Lawyers, Encrypted Email, and Gmail – Part 2 of 2: The Tools
See Part 1: Lawyers, Encrypted Email, and Gmail: Encryption, for a discussion on ethics opinions, Gmail and an introduction to third-party options.
Encryption refers to the process of encoding a message so that only authorized parties can read it. In relation to electronic information like e-mail, encryption uses a set of keys or passwords to make the content of the message unreadable to anyone who does not have the proper key.
Third Party Encryption options for Gmail
Larger firms can use stand-alone applications from third-party vendors like CipherCloud and ZixCorp. For smaller firms and solo attorneys, offerings like SecureGmail and Mailvelope, two free plug-ins for the Chrome Web browser that integrate tightly with Gmail to create and send encrypted messages, may be a more cost-effective solution.
SecureGmail is available from the developer’s web site or in the Chrome Webstore. SecureGmail is compatible with free Gmail accounts, as well as paid Google Apps accounts. It can be used across multiple accounts accessed from the same Chrome browser.
Once installed in your browser, SecureGmail adds a button with a lock icon next to the existing Gmail “Compose” button (see above). Click the lock button to begin composing a message to send with encryption.
SecureGmail’s composition window (on the right) is very similar to the “regular” Gmail composition window (on the left), with the exception of the red border at the top of the SecureGmail window (rather than the standard black) and the “Send Encrypted” button that takes the place of the standard “Send” button. All other functions of the compose window are available.
Once you’ve composed the message and clicked the “Send encrypted” button, you’ll be prompted to enter an encryption password, along with the option of adding a hint to jog the recipient’s memory. SecureGmail uses symmetric (or secret) key encryption – meaning that the recipient must enter the same encryption password to decrypt the content of the message. (By contrast, asymmetric, or public key, encryption uses a public key that can be freely shared with anyone who wishes to send the recipient an email, while only the recipient has the different but corresponding private key needed to decrypt the message.) So, your recipient must already know the encryption password required to decrypt the message or be able to figure it out based on the hint. You would want to give the recipient the password in advance – perhaps in person or on the phone. For obvious reasons, you would not want to send the password via an unencrypted email.
If the recipient has already installed SecureGmail, the content will first appear as a long string of seemingly random numbers and letters. At the top of the message is a link for the recipient to click to enter the password. If you opted to include a hint, it is also displayed at the top of the message.
If the recipient has not installed SecureGmail, there will be a link prompting them to install it at the top of the message.
The encryption is handled on your computer, so the unencrypted content of your message is never sent anywhere. In SecureGmail’s “Secure” compose mode, drafts of the message, which Gmail ordinarily auto-saves to its servers, are not saved there, so no unencrypted record of the text exists. In fact, drafts cannot be saved at all in the Secure composition mode.
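The shared-password scheme described above can be sketched in a few lines of Node.js. This is an added example, not SecureGmail's code: the key derivation (scrypt), the cipher (AES-256-GCM), the envelope layout and the function names are all assumptions chosen for illustration.

```javascript
// Added illustration of password-based (symmetric) encryption; not SecureGmail's code.
const nodeCrypto = require('crypto');

// Turn the shared password into a 256-bit key. The salt is random per message
// and is not secret; it travels with the ciphertext.
function deriveKey(password, salt) {
  return nodeCrypto.scryptSync(password, salt, 32);
}

// Runs on the sender's machine: only the returned envelope is handed to the mail service.
function encryptMessage(password, plaintext, hint = '') {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return {
    hint, // travels in the clear, so it must not give the password away
    blob: Buffer.concat([salt, iv, cipher.getAuthTag(), body]).toString('base64'),
  };
}

// Runs on the recipient's machine with the password agreed in advance.
function decryptMessage(password, envelope) {
  const raw = Buffer.from(envelope.blob, 'base64');
  const salt = raw.subarray(0, 16);
  const iv = raw.subarray(16, 28);
  const tag = raw.subarray(28, 44);
  const body = raw.subarray(44);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
  } catch (err) {
    return null; // wrong password, or the ciphertext was altered in transit
  }
}
```

The `blob` field is the "long string of seemingly random numbers and letters" the recipient sees until the correct password is entered.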
One drawback of SecureGmail is that the recipient cannot hit the reply button in Gmail to send back an encrypted reply. They must click the lock button in their browser and compose a new encrypted message to you. Other hurdles to using SecureGmail might be that the recipient must also have SecureGmail installed in their Chrome browser and they must be using Gmail.
The free Mailvelope plug-in for the Chrome Web browser is designed to work with multiple webmail providers, including Yahoo and Outlook.com, in addition to Gmail. The plug-in is available from the Chrome Webstore.
A version is in development for Firefox.
Mailvelope utilizes asymmetric (public key) encryption. So, you must know your recipient’s public encryption key to use when you send them a message. The recipient would then use their private key to decrypt the content of the message.
Once installed in your browser, Mailvelope adds a small lock and key button in the upper right-hand corner of the browser window – to the right of the address bar.
The initial set-up of Mailvelope is a bit more involved than SecureGmail. Mailvelope first requires you to generate your set of public and private keys. This is accomplished by clicking the lock and key icon>Options>Generate Keys. This will create the public key you would share with others and the private key you would keep secret to decrypt the messages encrypted with your public key. One advantage of these extra steps is that you can choose the length of your key, up to 4096 bits. Longer keys are harder to crack.
Once you’ve created your key set, the next step is to share your public key with people so they can use it to send you encrypted messages. To do this you would click “Display Keys” in the left-hand column, then select your key from the list. Next you would click the blue “Export” button above your key, and then select “Send Public Key by Email” from the drop-down menu.
In order to send encrypted messages to others, you will have to obtain their public keys and import them into Mailvelope by clicking the import keys link on the left-hand side of the options screen (see above) and following the directions on that page. Once you’ve imported someone’s public key, you can begin sending them encrypted messages.
Mailvelope adds a new “pencil and paper” button into your Gmail message composition window. Click that button to open Mailvelope’s own secure composition window. This window keeps unencrypted drafts of your message from being stored on Google Gmail servers.
Once you’ve composed the message you want to encrypt in the Mailvelope window, click the lock icon in the upper right-hand corner of the window to select a recipient (or multiple recipients) from the list of people whose keys you have previously imported.
Then click “OK” to encrypt the content of the message and then “Transfer” to move the encrypted content back to the Gmail compose window in order to send it.
Next you would add the recipient’s email in the “To” field, add a subject line, and click “Send.” The recipient would then use their private key to decrypt the message. Note that the subject lines of encrypted messages are generally not encrypted.
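The public-key workflow above, including sending to several recipients, as an added Node.js example. It is not Mailvelope's code or message format: the RSA-OAEP plus AES-256-GCM hybrid scheme, the addresses and the function names are assumptions for illustration.

```javascript
// Added illustration of public-key mail encryption; not Mailvelope's code or format.
const nodeCrypto = require('crypto');
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Each correspondent generates a key pair once and shares only the public half.
function generateKeyPair(bits = 2048) {
  return nodeCrypto.generateKeyPairSync('rsa', { modulusLength: bits });
}

// recipients: { address: publicKey }. The body is encrypted once with a random
// session key; that key is then wrapped separately for every recipient.
function encryptFor(recipients, subject, body) {
  const sessionKey = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  const ciphertext = Buffer.concat([cipher.update(body, 'utf8'), cipher.final()]);
  const wrappedKeys = {};
  for (const [address, publicKey] of Object.entries(recipients)) {
    wrappedKeys[address] = nodeCrypto.publicEncrypt({ key: publicKey, ...OAEP }, sessionKey);
  }
  // The subject is a mail header and stays readable by the mail provider.
  return { subject, iv, tag: cipher.getAuthTag(), ciphertext, wrappedKeys };
}

// Only the holder of the matching private key can unwrap the session key.
function decryptAs(address, privateKey, message) {
  const wrapped = message.wrappedKeys[address];
  if (!wrapped) return null; // the message was not encrypted to this address
  try {
    const sessionKey = nodeCrypto.privateDecrypt({ key: privateKey, ...OAEP }, wrapped);
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', sessionKey, message.iv);
    decipher.setAuthTag(message.tag);
    return Buffer.concat([decipher.update(message.ciphertext), decipher.final()]).toString('utf8');
  } catch (err) {
    return null; // wrong private key, or the message was altered
  }
}
```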
One of the reasons more people don’t encrypt their messages is that it can be daunting to set up for those who don’t like to look under the hood of their technology. While neither of these two products offers a perfect solution, they do give lawyers an easier option to add one more layer of protection to the information they send via email – making the practice a bit less onerous.
ABOUT THE AUTHORS:
Carole Levitt, Esq. President and founder of Internet for Lawyers (a CLE seminar company), has over thirty years of combined experience in the legal field as a California attorney, Internet trainer, Law Librarian and Legal Research and Writing Professor. Ms. Levitt has served on the ABA’s Law Practice Management Section’s Publishing Board since 2004 and served on the Section’s Executive Council from 2007—2011.
Mark Rosch, Vice-President, Internet for Lawyers, is the developer and manager of Internet for Lawyers’ (IFL) website, Facebook Company page, and online education services. He also is the editor of IFL’s newsletter, The Internet Legal Research Update. Mr. Rosch serves on the ABA’s Law Practice Management Section’s TECHSHOW Planning Board.