Easy email encryption

LEAP hopes its open-source, encrypted email will be useful for journalists and newsrooms
January 10, 2014

Email, that daily workflow staple, is becoming a real problem in this post-Snowden era. Or rather, it has always been an issue–but many of us are only now becoming aware of how big an issue it is. Service providers can be forced to hand over customer data to government agencies or might shut down to avoid doing so; accounts can get hacked; communications can be intercepted–we all know now what goes on in the NSA. But the most widely trusted method of encryption, industry veteran Pretty Good Privacy, has a pretty steep learning curve, both in understanding the abstract concepts involved and the actual step-by-step process. Why can’t it just be easy?

This is the challenge that the LEAP Encryption Access Project might just meet. Established by a grant from the Open Technology Fund, LEAP is a nonprofit group of developers working to make encrypted digital communication easy, and free. It has a core staff of five developers working full-time on the project and another handful working part time, and eventually they hope it will be run by volunteers, with its source code overseen by anyone and everyone. But the beta version should be ready to try out in the next few weeks.

LEAP isn’t itself an email service provider. It’s encryption software that you download and install and then use in conjunction with an email client like Thunderbird, Apple Mail, or Outlook. But what makes LEAP different from other secure email setups, like the PGP interface Enigmail for instance, is that it automates the key-exchange part of the encryption process, which is probably the most cumbersome component. LEAP also makes sure that the service provider never has access to your data, because the encrypting and decrypting all happens on your computer. Significantly, LEAP also encrypts message metadata in addition to the content of the messages themselves.

Unfortunately, all this security does have a slight trade-off. The LEAP setup means that you won’t be able to log in to your email through a typical Web browser; you have to access it through the software on your computer. Just like the good old days of about a decade ago, you’ll have to download all of your messages onto your computer to read them. The unencrypted versions will also be backed up on the cloud. But what you lose in convenience, you gain in control: The service provider you use to send your email won’t be able to read your mail.

The director of the project, Elijah Sparrow, says the public beta will be available in February, and he wants to invite journalists to try it out–with a caveat.

“We’re really eager to have journalists see LEAP, but we want to be quite certain that everything is secure before they actually use it [for reporting],” says Sparrow. “We’re trying to do everything and be cautious, which is very laborious and slow. But I think there will be long-term benefits to being uncompromising.”

The stakes are undeniably high–not least for journalists working with sensitive material. “Like free speech, the right to whisper is a necessary precondition for a free society,” reads the LEAP website. “Without it, civil society and political freedom become impossible. As the importance of digital communication for civic participation increases, so does the importance of the ability to digitally whisper.”

Journalism advocacy groups have taken note. Along with its initial grant from the Open Technology Fund, LEAP is also benefiting from a two-month fundraising campaign currently underway at the Freedom of the Press Foundation. The foundation is making a push for several different encryption tools and projects for journalists, including messaging services RedPhone and TextSecure, the “incognito operating system” Tails, Tor, and its own anonymous submission software, SecureDrop.

When asked why the group chose LEAP to be one of the recipients of its outreach efforts, FPF Director Trevor Timm replied that there are many worthy projects out there, but that a couple of factors sent LEAP to the top of the list. One was that the developers on the team are all experienced and well-respected in the field; many of them come from the venerable and bold RiseUp project. LEAP’s scope and rapid timeline recommended it to them, too.

“Their next-generation email service is also very close to being ready, ready for public testing possibly within weeks,” Timm wrote in an email. “This was also important to us. We wanted donors to give to projects that can be used right away, or in the near future, rather than years down the road.”

In addition to email encryption and a secure Internet proxy, LEAP also plans to release secure chat, mobile messaging, and file encryption software. Another important goal, says Sparrow, is to make LEAP compatible with legacy email providers, so that whole newsrooms could switch over to encrypted email.

“They could use their existing email addresses, but it would be a way to enforce organizational security,” he explains. Using one email system for day-to-day work and another one for sensitive material isn’t really a good plan. For one thing, you never really know when a conversation is going to suddenly require extra layers of security; for another, switching over can raise a red flag.

“Particularly in more repressive contexts, if you use ‘security’ when you need it, we know from a bunch of evidence that it makes you stand out, and it makes those particular messages stand out,” says Sparrow. “Our goal with everything we do is to figure out some way to trick and cajole and entice people into using a more secure system all the time.”

Lauren Kirchner is a freelance writer covering digital security for CJR. Find her on Twitter at @lkirchner