Privacy conscious email providers

[681081b2c1a17Kolya]

Some learnings from my recent attempt to move to a privacy conscious email provider:

Posteo.de
- archaic webmail interface, no dark mode
- no apps available, you can use any mail client though (eg FairEmail on Android and Sylpheed on Windows)
- posteo logs you out of webmail every hour with no way to change that, their support cites "security reasons"
- 12 EUR/year

Protonmail.com
- modern design incl. dark themes
- apps for Android, iOS
- free for normal use
- IMAP access requires a paid account: 48 EUR/year (personal plan)
- IMAP also requires a local server application called "Bridge" that handles encryption

[Protonmail.png expired]
[Posteo.png expired]

[681081b2c1d14Nameless Voice]

The ProtonMail Android app still doesn't support conversations, making it basically unsuable.
I didn't understand how anyone took them seriously when I first tried it back in 2018, and I certainly don't understand how they still haven't added conversations in 2021.  (Though at least the webmail version appears to have them now, so some small progress I guess.)

[681081b2c1f2eKolya]

I don't know if it makes the app unusable, but yeah, it's a pretty basic feature.
Conversations may be made more difficult by protonmail's encryption, as this page seems to suggest.

ProtonMail cannot read the contents of emails because all messages are stored using zero-access encryption. We therefore use advanced heuristics on the email headers, subject line, and conversation participants to match and thread messages.

The main problem here probably is that conversations were never part of the email protocol, but always a tacked on feature.

[681081b2c206dNameless Voice]

Unusable for my purposes, anyway (which is to actually be able to have conversations with people via email.)

[681081b2c21a4Kolya]

@Nameless Voice


[Protonmail working on new app 2021-08-17.png expired]

[681081b2c26fbsarge945]

I use ProtonMail (I have the paid version) and it generally works for my purposes.

Lack of conversations sucks, I agree, but I think the client-side e2e encryption makes it worth it, since encryption on the server side is basically useless, fake security, especially if it's hosted in a five-eyes country. ProtonMail is hosted in Switzerland, which I know doesn't have any agreements etc with other governments, I don't know what Germany's policies are though.

But I'm the sort of person who plays with VeraCrypt vaults for fun. You could say I'm a little paranoid.

Interestingly I have nothing to hide. But I hide it anyway. I guess at this point I'm more concerned about advertisers knowing too much and trying to manipulate me into buying stuff when I'm emotionally vulnerable, rather than evil governments reading over my memes and random Amazon receipts.

[681081b2c290bKolya]

Germany is not part of the Five Eyes alliance, it is however part of the 14 Eyes. Protonmail even has an in-depth explanation about these alliances but you can find various other explanations. Notably Switzerland is not part of any of them (that we know of).

[681081b2c2a1bsarge945]

Good read!

I'm scared

[681081b2c2d6dHikari]

https://www.youtube.com/watch?v=IeXaYR4ed9c

[681081b2c311cKolya]

Protonmail's claim of end to end encryption might be misleading promotion to someone without any technical knowledge.
What Protonmail is referring to isn't your mail exchange with the rest of the unencrypted world (because they can't encrypt that obviously) but the storage of and your access to your mails on their servers.
https://protonmail.com/security-details

The article (and its domain) that the creator of the video refers to doesn't exist anymore by the way. Whatever that means.
https://privacy-watchdog.io/truth-about-protonmail/

A lot of more well known sites have reviews of protonmail and it's security though.
https://www.techspot.com/news/82776-protonmail-review-secure-email-really-secure.html
https://www.wired.com/2015/10/mr-robot-uses-protonmail-still-isnt-fully-secure/
https://www.bleepingcomputer.com/tag/protonmail/
https://cybernews.com/secure-email-providers/tutanota-vs-protonmail/

[681081b2c3275sarge945]

I guess "ProtonMail is encrypted end to end so nobody can see your emails" is the same sort of oversold oversimplification we see with VPN ads on YouTube videos which claim to "hide your online privacy and make you anonymous online"

[681081b2c3665Kolya]

Yes, it leaves out the important fact that most of your mails, to anyone without a protonmail account, are still postcards.

Also there is the fact that Protonmail logged IP addresses of a person lately on a request by Europol.

French original article: https://secoursrouge.org/france-suisse-securite-it-protonmail-a-communique-a-la-police-ladresse-ip-de-militant%c2%b7es-anti-gentrification/
German article: https://netzpolitik.org/2021/auf-anordnung-von-europol-protonmail-gab-ip-adressen-von-nutzerinnen-heraus/
English article: https://www.tech-gate.org/usa/2021/09/06/protonmail-logged-ip-address-of-french-activist-after-order-by-swiss-authorities-techcrunch/

So I guess the moral of the story is: If you need to communicate securely don't use email, regardless of the service.

[681081b2c43b0fox]

Just a little historic tidbit regarding the neutrality of Switzerland:
https://en.wikipedia.org/wiki/Crypto_AG

And if you haven't heared about ANOM & EncroChat yet, that's one hell of an entertaining story too.

The actual moral of the story is that you should never assume to have full privacy when you use any common electronic communication device. The odds are way against it.

[681081b2c4600fox]

Not that it comes as any surprise but this just in...

propublica.org: "How Facebook Undermines Privacy Protections for Its 2 Billion WhatsApp Users"

"WhatsApp assures users that no one can see their messages — but the company has an extensive monitoring operation and regularly shares personal information with prosecutors."

[681081b2c4db5sarge945]

The actual moral of the story is that you should never assume to have full privacy when you use any common electronic communication device. The odds are way against it.

The counter to this is if you COMPLETELY self host, eg run your own xmpp server with end to end encryption. Then, unless the person you're talking to betrays you, you have a high degree of safety unless you make a mistake.

Although there definitely are ways to stay safe even when using police-friendly services. Dropbox could give the entire contents of my account to the police, they still aren't going to crack my password vault.

You can still use regular email providers like Gmail and use PGP for encryption. Again, they can have my account but they won't get those emails.

This is especially important because the law is very strict when going after individuals, but very loose when going after their data via a third party.

The real moral of the story is: trust nobody. If a company says they are protecting your privacy, they are lying.

Computer security is, above all else, a lesson in self reliance. You have to learn for yourself what to do, trust nobody else, and do the work to protect yourself. It's a humbling and maturing experience, in my opinion, and the real problem seems to be that most people care so little about privacy (probably because they haven't taken the time to seriously think about it) that they don't want to take the time to learn it. They just want to put their credit card in the magic payment box for the super cool company that will "keep them safe". The irony being they true computer security is free, as all the best tools are necessarily open source anyway.

Of course, keep in mind, nothing is really secure against the "torture him until he tells you the password" cracking method, but at least in most civilized countries, some basic encryption is enough to thwart snooping.

I always find it interesting whenever I see a pedophile bust on the news, it always goes down the same way - they seize their PC and find compromising images on it. It makes me think how many more there are out there who aren't getting charged because they know how to use VeraCrypt. Not that I support these people in any way, it's just interesting to me how easy people make it to destroy themselves. Usually the same people who complain about government snooping in the first place.

[681081b2c58a9fox]

The counter to this is if you COMPLETELY self host, eg run your own xmpp server with end to end encryption. Then, unless the person you're talking to betrays you, you have a high degree of safety unless you make a mistake.

That's a lot of ifs.

I always find it interesting whenever I see a pedophile bust on the news, it always goes down the same way - they seize their PC and find compromising images on it. It makes me think how many more there are out there who aren't getting charged because they know how to use VeraCrypt. Not that I support these people in any way, it's just interesting to me how easy people make it to destroy themselves. Usually the same people who complain about government snooping in the first place.

I take objection to that notion because it associates privacy activists with pedophiles. Not cool.

[681081b2c5aacHikari]

https://www.youtube.com/watch?v=QCx_G_R0UmQ
Anyone have any thoughts on this?

[681081b2c5e0cfox]

[681081b2c64b5Hikari]

Well I was more 'Is this real or just tinfoil hat man making mountain out of mole hill.'

But on the face of it Not a very good look for protonmail.

[681081b2c668eKolya]

@Hikari See my post above.

[681081b2c824dsarge945]

I take objection to that notion because it associates privacy activists with pedophiles. Not cool.

Criminals use privacy tools for the same reasons that dissidents do. Accepting that bad people will also benefit from it is part of advocating for privacy. It also makes sense why criminals will also advocate for it.

But I wasn't confusing pedophiles with privacy advocates. I was wondering why so many of them don't take basic steps to protect themselves.

I guess you could say my overall comment about people complaining about surveillance while doing nothing to protect themselves from it is conflating pedophiles with privacy advocates, because it was part of the same paragraph. That was my bad.

[681081b2c8736fox]

Yes, criminals gain direct use from anonymity. That is one thing. People complaining about governments eroding citizen privacy, is another. Linking one to the other and thereby eroding the credibility of the complaints is a common and powerful method to undermine the discussion. Linking them to the most vile and immoral kind of people is going for maximum damage and once it successfully put the shadow of a doubt in peoples' heads, it will remain there permanently. It's PsyOps101.

Not saying you did it on purpose but you should be aware of it. It's the practical implementation of the bullshit argument "If you have nothing to hide, you have nothing to lose.".

[681081b2c8bc6Kolya]

In order to leave Protonmail I had to upgrade to a paid account first (use the $5/month option, which is a bit hidden).
Then install the import/export tool and export all my mail as mbox folders.
Then in Protonmail/settings/dashboard downgrade to a free account again (hidden again). Allegedly they will refund the money. We'll see about that.

The best part of this was as usual my mail program Sylpheed, which allowed me to import those mbox files via IMAP directly to gmail and mark them all as read easily.

[681081b2c94b1sarge945]

The best part of this was as usual my mail program Sylpheed, which allowed me to import those mbox files via IMAP directly to gmail and mark them all as read easily.

Why does Sylpheed look uncannily like Claws Mail