E-mail Encryption Instructions

As a psychologist, Dr. Sturgeon Freitas follows professional standards that require her to keep patient information confidential. In addition to these standards, she is also subject to the federal government's HIPAA laws. Among other things, these laws require that any protected health information she sends over a public network (like the Internet) be encrypted so it cannot be read in transit by third parties. Any information revealed in confidence as part of a session with Dr. Sturgeon Freitas is covered by these rules in addition to her professional obligation to ensure confidentiality.

E-mail exchanges are generally not encrypted by default. Third parties like Internet service providers and free e-mail hosting companies (e.g. Yahoo!, Google, Hotmail, etc.) can and do read e-mails in transit routinely. Mostly what this means is that machines scan users' e-mails looking for keywords, and the results of these scans are used for targeting advertising at the users of the e-mail accounts. There are, however, no guarantees that human beings aren't reading e-mails for other purposes, and even targeted advertising can inadvertently imply confidential information.

What this means for Dr. Sturgeon Freitas' patients is that e-mail exchanges with her are governed by federal laws that make them difficult to conduct. In most situations, she is forbidden by law from discussing confidential information in an e-mail exchange. If you try to discuss your treatment with Dr. Sturgeon Freitas via e-mail and she says she is unable to respond without encryption, please understand that she is simply complying with federal law for your own protection.

With that said, it is possible to set up encryption in e-mail to allow for e-mail exchanges that comply with federal law and professional standards. Setting up these tools can be tricky, but once they are in place encrypted e-mail exchanges can be as easy to conduct as unencrypted ones.

Here are instructions for using Mozilla Thunderbird as an e-mail client for encrypted e-mail on a Windows-based computer. All of the software required for this procedure (except for Windows, of course) is free of cost. These instructions can be modified for other operating systems as well, as all the required tools are available on other operating systems like Apple's OS X and the many Linux distributions. Please note that other tools can be used instead, including Microsoft's Outlook, but their installation and configuration is outside the scope of this document.

These instructions require an e-mail account that can be accessed through a traditional mail client. Many popular free e-mail hosting sites, like Yahoo! Mail, do not allow standard e-mail clients to access their services. Google's free e-mail service, Gmail, does allow standard e-mail clients and does work with Thunderbird. You can also use a Firefox browser extension to use encryption in Gmail through the web interface. If your e-mail account won't work with encryption, you might want to open a Gmail account before proceeding.

Installing Mozilla Thunderbird with Encryption

Installing Mozilla Thunderbird

  1. Go to the Mozilla Thunderbird web page. Click on the Download link and follow the instructions to install the Thunderbird e-mail client.
  2. Open Thunderbird. On the import wizard, select "Don't import anything" and click Next.
  3. In the Mail Account Setup dialog, enter your name, e-mail address and (if you like) password, then choose Continue.
  4. Thunderbird will attempt to configure itself for your e-mail servers based on your e-mail address. (It can automatically configure itself for Gmail.) If you don't see "Thunderbird has found the settings for your email account", click Manual Setup and make changes as needed. When your configuration is correct, choose Create Account.

Verify that Thunderbird is working correctly with your e-mail account before proceeding to the next step.

Installing GNU Privacy Guard

Go to the download page for GNU Privacy Guard (GPG), an implementation of OpenPGP that actually does the work of encrypting and decrypting your e-mails. Find the link for downloading the Windows installer and click it. Once the installer is downloaded, run it with all the default options.

Installing the Enigmail Extension for Thunderbird

  1. Restart Thunderbird if necessary.
  2. Choose the Tools menu bar item, then select Add-ons.
  3. Choose Enigmail in the list of recommended add-ons, then click the Add to Thunderbird button.
  4. Click Install Now.
  5. Click the Restart Thunderbird button.
  6. In the restarted Thunderbird client, choose the OpenPGP menu, then select Setup Wizard.
  7. Choose Next to use the setup wizard.
  8. Select No to prevent Thunderbird from signing all of your outgoing mail, then click the Next button.
  9. Choose Next twice to accept some default options.
  10. Thunderbird will now create a key so that you can accept encrypted e-mail from others. You will need a password to decrypt their e-mails. Enter a password you can easily remember, then enter it a second time to confirm it, and choose Next. If necessary, write down this password. If you lose it, you will lose the ability to decrypt your encrypted e-mails.
  11. Choose Next on the summary screen. When the key generation process is completed, you may generate a revocation certificate (used to invalidate your key in case someone else gains control of your key) if you like.
  12. Choose Next, then Finish to complete the setup process.

Sending Encrypted E-mail

If you want to e-mail Dr. Sturgeon Freitas anything you would want kept confidential, you are strongly advised to use e-mail encryption. Follow these instructions to write her securely. It is assumed you have Thunderbird installed and configured as described above.

  1. Write Dr. Sturgeon Freitas an e-mail using this form requesting that she send you her public key, which you will use to write to her in a way that only she can read. Be sure to include your e-mail address.
  2. Dr. Sturgeon Freitas will send you her public key in an e-mail. In Thunderbird, right-click on the key attachment (which has the file extension .asc) and choose Import OpenPGP Key. When the confirmation dialog appears, click OK.
  3. Write your message to Dr. Sturgeon Freitas. Before sending it, click the key icon in the lower right corner of the editor window to specify that you want the e-mail encrypted.
  4. Click the Send icon to send the message. Warnings may appear if your message contains any HTML formatting. If you are concerned about them, follow the instructions included in the warning.

Receiving Encrypted E-mail

Dr. Sturgeon Freitas can send you encrypted e-mails, but only if she has your public key. Follow these instructions to send your public key to her.

  1. Write Dr. Sturgeon Freitas an e-mail using this form letting her know that you want to send her your public key, which she will use to write to you in a way that only you can read. Be sure to include your e-mail address. (You might want to request her public key as described above so you can communicate what you want with her securely.)
  2. When you receive a response, write to her at the e-mail address on the message. Before you send the message, click on the OpenPGP menu and select Attach My Public Key.
  3. Dr. Sturgeon Freitas will talk to you by telephone or in person to verify that the request for confidential communications did in fact come from you. She may request additional information about your request at this time if necessary.
  4. Once she has verified your e-mail address and key, Dr. Sturgeon Freitas will reply to your e-mail using the public key you provided. Your e-mail client will ask you for your password before displaying the message. Type it in when prompted to decrypt the message.
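The exchange the Enigmail wizard and the two procedures above carry out (key generation protected by a password, swapping public keys only, the telephone check of the key, and an encrypted message only the recipient can open), shown as an added example with the gpg command line rather than the Thunderbird menus; it is not part of these instructions. It assumes GnuPG 2.1 or later is installed; the two keyrings, names, addresses and passphrases are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original instructions: the OpenPGP exchange that
# the Thunderbird/Enigmail steps perform, done with the gpg command line so each
# step is visible. Two throw-away keyrings stand in for the patient and the
# doctor; every name, address and passphrase here is constructed for the demo.
set -eu
WORK=$(mktemp -d); PATIENT="$WORK/patient"; DOCTOR="$WORK/doctor"
mkdir -m 700 "$PATIENT" "$DOCTOR"
cleanup() { for h in "$PATIENT" "$DOCTOR"; do gpgconf --homedir "$h" --kill gpg-agent || true; done; rm -rf "$WORK"; }
trap cleanup EXIT

gen_key() {  # $1 homedir, $2 user id, $3 passphrase (the "password" of wizard step 10)
  gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase "$3" \
      --quick-generate-key "$2" default default never
}
fingerprint() {  # $1 homedir, $2 address: the fingerprint that keyring holds for it
  gpg --homedir "$1" --batch --with-colons --with-fingerprint --list-keys "$2" \
      | awk -F: '$1=="fpr"{print $10; exit}'
}
mark_verified() {  # $1 homedir, $2 passphrase, $3 fingerprint confirmed by phone or in person
  gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase "$2" --quick-lsign-key "$3"
}
encrypt_to() {  # $1 sender homedir, $2 recipient address, $3 plaintext file, $4 output .asc
  gpg --homedir "$1" --batch --quiet --armor --recipient "$2" --output "$4" --encrypt "$3"
}
decrypt_with() {  # $1 homedir, $2 passphrase, $3 ciphertext file: prints the plaintext
  gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase "$2" --decrypt "$3"
}
can_read() {  # $1 homedir, $2 passphrase, $3 ciphertext file: "yes" or "no"
  if decrypt_with "$1" "$2" "$3" >/dev/null 2>&1; then echo yes; else echo no; fi
}

gen_key "$PATIENT" "Patient Example <patient@example.com>" patient-pass
gen_key "$DOCTOR"  "Dr Example <doctor@example.com>"       doctor-pass
# Only PUBLIC keys travel by e-mail (the .asc attachment); secret keys stay in each keyring.
gpg --homedir "$DOCTOR"  --batch --quiet --armor --export doctor@example.com  > "$WORK/doctor.asc"
gpg --homedir "$PATIENT" --batch --quiet --armor --export patient@example.com > "$WORK/patient.asc"
gpg --homedir "$PATIENT" --batch --quiet --import "$WORK/doctor.asc"
gpg --homedir "$DOCTOR"  --batch --quiet --import "$WORK/patient.asc"
# The out-of-band check: compare the imported fingerprint with the owner's own, then mark the
# key verified; gpg warns about (and in batch mode refuses) encryption to an unverified key.
[ "$(fingerprint "$PATIENT" doctor@example.com)" = "$(fingerprint "$DOCTOR" doctor@example.com)" ]
mark_verified "$PATIENT" patient-pass "$(fingerprint "$DOCTOR" doctor@example.com)"
printf 'Constructed sample message.\n' > "$WORK/msg.txt"
encrypt_to "$PATIENT" doctor@example.com "$WORK/msg.txt" "$WORK/msg.asc"
# Only the doctor's secret key opens it; the sender's own copy stays unreadable unless the
# mail client also encrypts to the sender's key (gpg's --encrypt-to option).
echo "doctor can read: $(can_read "$DOCTOR" doctor-pass "$WORK/msg.asc")"
echo "patient can read: $(can_read "$PATIENT" patient-pass "$WORK/msg.asc")"
```

The patient's keyring cannot open the message it just sent, which is why mail clients add the sender's own key as a recipient so the copy in the Sent folder remains readable.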