How to prevent the NSA from reading your email

It always seems to take some sort of  major meltdown for people to bother to think seriously about security and privacy. Whether you’re afraid of being erroneously targeted for typing the word “bomb” one too many times or you just don’t want someone sniffing through your private correspondence, there are steps you can take to make it effectively impossible for the sneakiest hacker – or the savviest NSA agent, as the case may be – to monitor your missives.

Encryption is essential

When done correctly, encryption is all but impossible to break (yes, yes, every encryption scheme is technically breakable, but in today’s reality, good encryption is for all intents and purposes unbreakable). And while nearly 70 percent of companies use encryption to store sensitive data, many companies and individuals don’t bother to take these same measures for email. Even though every single day we likely send sensitive or personal data such as credit card and social security numbers, confidential corporate details and all types of personal correspondence.

By its very DNA, encryption is a confusing thing. Even those users who do take the extra step of using encryption to safeguard their email mistakenly assume that encrypting their messages in transit is enough to keep out prying eyes. But there are actually three distinct steps to take that can ensure you lock out snoopers.

Step 1: Create a safe route

If you use a mail client for email, you’ll want to make sure that you enable SSL (Secure Sockets Layer) encryption within the settings or preferences of your individual email account (you may need to check with your ISP or IT to make sure it is supported). SSL encrypts traffic between you and your mail server, and so prevents breaches referred to as “man in the middle” attacks (where someone grabs your email while it’s in transit).

Similarly, many individuals – and increasingly many companies – use programs like Google’s Gmail for the majority of their emailing. Most such web-based programs support secure connections using a Hypertext Transfer Protocol Secure (HTTPS) connection. The little S on the end shows that your traffic is encrypted, and so is virtually impossible for the connection between you and the mail server to be compromised. You can always confirm you are connected securely by finding the padlock icon or the “https://” in the browser address bar of whatever browser-based mail program you use(e.g.

Without such a secure connection, using web-based email is like sitting at a Starbucks doing a private call on your speakerphone – you’re broadcasting your communication for anyone to hear. (And just in case you actually are sitting at a Starbucks or anywhere else accessing a third party’s Wi-Fi, remember that you are potentially using an unsecured network every single time.)

Step 2: Give email some armor

A secure connection to the server is critical, but it doesn’t encrypt the message itself. That means that all those emails you send via Gmail, iCloud, Yahoo, and Outlook among others are sitting free and clear on servers that, as we’ve learned, the NSA has free and easy access to.  That’s where adding encryption software like OpenPGP (Pretty Good Privacy) or S/MIME (Secure/Multipurpose Internet Mail Extensions) or third-party OpenPGP-based add-ons such as Mailvelope come in. These encrypt your email message itself, not just the route along the way.

However, encrypting email messages does not come without some (hefty) inconvenience. Before a message is sent, senders and receivers first have to exchange public key certificates and install each others’ in their respective browsers or email clients. As you can imagine, setting up all your contacts with corresponding public keys is cumbersome. So you need to set some rules.

For business use, companies should set policies that define which type of emails must be encrypted. For individuals, you’ll essentially need to do the same – decide who and what is important enough that you are willing to endure some up-front efforts in exchange for your peace of mind.

And it’s worth noting that since most encryption programs don’t cover the metadata of your messages – everything from the subject line and above – you might want to think about how much sensitive information you’re typing into that header field.

Step 3: Lock all the doors

Going through the above steps is important, however forgetting about what happens to all those sent and received messages afterwards is like locking your house but leaving the windows open. Emails residing on desktops, laptops and mobile devices may still be at risk without a proactive “data at rest” encryption plan (unless you implement something like OpenPGP and S/MIME for all of your emails). If you  understandably find solutions like PGP too weighty, though, there is a middle-ground.

Windows Encrypted File System (EFS) feature allows users to encrypt email storage files (such as .PST and .OST) on desktops and laptops; similarly, Mac users can use built-in FileVault which encrypts the entire hard drive on the fly. And some mobile operating systems like iOS provide out-of-the-box device level encryption.

As an alternative, check out one of the specialized webmail applications like that use encryption for all email, and can work with custom domain names as well.

Raj Sabhlok is president of  Zoho Corp., the parent company of and ManageEngine. Follow him  on Twitter @rajsabhlok.

Have an idea for a post you’d like to contribute to GigaOm? Click here for our guidelines and contact info.

Photo courtesy ollyy/