When American firm Silent Circle shut down its Silent Mail encrypted-email service earlier this month, it claimed that “e-mail as we know it today is fundamentally broken from a privacy perspective”.
Now the company has been elaborating on the claim in response to questions about why it couldn’t just use an asymmetric key cryptography plug-in for email applications to secure communications between its users.
In short, it’s all about the metadata.
“If the goal is simply to encrypt the body of the message there are services and products that accomplish this,” explained Silent Circle’s technical operations manager Louis Kowolowski in a blog post.
“If your goal is to not have metadata leakage in your otherwise secure communications, you may wish to avoid email altogether. Email leaks the information about who is communicating, and how often. This information may be just as damaging as the content of the email.”
As examples, Kowolowski noted that companies wanting to protect their intellectual property or individuals sending tax returns may be happy to use traditional PGP/SMIME technology to encrypt the body of their messages, but that “a freedom fighter working on an oppressive country” would be just as concerned about the metadata.
He went into more depth about how encrypted emails can still yield plenty of valuable metadata for interested parties, providing more context for Silent Circle’s decision to shut down Silent Mail days after one of its peers, Lavabit, also closed.
“In the past, securing the body of the message was sufficient. The tools and techniques used for snooping were not on a large enough scale to allow the metadata to be useful,” wrote Kowolowski.
“With the tapping of backbone internet providers, interested parties can now see all traffic on the internet. The days where it was possible for two people to have a truly private conversation over email, if they ever existed, are long over.”
His words may serve as a warning for anyone thinking of switching to other non-US-based secure email services like Hushmail, Neomailbox and Countermail, although as Kowolowski made clear, email may remain a suitable form of communication for people and companies who care more about encrypting the body of their messages than the metadata around it.
Metadata of various kinds has been at the heart of the ongoing revelations about surveillance by the US National Security Agency (NSA) this summer, from the first story on 6 June about the NSA collecting “telephony metadata” from calls made by millions of customers of US telecoms provider Verizon.
An NSA metadata-collection program called ShellTrumpet was later revealed to have “processed its One Trillionth metadata record” in December 2012, with Observer writer John Naughton noting that “the metadata is what the spooks want for the simple reason that it’s machine-readable and therefore searchable. It’s what makes comprehensive internet-scale surveillance possible.”
For its part, Silent Circle is focusing on its Silent Phone, Silent Text and Silent Eyes services for voice, video and text/picture messaging. “We don’t have the encrypted data and we don’t collect metadata about your conversations,” explained the company in its blog post announcing Silent Mail’s closure.
This article originally appeared on guardian.co.uk