Calls: Send in your ideas. Deadline April 1, 2024

Autocrypt for Thunderbird

Make email encryption extremely simple

Autocrypt is a specification that provides guidance for e-mail clients on how to achieve a seamless user experience. It does so by transparently exchanging keys, almost entirely automating public key management. This reduces the UI to "single click for encryption". The project will create an extension for the Thunderbird e-mail client that brings this experience to its users. The goal is to provide a new extension with a streamlined user experience that requires as little user interaction as possible, without "poweruser" features and performing practical user testing to identify open pain points. The extension will be based on OpenPGP.js, since this can be packaged directly. This will simplify installation and maintenance a great deal.

Why does this actually matter to end users?

Email was designed without privacy or security in mind, which is amazing for such a popular service. When you send an email, anyone that can gain access to your mail server or the mail server of the recipient can read your mail, from top to bottom. And copy it, for later usage. It is often compared to sending a post card, and of course in many cases there may be little harm in others reading what the weather is like in Paris. But what if you want to use email to send something confidential, something you do not want to share with others? Like a love letter, a political rant or an important contract? And what if you can't actually trust the mail man, for instance because the other party is using a free email service known to search through everything? Or what if you don' t like the fact that your writings are stored in a country you have never been, with different laws that may not be compatible with your thoughts about the world? Or what if you live in a country that has an unhealthy interest in bringing down certain political voices, or are part of a cultural minority that is at risk?

Computer specialists have been protecting their email with encryption for decades. This is the equivalent of putting your message very carefully in the blender, pressing the button before anyone else has read your mesage, shredding it up and sending a packet of shreds over to the other end. The amazing thing about cryptography is that you can magically (or rather mathematically) make it possible for your secret love - and not anyone else - to recreate the message from the shreds, and know it was you - and not anyone else - that sent it. For the rest of the world, the message would be meaningless garble pretty much forever.

However, the solution they came up with is not easy for normal people to work with. You need a lot of patience and technical skill to make use of it. Many people have tried, and could not get it to work or gave up because it hindered them. It was in fact too hard to turn it on by default. This means that most people are probably not even aware that it is possible to protect the contents of their email with cryptography. And so, unfortunately, normal citizens and business have been left behind - exposed to people reading their email messages, and (in the absence of other security measures) potentially also receiving fake or manipulated messages.

Autocrypt is a major contribution to make it far more convenient for people to use cryptography with email. It provides a specification for software to do most of the hard work (hence the portmanteau Autocrypt, which comes from Automatically Encrypt), and thus help also normal users protect the privacy and security of their mail. In the project funded by NGI Zero, they will create a plugin for one of the most popular desktop email clients, Thunderbird. The plugin spots whether the other side is 'autocrypt' aware, and if so will start working straightaway to shred up your mail. Don' t worry: the message comes back at the other end, and you will be safe knowing that noone else can read your mail. Obviously, after this, more email clients will need to gain these superpowers!

Run by Confidential Technologies GmbH

Logo NLnet: abstract logo of four people seen from above Logo NGI Zero: letterlogo shaped like a tag

This project was funded through the NGI0 PET Fund, a fund established by NLnet with financial support from the European Commission's Next Generation Internet programme, under the aegis of DG Communications Networks, Content and Technology under grant agreement No 825310.