The Truth About Secure Email Providers
Online privacy is a growing concern for many people, leading some to turn to secure email providers like ProtonMail, Tutanota, or StartMail for protection. These companies claim to offer end-to-end encryption and other security features that protect your emails from being intercepted or read by unauthorized parties. However, the truth is that these services may not be as secure as they claim to be.
How Emails Work
To fully appreciate the limitations of secure email providers, it helps to understand how email works. By default, emails are sent in clear text and can be intercepted and read by anyone with access to the network traffic between the sender and recipient. Even if the email is encrypted while in transit, it may still be vulnerable to interception and decryption by skilled attackers.
To improve email security, it’s recommended to use end-to-end encryption, which ensures that only the intended recipient can read the message. However, this requires both the sender and recipient to use compatible encryption software, which can be difficult for less tech-savvy users. Additionally, end-to-end encryption doesn’t protect against metadata collection, which can reveal important information like the sender and recipient of an email and the time and date it was sent.
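As an added illustration (not part of the original article), the Python sketch below parses a constructed PGP/MIME message the way a relaying mail server sees it: the body is encrypted end to end, yet the sender, recipient, subject and date headers stay readable, and the Received lines show which hops used TLS. The addresses, hostnames and the `exposed_metadata` helper are assumptions made for the example.

```python
from email import message_from_string
from email.utils import parsedate_to_datetime

# RFC 3848 "with" keywords in Received headers that indicate a TLS-protected hop.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

# Constructed sample (made-up hosts, addresses and placeholder ciphertext).
SAMPLE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbound.example.org with ESMTPS id abc123;
\tTue, 04 Mar 2025 09:15:02 +0000
Received: from laptop.example.net (unknown [198.51.100.7])
\tby mx.example.net with ESMTP id def456;
\tTue, 04 Mar 2025 09:15:00 +0000
From: Alice <alice@example.net>
To: Bob <bob@example.org>
Subject: Quarterly numbers
Date: Tue, 04 Mar 2025 09:14:58 +0000
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

def exposed_metadata(raw):
    """Return what stays readable to mail servers even when the body is PGP/MIME encrypted."""
    msg = message_from_string(raw)
    encrypted = (msg.get_content_type() == "multipart/encrypted"
                 and msg.get_param("protocol") == "application/pgp-encrypted")
    hops = []
    for received in msg.get_all("Received", []):  # newest hop is listed first
        words = received.split()
        proto = words[words.index("with") + 1] if "with" in words else "unknown"
        hops.append({"protocol": proto, "tls": proto.upper() in TLS_PROTOCOLS})
    return {
        "body_encrypted": encrypted,
        "visible_headers": {h: msg[h] for h in ("From", "To", "Subject", "Date") if msg[h]},
        "sent_at": parsedate_to_datetime(msg["Date"]),
        "hops": hops,
    }
```

In this sample the first hop (laptop to outgoing server) was not TLS-protected, so the headers crossed that link in clear text even though the body was encrypted.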
Selling User Data
Another issue with secure email providers is the question of who has access to your data. Many providers claim to have a “no-logging” policy, which means they don’t keep records of your activities on their servers. However, some providers may still share your data with third-party organizations like the CIA or NSA.
In fact, in 2020, ProtonMail faced criticism after it was revealed that the company had worked with Swiss authorities to hand over user data in some instances. ProtonMail defended its actions, stating that it only provided information in response to a legally binding order from Swiss authorities. However, the incident raised questions about whether ProtonMail’s claims of being a truly private and secure email provider were accurate. Other email providers like StartMail have also been known to cooperate with law enforcement agencies.
Free Email Providers
Free email providers are web-based email services allowing users to access their email accounts “FREE” of charge. Some of the most popular free email providers include Gmail, Yahoo Mail, Outlook.com, and AOL Mail. They may offer some level of convenience and functionality, but they also have limitations concerning privacy and security.
Free email providers may scan user emails for keywords and use this information to deliver targeted ads. Additionally, these providers may collect data on users’ browsing habits, private correspondence, location, and device information, which could be used for advertising or sold to third-party companies.
While free email providers may be a good option for some users, it’s important to consider the potential trade-offs between convenience and privacy/security when using these services. Users should take steps to protect their data and be mindful of the types of information they share via email.
In several instances, supposedly “secure” email providers have failed to protect their users’ privacy. In 2013, Lavabit, an encrypted email service used by whistleblower Edward Snowden, shut down rather than comply with a government order to hand over its SSL keys. Similarly, in 2018, ProtonMail was criticized for suspending the account of a user who had reportedly made threats against a company, leading some to question whether ProtonMail’s commitment to privacy was genuine.
Another example of a secure email provider failing to live up to its promises is Hushmail. In 2007, Hushmail faced criticism after it was revealed that the company could decrypt users’ emails if presented with a court order. Hushmail has since changed its policies and claims to offer end-to-end encryption, but the incident serves as a reminder that even supposedly secure providers can falter.
False Accusations of Terrorism
One major issue with secure email providers is the potential for false accusations of terrorism. In recent years, there have been numerous cases of individuals being wrongfully labeled as terrorists based solely on their religion, ethnicity, or political beliefs.
- Muslim individuals have been placed on terrorist watchlists despite having no connection to terrorism.
- Climate activists have been accused of terrorism for protesting against pipelines.
- Journalists have been labeled as terrorist sympathizers for reporting on conflicts.
These examples demonstrate how easily the label of “terrorist” can be applied to individuals who aren’t actually engaging in terrorism. The problem is compounded when secure email providers are forced to hand over user data to authorities who may be acting on false information or biased assumptions.
Connections to Intelligence Agencies
Many secure email providers have connections to intelligence agencies and may be more willing to comply with government requests for user data than they let on. For example, Tutanota received funding from the German Federal Office for Information Security (BSI). The BSI has been accused of having close ties to the German intelligence agency, leading some to question whether Tutanota could be forced to hand over user data in certain circumstances.
Similarly, StartMail was acquired by a company called “Cequens,” which has links to the United Arab Emirates’ national intelligence agency. While StartMail maintains that it operates independently and doesn’t share user data with the UAE government, the acquisition has raised concerns about possible government influence over its operations.
If secure email providers aren’t always reliable, then what can you do to protect your online privacy? One option is to use a self-hosted email server. This involves setting up your own email server on your own hardware, which gives you complete control over your data and reduces the risk of third-party access. A good starting point for this is Mail-in-a-Box, an open-source software package for setting up your own mail server.
However, there are drawbacks to using a self-hosted email server. For example, your internet service provider (ISP) may monitor your emails if they aren’t encrypted in transit. Additionally, setting up a self-hosted email server requires technical expertise, which may be beyond the capabilities of many users.
Another alternative to secure email providers is to use a service like Cock.li. Cock.li is known for being unapologetically anti-establishment and resistant to government surveillance. The service is also free, making it an attractive option for users who want privacy but don’t want to pay for it.
While secure email providers may offer some protection for your online privacy, they aren’t always reliable. Providers may be forced to hand over user data to authorities, or their claims of being genuinely private and secure may not be accurate. Users seeking greater privacy should consider alternatives like self-hosted servers or services like Cock.li, but should be aware of the potential drawbacks of these options as well. It’s essential to stay informed about the risks and benefits of different privacy tools and to make decisions based on your specific needs and circumstances.