FAQ: Technical Questions & Answers

Security focus: How does mail metadata protection work?

This is a quick overview for security people. You may prefer an IT administrator's viewpoint.

GoodCrypto protects email metadata in transit by using encryption, mixing, and padding. It follows Ed Snowden's recommendations to resist both network and traffic analysis.

First, each message is encrypted to the recipient using GPG if we have their key. On a regular schedule, GoodCrypto mixes all the individual encrypted messages going from one group to another into a single padded PGP MIME message, encrypted again with the group's GPG key. At the other end, GoodCrypto reverses the process.

Mixing resists traditional network analysis. Bundling and encryption resist social network analysis. The periodic group message is padded to a fixed size. The regular schedule and fixed size resist traffic analysis. One bit is known to leak: that the two groups might be exchanging private email.

Email is well suited to this form of protection because we already expect some delay. Few people notice a half-hour average delay in email. Instant messaging doesn't work with this kind of packetization; it wouldn't be instant. Phone and video calls have the same limitation. Voice or video mail would work well, and could even be routed over email.

The default packet size is 1 MB, enough for an entire book of text. 1 MB per hour adds up to less than 1 GB per month for each group-to-group connection. At server prices, 1 GB usually costs nothing today. Most groups don't write more than a book an hour, but if yours does you can change the defaults.
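The bundling and padding step described above, as an added illustration that is not GoodCrypto's own code. It assumes a hypothetical length-prefixed layout (a count, then each message with a 4-byte length), treats the inputs as already GPG-encrypted per-message ciphertexts, and omits the outer GPG encryption of the bundle; messages that do not fit are deferred to the next scheduled bundle, and an empty schedule slot still yields a full-size bundle so that silence looks the same as traffic.

```python
import os
import struct

BUNDLE_SIZE = 1024 * 1024  # the page's default of 1 MB per scheduled bundle
HEADER = 4                 # u32 message count
FRAME_HDR = 4              # u32 length prefix per message


def bundle(messages, size=BUNDLE_SIZE):
    """Pack encrypted messages into one fixed-size blob (hypothetical layout:
    [count][len][msg]...[random padding]). Returns (blob, deferred), where
    deferred holds the messages that must wait for the next bundle."""
    packed, deferred, body = [], [], b""
    for m in messages:
        frame = struct.pack(">I", len(m)) + m
        if FRAME_HDR + len(m) > size - HEADER:
            # Even an otherwise empty bundle could not carry this message.
            raise ValueError("message exceeds bundle size; raise the default")
        # Keep delivery order: once one message is deferred, defer the rest.
        if deferred or HEADER + len(body) + len(frame) > size:
            deferred.append(m)
        else:
            body += frame
            packed.append(m)
    payload = struct.pack(">I", len(packed)) + body
    # Random padding up to the fixed size: every bundle, even an empty one,
    # is exactly `size` bytes on the wire.
    blob = payload + os.urandom(size - len(payload))
    return blob, deferred


def unbundle(blob, size=BUNDLE_SIZE):
    """Reverse of bundle(): recover the individual encrypted messages."""
    if len(blob) != size:
        raise ValueError("wrong bundle size: truncated or tampered")
    (count,) = struct.unpack(">I", blob[:HEADER])
    pos, out = HEADER, []
    for _ in range(count):
        (n,) = struct.unpack(">I", blob[pos:pos + FRAME_HDR])
        pos += FRAME_HDR
        if pos + n > size:  # a forged count or length cannot read past the blob
            raise ValueError("frame runs past bundle end")
        out.append(blob[pos:pos + n])
        pos += n
    return out
```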

Metadata encryption is an extra GPG layer applied to the bundled messages. This is in addition to the user-to-user GPG encryption already provided by GoodCrypto. The inner layer protects content. The outer layer protects metadata and content.

When SMTP servers use TLS, they provide yet another layer of encryption. Some people believe a single layer is enough. This is called an Eggshell Defense because it is so fragile. Encryption fails over time. We don't know when each layer will fail, but with defense in depth we have a very good chance that at least one layer will survive long enough to fix or replace the others. When a single layer of defense fails, you are completely unprotected. Multiple strong layers make a catastrophic failure very unlikely, so you are much safer.

Individual messages are encrypted and periodically mixed into a single message. The bundled message is padded and encrypted again. This provides very good metadata protection to resist both network and traffic analysis.