I can’t stop thinking about encryption.
Right after Google announced plans to release an extension to its Chrome browser called “End-To-End”, with the goal of facilitating easier email encryption, I found a postcard on the sidewalk. The postcard was addressed to a house three doors down from where I found it, so I simply took it there and dropped it in their mailbox. But, in the process of searching for the address, I inadvertently read the greeting — “Dear Aunt Sally.”
Having no interest in Aunt Sally, I read no further — but I could have — and that is the point of this blog. Unencrypted email can be less secure than sending a post card via snail mail.
Not All Email is Equal
Much of the email we send would not be classified as sensitive and need not be encrypted. That’s a good thing, because according to Google almost half of the emails sent between its Gmail server and other email providers is not encrypted.
The reason is that, although Google encrypts with a method called “transit encryption,” which basically puts an electronic envelope around the email, transit encryption only works if both the receiving and sending web-based email providers use it. Google is encouraging people to pressure their email providers to use transit encryption on 100% of email. So, if transit encryption is used on both ends by each web-based email provider then your mail is protected from prying eyes just like a letter sent via the U.S. Postal Service.
But here is where the similarity ends. The Post Office can’t open that envelope and read your mail. Web-based email providers can and do read your mail.
Of course, it’s an automated process using search algorithms, and the purpose is to do targeted advertising, or to scan for malware. No human eyes peruse your email. Your email provider also has to read your mail if you request a mail search, so in many cases transit encryption is the desired protection.
What About Really Sensitive Email?
Some data sent by email should only be seen by the sender and the recipient. In the past, it was mostly large enterprises, like banks, and government agencies that needed highly encrypted emails. But now, most small- to medium-sized businesses (SMBs) handle proprietary and confidential data.
Medical records as required by HIPAA, banking and billing information, credit card numbers, legal documents, customer contact lists, social security numbers, passport numbers, etc. There is a long list of material just too sensitive to be sent using only transit encryption.
RELATED: Who Needs to be HIPAA Compliant?
For this, you need end-to-end encryption, which is a lot more complicated than transit encryption. It offers another layer of security by encrypting email data as it leaves a user’s browser, and then decrypting it at the recipient’s end. To do this requires key certificates—secret codes that have the power to unlock data.
Key Certificates Are Valuable
Basically, end-to-end encryption takes that mail envelope and puts it into a locked safe, with the combination known only to the sender and receiver. Managing and controlling access to those key certificates is the tricky part.
The more encryption used, the more keys must be managed or controlled. This is important to prevent keys from being lost or stolen because once data is encrypted the key becomes as valuable as the data itself. That’s why end-to-end email, which has been available for some time using various software tools, has failed to become mainstream.
These tools require a great deal of technical knowledge and manual effort. Google says that it hopes that its End-to-End browser extension for Chrome, which is still in the testing and evaluating stage, will make it easier for anyone to send end-to-end encrypted email through not only Gmail, but any web-based email provider.