Last updated: November 19, 2020

If you’re running a company and you’re not using secure email and chat providers, then you’re tempting fate.

Why?

Because email is a technology designed in the early 1980s without security in mind. SMTP moves a message hop by hop between mail servers; transport encryption (STARTTLS) is opportunistic and only protects the link between two adjacent servers, and every server along the way stores the message in readable form, where it can be read, copied, altered or retained indefinitely. In other words, plain email is a postcard: anyone who handles it on the way can read or rewrite it before it reaches the recipient. It is not a safe channel for confidential information. Not even close. According to InfoWatch's global data leakage report, email is the second largest channel for data leaks.
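To see the "multiple hops" for yourself, read the Received headers of any message in your inbox: each server that handled it prepends one, and the RFC 3848 keyword after "with" (ESMTPS/ESMTPSA versus plain SMTP/ESMTP) tells you whether that hop used STARTTLS. The parser below is an added example for this page, not code from the original article; the message it parses is constructed, with example.org/example.net hosts and documentation IP ranges, and the hop regex assumes the common "from X by Y with PROTO" layout.

```python
import email
import re
from email import policy

# Constructed sample (not a real capture): a message as the recipient's
# mailbox server sees it. Received headers are prepended by each server,
# so the newest hop is on top.
SAMPLE_RAW = """\
Received: from mx2.example.net (mx2.example.net [192.0.2.20])
\tby imap.example.net with ESMTPS id abc123
\t(TLS1.3 TLS_AES_256_GCM_SHA384) for <bob@example.net>; Thu, 19 Nov 2020 10:00:03 +0000
Received: from relay.example.org (relay.example.org [198.51.100.7])
\tby mx2.example.net with ESMTP id def456
\tfor <bob@example.net>; Thu, 19 Nov 2020 10:00:02 +0000
Received: from [10.0.0.5] (alice-laptop.example.org [203.0.113.9])
\tby relay.example.org with ESMTPSA id ghi789
\t(TLSv1.2) for <bob@example.net>; Thu, 19 Nov 2020 10:00:01 +0000
From: alice@example.org
To: bob@example.net
Subject: Q4 numbers

Attached are the numbers we discussed.
"""

# RFC 3848 "with" keywords: ESMTPS / ESMTPSA mean the hop used STARTTLS
# (the A adds SMTP AUTH). Plain SMTP / ESMTP mean cleartext on the wire.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
HOP_RE = re.compile(
    r"from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+).*?\bwith\s+(?P<proto>\S+)", re.S)


def parse_hops(raw: str) -> list:
    """Return the hops in delivery order (sender's side first)."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(str(value))
        if not m:
            continue  # non-standard Received line; skip rather than guess
        proto = m.group("proto").upper()
        hops.append({"from": m.group("src"), "by": m.group("dst"),
                     "proto": proto, "tls": proto in TLS_PROTOCOLS})
    return hops


def cleartext_hops(raw: str) -> list:
    """Servers that accepted this message over an unencrypted connection."""
    return [h["by"] for h in parse_hops(raw) if not h["tls"]]


if __name__ == "__main__":
    for hop in parse_hops(SAMPLE_RAW):
        flag = "TLS" if hop["tls"] else "CLEARTEXT"
        print(f"{hop['from']:>28} -> {hop['by']:<20} {hop['proto']:<8} {flag}")
```

Even in this sample, where two of the three hops used TLS, the message sat in readable form on relay.example.org, mx2.example.net and imap.example.net; transport encryption never changes that, which is why the rest of this page is about end-to-end encryption.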

Consider this: unless every one of your staff uses an encrypted email solution, an attacker who gets hold of a single mailbox (through a phished password, a compromised relay, or an unencrypted hop) can read your company's correspondence. With that access they can spoof messages from your company and send "instructions" or whatever they like to your customers and clients, and email still counts as a legally binding record in many jurisdictions. Scary, right?

Think you only have to worry on public Wi-Fi? Think again. Anyone positioned between you and the server, whether the operator of the network, your ISP, or another device on the same LAN, can capture whatever you send unencrypted, on private networks as much as public ones. And don't even get me started on SMS and unencrypted messaging!


If you want to get serious about your company’s online privacy, here are a few concepts it’s very important for you to understand:

  1. Zero-knowledge encryption: This means that the key that encrypts your data is derived from your master password on your own device and never leaves it; the provider stores only ciphertext. That way employees of the company whose service you're using cannot read your data, even if they wanted to or were ordered to by a court. But remember: if you forget your password, you're sh*t out of luck, because there is nothing on the server that can recover it. [It is also marketed as no-knowledge, client-side, private-key, PEK (personal encryption key) or personal encryption.]
  2. End-to-end encryption: This is essential. It means your data is encrypted on your device and decrypted only on the recipient's device, so it is never readable on the provider's servers or on any hop in between.
  3. Public source code: This means that the app's code can, in theory, be publicly audited, which increases the chances that a backdoor or bug gets found. Two caveats: published code only helps if someone actually audits it (look for published third-party audits), and the build you install should be verifiably built from that code (reproducible builds). Watch out: some companies pretend to be "open source" by publishing part, but not all, of their code.

If you want to go deeper down the rabbit hole, you can learn about the different encryption algorithms (some are obsolete or broken, and the NSA has pushed weakened standards in the past). Orrrr you can save yourself the time and look for software that uses a modern standard cipher such as AES-256, is open source and independently audited (so backdoors are more likely to be found), and is zero-knowledge.
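The three concepts above are easiest to see in a worked registration and login flow. What follows is an added example for this page, not code from the original article or from any vendor: it follows the derivation shape Bitwarden documents for its client (PBKDF2-SHA256 over the password with the email as salt, then one extra PBKDF2 round to make a login hash that is sent to the server), while the iteration count, the server-side storage step and the HMAC-counter-mode stand-in for AES-256-GCM are assumptions made for the example, since Python's standard library ships no AES.

```python
import hashlib
import hmac
import os

# Iteration count is an assumption for this example; the principle, not the
# number, is the point (Bitwarden's documented default at the time was higher
# or lower depending on client version, so check the product's own docs).
KDF_ITERATIONS = 100_000


def derive_master_key(password: str, email: str) -> bytes:
    """Client only. The e-mail acts as salt so two users with the same
    password end up with different keys. This value never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), email.lower().encode(),
                               KDF_ITERATIONS, 32)


def login_hash(master_key: bytes, password: str) -> bytes:
    """What the client sends to log in: a hash *of* the key, so the server
    can check the password without ever holding the key itself."""
    return hashlib.pbkdf2_hmac("sha256", master_key, password.encode(), 1, 32)


def server_store(login_hash_from_client: bytes) -> dict:
    """Server side: salt and stretch the login hash before storing it, so a
    database dump does not even give away the login hash."""
    salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac("sha256", login_hash_from_client, salt, KDF_ITERATIONS, 32)
    return {"salt": salt, "verifier": verifier}


def server_verify(record: dict, login_hash_from_client: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", login_hash_from_client,
                                    record["salt"], KDF_ITERATIONS, 32)
    return hmac.compare_digest(candidate, record["verifier"])


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for AES-256-GCM: HMAC-SHA256 in counter mode as a keystream.
    Enough to show that the server only ever sees ciphertext; a real product
    uses an authenticated cipher (this one has no integrity check)."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def client_encrypt_vault(master_key: bytes, plaintext: bytes) -> tuple:
    nonce = os.urandom(12)
    return nonce, keystream_xor(master_key, nonce, plaintext)


def client_decrypt_vault(master_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return keystream_xor(master_key, nonce, ciphertext)


def demo() -> dict:
    # Registration: the client derives the key and sends only the login hash.
    email_addr, password = "alice@example.org", "correct horse battery staple"
    mk = derive_master_key(password, email_addr)
    record = server_store(login_hash(mk, password))
    nonce, blob = client_encrypt_vault(mk, b"bank: hunter2")  # constructed vault content

    # Later login: the right password verifies, a typo does not.
    ok = server_verify(record, login_hash(derive_master_key(password, email_addr), password))
    typo_key = derive_master_key("correct horse battery stapel", email_addr)
    bad = server_verify(record, login_hash(typo_key, "correct horse battery stapel"))

    return {
        "login_ok": ok,
        "typo_rejected": not bad,
        # Everything the server ever receives or stores, checked against the key.
        "server_holds_key": mk in (record["salt"], record["verifier"], login_hash(mk, password)),
        "decrypt_ok": client_decrypt_vault(mk, nonce, blob) == b"bank: hunter2",
        # Forgot your password? The server holds nothing that turns the blob back.
        "typo_decrypts": client_decrypt_vault(typo_key, nonce, blob) == b"bank: hunter2",
    }
```

The design point is the split: the server can answer "is this the right password?" but never learns the key that decrypts the vault, which is exactly why a lost master password is unrecoverable and why a subpoena to the provider yields ciphertext.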

It's also important to understand that each country has different data privacy laws, and many countries share intelligence with each other. The USA is among the worst: a US provider can be compelled (under FISA Section 702, the CLOUD Act, or a National Security Letter) to hand over any data it is able to read, often with a gag order that stops it from telling you. There is no law that forces a US company to build a backdoor, but a provider that holds your keys does not need one. On top of that, the Snowden documents showed that the NSA has spent years weakening standards and undermining deployed cryptography (the BULLRUN program).

And it's not just the NSA. Governments the world over are racing to introduce legislation that allows them to monitor and store every email, phone call and instant message, every web page visited, and every VoIP conversation made by every single one of their citizens. FYI: Switzerland is among the best countries for privacy.

What that means is that data an American company (or an American server) holds in readable form can be handed over without you ever being told. Zero-knowledge encryption changes that calculus, because what gets handed over is ciphertext.

Pile on the fact that data you delete from Google does not vanish when you hit delete (Google's own privacy policy says deleted data can linger in its backup systems for months), and that one compromised Google account lets an attacker pull everything in it through Google Takeout (documents, spreadsheets, mail, contacts, detailed location and browsing history), and it's high time we all started taking our online safety a lot more seriously.


Know this: There is no such thing as "I have nothing to hide". Everyone has something to hide, and unless you want to be barred from the US without a disclosed reason, be wrongly arrested, get doxed, be the victim of identity theft, have your bank account emptied, have your info leaked or your porn habits made public, or be blackmailed with it, you better listen up.

Here are the best services you can use to keep your data safe and private:

TWO-FACTOR AUTHENTICATION

The first step to keeping someone else from logging into your account is to turn on two-factor authentication (2FA) with an authenticator app such as Authy. The app generates a time-based one-time code (TOTP) that you type in alongside your password. Not all websites support app-based 2FA, but set it up on every site that does. It's much, much safer than getting the code by email or SMS, because SMS codes can be intercepted or stolen outright with a SIM swap. Where a site offers it, a hardware security key (FIDO2/WebAuthn) is stronger still, since a phishing page cannot use it. Authy's practical advantage over Google Authenticator is encrypted backup and multi-device sync, so a lost phone doesn't lock you out of every account (protect that backup with a strong password).

PASSWORD SECURITY

Using a password manager means you don't need to remember or type your password each time you visit a website or log in to an app. Filling from the manager instead of typing reduces what a keylogger can capture (though a keylogger on a compromised device can still grab your master password, so the manager is not a substitute for a clean machine), and it keeps you from storing passwords in less-secure ways, like an unencrypted browser profile or a notebook.

It's very important to create a different, long, random password for each website or app, because if one site is breached, a malicious bot will automatically try the same login on thousands of other sites (credential stuffing). One caveat about autofill: a password should only ever be filled into a site whose domain exactly matches the saved entry. A good manager does that check for you and stays silent on a lookalike domain, which makes it a genuine defence against spoof websites; what you should avoid is autofill that fills forms on page load without you clicking, since hidden forms on a malicious page can harvest those.
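The domain check is the part worth understanding, because it is what separates safe autofill from the kind that hands your login to a spoof site. This is an added example for this page, not code from the article or from any password manager; the vault entries and lookalike URLs are constructed, and the policy (https only, exact host match) is a deliberately strict assumption.

```python
import secrets
import string
from urllib.parse import urlsplit

# Constructed vault entries for the example: saved origin -> (username, password).
VAULT = {
    "https://bank.example.com": ("alice", "x7!Kq-constructed"),
    "https://mail.example.org": ("alice@example.org", "m9#Lp-constructed"),
}


def may_autofill(page_url: str, saved_origin: str) -> bool:
    """Fill only when the page is https and its host matches the saved entry
    exactly. Lookalikes (bank.example.com.evil.test, bank-example.com,
    evil.test/bank.example.com) all fail this check."""
    page, saved = urlsplit(page_url), urlsplit(saved_origin)
    if page.scheme != "https":
        return False
    return page.hostname is not None and page.hostname == saved.hostname


def credentials_for(page_url: str):
    """What the manager offers for this page, or None.
    Silence on a page where you expected a fill is a phishing warning."""
    for origin, creds in VAULT.items():
        if may_autofill(page_url, origin):
            return creds
    return None


def generate_password(length: int = 20) -> str:
    """A fresh random password per site from the OS CSPRNG (never random.choice)."""
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

A manager that matches on the registrable domain (so login.bank.example.com gets the bank.example.com entry) is a reasonable relaxation; matching on a substring or on the page title is not, and that is the behaviour to test for before trusting a product with autofill.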

  • If you're a company or serious about security, Bitwarden's self-hosted version is definitely the way to go (rather than their hosted version, which is US-based). It has the added bonus of team sharing and is both zero-knowledge and open source, so its zero-knowledge claim can be checked by anyone, and has been in independent audits.
  • As a consumer, I love that 1Password is easy to use and has a (paid) feature where I can share passwords with family members in our ‘shared vault’.
  • If you want a non-USA solution, Sticky Password is a highly rated and full-featured password manager based in the Czech Republic. Swiss-based zero-knowledge SecureSafe's bare-bones password manager is another option, if you're worried about the NSA spying on you.

ENCRYPTED CHAT

  • Signal is one of the most secure encrypted mobile messaging apps out there. It's run by a nonprofit, can replace your phone's SMS app (you sign up with your phone number) and has a user-friendly interface (including a desktop app) that shows you when a message is delivered and then read. If you need to send confidential information to clients/customers (like passwords or account numbers), ask them to install it and communicate via the app. Both the clients and the server are open source, and it uses the Signal Protocol, which is as good as end-to-end encryption gets today. Signal supports encrypted group chats (though, at the time of writing, not group audio or video calls) and you can set messages to disappear after a chosen time. (And yes, it's much more private than WhatsApp or Telegram.)

Unlike Signal, messaging apps like Wire and Threema allow you to sign up without tying your account to a phone number, a significant feature for those seeking some level of anonymity in addition to security.

  • Threema (Switzerland) doesn't require a phone number, has had its cryptography independently audited, publishes its app source code, and has a version designed for business. Threema Work has a handy administrator panel where the admin can revoke privileges, manage users' contact lists, etc.
  • Another option is Wire (Switzerland), which was cofounded by one of the original engineers behind Skype. Similar to Threema, you connect to other Wire users via username instead of phone number. Unlike Threema, which has a small cost, Wire is free, but unfortunately there are no admins, so in a group chat any member can remove any other member. It does, however, allow for video conferences and multi-person voice calls. Create a group, hit call, and everyone's phone rings, with the assurance that the conference call's secrets will be protected. It also allows multiple Wire accounts in the app, so you can have separate work and personal accounts without having to log in and out each time you want to switch.
  • Also worth mentioning is Element (London/UK), a free web and mobile client for the open Matrix network. Its rooms are end-to-end encrypted, and bridges connect it to Slack, Gitter, IRC, HipChat, Lync, Twitter, SMS and more, so you can create rooms for your team/projects, make VoIP and video calls, and send files from one clean interface. The caveat, and the reason it ranks below the apps above, is that anything crossing a bridge is only encrypted as far as the bridge, because the other network can't speak Matrix's encryption. They also have a self-hosted option (you run your own Matrix homeserver), which matters since the UK is not known for good data privacy laws.

Chat programs to avoid: Skype (named as a PRISM provider in the Snowden documents, and not end-to-end encrypted by default), WhatsApp (end-to-end encrypted, but owned by Facebook, which collects your contacts and metadata, and its cloud chat backups are stored unencrypted), Hangouts/Allo and anything else by Google (no end-to-end encryption, so Google, and anyone with legal process against Google, can read it) and Telegram (regular chats are not end-to-end encrypted and live on Telegram's servers; only its opt-in "secret chats" are).

ENCRYPTED EMAIL

I'll warn you upfront: encrypted email only works if both the sender and the receiver use a compatible encryption solution. To keep it simple, get the people you email confidential material to onto the same plugin or the same email provider. And remember that OpenPGP encrypts only the body and attachments: the subject line, sender, recipient and the other headers still travel in the clear.

  • The most practical solution is FlowCrypt for Gmail (Prague), simply because your recipient is likely already using Gmail, and set-up takes about ten seconds. It adds OpenPGP to Gmail, so a message is encrypted in your browser before it reaches Google, and neither Google nor anyone else on the path can read it. Each user gets a keypair: the private key stays on your device, and the public key is what others use to encrypt mail to you. FlowCrypt is easy to use and its code is publicly viewable. They have a browser plugin and mobile apps, too. The Chrome plugin also works with Brave (a privacy-forward browser that can run Chrome extensions).
  • Mailbox.org (Germany) is a long-established secure email service, and offers a full and mature suite of email, office-like, calendar, etc. products. Mailbox.org also caters to anonymity: it's possible to sign up without personal information, pay with Bitcoin, and reach the service through its own Tor hidden service. Mail headers are also anonymized to hide the location and devices of users and their recipients.
  • Like Mailfence, Tutanota and ProtonMail, Mailbox.org is compatible with OpenPGP, allowing users to send encrypted mail even to recipients outside Mailbox.org. Emails sent to users who don't use Mailbox.org or an OpenPGP-compatible service are instead held in a guest inbox, where the recipient can read the message and respond through a disposable link.
  • MsgSafe (Panama) offers free privacy-focused end-to-end encrypted email (which you can use with your own domain, for a small fee), text chat, voice and video calls, all with a beautiful interface. They also provide iPhone and Android apps, and a solution that works with your existing providers without requiring you to install additional software or understand complicated encryption technology. They also claim to improve security even when the recipient isn't on a secure platform.
  • ProtonMail (Switzerland) offers free @protonmail.com addresses, but remember that end-to-end encryption applies automatically only between ProtonMail users; to anyone else you can send a password-protected message or use their OpenPGP support, and otherwise the mail leaves their servers as ordinary email. You can keep your work address by forwarding it to ProtonMail, and a paid plan lets you use a normal mail client through the ProtonMail Bridge (IMAP/SMTP). ProtonMail has its own mobile app with a bunch of additional security features, and you can set your emails to self-destruct after a specified time period.
  • Posteo (Berlin/Germany) starts at a buck a month and is easy to use with any number of email apps. It also comes with an encrypted contacts manager, an encrypted calendar, notes, and a built-in migration service (to easily move your emails, calendar, and contacts from Gmail, iCloud, Outlook, etc.). One thing it does not offer is custom domains: Posteo addresses are always at Posteo's own domains, so if you need mail at your own domain, look at Mailbox.org, Mailfence or ProtonMail instead.
  • Others to check out: Mailfence (Belgium) and Tutanota (Germany).

Email software to avoid: any provider that keeps your mail in a form it can read, which means anyone without zero-knowledge encryption and, because of US legal process, any provider subject to US jurisdiction. Gmail (unless you're using FlowCrypt), Yahoo Mail, Outlook.com, etc. all index your email and hand over account contents on legal demand, usually without telling you.

ONLINE ANONYMITY

The easiest starting point on desktop and mobile is the Opera browser, which bundles a free "VPN" (turn it on in the settings) together with tracker and ad blockers. Be aware of what it is: a proxy for the browser's own traffic only, not a system-wide VPN, so other apps on the device are unaffected, and Opera has been owned by a Chinese consortium since 2016, which is its own jurisdiction question.

Alternatively, get stand-alone VPN software and run it on your computer, tablet and mobile devices. It encrypts all your traffic and routes it through the provider's servers, so the network you're on and your ISP see only an encrypted tunnel, and websites see the VPN's IP address instead of yours. Set it to auto-connect on all your devices, so peeping Toms (amateur hackers on the same network, the guy who set up the Wi-Fi, and your internet provider) can't see what you're sending, which websites you visit, or your location. Two caveats: the VPN provider now sees everything your ISP used to, so its logging policy and jurisdiction matter; and a VPN does nothing about cookies, logins or browser fingerprinting, so the websites themselves can still recognise you.

Here's more about how VPNs work, and how to tell if your VPN is really encrypting your activity. Be cautious when selecting a VPN, as there are a number of fake VPNs out there set up simply to spy on you. Already using a VPN? Check if it's on this list of safe/reputable VPNs.

TEAM COLLABORATION

  • Stackfield (Germany) and SharePlace (France) are privacy-first secure team collaboration tools that come with full-featured mobile and desktop apps. You'll get a suite of project management tools, shared calendars, task lists, document creation and collaboration, secure group chats, time tracking, etc., all with end-to-end encryption.
  • kDrive by Infomaniak (Switzerland) is a Google Drive and Office alternative, and works with those formats. You can collaborate in real time, add comments to your documents, discuss a project in the built-in chat feature and easily approve changes made by your team with the help of the revision tool. Work offline or on mobile. Add a password to your docs. Invite your partners, customers and users to send files to your kDrive even if they don't have an Infomaniak account. It's not free, but it is inexpensive.

Team collaboration services to avoid: Any company with a US office or server and any provider that isn’t zero-knowledge encrypted. That includes BaseCamp, Asana, and Slack.

PHONES & VIDEO CONFERENCING

  • kMeet by Infomaniak (Switzerland) offers a free, unlimited videoconferencing solution. Your data is held in Switzerland, connections are encrypted and meetings can be password-protected. You can also record your meetings to their kDrive and easily share them with your contacts. Infomaniak also has a full suite of other encrypted services.
  • Jitsi Meet is an easy-to-use option for phone and video conferencing, and it's free. The public meet.jit.si instance is run by 8x8, a US company, but the software is 100% open source and you can run your own. It's a shockingly simple 1-on-1 or group video and VoIP solution with sidebar text chat: go to meet.jit.si (or use the mobile app), type in a room name and hit go. No account or software needed, no complicated and changing codes to send. Two caveats. First, anyone who guesses a room name can join it, so use long random room names and set a room password rather than reusing a short name "forever". Second, calls are encrypted between each participant and the server (DTLS-SRTP), but in a multi-party call the video bridge sees the media; end-to-end encryption for group calls is still an experimental option, so for really sensitive calls run your own instance. The room gives you an invite link with an optional password, a dial-in number, or you can invite someone by entering their phone number and have them join audio-only. You can invite as many people as you want, record the call, screen-share, or even embed Jitsi into your website. #winning
  • If you want to keep using your existing VoIP solution, you can run your VPN at the same time (which protects the leg between you and the VPN server, not the call itself). Zfone, Phil Zimmermann's ZRTP tool, used to be the recommendation here but has not been maintained for years; look for a client that supports ZRTP or SRTP natively instead.
  • Wire (which, unfortunately, has an office in the USA) has a sleek app and up to 4-person video conferencing with encrypted file sharing and screen sharing. Conferencing costs $7/user/month. You can also do secure audio conference calls with up to 10 people, and encrypted group text chats with up to 128 people.

PRIVACY-FIRST WEB BROWSERS

  • If you don't want to leave a trail around the web that leads back to you, Opera, Brave, Tor Browser, Firefox and Epic all have built-in tracker blocking (check that it's turned on; Tor Browser additionally hides your IP address by routing through the Tor network). None of them makes you invisible: whatever you log into, and your browser's fingerprint, can still identify you.
  • On mobile, Opera, DuckDuckGo, Firefox, and Brave are browsers that block trackers.

Web browsers to avoid: Chrome and Edge. They are made by advertising and cloud companies, and when you're signed in, your browsing history, searches and activity are synced to their servers. "Incognito"/private mode only stops the browser saving history on your own device; it does not hide you from the sites you visit, your ISP, or Google and Microsoft if you sign in. If you refuse to uninstall Chrome, at least install these add-ons: uBlock Origin, Disconnect, Ghostery, and Privacy Badger (they run on the Chromium-based Edge too).

ANTIVIRUS

I know you already have an anti-virus, but they're not all created equal. Make sure yours scores well in independent third-party tests such as AV-TEST or AV-Comparatives. (We're currently using Avira.)

FIREWALL

Fingbox is a gadget you plug into your router (it's super simple) that watches your home (or small business) network. Strictly speaking it's a network monitor rather than a firewall: it sits on the LAN, so it can't filter what leaves your network, but it sees every device that joins and can block the ones you don't recognise. Via the mobile and desktop apps you can block unknown devices before they use your network, get open-port and known-vulnerability alerts for your devices, pause internet access for one device or everyone (on demand or on a schedule, like at night), and identify and control everything connected to your Wi-Fi.

ENCRYPTED CLOUD STORAGE & BACKUPS

A common way that hackers make money is ransomware: they break in, encrypt your files, and unless you pay them you lose all your data. That's why you need an encrypted backup that runs automatically (every time you add or change a file, the software notices and backs it up). One caveat: a backup that only mirrors your disk will happily mirror the encrypted files too, overwriting the good copies. What saves you is versioning, a backup that keeps earlier versions of each file (or snapshots) for long enough that you can roll back to the last clean one, so check how long your provider retains old versions before you rely on it.

Use an encrypted app to share files and to back up / sync your computer hard drive and mobile in case you have problems like drive failure, accidental file deletion, computer theft, ransomware, etc. Here are the ones we recommend. They’re cheap, encrypted, easy to use, and absolutely essential.
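The difference between a mirror and a versioned backup under ransomware is easy to simulate. The following is an added example for this page, not code from the article or from any of the products below: the two backup classes are idealised models, the "ransomware" is a constructed in-place overwrite (real ransomware uses a proper cipher, but the effect on the backup is the same), and the files are made up.

```python
import hashlib
import os


class MirrorBackup:
    """Sync-style backup: the cloud copy always equals the local folder."""
    def __init__(self):
        self.files = {}

    def sync(self, local: dict) -> None:
        self.files = dict(local)

    def restore(self, path: str):
        return self.files.get(path)


class VersionedBackup:
    """Keeps every version of every file; nothing is overwritten. A real service
    prunes after a retention period, and that period is the number to check."""
    def __init__(self):
        self.history = {}  # path -> [(version_no, content), ...]

    def sync(self, local: dict, version: int) -> None:
        for path, content in local.items():
            versions = self.history.setdefault(path, [])
            if not versions or versions[-1][1] != content:
                versions.append((version, content))

    def restore(self, path: str, before_version=None):
        """Latest version, or the latest one saved before `before_version`."""
        for version, content in reversed(self.history.get(path, [])):
            if before_version is None or version < before_version:
                return content
        return None


def ransomware_encrypt(local: dict, key: bytes) -> dict:
    """Constructed stand-in for ransomware: overwrite each file in place with
    a keystream derived from the key and the path."""
    locked = {}
    for path, content in local.items():
        stream = hashlib.sha256(key + path.encode()).digest()
        locked[path] = bytes(b ^ stream[i % 32] for i, b in enumerate(content))
    return locked


def scenario() -> dict:
    clean = {"q4.xlsx": b"revenue 1.2M", "notes.txt": b"call Bob"}
    mirror, versioned = MirrorBackup(), VersionedBackup()
    mirror.sync(clean)
    versioned.sync(clean, version=1)

    locked = ransomware_encrypt(clean, os.urandom(16))
    mirror.sync(locked)              # auto-sync dutifully uploads the damage
    versioned.sync(locked, version=2)

    return {
        "mirror_clean": mirror.restore("q4.xlsx") == clean["q4.xlsx"],
        "versioned_latest_clean": versioned.restore("q4.xlsx") == clean["q4.xlsx"],
        "versioned_rollback": versioned.restore("q4.xlsx", before_version=2),
    }
```

Note that the versioned backup's latest copy is just as useless as the mirror's; the recovery comes entirely from being able to ask for the version before the attack, which only works if the provider still had it. Ransomware that sits dormant for weeks before encrypting is precisely an attack on short retention windows.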

  • Sync.com is by far the most popular encrypted file storage solution — for a reason. It is zero-knowledge (so nobody can gain access but you — not even the government or Sync.com employees), cheap, and has features like granular file permissions and collaboration, easy-to-use desktop and mobile file sync apps to make backups simple, etc. The company is based in Canada and has possibly the best customer service I’ve ever encountered. Sync.com is one of the few cloud storage services to maintain zero-knowledge encryption even for shared files. Besides that, Sync.com also has an option for two-factor authentication and incorporates file sharing features to bolster security like passwords, expiry dates and download limits for file links.
  • SpiderOak and Backblaze are backup solutions that sync your computer, and both can be zero-knowledge. The bad news is that they're based in the USA, so US legal process applies. There's debate about whether that matters with zero-knowledge encryption (it largely doesn't, as long as the key really never leaves your device), but it's still important to point out. For Backblaze to be zero-knowledge you need to set a personal encryption key (PEK), and note that to restore you type that key into Backblaze's website, so it is briefly present on their servers during a restore. Both have pretty crappy mobile apps, so I recommend using them just to back up your laptop/desktop computers, and using Sync.com for mobile.
  • JottaCloud is based in Norway, and although they’re not zero-knowledge (so there’s definitely some trust involved), your data is encrypted in transit and they publish a Warrant Canary. Their app interface is gorgeous, and especially good for photo and video backups.
  • If you'd prefer to keep control of your files, use Boxcryptor to encrypt them locally (on your computer) before they go into any cloud folder. It also has Android and iOS apps. Note that encrypting your own files does nothing against ransomware, which will simply encrypt them again; what protects you there is an external, versioned backup.

Avoid any backup or storage service with ties to the USA or that doesn’t employ zero-knowledge encryption.

Using these services should be company policy for businesses that don’t want to give any teenager with minimal hacking skills open access to their emails and files.

Google replacement for business:

If you want to avoid Google-style spying, but don't really care about encryption, then Zoho is your best option. It has all the features of Google Drive, Calendar, Gmail, etc. plus a great CRM, social media management tools (similar to Hootsuite), a password manager, and lots of cool business features. They claim to take privacy more seriously than the big players like Google, Yahoo, Apple, etc. and have at-rest encryption, but since their servers are US-based and they hold the keys (i.e. it's not zero-knowledge), the US government and law enforcement can still gain access without notifying you.

Have you been using Gmail or Chrome?

Here are some important Google privacy settings to tweak:

…and more settings to tinker with:

  • Facebook Ad Profile and Settings (under ‘Your Information’, turn everything off and delete everything, and under ‘Ad Settings’, turn it all off)
  • Linkedin tracking and information / ad sharing settings.
  • Your Online Choices lists tracking companies and allows you to disable the tracking (click on your country, then Ad Choices, then disable all of them)


And if you really can’t get off Google, at least employ Google Advanced Protection to help keep hackers out of your account (but remember: this won’t keep government agencies out!)

Juice Rocket provides cyber security consulting services, in case you need more information.

(Article written by Hilary Rowland, CSO at Juice Rocket.)