I’ve been looking at legitimate email encryption over the course of several months. My whole purpose was to try and find a legitimate encryption tool for small firms. Even though I’m not wildly concerned about encrypted email messages (most people don’t send that many message which demand encryption), I still think that all attorneys should have a viable encryption option if necessary.
I thought I found a solution for Google Apps with a product called Google Apps Message Encryption. Unfortunately, GAME isn’t a viable solution for firms with less than 150 users. Of course, I’ve already discussed Viivo, which I’m quite pleased with, but really only encrypts files, not messages.
As I explored further, I saw several mentions of a product called Virtru.
How Virtru works
Virtru works across platforms, including offering Gmail, Chrome, and Outlook extensions. More importantly, Virtru includes an Android app (there’s an iOS app).
Virtru offers business email encryption for Google Apps (currently in beta).
Virtru is very likeable because it’s very easy to set up and seems to work well at protecting the important information.
Once you’ve activated Virtru with your Google Apps account, you’ll see an encryption switch with every new email you compose.
Simply flick the switch to turn on Virtru encryption.
Virtru separates your email composition screen into non-encrypted and encrypted sections. The non-encrypted section allows you to give a customized introductory message to the recipient.
I’d recommend using the customized intro, especially for less tech savvy users. I sent an encrypted email to Mrs. The Droid Lawyer without telling her, and she freaked out with fear that the message was hazardous.
Virtru also blocks unauthorized users. If you’re not supposed to receive the message, you won’t be able to open the email message.
Android app review: Virtru
The Virtru Android app is just as easy to use. Virtru sets up a link to your Google Apps account and functions similar to Google’s own Gmail app.
Open a new email (or send a reply), then turn on the encryption settings to send the message.
Virtru offers message expiration and forwarding restrictions for both Android and Google Apps encryption.
Depending on the case type, forwarding restriction could be handy to protect against improper prying relatives, friends, or employees.
If you weren’t aware, Google encrypts all information transferred across its servers. This means data is encrypted in transit, but not at rest. A lot of people complain that Google’s not doing enough — data should be protected at rest and in transit so governments don’t have access — but I’m not going to debate that issue.
Similarly, Virtru’s encryption only works in transit, but remains encrypted until the other side uses Virtru’s secure server to view the message. This is obviously the preferred method, but certainly doesn’t fully guarantee that someone can’t read the end data.
Update: Virtru contacted me after the post and gave me the following new insight:
You mention in your article that Virtru encrypts in transit. This is true, but we also encrypt at rest. Emails and drafts are encrypted right on your machine as soon as you start typing.
The email and attachments are fully encrypted while sitting on the SMTP servers of any hop in the chain and are only decrypted in memory to show the user. As soon as they close the app, the key is gone and the email/attachment remains encrypted on the device at rest.
Virtru doesn’t have any of your messages or files — your content will be on your device or in the hands of another provider — so if the government wants to read your files, it can’t get them from us.
The government would need those keys if it wanted to read any encrypted files it does obtain. Without them, the files are useless.
We won’t provide your keys to anyone without your consent — unless we are ordered to divulge them by a judge with jurisdiction over us. If we are ordered to divulge them, we will fight for you to have notice and an opportunity to object.
Virtru doesn’t have access to the content of your emails, files, or other data — it only has the keys. Virtru won’t be able to read your content because it doesn’t have content — and others (including the government) will be unable to read your content because they won’t have the keys.
If we receive a request from the United States government, we will respond by saying that we will not comply with any request other than a court order from a court with jurisdiction over us. We will then notify you that we have received such a request unless we are prohibited by law from doing so, so that you may have an opportunity to defend your rights to keep your data confidential.
Some statutes permit the government to obtain content (such as stored emails) on a lesser showing than probable cause. Virtru believes the Fourth Amendment should and does provide greater protection than these statutes for the content of email, files, and other data — particularly when such data is encrypted — and would argue this position in court in an appropriate case if necessary.
If Virtru received an order for encryption keys under either of these provisions of FISA or under any other legal theory that was not based on individualized court orders, it would vigorously contest it.
Virtru seems concerned about security, and more importantly, notifying its users of government requests for information.
Perhaps an option
If you’re looking for a viable option for encrypting email messages, Virtru is a good option. Best of all, Virtru is free to use, or you can upgrade to the pro (starting at $4/month) package. Overall, Virtru’s getting 4.5 of 5 stars.