An illustration of an envelope protected by a padlock for an article on encrypted mail.

A year ago Google agreed to stop scanning the emails in Gmail users’ inboxes for info that could be useful in targeting ads. But a recent report in the Wall Street Journal reveals that consumers still have good reason to want to boost the privacy of their email accounts.  

According to the Wall Street Journal article, hundreds of outside software developers have continued to routinely access the inboxes of millions of Gmail users who signed up for email-based services that provide price comparisons, travel planning tools, and other benefits.

More on Protecting Your Privacy

“There are lots of services that want to connect to your Google ecosystem,” says Robert Richter, program manager for privacy and security testing at Consumer Reports. While there’s no indication that Google or the developers abused their access to consumers’ emails, he says, consumers should still be cautious about what they share with online services. “If an outside party asks you to connect to your email, think about who they are and the service they’re giving you before saying yes.”

In its policy guidelines, Google requires developers to request permission before collecting personal information and to clearly disclose how that data is used. “There should be no surprises for Google users: hidden features, services, or actions that are inconsistent with the marketed purpose of your application may lead Google to suspend your ability to access Google API services,” the company states. (APIs, or application program interfaces, allow outside developers to integrate Google tools and data with their own products.)

If you’d like to see which apps are linked to your Gmail account, you can use Google’s Security Checkup tool.

Like many consumers, you may wish to continue using such apps without worrying too much about the privacy of each communication. But sometimes you may want to convey truly sensitive information. And you can do that by using encryption tools, which scramble your messages so that they can be read only by the intended recipient.

Setting up encryption used to be a complicated process, but that has changed. “It’s gotten so much easier in the last few years,” says Gabriella Coleman, the Wolfe Chair in Scientific and Technological Literacy at McGill University in Montreal. “It’s pretty unbelievable.”

Here are three of the most convenient and effective tools available.

  • Virtru is a service that encrypts Gmail messages sent using the Chrome browser. It’s used mainly for business communications, but there’s also a free version for individuals. Once you download the company’s Chrome browser extension, you have the option of encrypting any email before you send it. That slows the process, though, so you’ll probably want to do it only if you’re sending tax, medical, or other sensitive information. Recipients don’t need to have the extension to open the email; they just click on a button in the message, which leads them through a brief series of steps. 
  • ProtonMail is a dedicated email service that offers encrypted email by way of Android, iOS, and web apps. The basic service is free, but you’re limited to 150 messages per day. Premium tiers, which start at a little more than $5 per month, progressively increase the number of messages you can send. You can also set emails to expire after a certain amount of time—when the time is up, the message will be deleted from the recipient’s inbox. Consumers may want to keep their old email account through Google or another mainstream provider and add a ProtonMail account just for sensitive communications.
  • Signal isn’t an email plug-in like Virtru or an encrypted email provider like ProtonMail. Instead, it’s an encrypted text messaging service for use with mobile devices. We’re including it because it’s a favorite of privacy experts, and some people may find it the simplest tool for secure communications. “Honestly, anyone who wants to have an encrypted conversation should use the secure messaging program Signal,” says Bruce Schneier, a cryptographer and computer security expert. “And if they’re living under a government where having Signal on your phone is in itself incriminating, they should use WhatsApp,” a more mainstream encrypted messaging service. You can configure Signal so that messages are automatically deleted after they’ve been read.