GDPR - Email Encryption

This is a complicated topic with grey areas and a lot of confusion. The below is our answer to a question on the topic. Note that we are not lawyers, so you should check with a lawyer if you are unsure, but note that even many lawyers currently aren't sure how GDPR will work.

>  The GDPR legislation says that emails going out should be encrypted.

As far as I can tell, GDPR does not say this. If it did, hardly anyone would be able to send emails ever again!

For example:

https://www.theguardian.com/technology/askjack/2018/mar/29/gdpr-email-data-protection-regulations-secure

https://ion.icaew.com/itcounts/b/weblog/posts/do-i-have-to-encrypt-personal-data-to-comply-with-gdpr

>  Am I right in saying all emails VPOP3 sends out are encrypted?
>
>  If not, what should we do to encrypt emails?

Encryption is a very complicated topic. Don't expect a simple answer.

Emails sent by VPOP3 are encrypted as they are being sent ("session encryption"), as long as the mail server they are sending them to supports encryption and VPOP3's Mail Sender is set to use encryption (the default is that it will if your ISP's server supports encryption).

The mail server that VPOP3 delivers the message to then stores it in an unencrypted form. That server will probably (but not definitely) forward the message using session encryption, as long as the next mail server supports encryption, and that server will again store the message unencrypted. If the message has further to go, the same applies at each hop, until it reaches the recipient, who may or may not download the message using session encryption.

So:
 - your Outlook stores the message unencrypted
 - it possibly sends it to VPOP3 using session encryption, as long as you are using VPOP3 Enterprise, have an SSL certificate installed in your VPOP3, and both VPOP3 and your Outlook are configured to use encryption
 - VPOP3 stores the message unencrypted
 - VPOP3 sends the message to your ISP using session encryption, as long as your VPOP3 is set to do so, and your ISP's mail server supports encryption
 - Your ISP stores the message unencrypted
 - Your ISP sends the message to the recipient's ISP using session encryption, as long as the recipient's ISP supports it (which you have no easy way of knowing, and will be different for different recipients)
 - The recipient's ISP stores the message unencrypted
 - The recipient downloads the message from their ISP using session encryption, as long as the recipient's ISP supports it and the recipient's email software is configured to do so (which you have no easy way of knowing, and will be different for different recipients)
 - The recipient's email client will almost certainly store the message unencrypted

With the above system, the messages are possibly encrypted as they are being transmitted over the wire. That means they cannot be snooped on by someone sniffing unsecured Wi-Fi, for example. However, they are stored in an unencrypted form on all intermediate servers, so the ISPs could view the messages, and if you mistakenly send the message to the wrong person, then that person will be able to read it.

VPOP3 does not do end-to-end encryption. For that you need to use something like PGP (and the recipient needs to use it too). With end-to-end encryption, only the recipient can decrypt the message (even the sender cannot) because it is encrypted using the recipient's public key, and only the matching private key, which the recipient keeps secret, can decrypt it. This is very complicated to set up: for example, you need a secure way to exchange encryption keys between users, and email is not adequate for that, because until you have exchanged keys you are not using encryption, so the key exchange itself could be faked or spied on.

There are also 'secure email' systems which essentially require emails to be uploaded to a web site which only the recipient has the login for. Again, these require the recipient to set up their login separately (you can't send the login details with the email, otherwise if you send it to the wrong person, you are sending the wrong person the login details as well). Also, these require trusting your sensitive information to a third party (the 'secure email website provider') who will be able to access your email data themselves. Even if they store the data encrypted, they must be able to decrypt it themselves, otherwise they would not be able to show the message to the recipient in an unencrypted form.

You could password protect documents before sending them by email, but, again, you need to ensure that the password is transmitted separately - sending that by email as well defeats the whole thing.
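To make the hop list above and the end-to-end / wrong-recipient points concrete, here is an added example (not VPOP3 code, and not from the original answer) that models the chain of mail hops and works out who can read a message: with session encryption only, every store-and-forward party can read it and any unverified link is exposed to a sniffer; with PGP-style end-to-end encryption, only the holder of the private key can. The party names and the `Hop`/`exposure`/`misaddressed` helpers are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass
class Hop:
    src: str             # party handing the message on
    dst: str             # party receiving it on this link
    tls: Optional[bool]  # True/False if you know; None if you have no easy way of knowing

@dataclass
class Exposure:
    readers: Set[str] = field(default_factory=set)      # parties able to read the body
    sniffable: List[str] = field(default_factory=list)  # links a wire sniffer could read
    unknown: List[str] = field(default_factory=list)    # links whose TLS state is unverified

def exposure(chain: List[Hop], e2e_recipient: Optional[str] = None) -> Exposure:
    """Who can read a message travelling along `chain`?  e2e_recipient is the party
    whose public key the body was encrypted to (PGP-style); None = session encryption only."""
    ex = Exposure()
    parties = [chain[0].src] + [h.dst for h in chain]
    for p in parties:
        # Every store-and-forward party holds the message unencrypted at rest, so
        # without end-to-end encryption each of them can read it; with it, only the
        # private-key holder can (the sender included, as the answer above says).
        if e2e_recipient is None or p == e2e_recipient:
            ex.readers.add(p)
    for h in chain:
        link = f"{h.src} -> {h.dst}"
        if h.tls is None:
            ex.unknown.append(link)
        # A link you cannot verify as encrypted is treated as exposed on the wire.
        if e2e_recipient is None and h.tls is not True:
            ex.sniffable.append(link)
    return ex

def misaddressed(chain: List[Hop], wrong_party: str,
                 e2e_recipient: Optional[str] = None) -> Exposure:
    """The 'sent to the wrong person' case: the last hop delivers to `wrong_party`."""
    last = chain[-1]
    return exposure(chain[:-1] + [Hop(last.src, wrong_party, last.tls)], e2e_recipient)

# Constructed sample: the chain described in the answer, seen from the sender's side.
PAGE_CHAIN = [
    Hop("Outlook", "VPOP3", True),             # VPOP3 Enterprise, certificate installed
    Hop("VPOP3", "your ISP", True),            # Mail Sender set to use encryption
    Hop("your ISP", "recipient's ISP", None),  # no easy way of knowing
    Hop("recipient's ISP", "recipient", None),
]
```

Running `exposure(PAGE_CHAIN)` lists every party as a reader and both unverified links as sniffable, while `exposure(PAGE_CHAIN, "recipient")` leaves only the recipient, and a misaddressed end-to-end message leaves nobody who can read it.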

GDPR is about a risk-based approach to security. If you are sending someone an order confirmation or invoice or answering a sales query, then end-to-end encryption is probably over the top, but if you are sending private medical records, then end-to-end encryption is a good idea.