"The days where it was possible for two people to have a truly private conversation over email, if they ever existed, are long over," writes the technical operations manager at Silent Circle, formerly the provider of a secure email service. Silent Circle shut down its email service earlier this month as a precautionary measure, announcing that the growing surveillance powers of the National Security Agency made it impossible to keep its promises to users.
The move followed the shutdown of Lavabit, a similar service reportedly used by NSA leaker Edward Snowden. Lavabit founder Ladar Levison implied publicly that he had received government orders to turn over data and was being forced to "become complicit in crimes against the American people or walk away."
Why is email so hard to secure? Silent Circle's Louis Kowolowski tried to explain more in a blog post on Friday. Desktop clients are more secure than webmail, but even then there is some information that cannot be protected. It is possible, with effort, to secure the content of a message — but metadata cannot be encrypted if the email service is to be compatible with current messaging protocols.
That means data such as the sender's IP address; the to, from and subject fields; and the time and timezone can be pulled, along with whether or not encryption was used and what kind.
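The residual metadata described above, shown as an added example (not from the article or from Silent Circle): a Python sketch that parses a constructed PGP/MIME message and lists what stays readable without the decryption key. The addresses, IP, hostnames and the `visible_metadata` helper are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample: a PGP/MIME (RFC 3156) message. Every value here is made up.
RAW = """\
Received: from laptop.example.org (laptop.example.org [203.0.113.7])
\tby mx.example.net with ESMTPS; Fri, 16 Aug 2013 09:12:44 +0300
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Subject: meeting on tuesday
Date: Fri, 16 Aug 2013 09:12:40 +0300
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(constructed placeholder ciphertext)
-----END PGP MESSAGE-----

--b1--
"""

def visible_metadata(raw):
    """Return what a provider or observer can read without any decryption key."""
    msg = message_from_string(raw)
    sent = parsedate_to_datetime(msg["Date"])
    hops = " ".join(msg.get_all("Received", []))  # relay trace added in transit
    leaves = [p.get_payload() for p in msg.walk() if not p.is_multipart()]
    return {
        "sender_ip": re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hops),
        "from": [addr for _, addr in getaddresses(msg.get_all("From", []))],
        "to": [addr for _, addr in getaddresses(msg.get_all("To", []))],
        "subject": msg["Subject"],
        "sent": sent.isoformat(),
        "utc_offset_hours": sent.utcoffset().total_seconds() / 3600,
        "encrypted": msg.get_content_type() == "multipart/encrypted",
        "encryption_kind": msg.get_param("protocol"),
        "body_is_ciphertext": any("BEGIN PGP MESSAGE" in p for p in leaves),
    }

if __name__ == "__main__":
    print(visible_metadata(RAW))
```

Only the last field concerns the protected content; every other field is read straight from headers that mail servers need in cleartext to route and deliver the message.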
With an order known as an NSL, or National Security Letter, the government can require email providers to hand over this information and adhere to a gag order.
"Email leaks the information about who is communicating, and how often," Kowolowski writes. "This information may be just as damaging as the content of the email. For example, a freedom fighter working in an oppressive country, trying to get the word out."
It's now looking like text, phone, and instant messaging are easier to secure than email. Silent Circle continues to offer Silent Phone and Silent Text. There are other services that still promise privacy, including Wickr's secure multimedia messages that self-destruct and RedPhone's end-to-end voice encryption. But it seems that these days "secure" email services have a choice of either giving up on protecting their users' data — or giving up information to the feds.