Using common email providers like Gmail, Yahoo or Hotmail is very dangerous for an investigative journalist because most email applications offer little security and privacy standards. Tools like Gmail are attractive for hackers because these sites are so popular. Consequently, it is necessary that you secure the transportation and content of your email. This happens through two stages:
Before using any email service, check the availability of 1) Secure Sockets Layer (SSL) or 2) Transport Layer Security (TLS). Do not use mail provider that does not offer these services. SSL and TLS ensure the encryption of your emails via online transmission from one server to another. However, the email will be stored as a non-encrypted pure text file on both of the servers. This means that server administrators can access your emails, read them or change them.
For the encryption of the content of an email, ‘Pretty Good Privacy’ (PGP) offers a very secure solution. If you encrypt your emails via PGP, no one except the recipient can access it. The bad news is that it is not easy to implement, and therefore not widely employed.
Despite these limitations, PGP is a cryptographic system generating two keys, a public one and a private. Simplified, the public key is needed to encrypt the email, the private key to decrypt it. The public key, as the name indicates, is accessible by everybody, whereas the private key is only owned by the user. If you want to send a PGP-encrypted email to another person, you need his public PGP key to encrypt the email. You get this key either from the recipient or from a public key server. The receiver can open it with his private key and its respective password. For more information about how PGP works, watch this video:
To use PGP, your email client has to support the service. Recommendable email clients are ‘Thunderbird’ or the popular ‘Microsoft Outlook’ that offer add-ons for PGP. If you want to use PGP with a different email client, like Gmail, try ‘Mailvelope’. However, be aware that with these common email providers, PGP cannot hide the sender, recipient or the subject of the email.
Another recommended email provider that offers an end-to-end encrypted service is ProtonMail. The service is designed as a zero-knowledge system, using client-side encryption to protect emails and user data before they are sent to ProtonMail servers. The servers are located in data-secure Switzerland, the encryption is based on SSL, PGP and the code is open source. The difference between ‘Thunderbird’ and the similar tool ‘Evolution’ is that ProtonMail is an actual email provider and not only a client.