Serious security

1. We require a second factor

The foundation of computer security since primordial times has been the user name / password combination. But we’ve known for a long time now that it’s simply not good enough. People have a really hard time with passwords, so they tend to reuse them — even when they know that they’re not supposed to. It’s simply too hard to remember a bunch of strong, secure passwords.

So people end up with the same password on Twitter as they use with their bank as they use with some perhaps slightly more sketchy community site. And then one of those sites invariably gets hacked, and now all those passwords are available on the dark web.

You could have had a great password, but it doesn’t matter if it, along with 300 million other passwords, just got dumped for anyone to exploit. Now that great password will not just unlock the site you first used it on, but also every other site you reused it on. Your internet security is no better than the weakest site where you’ve used the same password.

You can fix part of the problem by using a unique password for every single site, and the only sane way to do that is by using a password manager. We recommend 1Password, but there are lots of choices (Apple now even has one built in). Even so, protecting email with just a password is not enough.

The big step up is two-factor authentication (known as 2FA). That’s when you combine something you know (a password) with something you have (a key, which is often times your phone). This means that even if someone guesses your password, they can’t get into your account. The thief also needs to get ahold of that second factor, the key, which commonly lives on your phone, which itself is typically protected by biometric security (face scanning or fingerprints).

So that’s why HEY requires two-factor authentication for all paying customers. It’s a bit of a hassle to set up, and it comes with the risk that you could lose that “something you have” key, which requires a lengthy, annoying reset process. But given how important the security of your email is, it’s worth the hassle.

HEY uses the industry standard TOTP protocol, which can be used by a slew of second-factor authentication apps. We recommend the Microsoft Authenticator, but you can use 1Password, LastPass, Authy, Google Authenticator, Duo, or any other key generator that supports TOTP. Just make sure you trust the vendor!

On top of this, we also support WebAuthn (the newer U2F approach), which is the next level of security, after TOTP. This is the standard for hardware security keys, like Yubico Keys. That’s not required for HEY, but it’s a nice extra layer for those who really want to lock down.

2. Encryption at-rest, at-work, and in-transit, but not end-to-end

The first thing people often think about when they think about security is encryption. Someone really savvy might have heard about end-to-end encryption, which is the gold standard. That means the service or app can’t ever access the data, because they simply don’t hold the keys to decrypt it. You might have read about the legal stand-off between the FBI and Apple on this very issue.

But email was never designed to be end-to-end encrypted, because with email you don’t get to control what app or service the recipient uses. That’s both the curse and the magic of email. It would take changing thousands of email apps, millions of email servers, and nearly fifty years of inertia and established protocols to support end-to-end encryption in an easy, consistent, and guaranteed manner. As you can imagine, that’s not likely to happen.

That’s why none of the attempts to do end-to-end encryption over email have gotten very far or gained much traction. Either they rely on everyone using the same service/app (good luck converting everyone you email with to use the same setup as you!). Or the emails aren’t really emails, but links to a website where the encryption is then applied. Or you use a clunky external tool to encrypt and decrypt the messages (like PGP). This really only works if you’re willing to give up on email as we commonly understand it. If you absolutely must have end-to-end encrypted email, checkout something like ProtonMail. They have our utmost respect for giving it a go!

But HEY takes a different approach. We accept that end-to-end encryption is not a realistic goal for mainstream email service. This means HEY is not a good avenue for certain forms of high-risk exchanges. If you’re working on human-rights issues in oppressive states, national security matters in any state, or otherwise face extremely sophisticated opponents, or if your life in any way depends on the sanctity of your end-to-end encryption, don’t use email. We highly recommend you look into messaging tools like Signal, but also that you generally educate yourself on operational security.

This is what tradespeople call “threat modeling”. Someone trying to protect their email from your garden-variety scammers and spammers have different needs from those protecting themselves from nation states have different needs from those guarding against abusive spouses. Know your threat, and pick your trade offs accordingly.

With that admission and explanation out of the way, let’s talk about what we actually do encrypt at HEY. Because even if you can’t go end-to-end, encryption still plays a vital role in our approach. That’s why we encrypt data in three ways at HEY: At-rest, at-work, and in-transit.

At-rest encryption means that all our databases, files, and other storages of content have their files encrypted when they’re backed up or otherwise sitting idle. If someone was somehow able to get ahold of a backup of the database, it’d be useless, because they wouldn’t have the key to decrypt it.

At-work encryption means that our main database also deals with encrypted data while it’s working. We’re particularly proud of this bit, as this is not a common approach. It means that every content field in our database is encrypted with its own key, which is then encrypted with a master key. This allows us to introspect, service, and operate HEY without having programmers and administrators inadvertently exposed to private data during the course of their work. They see the metadata connecting everything, so they can resolve bugs, improve performance, and perform maintenance, but they don’t see the content of your emails.

Finally, HEY uses the industry standard TLS encryption when sending email to recipients. Email unfortunately does not have a way to require in-transit encryption, if you want to ensure delivery in all cases. But all the major, modern email services support TLS, so you’re overwhelmingly likely to have your emails encrypted in transit when sending from HEY.

3. Employee access is limited and audited

Even with all this encryption, HEY still technically holds the key to all email, because there’s no end-to-end encryption, as discussed above. That’s the same as it is with any major email service provider, whether it be Google’s Gmail or Microsoft’s Outlook, or anyone else but a tiny, niche set of players who are trying to make end-to-end encryption work.

This means that ultimately someone at HEY could access your data, if they jumped through all the right hoops. Again, that’s the same situation with all email services that don’t use end-to-end encryption. So we tackle this situation head-on at HEY by first locking down access: Only the people who need access to improve or operate the system have access. And when they do their routine maintenance, debugging, or servicing of the system, they’re led through an auditing access path that requires them to state the valid consent or justification for the specific access session.

This access path is then audited by a second group within the company on a weekly basis. They review justifications and logs from all access, and thereby serves as a check and balance on all access. If an employee ever wrongly accesses customer data through this system, they will be caught, and will face penalties ranging from termination to prosecution. In the twenty years we’ve been in business, this has to the best of our knowledge not happened once at our company, but no matter. Relying on trust and good faith alone is insufficient. We lockdown, we audit, we verify.

4. We’ve been audited by external security firms

It’s all well and good for us to detail all the steps we’ve taken to protect the privacy and security of your HEY account. The protocols, the technology, the approach. But how do you know we’ve actually done what we said we’d do, and that we did a good job?

You could just trust us, which would be nice, but you’d be more than forgiven if you didn’t! That’s why we engaged two separate, external security firms to review our application security. We hired Trail of Bits to review our encryption approach, and Doyensec to perform a broad application review. You can check their reports below and the actions we took:

• Trail of Bits report from June 2020 and the actions we took.
• Doyensec report from July 2020 and the actions we took.

We are also committing to scheduling external security audits on a regular basis going forward. Security is never just a checkbox, and a review can’t just be a one-off either.