DRAFT PLEA FOR THE PROPAGATION OF ENCRYPTION

Short of the unhealthy interest of a three letter government agency, in which case you probably have bigger problems than worrying about whether your data is encrypted, there are still good reasons to consider a few simple measures to ensure privacy in communications. Many of us are familiar with the by now somewhat shop-worn point that people who still use the postal service tend to prefer putting their personal letters and bill payments into envelopes rather than pasting them on a postcard for general review. Ironically, perhaps, the same people who would hesitate to have the postman reviewing their medical report are quite happy to leave their unencrypted email to reside on the servers of the Google or Yahoo corporations after it bounces halfway around the world from one server to the next. In addition, all this unencrypted data quietly residing on the Internet can become easy prey should the heirs of J. Edgar Hoover cast the same suspicious eye on you that he cast on David Halberstam and Martin Luther King, Jr. See http://en.wikipedia.org/wiki/Carnivore_(software).

Aside from whether the jack-booted thugs are on their way to come a-knocking at the door, imagine the boss at your Fortune 500 company has sent out a global email trumpeting the latest way to make money off of sub-prime mortgages, and you decide to send a snarky comment to your best friend about the progression of your boss's Alzheimer's. Then you hit the "reply all" button and realize that it is time to polish up your resume. Alternatively, if the snarky remark had been encrypted, only your best friend could read it, no matter where it was sent.

And who has not received an email from the ex Foreign Minister of Nigeria explaining that a small advance contribution can liberate millions of untraceable funds, eighty percent of which will be turned over to you? Laughable that anyone would fall for such a transparent scam, but wouldn't it be reassuring to be confident that emails from your friends really are from your friends and not from the ex Foreign Minister of Nigeria pretending to be your friend? By requiring each person to have a unique private key, encryption reliably identifies the sender of a signed or encrypted email.

Public key encryption requires a public key and a private key. In sending a message, the sender uses the recipient's public key to encrypt the message and, to sign it, his own private key. Upon receipt, the recipient decrypts the message with the private key corresponding to his public key. While the public key, as the name implies, is widely circulated, the private key is held only by the owner, kept secret, and generally protected by a password. Verifying the identity of a key owner generally depends initially upon personal verification between users, but ultimately upon a "web of trust" built up as users sign each other's keys. It seems to be generally conceded that, used carefully, public key encryption systems such as GPG are capable of withstanding all but the most determined of institutional attacks, but that special care is necessary to create strong passwords, guard private keys, and verify relationships in the web of trust. See http://blogs.techrepublic.com.com/security/?p=412 .

Although only in limited use by private individuals, high quality public key cryptography is widely available to the public for free, supplemented by low cost refinements that increase its convenience. Among these are PGP/GPG (supplemented as needed by the public hushmail implementation) and SSL certificates providing S/MIME encryption.

Gnu Privacy Guard (GPG)

Gnu Privacy Guard (GPG) is a free program that encrypts files using the OpenPGP standard. It offers additional security because the source code (instructions for the computer) is freely available and can be examined by anyone with sufficient expertise to ensure that there are no back doors or other flaws in the program. Although GPG is standard on Linux platforms, Windows users need to install a Windows variety of the program such as gnupg.exe or gpg4win.exe.

My preferred standalone email client is Mozilla's Thunderbird, which provides for encrypting email using either GPG or S/MIME. Instructions on downloading and installing gnupg.exe, creating and importing keys, and installing the Thunderbird Enigmail add-on in order to use GPG can be found at http://enigmail.mozdev.org/documentation/quickstart-ch1.php#id2532629 .

After downloading and installing gnupg.exe, you need to open a command window from Start>Run; type "cmd" in the "Run" window and hit return.

Use the "cd" command to change directories to c:\Program Files\GNU\GnuPG, then, on the command line, type, as needed:

gpg --help       to get help
gpg --gen-key    to create your public and private keys
gpg --import     to import previously generated keys

Although there are a host of other command line options for gpg, the most useful functions for sending email will all be available within Thunderbird once Enigmail is installed.

After downloading Enigmail, one may wish to take advantage of one of the other features of GPG, which is its ability to verify the authenticity of downloaded software. To do so, first download and import the Enigmail public key as follows:

"C:\Program Files\GNU\GnuPG\gpg" --import enigmail-key.asc

Then, download the signature file from the website and the Enigmail file itself, and run

"C:\Program Files\GNU\GnuPG\gpg" --verify enigmail-0.95.7-tb+sm.xpi.asc enigmail-0.95.7-tb+sm.xpi
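
A "Good signature" from the command above only shows that the file matches whichever key was imported, so if that key came from the same website as the download, the signer's fingerprint should be confirmed through a separate channel. The following added example (not from the original post or from the Enigmail project) reads gpg's machine-readable --status-fd output and accepts a file only when the signature is valid and was made by the expected full fingerprint; the fingerprint, signer name and status lines in it are constructed sample values.

```python
import subprocess

# Status keywords after which the file must not be trusted.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}

# Constructed sample of `gpg --status-fd 1 --verify` output (not a real key).
SAMPLE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_STATUS = f"""[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG {SAMPLE_FPR} 2009-03-16 1237161600 0 4 0 17 2 00 {SAMPLE_FPR}
[GNUPG:] TRUST_UNDEFINED
"""


def signature_ok(status_text, expected_fpr):
    """Return True only if gpg reported a valid signature by expected_fpr.

    expected_fpr is the full fingerprint obtained out of band (spaces allowed).
    """
    want = expected_fpr.replace(" ", "").upper()
    if len(want) < 40:  # refuse short key IDs; only a full fingerprint is accepted
        return False
    signers = set()
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in REJECT:
            return False  # any bad, expired, revoked or unverifiable signature fails
        if fields[1] == "VALIDSIG" and len(fields) > 2:
            # fields[2] is the signing key's fingerprint; the last field,
            # when present, is the primary key's fingerprint.
            signers.update((fields[2].upper(), fields[-1].upper()))
    return want in signers


def verify_download(sig_path, file_path, expected_fpr, gpg="gpg"):
    """Run gpg on a detached signature and check who actually signed the file."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, file_path],
        stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True,
    )
    return proc.returncode == 0 and signature_ok(proc.stdout, expected_fpr)
```

On Windows, pass the full path to gpg.exe as the gpg argument of verify_download if it is not on the PATH.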

Enigmail, which is simply a Thunderbird .xpi file, is easily installed by anyone familiar with Mozilla simply by opening the extension in Thunderbird from Tools>Add-on>Install, otherwise see the more detailed instructions referenced above. Once installed, the new buttons on the Thunderbird toolbar allow you to easily encrypt, decrypt, sign, and verify signatures on your mail. (One note: mail signed with GPG should be sent in text format rather than HTML).

Hushmail

So far this solution works fine for desktops and laptops where one can install GPG, but increasingly people are using cellphones to send email to and fro over easily intercepted wireless connections. Although PGP Corporation (http://www.pgp.com) experimented briefly with a PGP client for the Palm Pilot, in general I have not found support for GPG on mobile mail clients. However, increasingly cellphones also have web browsing capability, and one method of addressing the problem of unencrypted email can be found at http://www.hushmail.com. Hushmail is essentially a web-based email server with GPG installed; it lets you create a free account and send encrypted email. For $50 (or more) a year, it will also let you integrate your hushmail account with your desktop or laptop GPG account, so you can access your hushmail account from the web on your cellphone, laptop, or desktop, and also from Thunderbird on your laptop or desktop.

S/MIME

An alternative to GPG is to create a personal SSL certificate, have it signed by a recognized certificate authority, and use it for encryption and signature of email. Depending on the purpose of the certificate, the process of creation can sometimes be a bit involved, and Certificate Authorities will sometimes charge a hefty fee to issue a signed certificate. (The signature from a trusted authority assures a recipient of your email, for example, that you really are who you say you are.) However, there is at least one good free Certificate Authority -- CACert.org. CACert.org will issue a certificate suitable for email use for six months at no charge, and all that is required is registration at their site and the completion of a few web forms.

Go to www.cacert.org and click "Root Certificate" and then click Root Certificate (PEM Format) and Intermediate Certificate (PEM Format). This will set up your Certificate Authorities for use by your browser and for export to your mail client. Click each of the three boxes to indicate that you trust the certificate. In Firefox, go to Options>Advanced>Encryption>View Certificates and click on Cacert Class 3 Root under Root CA. Click View>Export and save as an X.509 Certificate with chain. Repeat for CA Cert Signing Authority. In Thunderbird, go to Tools>Options>Advanced>Certificates>View Certificates>Authorities>Import and import each of your saved Certificate Authorities, again checking off the boxes to indicate that they are trusted.

Now sign up for a free account at www.cacert.org (although as a public service organization, they do accept donations). Once your email is confirmed and your account set up, go to Client Certificates and follow the directions to set one up for your email. Click on your certificate to install it in your browser. (You will now be able to sign into cacert.org using your certificate rather than your password if you wish). In Firefox, you can now go to Options>Advanced>Certificates>View Certificates>Your Certificates>Backup and save your personal certificate as a PKCS12 file (filename.p12), and then reverse the process to import your certificate into Thunderbird. You now have a personal SSL certificate in Thunderbird that can be used to create an S/MIME signature or encrypt your email. Of course, before you can send anyone encrypted mail, you will need to have them send you a copy of their certificate.

Responses? Questions? Suggestions? Send me encrypted mail at williamson [dot] day [at] hushmail [dot] com.

GPG Public Key:



UPDATE 3/16/09: It looks as though you can use the gpg4win package to install a plugin for Outlook 2003. (Outlook 2007 is apparently not supported yet.) Their site is located at http://www.gpg4win.org/. I have not had a chance to try it out yet, but a detailed instruction manual is available at http://www.gpg4win.de/handbuecher/novices.html. People who have a serious need for encryption can also buy a commercial implementation of PGP (the commercial version of GPG) such as PGP Home at http://na.store.pgp.com/desktop_home.html for $99. For web-based mail, you probably need something like hushmail as a practical matter, and hushmail also appears to offer Outlook integration in the paid version. Mostly, objections to GPG are not that it is insecure (although many people do not choose a strong enough password) but that 1) the learning curve is too steep, 2) it is too much of a hassle, 3) it may raise questions about what you have to hide if you are using encryption, or 4) anything you have to encrypt should not be sent from an insecure location like work, anyway. You pays your money, and you takes your choice.