
Why Email Is Still the Most Important Thing to Encrypt

April 24, 2026 | 8 min read | Haven Team

Signal and Telegram dominate the privacy conversation. Meanwhile, most people's Gmail inbox contains their bank statements, their doctor's notes, their legal agreements, and the password reset link for every account they own. Email isn't glamorous — it's just the root of everything.


There is a reasonable case that email is the worst communication technology in widespread use. It was designed in 1971. It has no native encryption. Spam is a permanent feature, not a bug. The protocol is baroque and the edge cases are numerous. Everyone who works in security has an opinion about it, and the opinion is rarely positive.

None of that changes the fact that email is the root identity of the modern internet. And if your root identity is unencrypted, the chat app you use is an interesting detail.

Email Is Your Identity

Take a moment to consider what your primary email address actually controls. For most people, the list looks roughly like this:

Your email address isn't a communication channel. It's a master key. Whoever controls your inbox controls your digital identity — not just what you say, but who you are online.

A compromised Signal account is a serious problem. A compromised Gmail account is a catastrophe. Within hours, an attacker can reset passwords, drain accounts, change recovery information, and lock you out of everything that matters — all via the inbox that was sitting there, unencrypted, on Google's servers.

The Asymmetry That Chat Apps Ignore

The encrypted messaging industry has focused almost entirely on chat. This makes sense from a product perspective — real-time encrypted messaging is technically interesting, demonstrably useful, and relatively easy to present to users. Signal, WhatsApp, Telegram, and their competitors have collectively convinced hundreds of millions of people to use encrypted chat.

The problem is that these apps exist at the periphery of most people's digital lives. They handle casual communication: plans for the weekend, links, voice messages. The genuinely sensitive material — employment contracts, investment decisions, medical diagnoses, legal disputes — mostly travels over email. And almost none of that email is encrypted.

The apps with the best security are protecting conversations about where to have dinner. The app people actually use for sensitive things — email — has essentially no encryption.

This isn't an argument against encrypted chat. It's an argument that the industry has optimized for the wrong problem. Chat encryption is a solved problem with several excellent implementations. Email encryption remains rare and is often treated as niche or technical — when it's actually the more urgent issue.

Why Nobody Encrypts Their Email (And Why That's Changing)

PGP — Pretty Good Privacy — was invented in 1991 and is the dominant standard for email encryption. For most of its history, actually using PGP required:

This is a reasonable workflow for a cryptographer. It's unreasonable to expect normal people to do it as a prerequisite for private communication. PGP's usability problems aren't theoretical — they directly explain why, 35 years after its invention, essentially no one uses it outside of technical communities.

The key insight behind modern encrypted email services like ProtonMail — and Haven — is that PGP the protocol and PGP the manual key management experience are separable. The cryptographic standard is sound. The user experience built around it was a historical accident, not an inherent requirement.

Haven generates and manages PGP keys automatically. When you create an account, your key is generated on your device and the private key never leaves your control. When you receive an email from another Haven user, it's automatically decrypted. When you send to a non-Haven recipient, you can attach your public key for them to use. The underlying protocol is unchanged — the requirement to understand it is gone.

The Fragmentation Problem

There is a critique of encrypted email that goes: "Signal is better than encrypted email anyway, so who cares?" It's not wrong on the technical merits — Signal's forward secrecy and ephemeral message capabilities are genuinely stronger than PGP email's properties. But it ignores a practical reality that anyone trying to communicate privately has encountered.

You cannot get everyone to use the same chat app. Not your parents, not your lawyer, not the doctor who needs to send you test results, not the accountant handling your taxes. People have been trying to convince their contacts to use Signal since 2013. After over a decade, most people still have the same conversation across four or five different apps depending on who they're talking to — and none of those apps is the one they'd choose if they got to pick for everyone.

Email doesn't have this problem. Everyone has email. It's the one protocol your grandmother, your bank, your employer, and your doctor all share. You don't have to convince anyone to set up an account on a new platform. You just have to send them an email.

Encrypted email reaches people where they already are. That has real value — possibly more practical value than a more technically sophisticated tool that requires recruiting everyone you want to communicate with.

The Email + Chat Combination

The strongest version of private communication isn't email or chat — it's both, unified under a single encrypted identity. Email handles communication with people not yet using encrypted tools, formal records, and the long-tail contacts you can't move to a dedicated app. Chat handles real-time coordination with people who've made the same choice you have.

The problem with the current landscape is that these two modes are separated. You use ProtonMail or Haven for email, then switch to Signal for chat — maintaining two separate identities, two separate key systems, two separate trust models. Every time you move from email to a chat app, you're introducing an identity transition that's invisible to the conversation but carries real security implications.

Haven's design is premised on the idea that your encrypted email identity and your encrypted chat identity should be the same thing. The same key pair, the same account, the same trust model. When you message someone on Haven, you're talking to the same identity you'd send encrypted email to. There's no seam.

Start Where the Risk Is Highest

If you're making decisions about where to spend effort on personal privacy, the order of priority is clear: secure your email first. It's the highest-value target and the most neglected one.

Use a strong, unique password and hardware-backed two-factor authentication on your email account at minimum. Consider moving to an end-to-end encrypted provider. Think carefully about what's sitting in your inbox — documents, financial records, legal agreements — and whether you'd be comfortable with a stranger reading them.

Signal can wait until Monday. Your Gmail account can't.

Encrypted email and chat, under one identity

Haven combines PGP email and MLS chat — one app, one key, zero plaintext on our servers.
