Back in June last year, confidential documents leaked by Edward Snowden indicated that major email and cloud storage providers like Google, Microsoft, and others were part of the NSA’s top secret surveillance program called PRISM. And if that wasn’t enough, there have been numerous reports of companies snooping on their customers themselves.
All these revelations have made Internet privacy a burning issue, with many privacy-conscious users now turning to services that claim to be secure from the prying eyes of the NSA and law enforcement. In this article, we take a look at some of the privacy-focused email and cloud storage services that have either sprung up or gained popularity in the wake of what has popularly been referred to as the Summer of Snowden.
Secure email services
Lavaboom is a Germany-based email service founded this year by Felix Müller-Irion. Designed to provide end-to-end encryption using OpenPGP, the service lets users encrypt and decrypt messages locally, instead of doing it on its own servers. The company calls this a “zero-knowledge” architecture: secret keys stay in the possession of users, and Lavaboom just acts as a carrier.
Lavaboom, which is currently in private beta, offers both free and paid versions. While the former has a 250 MB mailbox limit and two-factor authentication, a premium subscription costs €8 (~$11) per month, and provides 1GB storage along with a three-factor authentication option.
While Lavaboom touts itself as a secure email provider, it clearly says it’s not NSA-proof. In the words of co-founder Bill Franklin, “If Barack Obama considers you a terrorist, it's likely you will be hacked.” Also, since there currently exists no way to encrypt metadata, information like subject lines, sender and receiver email addresses, timestamps, and more will still be unencrypted.
On the upside, there's the advantage of being based in Germany, which has better privacy laws than the US and where the NSA has no jurisdiction. Local agencies can issue warrants only for individual data, not the entire user base, and these must be approved by the German high court.
Lastly and most importantly, Lavaboom assures that in case it is forced to turn over user data, the company has a mechanism in place that will destroy their hard disks in a matter of minutes and turn them into “little more than coasters”.
After the Snowden revelations surfaced last year, Andy Yen, a PhD student working at CERN, took to Facebook to share his concerns over privacy, triggering a vivid discussion over the issue. Soon thereafter, a group of scientists, including Yen, came together to create Protonmail.
Just like Lavaboom, Protonmail also provides end-to-end encryption, and allows users to encrypt messages in their web browser before the information reaches the company’s servers, which are housed in Switzerland.
When you send an encrypted message to somebody who is not on Protonmail, they receive a link that loads the encrypted message onto their browser, which they can decrypt using a decryption password that you have previously shared with them. Of course, you can also send unencrypted messages to Gmail, Yahoo, Outlook, and others, just like regular email.
According to Yen, the reason the team chose Switzerland is that the government agencies there cannot force the company to expose their system, something which is guaranteed by the Swiss Federal Act on the Surveillance of Postal and Telecommunications Traffic (SPTT).
Another interesting thing worth mentioning is that instead of going for venture funding, and likely being subject to pressure from investors, Protonmail went for crowdfunding and has already raised more than $550,000, which is well over their initial goal of $100,000.
Protonmail offers both free and premium accounts. While the former has a 100 MB storage limit, $149 gets you a year of ProtonMail+ with 1GB extra storage. The email service is currently in open beta, which means that it is available to the general public, although there is currently a waiting list for accounts as the service is scaling gradually.
Tutanota, which means “secure message” in Latin, is also a Germany-based privacy-focused email service offering end-to-end encryption. Its parent company Tutao was founded in 2012 by three former students from Leibniz University Hannover.
While much of the functionality Tutanota provides is similar to Lavaboom and Protonmail, it also offers a Microsoft Outlook add-in, Tutanota Starter, that encrypts emails directly in Outlook. In addition, the service has also released its source code on GitHub, claiming to be the first operational, secure e-mail application to go open source.
Like other secure email services, Tutanota currently can’t encrypt the metadata, but the company says it has some ideas on how to address the issue. The service seems to be well-tested, as it has already passed vulnerability testing from leading security firm SySS GmbH.
Launched internationally in July this year, Tutanota currently offers 1GB of storage for free, although the company says that it has plans to offer premium versions with additional storage in the future. The company is also planning to launch apps for Android and iOS soon.
While secure email services like Lavaboom, Protonmail, Tutanota, and more boast of end-to-end encryption, the fact remains that there currently exists no way to encrypt metadata, which includes the subject line, the sender and receiver email addresses, and more.
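What that limitation looks like to a mail server or network observer, as an added example (not code from any of the services above): the Python sketch below parses a constructed OpenPGP/MIME message and reports which fields stay readable without the recipient's private key. The addresses, subject and ciphertext placeholder are invented for illustration.

```python
from email import message_from_string
from email.policy import default

# Constructed sample: an OpenPGP/MIME (RFC 3156) message as a relaying server
# stores it. Addresses, subject and the armored body are invented placeholders.
SAMPLE = """\
From: alice@example.org
To: bob@example.net
Subject: Contract draft for Friday
Date: Mon, 01 Sep 2014 09:15:00 +0000
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

# Routing and descriptive headers that OpenPGP leaves outside the encrypted body.
METADATA_HEADERS = ("From", "To", "Cc", "Subject", "Date")
ARMOR = "-----BEGIN PGP MESSAGE-----"

def observer_view(raw):
    """Report what a party without the recipient's private key can read."""
    msg = message_from_string(raw, policy=default)
    exposed = {h: str(msg[h]) for h in METADATA_HEADERS if msg[h] is not None}
    # Count leaf parts carrying armored ciphertext (PGP/MIME or inline PGP).
    armored = 0
    for part in msg.walk():
        if not part.is_multipart():
            payload = part.get_payload()
            if isinstance(payload, str) and ARMOR in payload:
                armored += 1
    encrypted = msg.get_content_type() == "multipart/encrypted" or armored > 0
    return {"exposed_headers": exposed, "body_encrypted": encrypted,
            "armored_parts": armored}

if __name__ == "__main__":
    view = observer_view(SAMPLE)
    print("body encrypted:", view["body_encrypted"])
    for name, value in view["exposed_headers"].items():
        print(f"readable in transit -> {name}: {value}")
```

Running the same function over a mailbox export gives a quick inventory of what each stored message still reveals even when its body is encrypted.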
Ladar Levison, owner of shut-down secure email service Lavabit, has taken up the challenge and is collaborating with the folks at Silent Circle and convicted hacker Stephen Watt to come up with a solution to the problem. Dubbed Dark Mail, the project aims to encrypt both content and metadata of email messages as well as attachments.
How are they doing it? By rewriting the protocols of email. The project consists of various components including an email client called Volcano, server software called Magma Classic and Magma Dark, and the Dark Mail protocol, which is being written from scratch.
The Dark Mail system is modeled on Tor, and would primarily include two servers in the email transaction: the sender’s server and the receiver’s server. Each knows nothing about the other party except for the domain; it does not know who sent or is receiving the message.
In layman’s terms, a message traveling in the Dark Mail system would be like an envelope that, on the outside, is only addressed to and from post offices, making it nearly impossible for spying agencies to know who sent it or received it. "Done right, this should make it technologically impossible to conduct mass surveillance," Levison says.
Both Levison and Watt want the project to work with existing email programs. Levison has also started a Kickstarter campaign, which has already raised more than $200,000, compared to its initial goal of $196,608. The project, which was also discussed at this year’s DEF CON hacker conference in Las Vegas, is expected to take another six months to complete.
Secure cloud storage services
Spideroak is a US-based cloud storage company that offers client-side encryption, which means that it allows you to encrypt data locally. The encryption keys, as well as the password through which the keys are generated, are stored on your device, ensuring that no one, including company employees, can view your data.
Back in August, the company implemented a warrant canary, which means that if it receives a government request for user data along with a gag order, the company can’t say anything about it, but it can stop saying everything is okay using a special 'status' page.
Spideroak has also released open source software that aims to provide developers a simple way to build secure applications. Dubbed Crypton, the software is essentially a framework that lets applications encrypt information within a web browser before it is sent to a remote server.
Spideroak supports Windows, OS X, and Linux, and has mobile apps for iOS and Android. The service provides 2GB storage free for life, and 100GB for $10/month or $100/year. Extra storage can also be purchased in 100GB increments for the same price.
Like Spideroak, Tresorit also offers end-to-end encryption, with keys stored locally on users’ devices. The Switzerland-based company, which was founded in 2011 by Hungarian programmers Istvan Lam, Szilveszter Szebeni, and Gyorgy Szilagyi, officially launched its secure cloud storage service after emerging from its beta in April this year.
The key selling point of Tresorit is that it relies on what the company calls “one of the strongest encryption algorithms on the market”, which makes it possible to store and share data without the company’s servers getting access to the content.
Tresorit claims unmatched security, and to prove this, the company in April last year organized a hackathon, offering $25k to anyone who could break their cloud storage encryption. Hackers from some top universities like Stanford, MIT, Harvard, Princeton, and more participated in the event, but nobody could hack the service. The bounty has now been increased to $50k.
The company recently added a DRM feature that provides more control for businesses by extending security to documents once they have been shared and during collaboration. This means that you can now modify or remove access to your encrypted content anytime, even if someone has already synced it to their computer. The feature also gives you access to more granular permissions; you can limit copying, printing, screenshotting, and more.
Tresorit supports all major platforms, including Windows, Mac, Android, iOS, Windows Phone, and BlackBerry, and offers three types of pricing options: the Basic plan offers 5GB free storage, while the Pro and the Business plans start at 20GB and 100GB, and are priced at 5.99€ ($7.56) per month and 14.99€ ($18.92) per user per month, respectively.
Honorable mention: BitTorrent Sync
While not exactly a cloud storage service, Sync relies on BitTorrent's peer-to-peer technology to securely sync files and folders to multiple devices without a third-party server ever having access to your files. The approach means you won’t have the convenience of keeping a copy of your documents stored online and accessible from any device besides your own, but it also offers the advantage of no storage limits and an extra layer of security.
Users can create their own redundant backup on multiple devices with minimal effort, or share files with others privately using an auto-generated secret key. Sync is available for Windows, OS X, Linux, iOS, Android, Windows Phone, NAS devices and more.
While there is no denying that end-to-end encryption beefs up security and helps protect data from being snooped by third parties, it’s definitely not a silver bullet that can guarantee a completely secure way to communicate on the Internet. That said, it’s always a good idea to go for services that offer an extra layer of security because after all it's likely you’ll use them for storing and sending sensitive data like your own personal information.