EVERYTHING ABOUT EMAIL ENCRYPTION AND HOW IT PROTECTS YOUR PRIVACY

Secure communication without the RIGHT encryption is like an airplane without wings

That tells you encryption is essential, but how exactly? And what do you need to know about encryption so you’re empowered to protect your privacy, always and everywhere? Scroll down for a crash course in encryption and gain the knowledge needed for choosing the right email solution.

spy

What is encryption?

To illustrate, imagine you’re a secret agent, a spy travelling the world day in day out. Your job is to go to one country, collect information – any James Bond movie plot works perfectly here – and then fly somewhere else to relay that information.

Of course, you’re a spy and most of your work will be done undercover. As such you’re a master of disguise. One moment you look like a CEO on a business trip, the next you blend in like a tourist asking for directions, whatever it takes to guard the information you carry.

That, in a nutshell, is what encryption is: it’s the process of encoding information, the same way a secret agent might disguise themselves.

So whenever you send and receive any kind of information online, think of that information like a secret agent, and then consider how to make sure your secret agent never gets caught along the way.

 
Blogpost_02

Encryption for dummies (and pizza lovers!)

Everything you need to know about end-to-end encryption with zero knowledge to protect your data and your online security. Explained with the help of pizzas!

Read now

Why encryption is essential?

Encryption dates back thousands of years. One could even argue it’s as old as writing itself, perhaps because of our innate right to privacy. Before the age of technology, encryption took the form of coded messages.

Of course, present day computing power has yielded encoding too complicated for a human brain to wrap itself around, but the underlying principle is very much the same:

When you want to send a message securely, you encode it. Only someone with the decryption key – the information that tells you how to decrypt something – will be able to receive and see this message.

Without encryption, it would be next to impossible to use the internet securely, the same way a secret agent would be lost without their ability to disguise themselves.

Prevents breaches
No one likes a breach: encryption protects your data and stops your business from getting hurt.

Increases consumer trust
No chance of a leak means your consumers can trust you with their sensitive data.

Gains you a competitive advantage
Customer data breaches average at a cost of $200 million! By offering encryption you gain an edge over the competition.

Protects your remote workers
Remote workers are often not as protected as those at the office, encryption offers an extra layer of security.

What is email encryption and why is it important?

Email encryption encrypts, or disguises, your email to protect them from being read by anyone who isn't the recipient (whether that is the government or a crafty hacker). Email encryption is essential for secure communication, especially if you deal with sensitive information (or decide to log onto the public WiFi of your local library).

Much like opening someone's post (illegal, by the way), it is extremely easy for anyone to read an email, even those who are not part of the conversation. 

Alright, got it! Email encryption is important, so what encryption should you use, and what parts of your email should be encrypted?

Consider the following:

Is your email encrypted when sent between internet connections?

Is the content of your email protected?

Who has access to the encryption keys?

Are your emails stored encrypted?

encyrption pill

Email encryption: Are you taking the red or blue pill?

(Email) Encryption means making information unreadable to anyone who is not authorized. It is like The Matrix, where you need a pill (or a decryption key) to read the underlying information, does that mean that there's only one way to encrypt?

How encryption protects your data

Types of email encryption

There are multiple ways (protocols, as they’re called) to encrypt emails. It’s important to know what each of these achieve and what they lack. As you’ll see, not all encryption is created equal.

  • Encryption in transit

  • Encryption at rest

  • End to end encryption

  • Zero knowledge end to end encryption

Encryption in transit

As the name suggests, encryption in transit protects your data while it’s transferring from A to B. It’s the disguise a secret agent would wear while travelling. It’s perfect for sending encoded information all across the world without anyone detecting a thing.

Of course, it begs the question: what happens when the journey’s completed?

encryption in transitt

Encryption at rest

Encryption at rest again is an aptly named encryption protocol: it encodes your email while it’s at rest. It’s the fake identity a secret agent might have in their day to day life.

Encryption in Transit and Encryption at Rest both fall short of protecting your data adequately. Their shortcomings are fairly obvious when you think of them in terms of a secret agent who can only hide their true identity either when they’re travelling or when they’re at home.

Encryption at rest

End to end encryption

The point of a secret identity is that your disguise holds up everywhere you go. Likewise, encryption from start to finish (end-to-end encryption) is therefore often considered to be perfectly safe.

While end-to-end encryption is widely used, it is founded on a dangerous assumption: trust. It's the assumption that the person you're sending it to is trustworthy (and haven't we all made the mistake of sending an email to the wrong recipient?). There goes your secret mission, unveiled by a stranger.

end to end

Zero knowledge end to end encryption

Imagine being a spy and having to relay your information. Your code word is ‘blue’, you ask him to confirm, and he gives you the color ‘green’. This makes him untrustworthy and it means that he won't get the secret information. Crisis averted!

This is in essence how zero knowledge end-to-end encryption works. Not only is your information encoded, it makes sure that only the intended audience holds the key to unlock the information. The onus is on the recipient to prove that they have the decryption key and are authorized to access your email's content.

zero-knowledge-end-to-end-pp

End-to-end encryption vs Zero-knowledge end-to-end encryption

Let's have a look at the journey of your data as it surfs the web and decide at which points it’s vulnerable. Obviously, encryption in transit and at rest both fall short of offering full protection, but many people mistakenly believe this issue is resolved using end to end encryption.

Data protection is not only a matter of when and where it’s encrypted, but also where the encryption key is stored. After all, encrypted data is only useful if you have the encryption key. 

This is where the biggest difference between end-to-end encryption and zero knowledge end-to-end encryption comes into play.

With “simple” end-to-end encryption, the encryption key is commonly stored in the cloud with the data itself. This keeps it safe from unauthorized access, but it does not keep it safe from authorities. At their request, American authorities can simply subpoena any and all data stored in an American cloud, along with the encryption key meant to decipher the data.

In other words: end-to-end encryption might help protect against data breaches or hacking attempts, but it doesn’t protect your privacy. To achieve the latter, you’ll need to rely on an encryption solution where they encryption key is not stored in the cloud: zero knowledge end-to-end encryption.

When you want to send a message, you encrypt it.

Only the person with the decryption key can see your message.

Ontwerp zonder titel (10)
encryption

SmartLockr uses
zero-knowledge end-to-end encryption

Why? This is the encryption that protects your files and emails through the entire process.

Only our customers have access to the decryption keys so that no third party can access the decrypted data, not even us. Safe, sane and secure. That's SmartLockr.

From old spy movies to the modern world: your data, your privacy and the authorities?

You protect your data from unauthorised people. These could be hackers, disgruntled employees or perhaps even jealous spouses, but what if authorities want to access your data?

It’s easy to see why a hacker wouldn’t have the right to see your data, but does the same apply to a government? A secret agent wouldn’t be allowed to withold data from their government. Does the same apply to your data?

The short answer is: it depends.

spy

Can the US government access my data?

The short answer: yes, absolutely. If you use a US cloud provider (Microsoft, Google, Amazon). The question of who can access your data is partly a question of where your data is stored. This in turn is often a question of who stores your data for you.

An important gamechanger entered the scene in 2018: the US CLOUD Act, a law passed by the US government which states that the US government can subpoena any data stored in an American cloud.

Now before you go on Googling non-US cloud providers: it doesn't mean that using the cloud is unsafe. The important thing is that you use the right type of encryption. Let's dive into some of the necessary terms:

Free whitepaper: Is it safe to store data in a US-based Cloud provider?

Free whitepaper: Is it safe to store data in a US-based Cloud provider?

Is it possible to use the cloud safely? What does encryption mean when it comes to data security in the cloud? Get answers to this and much more.

Download the whitepaper here

What is the CLOUD Act?

The CLOUD Act is a US state law that allows US government agencies to request data stored on US-based cloud services, even if the cloud may be stored in Europe or elsewhere.

If your data exists in a cloud owned by a US-based company, they are obliged to disclose it to the authorities. 



What is the Privacy Shield?

The Privacy Shield was a trade agreement that, until summer 2020, allowed transatlantic data transfers between the EU and the US. When the CLOUD Act came into force, a case was filed with the European Court of Justice. The Court then ruled that the Privacy Shield did not provide an adequate level of protection for such an exchange of data to proceed. 

What is Schrems II?


The CLOUD Act doesn't sound very GDPR-friendly and you're right in thinking it's not. Schrems II is a ruling that the Privacy Shield is not an adequate level of protection for transatlantic data transfers between the US and Europe.

This ruling came about largely because the US CLOUD Act is in direct conflict with the GDPR.
 

What are CLOUD Act and Screens II? And what impact do they have on the AVG and its citizens? That and much more we explain in this blog

Cloud Act vs GDPR: How does the CLOUD Act affect the EU?

In order to comply with the GDPR, some adaptions are necessary to avoid the CLOUD Act. Because the CLOUD Act allows US authorities to request data from US-based cloud providers, encryption keys must be stored separately from these cloud providers. Because the key is missing, the data cannot be read by the American authorities and is therefore useless. 

How do you protect yourself from the Cloud Act?

Get encrypted data protection
Encrypted data protection is the best way to protect your information from the CLOUD Act. By using the right encryption, your information becomes unreadable and in turn worthless to the prying eyes of American authorities.

Store your encryption keys correctly
With zero knowledge encryption, neither the cloud provider nor the data protection provider has access to your encryption keys. Neither can disclose your data to an outside party, at least not a decrypted visible version of said data. 

clouds

"If the data is going to be stored on a US cloud provider, then you can use encryption, where the encryption keys are being kept separate from the provider."

- Alexander Hanff, Data privacy and GDPR expert

CLOUD Act vs. GDPR - How to protect your data with the data and privacy expert, Alexander Hanff

Does Schrems II mean that organizations are violating the GDPR? What can you store in the cloud? Is it possible to get the benefits of the cloud, with proper data protection?

See our webinar and get answers to all these questions!

Watch our FREE webinar
Webinar - CloudAct vs GdPR - June 2021-thumb

What to look for in an email encryption solution?

Think of your data like it’s James Bond and you’re the Queen of England. Keeping your James Bond safe and secure should be your top priority, so you’ll have to check if the encryption your data enjoys achieves this.

smartlockr encryption


Secure communication needs encryption. But this does not mean that all encryption is secure. Many email providers (e.g. Outlook, Gmail) have an option to encrypt your emails, but it is not secure if you handle sensitive information. Both of these options use TLS encryption that, when used alone, it means that only the transmission channel is encrypted. This leaves the message vulnerable before and after it is sent. In addition, Gmail and Microsoft store the cryptographic keys in the cloud, which means you are not protected against the CLOUD Act.

To best protect your data, SmartLockr uses these features.

Zero knowledge end-to-end encryption
It ensures that only the authorized recipient has access to the encryption keys, which are stored separately from the provider. No one, not even the provider, can access your encrypted data. 

Ease of use
Human error is the biggest cause for data leaks. If your safety solution isn't user-friendly, chances are your employees won't use it, negating its efficiency. Make sure to choose a solution that is user-friendly!

Multi-platform compatible
If you want to work safely, you should be able to do so on a Windows, Android, Mac or iOS. Make sure that your encryption solution supports all platforms.

Awareness
Choose a supplier who knows what they're doing. Make sure they can answer all of your questions about encryption and that they are up-to-date on any security risks. Additionally, ensure that their encryption solution is updated regularly.

Scalability
If your company grows, your solution should be made to fit that growth without requiring a new solution altogether.

 

Discover a user-friendly encryption solution for secure, encrypted email