Our press release announcing the new version of Enlocked just went out over the wire this morning. Peter Swire, a global leader on privacy and member of our advisory board, summed it up well, saying:
“With its next generation of secure email services, Enlocked has brought to market the easiest way for doctors, attorneys, accountants and other business people who must send private information to patients, clients or customers; to be certain that it will be seen solely by the designated recipients.”
The latest version of Enlocked maintains the ease of use of previous releases (some have said it is even simpler now), while raising the bar on security. By performing all encryption locally on the user’s device, using a key protected with a passphrase that we never know, Enlocked makes no compromises in security. We just make it a lot easier for anyone to use, whether that’s on a computer from any browser or email client, or on your mobile device. You can learn more about how Enlocked works here.
To celebrate availability of the new version, we are also announcing a special limited time offer for new users. Enlocked has always let users read unlimited messages for free, and send up to 10 messages each month. Now, for new users who sign up before July 31, 2014, we will upgrade your account to our gold level letting you send up to 2,000 messages every month. That would normally cost $19.99 a month, saving you about $100!
Here’s the sign up page.
(it’s easy to register, just enter your email address, choose a password, and confirm your email with a link we send… no credit card required)
When Google does anything, people notice. So, last week when they announced plans to release a Chrome plugin that would allow access to PGP encryption / decryption from inside the Gmail web client, it seemed everyone was pretty quick to hail it as a major step forward in email privacy.
While Google is to be commended for bringing to market a way to protect users’ digital communications from prying eyes – as long as its Chrome plugin is used and the sender and receiver use Gmail – the company, with all its technological heft, missed the mark on the elements that have slowed broad adoption of PGP encryption/decryption… it’s too complicated. PGP has been a solid encryption technology for two decades. However, throughout those twenty+ years there have been two consequential impediments to broader use:
[Note: for interesting background on these issues, and other long-term challenges with PGP usability, see the peer-reviewed and often cited paper "Why Johnny Can’t Encrypt", or the follow-on "Why Johnny Still Can’t Encrypt"]
Nothing in what Google announced with End-To-End helps with the first issue. Further, while Google would like to see everyone use Gmail, running in a Chrome browser, the company ignores the reality that email will continue to operate in a multi-platform infrastructure (with back-ends based on Exchange, Yahoo, AOL, national / regional ISPs, etc.; and, accessed by iPhones, Android tablets, Outlook, and a range of web browsers). As a result, this plugin won’t change a thing.
The widespread adoption of email encryption requires an approach that solves these two critical issues. The team at Enlocked has spent a lot of time developing a solution that lets you send emails to anyone without needing to exchange keys first, and without having to worry about what the recipients use to read their email. It’s simple, secure, and it works today.
— Andy Feit, CEO
Over the last month we completed the rollout of a major new release of Enlocked across all of our supported platforms… the new release is the result of a significant engineering effort, and is built on an entirely new architecture.
The question some of our loyal users might ask is, why?
And the answer to that for them — and for anyone new to Enlocked who may be looking for a secure way to send private email communications — is that things changed a lot in the world of privacy over the last year.
When we first created Enlocked, the idea was to make email encryption easy enough for anyone to use, across all their devices. There were plenty of complex things out there, which required installing software, exchanging keys, and didn’t work across mobile devices… but the complexity of email encryption has prevented widespread adoption for decades. The reviews of the original Enlocked showed that we did achieve our ease of use goals.
But, there was always a trade off. In order to make it simple, we did some things that required users to trust us with access to their email inbox, a copy of their key, and to see their message briefly on our server while it was being encrypted or decrypted. Before the disclosures last summer of privacy breaches by the NSA and others, most people felt that trusting a dedicated security provider was reasonable — although to be fair, some did not, and we knew Enlocked would not be for everyone.
Things have changed, and we have changed as well. The new version of Enlocked maintains the ease of use we are known for, but has some distinct advantages for those concerned with achieving the utmost in privacy for their email:
As we developed this new architecture, the design theme was "no compromise security". While we wanted to keep things just as easy to use, and to work across the broad range of email services and devices people use, every decision we made was to maximize privacy.
To learn more about how the new Enlocked works, check it out here.
A couple of weeks ago, we quietly rolled out our biggest changes to the Enlocked system yet. Perhaps some of you noticed, but if we did our jobs well it should have been very transparent. While the changes were subtle, they were based on some usability testing we did over the summer, aimed at improving the experience for first-time users. We have seen that in some cases, messages sent to people who have never used Enlocked before do not get read. And while for a few of these there may be a valid reason, the fact that someone took the time to send an encrypted message should mean the information is valuable. As we understood more about where potential new users were dropping out, we could then make changes to minimize this issue. Ultimately, for our sending users, the more often their recipients are able to easily read the message, the better!
So, what did we change? Well, here are some of the bigger items, with a little background on what drove the decision.
We’re already seeing positive results from these changes, and we’d love to hear your thoughts. Are there other things you think we could do to improve the system? If you would like to submit feedback, you can use the new community forum on the Enlocked site, or if you would rather share your thoughts privately, drop us an email. You can even encrypt it :-)
Well, if you’ve been poking around in Enlocked Anywhere, you may have noticed a new capability we’re testing and expect to officially announce shortly. We call it Ensafe, and it lets users encrypt messages in their Gmail account even if they were originally sent in the clear (yes, right now it is Gmail only… stay tuned if you use another email provider). So, all those older emails that you want to keep for your files, but would rather not have anyone read if they hacked your account, can now be easily encrypted. Or, if someone sends you a message that contains sensitive information, put it in an encrypted folder and even Google administrators won’t be able to read it (nor someone who borrows your phone and opens up your mail).
To set up Ensafe to encrypt a “folder” (or in Google language, messages with a certain “label”), for now you will need to go to the Enlocked website and use the web interface, Enlocked Anywhere. Simply click on the “Lock” icon above your messages. This will take you to the Ensafe configuration page. Now, simply select the folders you want to encrypt. It’s that easy. If a folder is currently encrypted you can simply uncheck the box and the messages will be restored to their original state. In a future update of our browser plugins and mobile apps, we’ll provide the ability to manage Ensafe from the client side.
Note that for performance reasons, the encryption task will be done in the background, and depending on the size of your archived folder it may take several minutes, or even longer. Also, there are certain system folders / labels that cannot be encrypted with Ensafe, including your Inbox, Sent, Trash, and Drafts (notice in the screen shot above, they are grayed out).
We’re excited to release this new capability… and are thrilled with the reception it is already receiving from several of our users who have either asked for such a feature and have been beta testing it for us, or found it on their own and figured it out. Let us know what YOU think…
Some of our more adventurous users have already discovered the secondary password feature. For those that may wonder what it is, or if you even need it, this post will give you an overview and then you can decide whether to set it up on your account.
First of all, to find the optional secondary password, you will need to use the Enlocked web application. Go to the Enlocked website, and click on Enlocked Anywhere in the menu bar. The system will ask you to authenticate yourself (unless you already did recently), and once you do, Enlocked displays your recent encrypted email messages.
To set up your secondary password, click on the “gear” icon to get to settings, and then you can check the box next to “Use a secondary password”. The system will ask you to enter and confirm the password you want to use, and to set up a security question / answer in case you forget your password later.
So, now that you know how to do it, let’s go over why you might want to use this in the first place.
Since our announcement, we’ve heard from a lot of people who just didn’t realize how insecure their personal email really was. They’ve been assuming that as long as nobody knew their email password, or their recipient’s, it should be safe.
But, that assumption is simply wrong. One of the things that makes email work so well, is that you don’t need to know anything about what the other user(s) you are sending to have for an email system, or anything about the network in between. The message just gets there. And the reality is that in order for that to work, your email is being sent entirely in the clear, readable by anyone with access to the network/servers along the way.
Now, you’re probably thinking that with all the email flying around the internet, who really has time to look for my little message that happens to contain a credit card number, or social security number. Well, the good news for the hackers out there (and therefore, the bad news for the rest of us), is that they don’t have to read everything. The bad guys have a number of ways to automate this whole process:
Your archived messages are actually even easier for some people to get to. The system administrators on your email servers can access any message they want. While service providers try to screen employees to prevent this insider threat, it does happen. And of course, if someone steals your laptop or smartphone, any messages stored in the clear are readable. You might even use the browser save password feature so that if someone can get onto your system, just by going to your email site (you likely even bookmarked it for them!) they will be logged in automatically. And how many of us have old email archives saved as an Outlook .PST file, just waiting for someone to open???
Encrypting your email helps with all of these. Even in the worst case of an admin being able to access your email, if it is encrypted they won’t be able to read it. And if that admin tries to reset your password to gain access to the Enlocked keys, if you’ve used our secondary password feature you’re even protected from that.
Cool. We formally launched the Enlocked service yesterday. It still says “beta” on the web site, but hey, so did Gmail for the first few YEARS.
We’d like to thank those of you who participated in our early testing, and hope you will continue to enjoy Enlocked. We got many positive responses from people who were thrilled to finally have access to a simple solution for email security. We knew that people cared about their privacy, but just couldn’t go through all the work to get software installed on all their devices. And then expect the people that get their messages to do the same just to read it.
The great thing about Enlocked is that once you read the encrypted email sent to you, you can use Enlocked easily - just look for the “send secured” button added to your email client (on iPhone you need to use the Enlocked app to compose emails) and send your secured email to anyone - even if they don’t have Enlocked yet!
Please send us any feedback or ideas you might have. Our goal is to help you send and receive secured email to and from anybody on all of your devices – we really want to know how we are doing.
Thanks all for helping us make it a great product launch!
You use email to communicate with family, with service providers (doctors, lawyers, accountants), with business associates. But, we’d bet that at least a few times a week, you choose NOT to send something via email, and for that sensitive piece of information you use some other method. Even a fax is safer than email in some ways (our next blog will talk about how email is easily breached) as a fax is at least only readable at the sending and receiving site. More likely, you’re calling someone to provide that private information directly, slowing you down, creating the inevitable phone tag. And then they write it down anyway, for anyone to find.
Wouldn’t it be nice if you could use email to send that message, knowing it couldn’t be read along the way, it couldn’t be read if someone stole your laptop or smartphone, and it was no more work to send or read an encrypted message than a plain text one?
Then, they could save that information in their email, knowing it was safe, but also knowing it was accessible the next time they needed it. For most of us, email has become our primary communication vehicle, yet it is still one of the least secure channels. More on that in our next post.
— Andy Feit, VP of Marketing