A Better email Provider 2019-12-30
Recently a friend was telling me that she has a GMail account and was thinking of finding a better email provider. One that perhaps doesn't try to associate her email account with the web sites she visits or that feeds her ads based on the content of her emails. email privacy is kind of a complicated beast, let's see if we can break it down a bit.
How email works
Imagine for a moment that you want to send me an email. You are sitting at your PC and I am sitting at mine. You open your email client application, type up something funny, and hit send. Then what? Well, the message goes to your mail server. That mail server is managed by the organization that you get your email from (such as Google for example). That mail server then asks "Where is the mail server for the snork.ca domain?". DNS will tell it the answer, and it will pass the message on to my mail server. Then I will open my email client application, which connects to my server, and I'll see your message.
It is important to note that the traffic between you and your email provider is probably encrypted. This should be true whether you use an email client application like Thunderbird or webmail like GMail in your browser. This is because in order to send your message you probably have to authenticate yourself. With webmail you do that when you login and with an email client your name/password typically get sent as part of sending the message. Obviously it makes sense that your password would not be sent clear text, and a side bonus is that your message content is also encrypted as it travels to your mail server in case anyone (perhaps your ISP) wanted to "sniff" your message as it traveled through their network. However, the message itself is not encrypted, and as a result... your email provider can see the content. So can my mail server. On a side note, when the message travels between your mail server and my mail server it may or may not be encrypted. This too is only during transport and the message is still easily read by either mail server. The actual path your message takes may also include other intermediate mail servers (such as virus or spam detection servers) which can also read your message.
TLDR; unless you use encryption software to encrypt your message specifically for the recipient, the mail servers between you and the recipient can easily read your message content.
How to encrypt email content
If you want to encrypt your message so that it is unreadable by the various servers it will go through, then you need to use an end-to-end encryption application such as GPG. The trouble with this system is that it requires both ends of the communication to use the same encryption type. If I use something other than GPG then I won't be able to read your GPG-encrypted message. In fact, the real problem here is that almost nobody uses any kind of encryption software for their email. So you HAVE to send them clear text messages and you are right back where you started. Seriously, I have been trying to get people to use proper email encryption for years and it just doesn't take.
This "I don't know how to use encryption software" stuff is a problem with privacy minded email hosts as well. Some email providers (Proton is an example I have tested in the past) have a solution that still doesn't work. When you send a message with Proton to another Proton user, the message is encrypted and sent to their mailbox. But if you send a message to someone who is NOT using Proton (almost everyone in the world) you can have the message stored encrypted on the Proton web server and a LINK is sent to the user. Your recipient then clicks on the link, may have to enter a password, and can then see the message. This is a mess and people are not going to be interested in clicking links to Proton's web site to keep receiving your messages.
TLDR; people refuse to use message content encryption and clear text messages are inevitable.
So now what?
Since you pretty much have to accept that humans are simply not going to manage their own encryption, the best you can hope for is clear text messages that are less likely to be examined by wankers like Google. Remember though, when you communicate via email with a GMail/Hotmail/Yahoo! user (that's a lot of people) your messages will be sitting in their mailbox too. So to minimize [as best you can] the creepy access to your message content, I'd suggest switching to an email provider that sucks less. I like a lot of what they have to say over at privacytools.io, so I am gonna go through their suggested list and see what I come up with.
To begin with, the list at the privacytool.io link above has a couple of pretty expensive email providers. Since my hope is to persuade some readers to actually switch from free providers lke Google, I am not going to bother testing the ones that are more than $24 annually. Frankly, if you're not willing to pay the cost of one coffee per month for better email privacy, then you're probably not serious enough to dump Google anyways. Now, here is my own table of what I think are important features in an email provider:
Provider | IMAP | POP | Webmail | Space | Base Price |
---|---|---|---|---|---|
Disroot | Yes | Yes | Yes | 1GB | Donation |
Mailbox.org | Yes | Yes | Yes | 2GB | 2€/Month |
Posteo | Yes | Yes | Yes | 2GB | 1€/Month |
Protonmail | Yes | No | Yes | 500MB | Free |
Autistici/Inventati | Yes | Yes | Yes | No Quota | Donation |
Notes
Disroot registrations were temporarily disabled when I tried to sign up so I was unable to test an actual account. I did like the looks of their terms and policies though. The Mailbox.org webmail layout is a little clunky, but I would prefer to use POP anyways. Mailbox.org also has a 30-day free trial that does NOT require a credit card to try out. I think that Mailfence only offers IMAP, POP, and SMTP to paying customers and their lowest tier is 2.50€ per month which is just over my cost limit to be on the list. I may email them to confirm whether or not this is the case. Though Protonmail is free and offers IMAP, I still see the lack of POP access to mail as a significant limitation. POP is great for users who wish to download their mail to get it off the server... you should be backing up your PC [or other device] anyways right? Runbox is just over my $24 per year price limit, but supposedly has a Light Web Interface which doesn't work for me. If you really wanted a light web interface maybe you'd be interested in that one for a couple extra bucks. Tutanota does not offer IMAP or POP which means less control over email for users. The others listed at privacytools.io were expensive enough that I think many GMail users would simply turn away from them. Autistici is not on the privacytols.io web site but is a privacy minded organization I have had an email account with for a few years. I like their policies and attitudes towards corporate stoogery.
Frankly I am tempted to wait and see what Disroot looks like. The other offerings didn't impress the hell out of me and Disroot's donation based fee structure is the most likely to entice GMail/Hotmail/Yahoo! users away. Besides, keeping an eye on their temporary registration lockout will give me an idea of their reliability. To be continued...