With the increasing reports of ID theft, email hijacking, government surveillance, email providers giving third parties access to users' accounts, and instant messaging platforms being hacked, email and messaging privacy is becoming more important every day.  There have been numerous privacy scandals with large email providers over the past few years, prompting many to look for the best secure email service that respects user privacy.

Also, graphical email clients (e.g., Gmail, Outlook, Thunderbird, Apple Mail) download and display rich content such as photos, PDF documents, audio files, and URL links within the email body, and this content can contain invisible embedded “tracking code” which allows third parties to track your activity through your email address.   The EFF has a great web page that explains this more fully, along with steps to take to help protect your privacy.
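An added example, not from this article or the EFF page it mentions: this Python script scans an HTML email body for the remote content a rich client would fetch on render and flags the likely tracking pixels and tracked links. The sample message and the list of identifier-bearing query parameters are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample HTML body: a logo, a 1x1 beacon, a tracked link, an inline image.
SAMPLE_HTML = """<html><body>
<p>Hi Alice, here is this month's newsletter.</p>
<img src="https://cdn.example.net/logo.png" width="200" height="60">
<img src="https://track.example.net/open?u=alice%40example.org&amp;cid=42" width="1" height="1">
<a href="https://go.example.net/r?uid=8f3a&amp;url=https://example.net/offer">Read more</a>
<img src="cid:inline-image-1" width="300">
</body></html>"""

# Query parameters commonly used to tie a fetch to one recipient (assumed list).
TRACKING_PARAMS = {"u", "uid", "cid", "email", "utm_source", "utm_medium", "utm_campaign"}

def _is_remote(url):
    """Only http(s) URLs cause a network fetch; cid:/data: content is local."""
    return urlparse(url).scheme.lower() in ("http", "https")

def _tracking_params(url):
    """Identifier-style query parameters present in the URL."""
    return set(parse_qs(urlparse(url).query)) & TRACKING_PARAMS

class RemoteContentScanner(HTMLParser):
    """Collects (kind, url) for every remote resource the message would fetch
    when rendered, classifying tiny or identifier-bearing images as beacons."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "img" and _is_remote(a.get("src", "")):
            url = a["src"]
            tiny = a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1")
            kind = "tracking_pixel" if tiny or _tracking_params(url) else "remote_image"
            self.findings.append((kind, url))
        elif tag == "a" and _is_remote(a.get("href", "")) and _tracking_params(a["href"]):
            self.findings.append(("tracked_link", a["href"]))

def scan_html_email(html):
    """Return the list of remote-content findings for one HTML email body."""
    scanner = RemoteContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

if __name__ == "__main__":
    for kind, url in scan_html_email(SAMPLE_HTML):
        print(f"{kind:15} {url}")
```

A client that blocks remote images by default neutralises the first two findings; the tracked link still fires if clicked, which is why the EFF page's advice covers links as well as images.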

And “free” email providers like Gmail are some of the most flagrant violators of your privacy.  Here are just a few examples of how some “free” email services are violating your privacy and selling you out to third parties:

  • Gmail was caught giving third parties full access to user emails.
  • Advertisers are allowed to scan Yahoo and AOL accounts to “identify and segment potential customers by picking up on contextual buying signals, and past purchases”.
  • Declassified documents from the PRISM surveillance program reveal that many large email providers give US surveillance agencies unilateral access to their servers to perform “extensive, in-depth surveillance on live communications and stored information”.
  • Yahoo was also caught scanning emails in real-time for US surveillance agencies in 2016.
  • Facebook’s WhatsApp messenger app was hacked in early 2019 by NSO, an Israeli security company.

If you are using one of these popular “free” email providers, you are likely being sold out to advertisers and surveillance agencies without your consent or the ability to “opt out”.   If you have any concern about how your email privacy may be compromised, I advise you to consider switching to an email provider and email application platform that guarantees your privacy.

1.  Secure messaging apps

Secure messaging apps utilize very strong encryption standards and work well for teams or individual use on various operating systems and devices.  Secure messaging apps are a great alternative to email, which has numerous inherent flaws and vulnerabilities, unless you’re using an encrypted email service such as the ones listed below.  

Signal – At this time (Sept 2019), Signal is rated as the most secure messaging platform available.  Signal uses an open source encryption protocol that is recognized as the most secure messaging app protocol currently in use. Its encryption covers everything most users need – SMS, video and voice calls, group chats, file sharing, disappearing messages, etc. – with a system that helps verify the identity of your contacts. Folks like Edward Snowden and the EFF recommend using Signal to avoid surveillance.  It’s easy to use and works on iOS and Android, making friends and family much more likely to convert.

2.  Private / Encrypted Email

Email is notoriously insecure. Even if you're connecting to your email server over an SSL or TLS connection, there's a good chance that your message can be intercepted on the way to the intended recipient.

Insecure email providers like Gmail, Yahoo, and iCloud are all bad options when it comes to privacy and security. You regularly read about these providers and their users getting hacked, giving third parties access to emails, and/or cooperating with surveillance authorities (PRISM program).

So if you want to send private messages over email, you're going to need to add a layer of encryption.  One way is to incorporate a third-party open source encryption tool such as GnuPG into the email application you already use.  However, GPG-based email encryption tools are not widely used, nor understood by normal users.  So it is unlikely that many of the people you email will know how to implement and use them securely.

GnuPG – When you and your recipient use GnuPG (or equivalent tools), you can easily prevent simple snooping. Of course, it's always possible for vulnerabilities to emerge, but imperfect protection is always better than no protection at all.

However, if you want ease of use with a high degree of privacy, protection, and reliability, subscribe to a commercial encrypted email provider service such as ProtonMail (which is the service that I use). There are several established, reliable service providers capable of providing global secure email capability.  Note that while there are free, secure email service providers available, they often do not include features offered by the premium versions of a service.  So if you value your privacy and can afford it, I recommend a premium subscription.  I have listed below three of the better providers with a brief description of each and links to their websites.  

ProtonMail – ProtonMail was the first in a post-Snowden “new-wave” of webmail services that aim to provide all the functionality of Gmail and its ilk, but which respect users’ privacy and provide full end-to-end encryption (e2ee) for emails.  Swiss-based ProtonMail, founded by scientists from CERN, utilizes strong end-to-end encryption standards for email and stores all messages and attachments encrypted at rest (but not email subject lines).  ProtonMail includes:  the ability to send “self-destructing messages;” Address Verification to ensure public keys received from other users haven’t been tampered with; full PGP support; the ability to send encrypted emails to non-ProtonMail users; Android and iOS mobile apps; ProtonMail Bridge, which allows ProtonMail to integrate with other email clients that support the IMAP and SMTP protocols; the ability to import non-ProtonMail emails into your ProtonMail account; encrypted search; conversation view; multi-user support on mobile devices; encrypted calendar.  ProtonMail also offers the ProtonVPN service, which can be subscribed to separately or included with a ProtonMail subscription.  

Hushmail – Hushmail is a great option for anyone looking to gain access to features similar to ProtonMail's in a service that has been around for nearly twenty years. Based out of Vancouver, Hushmail is an encrypted service, using a password system to both send and receive emails from Hushmail platforms.  Messages sent to other Hushmail users are automatically e2e encrypted.  If your recipient doesn’t have a Hushmail account, you can still send encrypted emails from your account, but you’ll have to turn encryption on manually for that email. Once you’ve sent the encrypted message, non-Hushmail users will receive a prompt in their email, inviting them to a secure web page where they can view your message or documents.  Hushmail uses OpenPGP encryption to protect the contents of the email and SSL/TLS secure connections between computers and the Hushmail servers to access your content.

Tutanota – With over two million users, Tutanota is one of the most popular and regularly recommended secure email services. It uses end-to-end encryption, two-factor authentication, and has an A+ SSL certificate. These factors—plus the fact that it's an externally audited, open source tool—make its security ProtonMail's equal and Posteo's superior.   Like Posteo, Tutanota was one of the world's first services to implement DNS-based Authentication of Named Entities (DANE) in order to secure users against hackers impersonating them or their email recipients.  Because Tutanota uses end-to-end encryption, when you email someone using a service that isn't end-to-end encrypted, like Gmail, the email arrives password protected as an extra layer of security, and the recipient's replies are managed through a one-time-use version of Tutanota that encrypts their response.

3.  Multiple Email Addresses

When you sign up for user accounts across the web, using a different email address for each site is a good way to throw unscrupulous third parties off your trail. If you're merely creating a throwaway account on a whim, consider using disposable email accounts from sites like Mailinator or YopMail. Anybody can access those inboxes, though, so use discretion. If you actually want to maintain legitimate accounts on sites like Facebook or Twitter, you can create numerous free email accounts, and then configure email forwarding to funnel all of the messages into a single inbox. It's a lot of additional work, but it also offers the benefit of being able to easily detect which sites are selling your information to spammers.
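An added example (not from the original article) of the leak detection the last sentence describes, in Python: each site gets its own alias forwarded into one inbox, and any mail that reaches an alias from a domain unrelated to that site is reported. The alias table and the raw messages are constructed; the Delivered-To header is checked because spam sent to a forwarded alias often hides the real recipient behind "undisclosed-recipients".

```python
import email
from email import policy
from email.utils import getaddresses, parseaddr

# Constructed example: one alias per site, all forwarded to a single inbox.
ALIASES = {
    "shop-acme@example.org": "acme-shop.example",
    "social-fb@example.org": "social.example",
    "news-daily@example.org": "news.example",
}

# Constructed raw messages as they would arrive in the collecting inbox.
RAW_MESSAGES = [
    b"From: orders@acme-shop.example\nTo: shop-acme@example.org\n"
    b"Subject: Your receipt\n\nThanks for your order.\n",
    b"From: promo@cheap-pills.example\nTo: shop-acme@example.org\n"
    b"Subject: Limited offer!!!\n\nBuy now.\n",
    b"From: noreply@mail.social.example\nTo: social-fb@example.org\n"
    b"Subject: New login\n\nSomeone signed in.\n",
    b"Delivered-To: news-daily@example.org\nFrom: blast@bulk-mailer.example\n"
    b"To: undisclosed-recipients:;\nSubject: Winner\n\nClaim your prize.\n",
]

def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _from_site(sender_domain, site):
    """True if the sender's domain is the site itself or one of its subdomains."""
    return sender_domain == site or sender_domain.endswith("." + site)

def find_leaks(raw_messages, aliases):
    """Return sorted (alias, site, sender_domain) triples for mail that reached
    a site-specific alias from a domain unrelated to that site."""
    leaks = set()
    for raw in raw_messages:
        msg = email.message_from_bytes(raw, policy=policy.default)
        sender = _domain(parseaddr(str(msg.get("From", "")))[1])
        for header in ("To", "Cc", "Delivered-To"):
            for value in msg.get_all(header, []):
                # One header at a time: a group like "undisclosed-recipients:;"
                # must not discard the addresses parsed from other headers.
                for _, addr in getaddresses([str(value)]):
                    site = aliases.get(addr.lower())
                    if site and sender and not _from_site(sender, site):
                        leaks.add((addr.lower(), site, sender))
    return sorted(leaks)

if __name__ == "__main__":
    for alias, site, sender in find_leaks(RAW_MESSAGES, ALIASES):
        print(f"{alias} (given to {site}) received mail from {sender}")
```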