[flagged] Email providers – which one to choose? (digdeeper.neocities.org)
58 points by porkbrain on Dec 28, 2020 | 71 comments



I disagree with the author right from the start. It appears the author wants an email service that is anonymous, free, and lets him access it through a VPN. I don't think that makes sense (how does the provider make money?) and I think it's not what 95% of the public needs.

If you rely on your email for vital services you want your email provider to operate like an (idealised) bank - store my private information with respect, and to be able to retrieve email even if my PC or account is stolen, and I am happy to pay for the privilege. Furthermore, handing over real money gives you standing to sue in the court of law if the provider doesn't uphold their side of the bargain. I don't mind providing real ID if it's a trustworthy institution with a real address and a phone number I can dial for customer support.

By contrast if your Gmail is hijacked, there is no-one you can call for help and they can also ban you with no warning for no reason. You have almost no legal recourse on their misbehaviour because they can do anything for any reason and it's free.

I was further surprised to read that the author sees no daylight between free Gmail, Outlook, Outlook Premium with your own domain (paid service), business Office 365, etc. I don't think it's fair to call them all data collectors and the differences between them are not trivial.

I am not claiming the author is misinformed or hasn't done his homework - just that this take is from the perspective of 'internet of anonymity' of 2000's, not 'internet of service I can trust my life with' that we deserve.


> It appears the author wants an email service that is anonymous, free, and lets him access it through a VPN. I don't think that makes sense (how does the provider make money?) and I think it's not what 95% of the public needs.

The author also appears to want an email service that doesn’t store your email or have a spam filter, because they are offended by these parts of FastMail’s privacy policy:

> We process mail sent and received from your account to block spam and fraud.

> We also collect the email content you create, upload, or receive from others

It seems to me that what the author wants does not resemble email, which is why they are so unhappy with so many email providers. Perhaps they would be happier with some form of E2E-encrypted instant messaging. In any case, getting angry at email providers for storing your email seems like a waste of time and energy.


They need to self host.


Doing this with mailcow on a Hetzner VPS for 3 years now (semi-personal). Works flawlessly. Accepted by Gmail and Microsoft365 - and I can pull up the logs and see if a mail was delivered to a mailbox.


This approach would also be unacceptable to the author of the article, as it is not possible to use Hetzner without them storing your personal details. From Hetzner’s privacy policy:

> When you register an account with us, we collect and process certain personal data from you as your registration data. For example, we need your name, address information, telephone number, payment information and your email address to process your order.

https://www.hetzner.com/rechtliches/datenschutz

From the article:

> Name, phone number, address. You're off to a fast start towards privacy hell, FastMail.


Good point. You can still host from your own home - this could work... all depending on the IP score. This is a hit / miss with VPS too though.


Maybe the article would be more clear if the author articulated:

1) What is my use case for email?

2) Who am I emailing with?

3) What are the threats and malicious actors I’m concerned about?

I think this brings up something not addressed... It seems that free SMTP hosting services are incredibly ill-suited to the privacy requirements of the author. Signal or Wire perhaps?


There is no guarantee that your emails remain private in-transit. Email is totally insufficient for sending unencrypted secrets, so it shouldn't be thought safe to store them either. Many email clients will cache your mail unencrypted on your disk as well.

It's actually better that people start to treat their mailboxes as somewhat ephemeral, as communicating that you are you encourages use of things like PGP signatures. And then people can send encrypted email for things that are worth keeping secret.


"Email is totally insufficient for sending unencrypted secrets, so it shouldn't be thought safe to store them either. Many email clients will cache your mail unencrypted on your disk as well."

Suppose myself and the recipient are using x509 certs with Outlook and our laptops have encrypted disks with BitLocker or equivalent - my impression is that it mostly covers the bases, is that unjustified?

"It's actually better that people start to treat their mailboxes as somewhat ephemeral, as communicating that you are you encourages use of things like PGP signatures"

Correct me if I misunderstood you, but I don't think emails should be ephemeral. I currently have several emails from my landlord, the police, etc. that I have to keep for years as evidence in case of a future dispute. While I cannot prove that they are not fake, it's the same for physical letters, yet both are admissible in court as evidence. If I tried to get more reliable proof out of either of them, they might send me a hand-signed letter by post but they'd never figure out PGP.


> Suppose myself and the recipient are using x509 certs with Outlook and our laptops have encrypted disks with BitLocker or equivalent - my impression is that it mostly covers the bases, is that unjustified?

The risk is that someone steals your laptop while you're signed in and then your disk encryption doesn't do squat. There are ways to deal with this, but very few people are actually doing them.

> Correct me if I misunderstood you, but I don't think emails should be ephemeral. I currently have several emails from my landlord, the police, etc. that I have to keep for years as evidence in case of a future dispute. While I cannot prove that they are not fake, it's the same for physical letters, yet both are admissible in court as evidence. If I tried to get more reliable proof out of either of them, they might send me a hand-signed letter by post but they'd never figure out PGP.

You did not misunderstand me, but emails absolutely should be considered ephemeral. Google can kill your Gmail accounts. Providers come and go. Email chain of custody is difficult and in most cases is easily faked.

Email is an absolutely shit system to use for any kind of identity work. And yet we do, at our own peril. Billions have been lost to email fraud.


The question was about transit, though. You could still lock your computer if unattended and require a password for your keys.

With the goal posts having shifted to someone gaining full access to your powered on, unlocked device, we have arrived at XKCD 538.


EMAIL IS NOT END-TO-END ENCRYPTED!

You're offloading all of your risk upstream and basically hoping and praying that your provider or however many relay services in between don't default SMTP sans-TLS. Or that rogue employees don't go reading your shit. You're one misconfigured server from showing your ass all over the internet.

Remember that Google literally uses the contents of your Gmail to market to you. Google being a company with a highly-politicized employee base with lots of motivated engineers & product people looking to "change the world".


> PGP is still fucking awesome and should always be used for any sensitive communication (best case scenario: all for every contact you can get to use it) - in addition to secure providers and all the other stuff we should be doing.

Sorry, I actually live in the real world, not whatever fantasy land the author comes from.


I once had an x509 email cert and I am yet to find a bank/government office/company/another software developer that could use it. PGP is even worse, software support is non-existent, etc.


Most Government departments can support receiving and validating such certs now because they are using Exchange/Outlook, even if they don't know it. The funny part is when they modify emails with "THIS IS AN EXTERNAL SENDER", breaking the cert, and users just click through because they are used to it.


Some open source projects that communicate primarily via email do make use of PGP signatures. Sourcehut has guidelines around how to use them on their lists and the aerc email client supports sending them and has a keyring for validation.


While I won't list them out here, the author takes some, frankly, crazy statements if you read through the whole thing.

In addition, it seems unfortunate that some common sense measures against spam were simply unacceptable to the author. If you want to have a usable email, you have to have basic antispam protection.


I was mostly taken by the author's stance that "storing" a customer's data is somehow unacceptable. This quote was the big one:

"[Quoting Fastmail:] We also store information from your address book, calendar, notes and files on our servers.

[The author writes:] Is there anything you guys don't store?"

Is not the purpose of an e-mail provider to...store e-mail? On their servers? For me to access? I am very confused, and I genuinely mean that. Most of the author's complaints come from storing the data that I have paid them to store and then taking actions on that data in response to what I have asked them to do.


I read that as well and was super confused as to the problem. That's the whole point of hosted email.


Just in the last couple of days I set up Fastmail with a personal domain. At the moment I am more concerned with divorcing myself from Google than I am about privacy. It seems to me self-hosting is the only option if you are concerned about privacy. Using an email hosting service requires trusting that service to do what they claim so by definition none of them are sufficient. Eventually I plan on self-hosting but that's been on the to-do list for years now. One step at a time.


Self-hosting is impractical at this point in time. I had a self-hosted setup for my company, a couple of years ago, with correct DKIM and DMARC and whatever else goes into an email setup, and my emails still ended up in major providers' spam folders.


I've had Fastmail on a personal domain for a couple of years. It's worked great for my needs.

I used to want to self-host it but (IMO) running a secure, reliable email server is just too difficult these days.

My privacy is probably better off with professionals running my email for me.


> I used to want to self-host it but (IMO) running a secure, reliable email server is just too difficult these days.

I disagree. I have been running my own small email server for years on Debian stable without any issues except the initial configuration. Freedombox has a mail server on their roadmap. It automates the configuration. You can even buy a small appliance (Olimex A20) ready to go.


Of course, the tradeoffs would be different for someone else.

For me email is simultaneously important enough I don't want to risk me messing it up and uninteresting enough that I don't want to spend the time really getting it right.

The Freedombox mail server would be just as much of a black box to me as Fastmail except Fastmail comes with an SLA and someone else to fight fires.

For now at least - $100/year to have someone else look after it for me is the right tradeoff for me.


One serious problem is that email, apart from a means of communication, is also a means of authentication. Taking away a person's email address could easily mean that they will have to spend a tremendous amount of time changing it with various parties that have it in their records. At least those of them that can actually accept to talk to you (e.g. your bank or the IRS).

A non-optimal approach would be to actually own the domain name of one's email address and then use one of those providers listed there as the "backend" mailbox, by forwarding the "real" email address to the "backend" mail address. Most domain name providers will actually provide this kind of email forwarding for free. And it would be much much easier to switch between the backends. Or even use two of them simultaneously.


I've owned a domain for 20 years and always had my mail hosted by one of the web hosting companies. I've used a couple hosting providers, but to be honest, I'm not certain how they've handled my mail in terms of privacy. It never seemed "non-optimal" to own the domain. I still think using Gmail or other free services is a bad idea, but I don't generally say it out loud much anymore. People react negatively because they don't want to consider whether the services they depend on are misusing their personal information.


I have read some horror stories from people who have lost control of their domain. Now you have a hostile actor holding it for ransom and able to receive your mail. I really like having full control of my MX record but that's something I keep in the back of my mind. Whenever I think of it I go and top off my registration up to 10 years so I don't have to worry about auto-renew failing.


counter-intuitively, it's better if you didn't renew 10 years at once because you're much more likely to forget after 10 years


Thank you, I meant non-optimal in the sense that using a (possibly free) email provider as a "backend" might mean that the emails are eventually accessible by third parties.

Having your own domain like that mostly shields from the provider locking you out of your email on a whim, but certainly doesn't help much with privacy.


Properly setting the MX DNS record is better than forwarding.


I'm not sure this can work in general. You need some entity to forward and use the proper envelope headers for the mail to go through in the backend.


An SMTP server capable of responding to a forward would also be capable of responding to the original message, and would be accessible via the MX record. The only reason I see to introduce the additional server in the middle would be because the final destination is not always online or otherwise unreliable, and even then only if the forwarding server is more forgiving than typical mail senders.


Email on its own should NOT be used for authentication/validation and collectively we should push to move past it.

Password reset emails are pretty terrible if not combined with something like TOTP.

So push everyone to start using TOTP. For communication that matters, signing keys is better than nothing.

I know PGP isn't that great, but for now we don't have better. Organizations that care about this are pushing on this, but for "general use" we'll probably never get there.


Incidentally, many services are now requiring a cellphone to send some one time password via SMS. Your phone number is something that you actually pay for and can transfer between carriers as you see fit. So in that sense, it's much more predictably controllable and, more importantly, under the legal jurisdiction of your own country.


OTP via SMS is not safe enough for any person/organization who might be targeted by a motivated attacker.

TOTP gives you better control over risk (good hygiene is achievable), whereas depending on SMS is outsourcing your risk management to low-paid carrier employees.


I don't think good hygiene is achievable in practice – some phishing websites are extremely deceiving.

I wouldn't bet on myself, a technically capable professional, being able to distinguish some of them, especially in a planned attack: for example when trying to login to a dashboard after being woken up by a page in the middle of the night, I might not notice a homograph attack.

TOTP is better than SMS, both are better than second factor, but it's a great idea to mandate U2F/WebAuthn if you can.


How does TOTP solve the reset email problem, what do you do if your phone is destroyed/lost/stolen and you don't have TOTP app any more?


That's why you were supposed to back up recovery keys at the beginning and store them somewhere safe.

Like on a piece of paper in a safe. An encrypted database works too.


It's not written for the layman but it's interesting to read about how terrible Proton Mail is for privacy since that's the one most people think about first. The assessment begins with the following and just gets worse.

"SMS is the only option (unless you want to donate, which would reveal your personal information of course); therefore their claim that "ProtonMail does not require any personally identifiable information to register" is a shameless lie. Update: a contact told me that Proton now includes the option to solve a recaptcha (still an evil) for confirmation; however, the option disappears while using a VPN. They must really want that damn phone number if you are using anonymizers! And the claim that you can sign up without personal data is still false."


I never understood this logic - if your email provider is trustworthy, why do you need to hide your identity from them? If they are not, how can you trust them with your emails?

In my mind, email is a utility like telephone and water supply - I don't hide from them, they are meant to keep my identity secure.


If you won’t automatically fight bots, you’ll be a spam house and everyone will blacklist your servers. A blacklisted mail service is not very useful.


They could at least accept Monero as payment so there's a cost to enter without giving away my identity.


Yyyyup. Wish I saw this a few weeks ago when I was choosing a new mail provider to get off Gmail.


I didn’t read the full list, but I found it interesting that the writer noted that some providers store the sending and delivery IPs without acknowledging these are in the email headers. Doesn’t this mean that every provider fails that test, but only some disclosed that?


A related point: for a very long time, Gmail has removed the sender’s IP address from mail headers. If you receive an email in Gmail, you can’t get the sender’s IP address from the headers (or from anywhere in that email).

There are also email providers who, when sending your email out, remove your IP address from the header and substitute it with their own IP address for better privacy.


Think Gmail does the latter. I've seen all my mail pass through servers in California.


I haven’t checked the latter with Gmail, but it certainly does the former. You can verify it by sending an email from an address hosted by another provider to Gmail and checking the headers in the received email in Gmail. The headers will not have your (sender) IP address.
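Added example, not part of the thread: one way to run the header check described in the comment above on a saved message, by listing every IP literal in the `Received` and `X-Originating-IP` headers and reporting which headers carry a given client address. Both sample messages are constructed, with hypothetical hostnames and documentation-range addresses; only bracketed IP literals are considered.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample: hostnames are hypothetical, addresses come from the
# documentation ranges. The newest Received header is listed first.
RAW_WITH_CLIENT_IP = (
    "Received: from smtp.sender.example (smtp.sender.example [203.0.113.25])\n"
    "\tby mx.recipient.example with ESMTPS id abc123;\n"
    "\tMon, 28 Dec 2020 10:00:03 +0000\n"
    "Received: from [198.51.100.7] (client.isp.example [198.51.100.7])\n"
    "\tby smtp.sender.example with ESMTPSA id def456;\n"
    "\tMon, 28 Dec 2020 10:00:01 +0000\n"
    "X-Originating-IP: [198.51.100.7]\n"
    "From: alice@sender.example\n"
    "To: bob@recipient.example\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

# Constructed sample: the same message as it would look if the sending
# provider left out the client submission hop and X-Originating-IP.
RAW_SCRUBBED = (
    "Received: from smtp.sender.example (smtp.sender.example [203.0.113.25])\n"
    "\tby mx.recipient.example with ESMTPS id abc123;\n"
    "\tMon, 28 Dec 2020 10:00:03 +0000\n"
    "From: alice@sender.example\n"
    "To: bob@recipient.example\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

# Headers that commonly carry hop or client addresses.
IP_HEADERS = ("Received", "X-Originating-IP")

# Bracketed address literal, with the optional "IPv6:" tag used in SMTP.
BRACKETED = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", re.IGNORECASE)


def header_ips(raw):
    """Return (header name, normalized IP) pairs in header order."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    for name in IP_HEADERS:
        for value in msg.get_all(name, []):
            for token in BRACKETED.findall(str(value)):
                try:
                    ip = ipaddress.ip_address(token)
                except ValueError:
                    continue  # bracketed text that is not an address
                found.append((name, str(ip)))
    return found


def headers_exposing(raw, client_ip):
    """Return the sorted header names in which client_ip appears."""
    target = str(ipaddress.ip_address(client_ip))
    return sorted({name for name, ip in header_ips(raw) if ip == target})


if __name__ == "__main__":
    for label, raw in (("with client hop", RAW_WITH_CLIENT_IP),
                       ("scrubbed", RAW_SCRUBBED)):
        print(label, headers_exposing(raw, "198.51.100.7"))
```
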


Do they have to be in the headers? If they're in the headers normally, do they have to be saved by the email provider?

Additionally, it seems that many of these providers will delete messages entirely when downloaded through IMAP and SMTP.


The provider has to save the headers to forward them to you; if it doesn't then it's altering your emails.

I've never heard of providers deleting messages upon being accessed through IMAP. Are you thinking of POP3?


The anger in this post is pretty palpable.

The author wants an email service that doesn’t do any of the things the service needs to operate?


Ok so free email not only needs to have no ad or data monetization but also no analytics. That’s possible although I’m not actually sure you want to use a third party email service with no analytics since that means it will be hard for them to understand bugs and things of that nature.

To me the requirement to not allow Tor or VPN with Captcha is just completely insane. So you’re expecting a free email service to have no monetization but also allow you to infinitely abuse its free services? Just host your own email rather than calling providers shit because they don’t allow unlimited abuse of their free email accounts (which can get them blacklisted).

I do think it’s somewhat reasonable to expect Protonmail to be able to support a pro-privacy payment method like Monero to allow a “truly anonymous” sign up that at least costs money to prevent rampant spamming but at that point things are getting into “who cares” territory, as in, the company behind Protonmail doesn’t give enough of a shit about the 48 users who would love to use the service if only they supported account creation via Tor and Monero to justify spending engineering or even legal time on making that work.


This should really mention Mailvelope for those that insist on doing webmail. Only does inline PGP but that is the best you can do with a browser plugin.

The guts of Mailvelope actually come from Protonmail (OpenPGP.js).


I like/even prefer straight HTML pages, but this is one of the ugliest sites I've seen in a long time.


Reading this list matches my personal search history pretty well, which is to say, it’s hard to find a good email provider.

I would have been interested to see an analysis of Apple’s iCloud email offering. Perhaps that’s not mentioned because it’s not popular enough?


FWIW I’ve been using Apple’s email since the .Mac days (13 years) and it’s been completely reliable. You really need to use the native apps though, the web interface isn’t very good.


My guess is that Apple would be placed into the same basket with Google.


Very nice and detailed analysis.

I don't see Zoho Mail on that list though, they seem to be a popular email provider for businesses that don't want to go the usual Google/Microsoft route.


Having used Zoho, the best thing I can say about their service is that it's not Gmail. It's a very mediocre offering. Most email is but they have an all-in-one service that's entirely "meh."


What do you mean by meh? What are you missing specifically?


The navigation was difficult, configuration and user management was a complicated mess, the service desk was slow and difficult to use, etc. So, by "meh," what I really mean is "No compelling differentiators and not well organized, making it an entirely unremarkable offering."


After being on Zoho for over five years, I recently migrated to Outlook 365. O365 is much better, in my experience.


You could always roll your own, works great for my personal domain. I do use a third-party provider for spam filtering, I did have to find someone I trust.


Reading through this, I’m ready for a spoiler. It says a few acceptable services exist. Which ones passed the author’s litmus test?


The summary is linked right at the top of the post.

Riseup and Disroot are the top choices, followed by Elude, Posteo and Countermail.


Adding https://www.migadu.com/privacy/ to the list (migrated after trying to use Tutanota and Protonmail for a short while but they did not fit into my workflow). Full GDPR compliance and:

> Beyond technical requirements for establishing a working session on our website and webmail, we do not use cookies or any form of tracking.

> We do not collect data for the purpose of user behavior and do not integrate any website analytics.

The only 2 parties they give data to are Stripe or Paypal.


Seconded. Have been using them for dozens of domains (through work) for 2-3 years now and have zero complaints.


How's the delivery rate?


Never had a problem with large providers (YMMV, my domain is 5y+ and I have forwarding from Gmail set up) but had occasional greylisting issues with large enterprise systems (but I had the same with my work email account so that's nothing out of ordinary).


The downvotes gonna rain but I laughed out loud at cock mail


If you know no one wants to see it, why do you post it anyway? You might also consider sharing this bit with other circles, such as social media.


we're a minority, but some of us on hn do appreciate humor.



