Who's reading your emails?
Microsoft has set up a new website to poke fun at Google's email service Gmail. They claim Google goes through every Gmail that's sent or received, looking for keywords so they can target Gmail users with paid ads. And there's no way to opt out of this invasion of your privacy.
Here are the things Microsoft states they do not do, but Gmail does:
- Go through the contents of your sent and received email messages to display targeted ads
- Go through the contents of your incoming email from other email services for the purpose of targeting ads
- Go through the contents of your entire inbox for the purpose of targeting ads
In the name of full disclosure, I use both Google Gmail and Microsoft Live or Hotmail. Both are rock solid in the service they provide, but Microsoft has a great point. If you notice, when you read your emails using Gmail, the ads on the side mysteriously correspond to the subject of your emails. According to a recent study, 88% of people resent email service providers reading their private emails to serve advertisements. Below is raw data from the GfK Roper Study on Email Privacy.
The truth of the matter, though, is a bit more troubling than simply having some embarrassing or annoying ads displayed while you are reading your email. Anytime a service is free, you are not the customer; you are the product. Both services sell your information; Microsoft may be more discreet about it, but they still do it one way or another. Also, by storing all your data in the cloud, you make yourself vulnerable to warrantless government searches and civil lawsuits. After all, if General Petraeus isn't safe from email snoopers, what chance do you have if you don't take precautions? In fact, the US Circuit Court has already ruled that any data you have stored in a cloud service for more than 6 months is fair game and doesn't require a search warrant.
What can I do?
There are a number of steps you can take to regain your privacy, but the cost is a bit of convenience. Here are some recommended steps as laid out by the Electronic Freedom Foundation [EFF.org]:
- Delete emails from your provider's server as soon as you first access the messages, and store your sent and draft emails locally in your email client software, rather than with your provider.
- In order to minimize the number of emails stored with your provider — be they received, sent, or draft — avoid using webmail if at all possible, or, if you do use a webmail account, avoid the web interface and instead configure your email client software to send and receive emails directly via POP.
- Encrypt your emails whenever possible.
The single most powerful step you can take to protect the privacy of your email is to not store it with your email provider. Rather than leave email on your provider's server, you should configure your email software to immediately delete incoming emails from your provider's server as you download those messages to your computer — and also make sure that your email software is configured to store your draft and sent email on your computer rather than with the provider.
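The download-then-delete behaviour described above, sketched with Python's standard poplib and mailbox modules. This is an added example, not code from EFF or the original post; the host, credentials and file path are placeholders, and SampleSession is a constructed stand-in so the block runs offline.

```python
import mailbox
import poplib
import ssl
import tempfile

def fetch_and_delete(conn, mbox_path):
    """Save every message on a POP3 session to a local mbox, marking each
    for deletion on the server only after it has been written to disk."""
    box = mailbox.mbox(mbox_path)
    saved = 0
    try:
        count, _size = conn.stat()
        for num in range(1, count + 1):
            _resp, lines, _octets = conn.retr(num)
            box.add(b"\n".join(lines) + b"\n")
            box.flush()        # local copy is on disk before the server copy goes
            conn.dele(num)     # only a mark; the server deletes at QUIT
            saved += 1
    finally:
        box.close()
    return saved

def open_pop(host, user, password):
    """Real-server login over TLS with certificate checks (not run below)."""
    conn = poplib.POP3_SSL(host, 995, context=ssl.create_default_context())
    conn.user(user)
    conn.pass_(password)
    return conn    # caller runs fetch_and_delete(conn, path), then conn.quit()

class SampleSession:
    """Constructed in-memory stand-in for a POP3 session, for an offline run."""
    def __init__(self, messages):
        self.messages, self.deleted = messages, []
    def stat(self):
        return len(self.messages), sum(len(m) for m in self.messages)
    def retr(self, num):
        raw = self.messages[num - 1]
        return b"+OK", raw.split(b"\r\n"), len(raw)
    def dele(self, num):
        self.deleted.append(num)
        return b"+OK"

if __name__ == "__main__":
    demo = SampleSession([b"From: a@example.org\r\nSubject: test\r\n\r\nhello"])
    path = tempfile.mkdtemp() + "/inbox.mbox"
    print(fetch_and_delete(demo, path), "saved; marked for deletion:", demo.deleted)
```

If the connection drops partway through, only messages already saved locally carry a deletion mark, so nothing is lost on either side.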
Encrypting emails all the way from the sender to the receiver has historically been difficult, although the tools for achieving this kind of end-to-end encryption are getting better and easier to use. Pretty Good Privacy (PGP) and its free cousin GNU Privacy Guard (GnuPG) are the standard tools for doing this. Both of these programs can provide protection for your email in transit and also protect your stored data. Major email clients such as Microsoft Outlook and Mozilla Thunderbird can be configured to work smoothly with encryption software, making it a simple matter of clicking a button to sign, verify, encrypt and decrypt email messages.
The great thing about end-to-end encryption is that it ensures that the contents of your emails will be protected not only against interception on the wire, but also against some of the threats to the contents of copies of your emails stored on your machine or third party machines.
There are two catches with GnuPG/PGP. The first is that they only work if the other parties you are corresponding with also use them. Inevitably, many of the people you exchange email with will not use GPG/PGP, though it can be deployed amongst your friends or within an organization.
The second catch is that you need to find and verify public keys for the people you are sending email to, to ensure that eavesdroppers cannot trick you into using the wrong key. This trickery is known as a "man in the middle" attack.
Probably the easiest way to start using GnuPG is to use Mozilla Thunderbird with the Enigmail plugin. You can find the quick start guide for installing and configuring Enigmail here.