When we first heard of Edward Snowden in June 2013, we heard of the collection of metadata at Verizon. It took us a while to figure out if that was troubling.
Now we know that it is. Who calls whom at what time and how often reveals many things that we may want to keep private. How often I call my doctor, priest, psychiatrist, or astrological hotline is my business and none of yours.
The same goes for Email where people now are asking for privacy solutions, as they have understood how personal and private this information is and that they can’t trust the promises of technology and service providers. People naturally have turned to PGP for email encryption as the widely accepted standard for protecting their private messages.
But, guess what, PGP only encrypts the body of your message. Subject line, sender, recipient, time, IP address, and a host of other technical details are transmitted in the clear.
Trouble is that they have to be in order to make their way to the intended recipient across public networks. Much like a letter that you post will have a recipient address and a return address and a post office stamp that your postman and your neighbor can inspect. So while the content of your letter will be private while sender and recipient will not be anonymous.
So the big question becomes if this is a problem or not. Three things to consider:
It’s a problem depending on what you’re afraid of. Me, I’m afraid of somebody breaking into my Gmail account and posting 10-year old messages on the web for everybody to see. Every now and then I stumble across some old message and am embarrassed by what I wrote. Nothing more, nothing less. Thankfully not in the league of Colin Powell and Corina Cretu, but still. Wouldn’t want to see the old stuff in public. And this is just embarrassment in retrospect. I don’t even know what might be embarrassing or problematic in the future. Think of being denied entry into some country where you criticized an emerging party in an email ten years ago. And now that party is in power and they have read that email. That’s the kind of stuff that worries me. Turns out that PGP encryption of my message text takes care of this very nicely. So I’ll have some of that PGP encryption and pronto.
Of course I’m interested in exposing even less for embarrassment or misuse. So an email provider that is very specific on metadata retention is certainly interesting. They really have no need to keep a complete record of who I communicated with and about what once the messages have been delivered. So transparency about data retention, ideally audited by independent and trustworthy experts, and completely open communication on attempted breakins and governmental requests for data access would absolutely win my business. Full disclosure: We’re working on that…
Since this is such a big issue we can reasonably expect for the technology industry to address the issue of encrypting metadata for email. The so-called Darkmail alliance has gotten quite a bit of press last year and may come up with an exciting technology change. We haven’t heard much from them recently so it’s a bit hard to say more. And of course it will be useful only if it turns out to be a genuine standard adopted by multiple technology and service providers.
In the meantime it’s probably best to apply the old 80/20 rule. If I can encrypt 80 percent of my email content with 20 percent of the effort then that’s good enough for me. That is why PGP wins for the foreseeable future.