The Benefits of Using Encrypted Email Services for Your Data Privacy
Introduction
A few weeks ago, my account in DBA was suspended due to fraud prevention. An internal team in DBA somehow concluded that the item I was selling might be fake and they needed to lock my account. As a good internet citizen, I quickly established contact with them to fix the issue and restore my access.
I was very surprised when they asked for copies of my ID and CPR number to send them back. These are very sensitive documents and sending them via email was a bit too risky. I tried to explain to them that we were not using any encryption, so our messages were not secure and could be exposed while in transit.
The DBA representative said that it was a company policy to receive all relevant information regarding cases to their own email inbox. What baffled me in this case was that he was just following the protocol, and he could not even consider or agree with the idea that maybe they were asking too much.
A similar story, involving the Lithuanian Embassy in Copenhagen, happened a month ago. I received a new passport that was not technically activated yet. The embassy had a rule that I had to report about the passport in five days. That required filling out a form with passport data and sending a screenshot via email or mail as well.
The Problem
The same problem arises in both cases. Once we press the Send button without end-to-end encryption in place, we can only guess what happens to the email as it travels across the vast space of the internet.
To illustrate this a bit, I have found a good and simple video by Steve Cope that explains how email is sent and received. In my scenario, I used a web-based client to access Tuta's email service. Tuta is a German-based company that created a secure email solution with encryption possibilities for everyone.
However, for first-time use with external recipients, a password must be exchanged to encrypt the email communication. With the DBA and embassy examples, there was no way to do it, so I could even see a warning from Tuta about the lack of encryption in my communication flow.
And just to mention a few important facts: SMTP is the backbone protocol of email communication. However, the protocol itself does not have any security features out of the box, so TLS is used to protect the connection. According to LuxSci, most providers (85%) support TLS as of July 2022.
If you rely on TLS alone and lack end-to-end encryption, the message is protected only in transit. Once the email arrives at the destination server, its contents are not encrypted anymore. Any employee who has access to the support inbox can technically open my email with confidential information. Now imagine if a hacker somehow managed to break into the email server.
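The hop-by-hop nature of TLS described above can be checked on any message you have received. The following is an added example, not part of the original post: it reads the Received headers of a constructed message and reports which hops used TLS, based on the `with` protocol keywords registered in RFC 3848 (ESMTPS and its variants). All host names, addresses, ids and the body are made up.

```python
import email
import re
from email import policy

# Constructed sample: hosts, addresses, ids and body are made up.
RAW = """\
Received: from mx.shop.example (mx.shop.example [203.0.113.10])
\tby inbox.shop.example with LMTP id abc123;
\tMon, 01 Jan 2024 10:00:03 +0000
Received: from out.mail.example (out.mail.example [198.51.100.7])
\tby mx.shop.example with ESMTPS id def456;
\tMon, 01 Jan 2024 10:00:02 +0000
Received: from webclient.mail.example (localhost [127.0.0.1])
\tby out.mail.example with ESMTP id ghi789;
\tMon, 01 Jan 2024 10:00:01 +0000
From: me@mail.example
To: support@shop.example
Subject: Requested documents

ID number: 000000-0000 (constructed placeholder)
"""

# "with" keywords that indicate TLS on that hop (RFC 3848, RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
                 "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA"}
HOP = re.compile(r"\bby\s+(\S+)\s+with\s+([A-Za-z0-9]+)")

def hops(raw):
    """Return [(receiving_host, protocol, used_tls)], oldest hop first.
    Each server writes its own Received line, so this is self-reported."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    for header in reversed(msg.get_all("Received", [])):
        m = HOP.search(str(header))
        if m:
            proto = m.group(2).upper()
            found.append((m.group(1), proto, proto in TLS_PROTOCOLS))
    return found

def body_at_rest(raw):
    """The body as stored on the destination server: TLS is gone here."""
    return email.message_from_string(raw, policy=policy.default).get_content()

if __name__ == "__main__":
    for host, proto, tls in hops(RAW):
        print(f"{host:22} {proto:8} {'TLS' if tls else 'no TLS'}")
    print("Readable by the mailbox operator:", body_at_rest(RAW).strip())
```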
Solutions
I have two suggestions for better security. Either we use end-to-end encryption for our email communication when it involves sensitive files, or some entities must provide a way to upload data securely.
If you want to enhance your email security, I highly recommend trying Tuta or Proton Mail. These services work out of the box. No complicated setups. If we both agree to use them, our email communications are encrypted by default.
When it comes to secure data uploads, this depends on the company and its willingness to change.
Now go and send that secure email.