
Here’s the step-by-step guide to NSA-proofing your email

Drew Crawford's post points out that perhaps the biggest flaw in online security today is how little users understand of it.


Joe Kloc


Posted on Jul 16, 2013   Updated on Jun 1, 2021, 11:22 am CDT

Since former NSA contractor Edward Snowden revealed the agency’s large-scale online surveillance program, known as PRISM, email privacy has been of particular concern to many Americans.

As inconvenient as it might be, staying off of Facebook or Skype is doable. But email, at this point, is all but necessary not only for one’s personal life but also for one’s professional success. In 2012, for example, businesses sent almost 90 billion emails per day.

Unfortunately, most of these emails are kept by Silicon Valley companies that participate in PRISM. In 2013, the research firm Litmus reported, all but 11 percent of email clients are owned by Apple, Microsoft and Google. This raises the question: if one can’t live without email, is there any way to maintain privacy in the age of PRISM?

According to software developer Drew Crawford, “NSA-proofing” one’s email can be accomplished in about two hours. “If you are still using GMail (or Yahoo, or arbitrary U.S.-based email company) in August,” Crawford wrote in a detailed blog post on how to set up an encrypted email server, “your right to complain about the NSA spying on you is revoked.”

Crawford’s explanation—which goes into too much technical detail to explain here—essentially points to the fact that the major vulnerability of PRISM-tapped emails is that they are hosted by companies vulnerable to court orders.

To address the issue, Crawford fleshes out the step-by-step process users must go through to host their own emails on encrypted servers. For someone without much familiarity with coding, the task is a slog that requires them to detangle sentences like “you might want to lower the TTL on your MX records to the smallest possible setting.”

True, that technical language will probably prove too much of a barrier for many. But Crawford’s post serves to point out that the largest flaw in online security is perhaps a lack of programming literacy. If we don’t know what’s going on when we click “send” on an email, how can we have any reasonable assurance those transactions are private?

“Today we kill your excuses,” Crawford wrote. “Because I’m going to show you exactly how to do it, it’s going to take about two hours to set up, and it’s a ‘set it and forget it’ kind of setup. … Pick a weekend, get it done.”

In some sense, however, the push for individual education about how information is stored on the Internet may have come too late. No matter how secure the emails are on one server, the process is only truly secure if both emailing parties are using such precautions. If the Litmus survey is correct that at least 89 percent of email traffic happens on services participating in PRISM, it’s difficult to imagine a meaningful number of people will be taking the very technical—if brief—steps to ensure their privacy anytime soon.

As for Crawford, his entire blog gives an internal server error this morning, which has Reddit a little worried: “Looks like the NSA got him already,” deadcow5 speculated.

Illustration by Fernando Alfonso III 

*First Published: Jul 16, 2013, 8:10 am CDT