De-Google Your Life: Email

This is a continuation of my series on De-Googling your life, which involves disentangling from and de-centering Big Tech.

So far in this series I’ve covered calendars, browsers, VPNs, search engines, and maps. This post will be covering email.

Email is one of the least secure methods of communicating, even compared to a platform such as a secure messaging app. For example, when sending a message with Signal, it is encrypted, sent, received encrypted, and then the recipient replies with another encrypted message. Signal becomes a container as an app that allows for end-to-end encryption.

However, email addresses are just addresses. There is no inherent infrastructure around the email address itself.

When someone has your home address, there are a multitude of ways that they could get a message to you. They could send a letter through the mail, slide a note under your door, or even stand outside your door and yell the message.

Some methods of sending messages are more secure than others. Someone can steal a package from your porch, a neighbor can read a letter that is in your mailbox, or anyone can overhear if someone else is yelling you a message through your door.

Email has many similar elements and vulnerabilities. It is digital, but there are a variety of different methods to send and receive emails. Some use email clients, others use web browsers, and there are countless email providers such as Gmail, Yahoo, or Outlook.

There is also the server to send the email once it is crafted in the client or browser. Not all email clients are created equal.

For the writing stage, you could use an email client that encrypts your email while you write it. For the next portion, fortunately for us, most email is sent over secure servers. But after all of that, if the person receiving your email does not use a service that encrypts email while it is sitting in their inbox, your email is now exposed with no protections.

If you had to send a fragile glass statue to a friend, you might wrap it with the utmost care and then place it gingerly in a padded box. You could then use a reputable shipper that respects your fragile signs and delivers it with caution. But if your friend receives it and simply tosses it on the table, shattering the glass statue, all of your efforts to be careful will have collapsed.

Sending an email is a similar process. Each component of the process needs to be private and secure for the email to go from end to end in a private and secure manner. If even one part is careless, then the entire process is compromised.

If email is to remain private and secure between the sender and receiver, which everyone should be thinking about, then all parties need to be thinking about privacy and security. It becomes a contract between parties.

If I send something securely, then I ask that the recipient receive it securely.

Services like Gmail have encryption while an email sits in the inbox, but Gmail also has a key so they can decrypt that email if they want or if they are asked to by another entity.

Above all else, Big Tech companies are data companies that want as much of our data as possible; they are not privacy and security companies.

For De-Googling email, I want to mention two companies that started off with privacy-focused email as their primary product: Tuta and Proton. Because they are privacy focused rather than, for instance, feature focused, they are dedicated to making email as secure and private as possible.

Both have free options with open source components. Tuta does not require a secondary email when signing up.

Here is where the idea of the container comes in again. When sending email from a Proton email user to another Proton user, it is encrypted while the sender is crafting it, encrypted on the way, and then encrypted when it arrives in the recipient’s inbox. By all parties using Proton, there is an end-to-end encrypted container.

Not everyone uses the same email service, however, which Proton understands, so they offer the option to go through additional steps for the sender and recipient to exchange a key through a program called PGP (Pretty Good Privacy). A key is exchanged to ensure emails can only be decrypted by those who have the key. This is slightly more technical and does require extra actions, which is why Proton encourages people to send from Proton to Proton because all of this is built in.

I was able to hear directly from people who work at Proton about a couple of concerns regarding incidents that made many in the privacy and security community question the integrity of their product.

Proton has the IP address from which you created your account. In one instance in 2021, they were asked to hand this information about an individual over to French authorities, not because French authorities requested it, but because Swiss authorities did. Proton servers are located in Switzerland, which is one of the more protected countries when it comes to data sharing. However, they are still under Swiss jurisdiction, so while they may be able to avoid requests by other countries, they still abide by Swiss law. If anonymity and greater privacy are desired, I recommend not only using a VPN but also their Tor Onion site, even when using Proton, especially when creating your account.

Proton can also have your backup email address on file, since this is one of the recovery methods. If you wish to remain more private, consider using a backup email that is also secure and private instead of something like a Gmail account, which can then be the vulnerability in your secure container.

Either way, Proton cannot read the contents of your email because that is encrypted even to them. They also cannot retrieve your password because they have zero knowledge of your password. This is where email or phone numbers can be registered as backups.

An extremely important point to keep in mind is that the subject line itself is NOT end-to-end encrypted. Email content and attachments are, but not the subject line.
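To see why the subject line stays exposed, this added example (not code from this post or from Proton) parses a constructed message in the standard OpenPGP email layout (PGP/MIME, RFC 3156) and reports what a mail server can still read without the recipient's key. The addresses, subject and ciphertext placeholder are made up, and `exposure_report` is a hypothetical helper name.

```python
from email import message_from_string
from email.policy import default

# Constructed sample of a PGP/MIME (RFC 3156) message as a server would store it.
# Addresses, subject and the "ciphertext" placeholder are made up for illustration.
RAW = """\
From: alice@example.org
To: bob@example.net
Subject: Meeting about the clinic on Friday
Date: Mon, 03 Mar 2025 10:15:00 +0000
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

(placeholder, not real ciphertext)
-----END PGP MESSAGE-----

--b1--
"""

METADATA = ("From", "To", "Cc", "Subject", "Date")

def exposure_report(raw):
    """Return what stays readable without the recipient's private key."""
    msg = message_from_string(raw, policy=default)
    # PGP/MIME wraps only the body; the outer headers sit outside the ciphertext.
    pgp_mime = (msg.get_content_type() == "multipart/encrypted"
                and msg.get_param("protocol") == "application/pgp-encrypted")
    # Also catch inline PGP, where the armored block is pasted into a text part.
    armored = any("-----BEGIN PGP MESSAGE-----" in part.get_payload()
                  for part in msg.walk() if not part.is_multipart())
    return {
        "body_encrypted": pgp_mime or armored,
        "readable": {h: str(msg[h]) for h in METADATA if msg[h] is not None},
    }

if __name__ == "__main__":
    report = exposure_report(RAW)
    print("body encrypted:", report["body_encrypted"])
    for name, value in report["readable"].items():
        print(f"visible to the server -> {name}: {value}")
```

The practical takeaway is to keep subject lines generic and put anything sensitive in the body or an attachment.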

More recently, Proton’s CEO Andy Yen also sent out a social media post endorsing one of the picks of this administration, specifically Gail Slater as the Assistant Attorney General of the Antitrust Division at the Department of Justice. The Proton staff I heard from stated that Proton has been advocating for antitrust legislation for years because of how it challenges corporate monopolies.

While there are some questionable ways that this position surfaced, I still believe in the open source and end-to-end technology itself.

No single product is perfect, and we should not be seeking perfection regardless. We should always take multiple layers of precautions, and, as I’ve mentioned in past posts, take a variety pack approach by spreading out our access and use of platforms, apps, and products.

These are my recommendations for right now because things are always changing.

As always, there are more secure and private options of every de-Google method that I’ve recommended in this series. However, I am making recommendations while keeping in mind who I believe are the majority of the people that are receiving this post. I am sharing what I believe will be the most highly adopted and is the most accessible.

Do your own research, stay as private and secure as possible out there. More to come.

Published in Tech Justice