TL;DR: Absolutely turn on two-factor authentication, but that doesn’t fix an inherently broken protocol.
Do you remember paper interoffice memos? If not, let me help you out. This is a simplification, but one of the major motivations behind the creation of email was to replace interoffice memos. There is no super-secret, for-your-eyes-only envelope around them. It was just totally super exciting that the message about the cover page for the TPS reports could get to all the people in all the branch offices so super super fast. Yay! But people are beautiful and we stole this business protocol and made it our binder clip scorpion to carry office gripes and polenta recipes, forgetting that we knew what it was.
Every email gets rendered from an ugly-looking original source. Remind yourself or learn how to find it in your email client now. What you’ll see is exactly the state the message traveled in all around the internet, open and exposed for all sorts of computers to take a gander. What other computers? To get a clearer view, take the header – the part before the message starts – and pop it into Google’s Message Header Analyzer. Our naked messages bounce around a bunch of strange computers at the speed of light, pooping copies. Oh, and those other computers have crap-tastic security themselves. And the US government doesn’t even need a warrant to read old email. That’s kinda hilarious, ridiculously bad.
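What the `Received` lines in that header record, as an added example that is not part of the original post: each server that handles the message stamps its own line on top, so reading them bottom-up gives the route, and the `with` keyword says whether that one link used TLS. The sample message, its hosts and the `hops` helper are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample message (reserved example domains and documentation
# IP ranges); not taken from a real mailbox.
RAW = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.9])
\tby mailstore.recipient.example with ESMTPS id abc123
\tfor <bob@recipient.example>; Tue, 02 Jan 2018 10:00:07 -0500
Received: from relay.isp.example (relay.isp.example [198.51.100.20])
\tby mx.recipient.example with ESMTP id def456;
\tTue, 02 Jan 2018 10:00:05 -0500
Received: from laptop.local (unknown [192.0.2.44])
\tby relay.isp.example with ESMTPSA id ghi789;
\tTue, 02 Jan 2018 10:00:01 -0500
From: alice@sender.example
To: bob@recipient.example
Subject: TPS report cover page

Please use the new cover page.
"""

HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S | re.I)
TLS_WITH = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}  # RFC 3848 keywords that imply TLS

def hops(raw):
    """Return the relay path, oldest hop first, as a list of dicts."""
    path = []
    # Each server prepends its own Received line, so reverse for travel order.
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP.search(value)
        if not m:
            continue  # Received lines are loosely formatted; skip unparseable ones
        sender, receiver, proto = m.group(1), m.group(2), m.group(3).upper()
        path.append({"from": sender, "by": receiver, "with": proto,
                     "tls": proto in TLS_WITH})
    return path

if __name__ == "__main__":
    for n, h in enumerate(hops(RAW), 1):
        note = "TLS on this link" if h["tls"] else "plaintext on this link"
        print(f"{n}. {h['from']} -> {h['by']} ({h['with']}): {note}")
```

Even a link marked as TLS only protects the message between those two servers; every server on the path still handles the full plaintext, and anything below a server you trust is self-reported by earlier hops.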
I love the poetry of Jonah Brucker-Cohen’s Email Miles response to email’s meandering nakedness. He reacted to the presence of the email header data by creating an odometer that keeps track of the distance emails have traveled. There is a now-broken 2006 project done by a collective calling itself Butterfat that uses a Google Maps mashup to display the path of one message. Imagine what it would mean to engage with email as if every message was a little tiny piece of performance art. You too can choose to be more intrigued than horrified.
I’ll get more into PGP encryption in future posts, but not everyone will have that. Getting an account that can handle encryption the “easy way” by just signing up for something like ProtonMail has its problems. Really the answer to sending a message that needs to be secure isn’t “download this app to fix your email,” it is “don’t use email to send that message.” And that’s the real first step. Withdraw blind trust. The “security is a process, not a product” essay by Bruce Schneier from the year 2000 cannot be read too many times.
I’m not advocating that anyone stop using email altogether, but please do so with a new mindset (and 2FA enabled). Tools match a purpose and we’ve been trying to use tweezers as a sledgehammer. It’s okay. People still love getting postcards. Pick a nice stamp. Go ahead and change your email signature to that pretentious Plato quote or that ASCII hand flipping the bird. It’s for posterity, after all.