi-Fi areas might want to invest in a Web-based virtual private network—or VPN. VPNs create a secure tunnel to the site or server. "Users are at highest risk of being snooped upon when they are using free Wi-Fi," said Chet Wisniewski, senior security researcher at Sophos, a maker of antivirus and security systems.

Using a 3G or 4G connection from a smart device to access the Internet isn't necessarily safer unless it, too, is accessing the Web via a VPN. Some corporations set VPN clients up on employees' smartphones (especially if they deal in sensitive information). VPNs work well on both 3G- and 4G-enabled devices, though on a 3G it might be a bit slow. Home Wi-Fi is somewhat safer than using Wi-Fi or cell phone connections in a public place, simply because the odds of a random hacker listening are smaller and most home networks require passwords to access (you did set up a password, right?). But the same precautions apply.


For the more paranoid set, there's the Onion Router, or Tor, which offers both privacy and encryption (Snowden used it, though he also used a lot of cloak-and-dagger stuff that most people couldn't handle). When you connect to the Internet via the Tor network, the information is encrypted and then sent through several different servers. That makes it nearly impossible to trace where a packet of information is coming from—the user is anonymous. The Tor browser bundle is available for both Macs and PCs.

The Tor network even has its own set of websites that are accessible only via a Tor client on a desktop. It was good enough for criminal networks; the recently shuttered Silk Road site used it. Tor is so good, even the NSA can't de-anonymize people en masse—yet. That said, Tor offers anonymity, but the transmitted information can still be picked up via malware on the desktop or as it enters and exits the network. So it's still vulnerable, at least in a limited way.

Another downside of Tor is the speed of the connection. The Tor network is a bunch of servers like any other, not owned by any one authority or company. There's also not much capacity there. If enough people signed up to use Tor without a corresponding increase in the number of servers, the whole thing would act like dial-up.


For simple email, there are several programs available. You may have heard about Lavabit just after the Snowden leaks. It was one of the encrypted email services that "self-destructed" rather than comply with government requests for access to its user data.

Lavabit was actually used by Edward Snowden to invite people to a conference on human rights.

The old man of the lot is PGP, for Pretty Good Privacy, first developed in 1991. PGP uses a system of public and private keys, or asymmetric encryption. The public key is sent out to everyone you might want to communicate with, and the private key is kept secret. Messages can be encrypted with the public key, but only decrypted with the private key. Symantec distributes one version of the PGP software, but there are open-source apps using the same standard for download. Good, user-friendly ones are GPGMail for Macs or GPG4win for Windows.

Google mail offers an encryption product called SecureGmail.

Leaving aside whether one trusts Google or not, SecureGmail is different from PGP in that it uses symmetric key cryptography. That means that if you want to communicate with another person securely, both parties have to share the same key.

PGP still exists even though services like Lavabit no longer do, because it's not centralized—there's no way to stop it even if the NSA wanted to. It would be like stopping people from using TextEdit or Word. It's also not the latest and greatest in encryption technology, so some theorize that the NSA can crack it, but there is no proof. Remember, too, that encryption programs aren't that complicated to write—the math is actually stuff you learned in sixth grade but with bigger numbers.
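To make the two key models above concrete (PGP's public/private pair versus SecureGmail's single shared key), here is an added illustration in Python; it is not code from CNBC or from any of the products named, and it uses tiny constructed primes so the "bigger numbers" arithmetic is visible, not real-world key sizes.

```python
# Added illustration, not from the article or any vendor: textbook RSA
# (asymmetric, as in PGP) next to a shared-key XOR (symmetric, as in
# SecureGmail). Real PGP/GPG uses 2048-bit keys, padding, and encrypts a
# random session key rather than the message bytes; this is mechanics only.
import secrets
from math import gcd

def make_rsa_keypair(p, q, e=65537):
    """Build a textbook RSA keypair from two primes (constructed demo values)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "public exponent must be coprime to phi"
    d = pow(e, -1, phi)            # private exponent: e*d == 1 (mod phi)
    return (n, e), (n, d)          # (public key, private key)

def rsa_encrypt(public_key, m):
    """Anyone holding the public key can encrypt."""
    n, e = public_key
    assert 0 <= m < n
    return pow(m, e, n)

def rsa_decrypt(private_key, c):
    """Only the private key holder can decrypt."""
    n, d = private_key
    return pow(c, d, n)

def encrypt_text_asymmetric(public_key, text):
    """Toy: encrypt each byte separately with the public key."""
    return [rsa_encrypt(public_key, b) for b in text.encode()]

def decrypt_text_asymmetric(private_key, blocks):
    return bytes(rsa_decrypt(private_key, c) for c in blocks).decode()

def one_time_pad_key(length):
    """Fresh random key as long as the message, used once and discarded."""
    return secrets.token_bytes(length)

def xor_with_key(data, key):
    """Symmetric: the same key both encrypts and decrypts, so both sides need it."""
    assert len(key) >= len(data), "pad must cover the whole message"
    return bytes(a ^ b for a, b in zip(data, key))

def demo():
    pub, priv = make_rsa_keypair(61, 53)   # constructed primes, not a safe size
    roundtrip = decrypt_text_asymmetric(priv, encrypt_text_asymmetric(pub, "Hi"))
    msg = b"meet at 9"
    key = one_time_pad_key(len(msg))
    pad_ok = xor_with_key(xor_with_key(msg, key), key) == msg
    return roundtrip, pad_ok

if __name__ == "__main__":
    print(demo())
```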


For encryption to be really useful, though, both parties communicating have to be using it, and on top of that, most people find Web-based email too useful to give up entirely. Mailpile is a Web-based encrypted email client designed to address that. The idea is to encrypt the messages on the Web, the way Google Mail does, but not to leave all the messages on the server in the cloud. An alpha version of the software is slated for release in January.

All that said, email isn't the only way to communicate. Silent Circle, a National Harbor, Md.–based company, offers encrypted phone calls, texts and even a Skype-like video call service. Silent Circle also used to offer an encrypted email service but discontinued it.

Silent Circle offers a subscription service geared to mobile devices such as smartphones. The encryption keys are a "one-time pad"—used and then discarded. When a user fires up Silent Circle on her phone, the software links to a private network, a secure tunnel to a server in Canada or Switzerland. Once the message (or phone call) arrives there, it is routed to the ordinary public network to complete its journey. The encryption happens on the device itself. So anyone who tries eavesdropping on the call won't be able to pick up the key. For example, if the Chinese government wanted to listen to a Silent Circle user's call, it wouldn't be able to do so unless it had some way of accessing the call in the U.S.

Speaking of which, if the recipient is a Silent Circle subscriber and in the U.S., the NSA won't be able to listen to that end of the conversation, either. Silent Circle also offers secure calls in the other direction, using a normal 10-digit phone number that links up to Silent Circle's server.

Silent Circle's selling point is that the cryptography is distributed. Not even Silent Circle can read the messages sent over its network, as they aren't stored.

Other phone encryption programs include Open Whisper Systems, which offers an app called RedPhone that encrypts texts and calls on Android devices (the company says it's working on an iPhone version).

With all these products out there, it's important to emphasize that good encryption depends on the snooper not being able to crack the code in a reasonable amount of time. The NSA reportedly stores encrypted messages for five years on the assumption that eventually the computing power will be there. So the people designing code schemes have to stay ahead—Silent Circle, for instance, is moving to more advanced mathematical techniques to do just that, according to Spencer Snedecor, chief revenue officer.

Of course, there's always hoping that the eavesdroppers don't know your language. "Learn Klingon. It defeats all but the most hard core of sci-fi stalkers," Wisniewski said.

By Jesse Emspak, Special to CNBC.com
