How secure is gmail?
June 5, 2013 4:36 AM
I'm communicating with a Saudi student of mine on some Islam-sensitive issues. How likely is it that the KSA will be reading his gmail?
I'm aware that encryption is an option, but is it possible to encrypt and to plausibly preserve academic formatting?
Help an idiot understand. Use small words.
This post was deleted for the following reason: Poster request -- taz
(although that doesn't mean that they don't have spyware or keyloggers on his computer)
posted by empath at 4:56 AM on June 5, 2013
Given that our own government is suspected of having the ability to read any email they want, I would assume that the Saudis, who are even less concerned about stuff like civil rights and personal privacy, also have the ability.
posted by COD at 5:23 AM on June 5, 2013
Isn't the trick here to not send e-mails to each other, but to share an e-mail account and leave drafts on the server for each other?
posted by three blind mice at 5:26 AM on June 5, 2013 [1 favorite]
Gmail uses https (encryption) by default
That only encrypts the connection between the user and Google's servers, preventing the login credentials from being stolen (assuming no MITM attack). The email itself is stored unencrypted and I assume Google will reveal its contents if asked by governments/law enforcement. HTTPS by itself will not keep the student safe:
There are two levels of security that protect against such e-mail interception. The first one is making sure the connection to your e-mail server is secured by an encryption mechanism. The second is by encrypting the message itself, to prevent anyone other than the recipient from understanding the content.
is it possible to encrypt and to plausibly preserve academic formatting?
Yes, encryption is completely reversible; if you encrypt a PDF file or ZIP archive you'll get the exact same file on decryption. Be sure to digitally sign it as well so the recipient can be sure the file really came from you and was not modified during transit.
Help an idiot understand
You necessarily have to understand public key cryptography basics if you want to be reasonably secure, and that will require some reading. There are lots of OpenPGP tutorials online, here's a couple but other MeFites may have better suggestions.
posted by Bangaioh at 5:26 AM on June 5, 2013
is it possible to encrypt and to plausibly preserve academic formatting?
I do not see why not. I am old enough to remember PGP keys being part and parcel of Usenet .sig files. I recommend using a public key encryption such as PGP.
posted by Tanizaki at 5:27 AM on June 5, 2013
Email is sent unencrypted from email server to email server. Even if you use HTTPS to send your message to Google, Google is liable to bounce it around in plain (unencrypted) text. Don't trust it. In addition, Google would probably cave if it were presented with a warrant or local equivalent.
If you encrypt something with GPG, it's going to be obvious that it is encrypted.
posted by wayland at 5:47 AM on June 5, 2013 [1 favorite]
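An illustration of the comment above that GPG output is recognizable as encrypted, added here and not part of the original thread: a minimal reader for the OpenPGP packet headers (RFC 4880) that lists what is visible without any key. The function names and the `SAMPLE` message are constructed for this example; the sample holds placeholder bytes, not real ciphertext.

```python
import base64

TAGS = {1: "public-key encrypted session key", 3: "passphrase-encrypted session key",
        9: "encrypted data", 18: "encrypted, integrity-protected data"}

def strip_armor(text):
    """Return the binary payload of an ASCII-armored OpenPGP message."""
    lines = text.strip().splitlines()
    if not lines[0].startswith("-----BEGIN PGP "):
        raise ValueError("no OpenPGP armor header")
    body = lines[lines.index("") + 1:-1]        # skip armor headers and END line
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))

def read_packet(data, pos):
    """Parse one packet header (RFC 4880, section 4.2): (tag, body, next_pos)."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet")
    if first & 0x40:                            # new-format header
        tag, l0 = first & 0x3F, data[pos + 1]
        if l0 < 192:
            length, hdr = l0, 2
        elif l0 < 224:
            length, hdr = ((l0 - 192) << 8) + data[pos + 2] + 192, 3
        else:
            raise ValueError("partial and 5-octet lengths are not handled here")
    else:                                       # old-format header
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate lengths are not handled here")
        n = 1 << ltype
        length, hdr = int.from_bytes(data[pos + 1:pos + 1 + n], "big"), 1 + n
    return tag, data[pos + hdr:pos + hdr + length], pos + hdr + length

def describe(armored):
    """List what an observer learns from the message without any key."""
    data, pos, seen = strip_armor(armored), 0, []
    while pos < len(data):
        tag, body, pos = read_packet(data, pos)
        info = TAGS.get(tag, "packet tag %d" % tag)
        if tag == 1 and body[:1] == b"\x03":    # v3 PKESK carries the key ID in clear
            info += " for key ID " + body[1:9].hex().upper()
        seen.append(info)
    return seen

# Constructed sample: old-format tag 1 packet plus new-format tag 18 packet (placeholder bytes).
pkesk = b"\x03" + bytes.fromhex("0123456789ABCDEF") + b"\x01\x00\x08\xAA"
_raw = bytes([0x84, len(pkesk)]) + pkesk + bytes([0xD2, 21, 1]) + b"\x55" * 20
SAMPLE = "-----BEGIN PGP MESSAGE-----\n\n%s\n-----END PGP MESSAGE-----" % base64.b64encode(_raw).decode()
```

Besides the armor line itself, the first packet names the recipient's key ID in the clear, so the message reveals who it is encrypted to as well as the fact that it is encrypted.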
The problem with the convenience of using gmail for email is that you are outsourcing administration of the service to a third party. That means that a legal request by the Saudi government for access to the student's account is likely to be honored.
Running your own mail server (and giving both of you accounts on it) means that e-mail never transits from one mail server to another in cleartext. Using SSL for all your communications to the mail server can secure your mail from casual snooping. Using SSL with the right server/client configuration can be extremely secure. The SSL problem is mainly one of governments being able to obtain wildcard SSL certs, but at that level of interest, there are lots of attack vectors.
Sadly, running your own secure mail server is somewhat more difficult than it ought to be. I suspect that it may become more popular if the US sees stuff like CALEA-II pop up.
posted by jgreco at 5:48 AM on June 5, 2013 [1 favorite]
This thread is closed to new comments.
posted by empath at 4:55 AM on June 5, 2013