[dropcap]W[/dropcap]e talk a lot about privacy and anonymity at TOWR, and for good reason. Today we’ll look at the criteria for a solid email service, and list seven secure email services that meet that criteria. If you’re still of the opinion that you “have nothing to hide” and don’t care if the government or hackers look at your emails or accounts, then you should consider Glenn Greenwald’s advice:
Over the last 16 months, as I’ve debated this issue around the world, every single time somebody has said to me, “I don’t really worry about invasions of privacy because I don’t have anything to hide.” I always say the same thing to them. I get out a pen, I write down my email address. I say, “Here’s my email address. What I want you to do when you get home is email me the passwords to all of your email accounts, not just the nice, respectable work one in your name, but all of them, because I want to be able to just troll through what it is you’re doing online, read what I want to read and publish whatever I find interesting. After all, if you’re not a bad person, if you’re doing nothing wrong, you should have nothing to hide.” Not a single person has taken me up on that offer.
(For those who are looking for more ways to answer the “I don’t have anything to hide” argument, you can read this thread on reddit. It’s got some fantastic counterpoints.) If you’re on board, let’s get started.
Criteria 1: The provider is not based in the US or UK.
The number one thing you should look for in an email provider is that they do not base themselves in the US or the UK. Provisions in the Patriot Act and the Foreign Intelligence Surveillance Act force US companies to hand over user data. What’s more, National Security Letters are accompanied by gag orders, which forbid the provider from even talking about the demand for information. On top of that, the US, UK, Canada, Australia, and New Zealand share information between their intelligence services and use each other to spy on their own citizens. As a result, use a any email service based in the US or UK, and you are hanging yourself out to dry. Your email provider is simply being used as yet another intelligence collection platform and surveillance tool.
Criteria 2: The provider should use end to end encryption.
The second criteria you should look for is something called SMTP TLS. The very simple version of this goes something as follows:
- Computer A connects to Computer B (no security)
- Computer B says “Hello” (no security)
- Computer A says “Lets talk securely over TLS” (no security)
- Computer A and B agree on how to do this (secure)
- The rest of the conversation is encrypted (secure)
What does the above process accomplish?
- The meat of the conversation is encrypted
- Computer A can verify the identity of Computer B (by examining its SSL certificate, which is required for this dialog)
- The conversation cannot be eavesdropped upon (without Computer A knowing)
- The conversation cannot be modified by a third party
- Other information cannot be injected into the conversation by third parties.
If you want a more technical explanation, you can go here.
3. The provider accepts Bitcoin payments.
Some providers accept Bitcoin, which allows you to purchase a mailbox anonymously—unlike places like Gmail and others, who want a phone number and a host of other personal information. Combine a Bitcoin payment with a Tor connection and VPN (or even a virtual machine if you are serious), and you can send and receive emails with a lot more privacy.
If terms like Tor, VPN, and virtual machine go over your head, that’s okay. We all started at the beginning, and TOWR literally exists to help people like you. Feel free to come to an event like the Cryptoparty to find out more and learn in a casual environment.
4. The provider does not require personal information.
Whichever service you choose, you should not have to give personal information. Username, password. That’s all they should be asking for. Have you tried to make a Gmail, Facebook, or Yahoo account lately? You’ll see the difference pretty easily. It goes back to the “need to know” concept. Does your email provider need to know your address, phone number, etc.? That’s not even counting the collection of metadata and even content of your emails in order to provide you with “targeted advertising.” The less an email service asks about you, the better.
Now that we’ve laid out our criteria, it’s time to look at which email providers make the cut. The following providers have built-in encryption, operate outside the US and UK, and accept Bitcoin as payment.
GhostMail – A new provider based in Switzerland, they allow 1GB of storage. GhostMail also has self-destructing chat, two-factor login, and a 1GB encrypted cloud storage. They ask for no personal details. According to their website, their servers are also located 30 meters underground in a nuclear bunker.
OpenMailbox – Based in France. They allow allow 1GB of free storage, accept Bitcoin, and have built-in encryption.
ProtonMail – Another one based in Switzerland. They offer less storage (500 MB), but they also allow encryption of emails sent to outside providers through a passphrase. In addition, you’ll need two passwords: one to login to your account, and another to decrypt your mailbox. Protonmail has become so popular that new accounts are put on a waiting list. It takes about 2-3 weeks after signup to get your account invite.
Tutanota – This provider is in Germany. They offer 1GB storage free, and also have apps for your phone. If you do decide to use this service on your smartphone, I would keep all patriot activities out of that account and just use it as your everyday email. Tutanota also accepts Bitcoin and has built-in encryption like the others on this list.
Mailbox.org – Also in Germany, this provider is 12 euros per year but offers 2GB of storage and will take Bitcoin. They also allow three aliases and 100MB encrypted cloud storage for office documents, as well as full-PGP encryption of the mailbox itself.
NeoMailbox – Based in Switzerland. Offers 1GB storage, as well as unlimited aliases, SSL, OpenPGP encryption and IP protection. The unlimited aliases mean you can create as many one-time use email addresses as you like. NeoMailbox also has private surfing as well. For a package with both email and anonymous surfing, you’re looking at $89.95/year. For just the email, it’s $50.
Countermail – Hosted in Sweden. They have diskless servers; in other words, they boot from a CD and don’t have hard drives. In addition, they offer a USB key option, which means you’ll be sent a USB key that MUST be inserted in your computer in order for you to log in. Lastly, Countermail allows you to try their service for free for one week. You can make an email address and use it with all its features for a week, and after that time if you choose to continue, it’ll cost you $59 for the year.
Some of you might be asking why Startmail didn’t make this list. While some folks prefer it, they do not accept Bitcoin. This means in order to use them anonymously, you’d need to use a Vanilla Visa or something similar.
Check out one of the providers above and see what you think. Privacy requires change; it requires you to stop doing what you’re doing, and start doing it right. With these and other tools, you can get going in the right direction. Feel free to let us know in comments if you know of a provider better than these, or if you have questions.