Do not use email for sensitive data

E-mails are convenient, easy to use, and popular, but they are not a secure way to share sensitive information. Here’s why:

  • Limited encryption: Most standard email providers do not offer end-to-end encryption. Your connection to their server is usually protected by TLS, but the messages stored on that server are readable by the provider, and therefore by anyone who gains unauthorized access to the server or to your account.
  • Outbound insecurity: When you send an email from an end-to-end encrypted provider to a standard one like Gmail, the message has to be delivered in a form Google can read. It then sits on the recipient’s server readable by Google, even though Google encrypts data at rest, because the keys for that at-rest encryption are controlled by Google, not by the recipient.
  • Inbound vulnerability: Even if you use a secure email service, a message sent to you from a standard provider is written and stored in cleartext on the sender’s side. A copy that the sender’s provider (and anyone with access to its servers) can read remains there, typically in the sender’s Sent folder.

End-to-end encryption offered by a provider is only effective between users of that same service.

Secure e-mail providers

Services like Proton Mail and Tuta offer end-to-end encryption, but it is fully effective only when both sender and receiver use the same service. If you send an e-mail to a non-secure provider like Gmail, the message will be stored unencrypted on Google’s servers. It is often possible to send password-protected emails to external users, but this requires more effort from the sender, and the recipient must receive the password over a separate, secure channel; sending it in another e-mail defeats the purpose.

Better alternatives

  • OpenPGP: You can use OpenPGP to encrypt the body and attachments of your e-mails. However, the headers (sender, receiver, subject, date) are sent and stored in cleartext, because mail servers need them to route the message. This metadata reveals who talks to whom, when, and how often, and can identify the parties even when the content stays secret.
  • Secure messaging apps: The best option for sharing sensitive data is to use a secure messaging app that offers end-to-end encryption by default. Popular choices include:
      • Signal
      • SimpleX
      • Session
      • Threema
      • Briar
      • Wire
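To make the OpenPGP metadata point above concrete, here is an added example (not code from the original page) that parses a PGP/MIME message with nothing but the Python standard library and lists what a mail server, or anyone with access to it, can read without holding any key. The message, the addresses and the subject are constructed for the example, and the armored block is a placeholder standing in for real OpenPGP ciphertext rather than output of gpg.

```python
"""Added example: what an intermediary sees in a PGP/MIME (RFC 3156) message.

Uses only the standard library. SAMPLE_PGP_MIME is constructed for this
example; the armored block is a placeholder, not real OpenPGP output.
"""

from email import message_from_string
from email.message import Message

# Constructed sample in the multipart/encrypted layout OpenPGP mail clients
# produce. Names, subject and payload are made up for the illustration.
SAMPLE_PGP_MIME = """\
Received: from mail.example.org by mx.example.net; Mon, 1 Jan 2024 10:00:00 +0000
From: alice@example.org
To: bob@example.net
Subject: Q3 salary figures
Date: Mon, 1 Jan 2024 09:59:58 +0000
Message-ID: <constructed-1@example.org>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----

hQEMA0PLACEHOLDERxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
=abcd
-----END PGP MESSAGE-----

--b1--
"""


def is_pgp_mime(msg: Message) -> bool:
    """True when the message uses the RFC 3156 multipart/encrypted layout."""
    return (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted")


def visible_metadata(raw: str) -> dict:
    """Return what a relay or storage server can read without any key.

    OpenPGP never covers the headers: the transport needs From/To to route
    the message, and Subject/Date/Message-ID ride along in the clear. Only
    the body of the second MIME part is ciphertext.
    """
    msg = message_from_string(raw)
    if not is_pgp_mime(msg):
        raise ValueError("not a PGP/MIME message")
    parts = msg.get_payload()
    if len(parts) != 2:
        raise ValueError("RFC 3156 requires exactly two parts")
    armored = parts[1].get_payload()  # the only opaque portion
    return {
        "from": msg["From"],
        "to": msg["To"],
        "subject": msg["Subject"],
        "date": msg["Date"],
        "message_id": msg["Message-ID"],
        "hops": len(msg.get_all("Received", [])),  # each relay adds one
        "ciphertext": armored,
        "ciphertext_bytes": len(armored.encode()),  # size leaks as well
    }


def body_is_opaque(raw: str, secret: str) -> bool:
    """Check that a cleartext secret does not appear in the encrypted part."""
    return secret not in visible_metadata(raw)["ciphertext"]


if __name__ == "__main__":
    meta = visible_metadata(SAMPLE_PGP_MIME)
    for key in ("from", "to", "subject", "date", "message_id", "hops"):
        print(f"{key:>11}: {meta[key]}")  # all readable without a key
    print(f" ciphertext: {meta['ciphertext_bytes']} bytes, opaque")
```

Every field the script prints is available to each server on the path, and the Received headers additionally record that path. Some clients reduce the leak by copying the Subject into the encrypted part and replacing the outer one with a placeholder, but From, To and the timing cannot be hidden this way because delivery depends on them; that is the gap the messaging apps listed above are meant to close.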

Using one of these alternatives keeps the content of what you share out of the hands of the service operator and of anyone who compromises its servers, which e-mail cannot guarantee.