Washington – A new push to encrypt e-mail, keeping messages free from government snooping, is gaining momentum.
One new e-mail service promising “end-to-end” encryption launched on Friday, and others are being developed while major services such as Google Gmail and Yahoo Mail have stepped up security measures.
A major catalyst for e-mail encryption were revelations about widespread online surveillance in documents leaked by Edward Snowden, the former National Security Agency contractor.
“A lot of people were upset with those revelations, and that coalesced into this effort,” said Jason Stockman, a co-developer of ProtonMail, a new encrypted e-mail service which launched on Friday with collaboration of scientists from Harvard, the Massachusetts Institute of Technology and the European research lab Cern.
Stockman said ProtonMail aims to be as user-friendly as the major commercial services, but with extra security, and with its servers located in Switzerland to make it more difficult for US law enforcement to access.
Encryption is a tool that can help dissident activists avoid detection in places like China or Iran, but the movement has also gained credence in the US among those who want to stay clear of snooping from the NSA or other intelligence services.
“Our vision is to make encryption and privacy mainstream by making it easy to use,” Stockman said. “There’s no installation. Everything happens behind the scenes automatically.”
Even though e-mail encryption using special codes or keys, a system known as PGP, has been around for two decades, “it was so complicated”, and did not gain widespread adoption, Stockman said.
After testing over the past few months, ProtonMail went public using a “freemium” model – a basic account will be free with some added features for a paid account.
“As our users from China, Iran, Russia, and other countries around the world have shown us in the past months, ProtonMail is an important tool for freedom of speech and we are happy to finally be able to provide this to the whole world,” the company said in a blog post.
Google and Yahoo recently announced efforts to encrypt their e-mail communications, but some specialists say the effort falls short.
“These big companies don’t want to encrypt your stuff because they spy on you, too,” said Bruce Schneier, a well-known cryptographer and author who is chief technology officer for CO3 Systems.
“Hopefully, the NSA debate is creating incentives for people to build more encryption.”
Stockman said that with services like Gmail, even if data is encrypted, “they have the key right next to it… if you have the key and lock next to each other, so it’s pretty much useless.”
By locating in Switzerland, ProtonMail hopes to avoid the legal woes of services like Lavabit – widely believed to be used by Snowden – which shut down rather than hand over data to the US government, and which now faces a contempt of court order.
Even if a Swiss court ordered data to be turned over, Stockman said, “We would hand over piles of encrypted data. We don’t have a key. We never see the password.”
Lavabit founder Ladar Levison meanwhile hopes to launch a new service with other developers in a coalition known as the Dark Mail Alliance.
Levison said he hopes to have a new encrypted e-mail system in testing within a few months and widely available later this year.
“The goal is to make it ubiquitous, so people don’t have to turn it on,” he said.
But he added that the technical hurdles are formidable, because the more user-friendly the system becomes, “the more susceptible it is to a sophisticated attacker with fake or spoofed key information”.
Levison said he hopes Dark Mail will become a new open standard that can be adopted by other e-mail services.
Encrypted mobile phone
Jon Callas, a cryptographer who developed the PGP standard and later co-founded the secure communications firm Silent Circle, cited challenges in making a system that is both secure and ubiquitous.
“If you are a bank you have to have an e-mail system that complies with banking regulations,” Callas said, which could allow, for example, certain e-mails to be subject to regulatory or court review.
“Many of the services on the internet started with zero security. We want to start with a system that is totally secure and let people dial it down.”
The new e-mail system would complement Silent Circle’s existing secure messaging system and encrypted mobile phone, which was launched earlier this year.
“If we start competing for customers on the basis of maximum privacy, that’s good for everybody,” Callas said.