One of the first moves people recommend someone to do who's new to privacy is to switch to a privacy conscious email provider due to how easy it is. For those currently sitting on a GMail, Outlook, Yahoo, AOL, or any other major free email account, it's a critical step.
However, I've noticed that people tend to make a drive by remark about getting a private email account but fail to explain why it's important and what kind of privacy it does, and doesn't, provide. Hopefully we can flesh out some details surrounding email, what makes an email provider private (or not), and a few recommendations.
Why you should get an email account with a privacy conscious provider
The reasoning behind migrating is fairly straight forward. Your email accounts are being monitored, scanned, and stored away in neat little profiles indefinitely.
Up until late 2017, Google was scanning every email traveling through its servers to not only collect all of that data but to use to personalize ads based on your conversations. They have since stopped using that data for targeted advertising but it doesn't prevent them from scanning your email to extract keyword data for use in other Google products and services and to improve its machine learning capabilities. It's not just the words on the screen either. Attachments are scanned to check for "signs of suspicious content before you receive them" and to ensure you aren't receiving a virus.
Even better, Google allows third parties to capture your emails and all of their content. And these aren't just automated systems scanning them either, it's real people.
One of those companies is Return Path Inc., which collects data for marketers by scanning the inboxes of more than two million people who have signed up for one of the free apps in Return Path’s partner network using a Gmail, Microsoft Corp. or Yahoo email address. Computers normally do the scanning, analyzing about 100 million emails a day. At one point about two years ago, Return Path employees read about 8,000 unredacted emails to help train the company’s software, people familiar with the episode say.
In another case, employees of Edison Software, another Gmail developer that makes a mobile app for reading and organizing email, personally reviewed the emails of hundreds of users to build a new feature, says Mikael Berner, the company’s CEO.
Microsoft is no different. Dating back to the early 2010s, Microsoft was scanning emails not for the sake of advertisements, but to "fight spam". They greatly criticized Google for doing the same thing, but claimed it was entirely different since they weren't doing it to tailor ads.
For Stefan Weitz, Microsoft’s (MSFT) senior director of online services, this is all a matter of “semantics.” The intent of Google’s (GOOG) “going through” email is what makes that “going through” a bad thing, compared to Microsoft’s “going through,” which is entirely benign, he said in an interview Tuesday.
Things haven't changed as the years went on. In early 2017, Microsoft released an update to Cortana to make her a better personal assistant. She'd scan your emails for calendar events, tasks, and to dos, all in the background, and pop up reminders right on your desktop, all for the sake of "convenience". So not only are they being scanned as soon as they come through the servers, Windows itself will scan them as well.
When Yahoo isn't busy having their services repeatedly breached, they, too, are scanning emails. While email scanning has been going on in some form for the last decade, in 2015 they built a tool for scanning user emails for specific content provided by the US government. Fast forward a couple years to 2017, they were explicitly looking for advertisers to sell all the data they gathered from consumer email.
Yahoo’s owner, the Oath unit of Verizon Communications Inc., has been pitching a service to advertisers that analyzes more than 200 million Yahoo Mail inboxes and the rich user data they contain, searching for clues about what products those users might buy, said people who have attended Oath’s presentations as well as current and former employees of the company.
[...] Oath’s email scanning appears to go a step further than Google’s former system, by creating interest profiles of users based on the data in their email and using that intelligence to target them elsewhere on the web.
Paying customers weren't safe from the data collection either and it was all justified because "email is an expensive system".
“Email is an expensive system,” Mr. Sharp said. “I think it’s reasonable and ethical to expect the value exchange, if you’ve got this mail service and there is advertising going on.”
[...] He said Yahoo offers an ad-free email service for which customers pay $3.49 a month. It also scans the emails sent in that service.
As we can all see, free doesn't really mean free. Just because you aren't handing over any money doesn't mean they aren't taking something more valuable.
What kind of privacy do these privacy email services provide
Alright, so the free email accounts are bad but what makes these ones better?
To start, privacy focused providers don't scan your emails at all. Not for ads, not to build profiles, not to gather statistics, not to fight spam, nothing. In fact, many of the top providers are zero knowledge providers, meaning they can't read your emails even if they wanted to.
Some of them also provide end to end encryption when you're emailing someone on the same service, similar to how iMessage works when one iPhone user messages another. This great because it's hassle free and requires no user interaction while adding another layer to your privacy.
And along with email, many services allow contact and calendar syncing just like the big, free players do and in many cases, this is encrypted as well.
What don't these type of accounts provide
Email itself wasn't built to be a way to communicate private and, generally, it still isn't. If you use a private email provider but all of the people you're emailing use GMail, you're still having data collected about you (albeit on a smaller scale) because the entire email chain goes through Google's servers. Yes, you can use something like PGP to encrypt emails manually, but it's a hassle to manage consistently and the large majority of people aren't going to go through the process just to read your email.
This is the single largest problem with email currently. Billions (with a b) of users use the free email services provided by the largest privacy offenders in the world which means the chances are that the people you're emailing use them. Getting people to create a privacy based email account is easy, but getting them to switch over and actually use it consistently can be pretty tough.
After reading that you might think "well, then what's the point?". The point is that you're not allowing these companies to continue building detailed profiles about you. After all, Google might see a singular conversation or two with a friend or colleague, but they aren't seeing all of your receipts, bills, account registrations, newsletters, "junk" mail, work related items, school related items, medical info, or rare, yet sensitive content such as communications with a lawyer.
Just flip through your email and look at all information sitting there and know that every single letter and attachment has been read and saved in their database indefinitely. Few people would enjoy a stranger logging into their account, flipping through every email, and then saving all of them on their computer but this is exactly what Microsoft, Yahoo, and Google are doing.
Recommended providers (in order)
I feel Posteo is the all around best option for someone wanting a privacy centric email account. They are inexpensive (~$12/yr), they are funded by its users and have zero debt (which shows long term stability), they anonymize all payments made and can pay in cash, and are zero knowledge at the click of a button for email, contacts, and calendar. Posteo also supports IMAP which will let you use your email client of choice on all platforms.
The biggest downsides for some are that you can't use a custom domain and there is no free option. If you don't know what a custom domain is in relation to email, then this limitation won't matter at all.
Even though some people aren't a huge fan of the name, they're a great option. They run a freemium model for their service, meaning while they offer a free tier, it's supported by paying users. This is a great option for someone who wants or needs a free option while still getting the benefits of things like end to end encryption with other tutanota users and zero knowledge email, payment methods, contacts, etc.
If you need a little more features with their service, they offer paid tiers starting at a reasonable rate as well starting at ~$12/yr.
Biggest downside is that they don't offer IMAP/POP3 support because it's not secure, which limits the use of apps to what Tutanota provides, and the free tier is pretty bare bones relative to paid options.
We believe that simply adding IMAP/Pop support is not an option because then your emails would be stored in plain text on your device. With Tutanota we want to make sure that your data is always secured to the maximum and that you as a user do not have to take any action to achieve this high level of security.
They do offer their own clients on all platforms to use at no cost, however.
Like the others, Mailbox provides an ad free experience that doesn't scan your emails.
Also, unlike the other services, you get a 30 day free trial with a reasonable ~$12/yr cost afterwards. Mailbox also has the most "normal" sounding domain with @mailbox.org if that's something you're concerned about.
The biggest downsides are that it's a bit tough to turn on and use the zero knowledge option. It's there, but it's not as seamless as the other providers.
Before someone says "what about X service?", there are a plethora of privacy respecting options available and they all have their pros and cons. These three recommendations listed aren't the only ones to pick from and are simply what I feel are the top three options for everyday use.
The most notable omission that people who are in the know will notice is likely ProtonMail. They are arguably the most well known of the private email services but due to their high starting cost (~$50/yr), inability to use anything but their own bridge application to get IMAP support, no wide spread calendar support (in beta for some users), and a few other missing features makes me unable to recommend it over the other providers.
And as I mentioned earlier in the post, email simply isn't a private form of communication. Always be mindful of what you include in your emails when sending to people using "free" services.
If you're interested in other providers that put privacy first, check out these options.
Want to join the discussion? Check out this post, and others, over at the CupWire subreddit and leave a comment.