Skip to Content

Why E-mail Can’t Be Completely Private

The closure of two “ultra-private” e-mail services shows just how weak the system really is.
August 14, 2013

When Lavabit—an e-mail service used by National Security Agency leaker Edward Snowden—suspended service last week amid hints that it had received a government demand for information, a competing service called Silent Circle made a draconian decision: to obliterate all of its customers’ stored e-mail.

The episode pointed out two fundamental weaknesses in e-mail. First, even if an e-mail service encrypts messages for secrecy, as Lavabit and Silent Circle did, the e-mail headers and routing protocols reveal who the senders and receivers are, and that information can be valuable in its own right. And second, the passcodes used as keys to decrypt messages can be requested by the government (if held by the e-mail company) or simply stolen by sophisticated malware.

When e-mail was created 40 years ago, security or anonymity wasn’t part of the design. The routing and labeling protocols plainly state what computer sent it or forwarded it, what computer received it, and what time all this happened. “There are far too many leaks of information and metadata intrinsically in the e-mail protocols themselves,” says Mike Janke, CEO of Silent Circle, whose customers include people in companies and government agencies with secrets to protect. “It doesn’t matter what you try to do with e-mail, there are these inherent weaknesses. So we got rid of Silent Mail [the company’s e-mail service]. We deleted all of it, burned it, and threw it in the ocean with locks and chains on it. People lost all their e-mail, but the response went from ‘Why would you do this?’ to ‘Thanks for doing this.’ “

Lavabit and Silent Circle and some other providers have offered a straightforward proposition: they will keep your e-mail encrypted at all times, except when you are reading and writing it on your own computer. This is in contrast to services like Gmail, which encrypts e-mail only for the trip over the network but stores the messages “in the clear” in its servers and mines that data to serve you ads.

Lavabit’s founder, Ladar Levinson, says he suspended operations rather than be “complicit in crimes against the American people.” Levinson could not be reached for comment but told the New York Times that he was under a gag order, implying that he received a National Security Letter, in which the FBI or NSA demands information for an investigation relevant to national security and requires the recipient to not reveal even having received the letter. In contrast to Silent Circle, the Lavabit data has not been deleted, he says.

Janke says that news triggered an emergency conversation with Phil Zimmermann, a Silent Circle founder who in 1991 created the e-mail encryption protocol known as PGP for “pretty good privacy” (see “An App Keeps Spies Away from Your iPhone”). “Once we saw what happened with Lavabit, we realized it wasn’t days, it was hours that we had to make a decision,” Janke says. But he adds that he never did receive a request.

The problem—besides the metadata that accompanies all e-mail—was that 98 percent of Silent Mail customers opted to let Silent Circle hold the encryption keys, which made using the service much easier. When users manage their own keys, they have to log into a special system to exchange cryptographic keys with each person they want to e-mail with. By possessing the keys to manage this process, the company could decrypt the messages if forced to. “If we got a legitimate request, we could in fact turn it over,” Janke says (see “NSA Chief Says U.S. Phone and Web Surveillance Sets Standard for Other Countries”).

Silent Circle remains in business, because fewer than 5 percent of its customers were using the now-deleted mail service. Most of them use other Silent Circle services that encrypt phone, text, and video content. This allows users to, for example, send an encrypted file via text message and even attach a time limit so that it will be deleted from both the sending and receiving devices after some period.

Yet these services also can be undermined by malware that can steal encryption keys stored on computers or grab data that has been decrypted by the user. “It is very difficult to be malware-protected,” says Radu Sion, a computer scientist and security expert at Stony Brook University. “A highly determined adversary—I don’t want to say the government here—will have access to any machine in the world.”

Existing e-mail services could become a little more private by encrypting header information. The techniques are well understood, but there is limited demand for them, Sion says. “The public is not asking for it since people don’t care about privacy, really,” he says. “And the cloud e-mail providers make lots of money by mining your messages.”

Meanwhile, Silent Circle is working on replacing its defunct e-mail service with a system that doesn’t rely on traditional e-mail protocols and keeps no messages or metadata within the company’s grasp. It is based on a protocol often used for instant messages and other applications. Janke says the goal is for this to not be e-mail, but “for all intents and purposes it looks, feels, and acts like e-mail.”

Keep Reading

Most Popular

conceptual illustration of a heart with an arrow going in on one side and a cursor coming out on the other
conceptual illustration of a heart with an arrow going in on one side and a cursor coming out on the other

Forget dating apps: Here’s how the net’s newest matchmakers help you find love

Fed up with apps, people looking for romance are finding inspiration on Twitter, TikTok—and even email newsletters.

computation concept
computation concept

How AI is reinventing what computers are

Three key ways artificial intelligence is changing what it means to compute.

still from Embodied Intelligence video
still from Embodied Intelligence video

These weird virtual creatures evolve their bodies to solve problems

They show how intelligence and body plans are closely linked—and could unlock AI for robots.

We reviewed three at-home covid tests. The results were mixed.

Over-the-counter coronavirus tests are finally available in the US. Some are more accurate and easier to use than others.

Stay connected

Illustration by Rose WongIllustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.