The booming encryption market

One amazing bi-product of the nearly regular deluge of internet surveillance stories has been the zeal at which start-ups promising easy encrypted communication have been sprouting everywhere. They’ve had no better marketing partner than government.

I’ve no reason to move on from my own preferred encryption rigging, but there’s been quite a post-Snowden gold rush going on, all based around the notion that “encryption is hard.” Here are some contenders to make it easier on you:

  • There’s Mailpile, an open source “web mail client” in the form of a Chrome plugin that promises to take some of the pain out of end-to-end encryption.
  • Lavaboom picked up the mantle dropped by Ladar Levison, and offers email accounts with both free and paid versions. It promises encryption as “easy as sending a regular email,” a three-way authentication system (for paid accounts) and promises to be “the only zero-knowledge email provider.”
  • Protonmail is hot on their heals, also promising zero knowledge (less than zero, anyone?) and extols their own dead-simple way of using email encryption. If you want to email someone who doesn’t use encryption, they’d receive a link to the encrypted message and use a password to unlock it which you’ll have to get them through other means. They also have little add ons like “self-destructing messages” and a nice Swiss legal jurisdiction, which they use as a feature. When launched, it promises free access, but if you want to get your hands on a hot beta account sooner,  you can donate through their Indiegogo page.
  • A list like this wouldn’t be complete without mentioning Google’s own efforts to make email encryption a snap to use with your Gmail account right in your Chrome browser.  That’s what its own open source plugin End-To-End vows to do.
  • StartMail, is another account (paid) provider that’s not yet launched yet but accepting invitations. It promises to be the “encryption made easy” solution on the block. StartMail is being built by the privacy-first search engine makers of StartPage and Ixquick.  It’s kind of worth pointing out that the same developers created two different search site’s each promising to be more private than the other.
  • Enlocked is a service you can buy to encrypt your emails using their various apps for different devices. Key exchanges and encryption are then automated for you, so long as both users are using Enlocked’s proprietary system. If you want to email someone who isn’t using it, well, you can invite them. You can send 10 Enlocked encrypted messages per month on the free deal. For $9.99 you can send 100 messages with their encryption process.  And onward and upwards.
  •  Mkryptor seems like a thing that turns your email into an encrypted PDF attachment for your recipient. It offers know need for you to manage any keys, doesn’t require any PGP certificates, and the  recipient needs to have no special technology to open anything. The receiver will need to know the password to open it. I’m assuming this means it has to go through their server to do the leg work.
  • MiniLock is so new it doesn’t have a website. It’s to be a free, open source browser plugin that Wired enthuses could become “the first truly idiot-proof public key encryption program.”  It’s a drag-and-drop tool that you’d simply drop files through and they’ll come out encrypted on the other side. You’re recipient can then decrypt them, I guess using the same thing or any other PGP thing they have.
  • Getting slightly off topic, AlertBoot offers full disk encryption of any and every device you may have through a proprietary  centralised cloud service. All your keys and methods to manage securing it all are accessible via a web interface. It’s CEO Tim Maliyil says, “I secure your data for you so you can focus on your work.”
  • Kebase is an experiment in PGP key authentication (making sure you’re talking to who you think you’re talking to). It’s an app and a service developed by a couple of OKcupid creators. It’s an interesting notion in cross-checking public identities for the purpose of setting up an encrypted line of communication.  It can also provide key signing and decrypting, but for that you’ll have to trust Keybase services with a copy of your private (thought locally encrypted) key.
  • Whiteout promises tough, end-to-end encrypted email on any device. The app is open source and uses the OpenPGP protocol. Whiteout plans to trot out their hosted email accounts later, which will integrate with the app, but you can use your own email address. It claims no message will be stored online “in the clear.”

That list could have gone on much longer. I’ve tried as much as possible to avoid critiques of any particular item. I’m on waiting lists to try out a couple of them, so I don’t think they’re all entirely without qualities (though a few of them are). But I want to challenge one notions that they all seem to market: that sending an encrypted email is a difficult thing to do.

End-to-end encryption is NOT hard. It’s just counter-intuitive to how we expect internet things to work. You have to sit down and learn how to use it for a bit before starting. You have to remember to do a couple of things before sending that email. You have to think… though not that much, really.  Here’s how you can start now, for free, and securely.

If you want to communicate more securely online, then you need to think about what it is you’re using, and what you want to do with it. What’s the potential and limits of the thing you’re going to use? What’s it’s intended use, and how will you use it? The secret to going stealth isn’t technological, but in thinking about it. So I won’t say which of the above I think you should use or avoid.

So how can you choose the real cure instead of the potential snake oil? Here’s what I’d think about when deciding what I’d use if I really wanted a thing to be transmitted or stored securely:

1) Is it open source? You don’t need to be a programmer, but the source code of the technology should be auditable, available for peer review and have an active development community. What are others in the field saying about it? How else can you know that it’s delivering on what it’s promising?

2) Is the encryption and decryption happening on the client side? This means a file is encrypted on your computer before it goes anywhere online. And you don’t decypt something until you’ve downloaded it and have it offline.  Anything else means it’s left your computer unsecured and reached a server somewhere before it was encrypted (using what?)There’s a lot of connections between you and that service. I think it’s amazing that this is still seriously offered by anyone.

3) Where are the keys? Similar to the question above, really. PGP works with key pairs and a passphrase. You have a public key you can share with the world, and it’s how people exchange keys to communicate privately. Your private key should never go anywhere online (hint: it’s private). You’re personal pass is how you unlock and lock things using your key and the public key of the other person. If an online service is holding your private key, then it’s not that private.

4) Is it extendible? I’m using this slightly different than the open source question above.  I don’t like having a lot of different apps and things on my computer. It slows it down, each one has to be updated for new security patches, each one can contain possible security holes. The more you’re running, the more you have to maintain. What I like about GPG4Win and PGPtools is how much comes in a small package, and how synced it becomes. That’s ease.

5) Do you have to trust someone else to keep your information secure? If yes, then this is the opposite of keeping your information secure.

6) Should you be doing that in your web browser? It’s not bad to use your browser for more than reading blogs and watching cat videos. You can do nearly everything in the browser now. Browser-based encryption uses javascript, which isn’t without controversy.  Reddit’s a good place to watch that debate unfold now and again. It’s not a debate that’s sorted, though, but consider how many other plugins and add-ons you may have running in your version of Chrome or Firefox or whatever. What are they doing? How secure is your browser and wouldn’t it be better to keep some things out of it? I’m not saying… I’m jut saying.

7) Is your encryption based on open standards? Sort of like the open source question above. More likely than not, you’re not a cryptography expert. OpenPGP is a way of making sure the cryptography you’re using is peer reviewed and actively tested.

Some of technology above tick these boxes, and some don’t. There may be other criteria I should have mentioned here. Let me know what I need to add.  The market wants to make you think you can’t do this on your own.  Really, though, that’s that idea that got us in this mess. Encryption isn’t difficult. Saying it is plays into the hands of those who’d prefer you didn’t bother.