Privacy-conscious email providers to keep your correspondence safe
Since Edward Snowden's revelations about American intelligence listening programs, the public has become aware that message confidentiality and privacy on the Internet are not guaranteed. While the debate was raging (should we improve security at the expense of privacy?), more revelations were made and bills were multiplying. Services to escape mass surveillance and preserve one's privacy developed. Why and how do you opt for a secure email service today? What offerings are available? Here's a list to help you make this choice.
ProtonMail is an encrypted webmail service created in 2013 at the European Organization for Nuclear Research (CERN). The service distinguishes itself from other mail providers (such as Gmail and Outlook.com) by allowing users to encrypt emails end-to-end. The service can be used via a web browser on a computer (via webmail) or via dedicated iOS and Android applications. ProtonMail is managed by Proton Technologies AG, a company based in the canton of Geneva, Switzerland. Its servers are located at two locations in Switzerland, which is outside the jurisdiction of the United States and the European Union. As of December 2015, ProtonMail had 1 million users. Initially available by invitation only, the service has been open to all since March 2016. The service is also accessible through the Tor network.
Location: Switzerland Price: ProtonMail offers a free version and three paid plans from 5€ to 30€ a month.
Tutanota automatically encrypts all data on your device. Your emails and contacts remain private. You can easily communicate with your friends through end-to-end encrypted emails. The subject and attachments of your emails are also encrypted. Tutanota uses open source encryption to secure your email account and is licensed under GPL v3 - essential for a security service. It being open source means that it allows security experts to verify the code that protects your emails.
Location: Germany Price: Tutanota offers a free version and a paid version at 1€ per month. You can also buy more storage and aliases.
Posteo is an independent email provider for whom durability, security, data protection and ease of use are essential. Posteo operates entirely without advertising and 100% with the green energy provided by Greenpeace Energy. In the era of Internet surveillance, Posteo protects the privacy of its users with its innovative encryption and security concept.
Location: Germany Price: The service costs 1€ per month.
StartMail was launched in 2013 by Startpage / ixquick, whose reputation is well known. Its "mission" is to ensure the confidentiality of its members by allowing them to communicate privately, without being spied on by governments. After a beta version on Invitation, StartMail is accessible to everyone in paid version.
Location: Netherlands Price: For individuals and businesses, the service costs $ 59.95 a year.
Mailfence is a messaging company that favours the respect of privacy by encrypting communications between your computer and its servers via an SSL certificate issued by a European company. Storage of data and backups takes place exclusively in Belgium. There is no activity monitoring, no backdoors to your account, and there is total control over its servers. The service claims to provide full protection against the NSA and PRISM.
Location: Belgium Price: Mailfence offers a free version and two paid versions starting from 2€50 per month.
Disroot is a project based in Amsterdam, that is maintained by volunteers and depends on the support of its community. They offer 4GB of free storage, accept Bitcoin, and offer built in encryption. Disroot is definitely a company worth checking out, as they have a great platform with a tremendous amount of options.
Location: Netherlands Price: Disroot is completely free
Kolab Now is another open-source email service with servers fully hosted and managed in Switzerland (just like Proton Mail), so your private data is never read by any other party. The service targets small- and medium-sized enterprises, in particular those wishing to transmit privileged or confidential information by e-mail. Just like Posteo, Kolab Now makes money by billing its users directly and has two plans for an individual account. Other features include an integrated note-taking application, email tagging support, contacts and calendar, shared folders, and more.
Location: Switzerland Price: Two paid plans starting at $5 a month.
Mailbox is a Germany-based provider of email messaging, calendars, storage space and document editing services. Document editing is a big plus: it replaces Google Drive or Microsoft 365 Microsoft Outlook.
Location: Germany Price: The service costs 1€ per month but offers a free 30-day trial version.
Runbox is an independent public company based in Oslo, Norway. The Runbox email service was launched in September 2000. The company in its present form was founded in March 2011 and is owned by employees and members of the Board of Directors (76.2% in 2014) and close associates. As a Norwegian public limited company, Runbox Solutions is regulated by strong Norwegian consumer and privacy laws.
Location: Norway Price: The service offers several packages starting from $19.95 a year.
Neomailbox is a fast, secure and reliable email service with IP anonymity, protection against spam and viruses, unlimited disposable addresses, and more.
Location: Switzerland Price: The service is charged from $49.95 per year (you can pay more for more storage).
OpenMailBox is an online solution that offers the hosting of free e-mail addresses for a wide audience who want to benefit from a quality service driven by a free and independent philosophy. Protection of users' privacy is emphasized, which is why OpenMailBox makes every effort to guarantee the security of the data entrusted to them.
Location: France Price: The service offers a free version as well as a paid plan at 4.99€ per month.
Countermail is another email service provider with several unique features. It uses the OpenPGP encryption protocol with 4096 keys to protect your data and also offers end-to-end encryption. It offers a secure USB stick option that makes it impossible to access your account without your USB stick being inserted into a USB port. CounterMail supports Linux, Mac OS X, and Windows. It also supports IMAP if you want to use your own email client.
Location: Sweden Price: You can try Countermail for free for a week, after which prices start at $6.33 a month.
Riseup provides online communication tools for individuals and groups who advocate for liberating social change. It's a project to create democratic alternatives and practice self-determination by controlling your own secure means of communication.
Location: USA Price: The service is completely free.
Be aware that “Services based in the United States are not recommended because of the country’s surveillance programs, use of National Security Letters (NSLs) and accompanying gag orders, which forbid the recipient from talking about the request. This combination allows the government to secretly force companies to grant complete access to customer data and transform the service into a tool of mass surveillance.” – PrivacyTools.io
Comments on 'Privacy-conscious email providers to keep your correspondence safe'
Thanks @Pox for the overview. Just noticed that Tutanota is now also available on F-Droid, which is great if you want to move away from Google: https://tutanota.com/blog/posts/open-source-email
As pointed out by @anonsubmitter, US-based services are a concern, so RiseUp should be added to the list of risky picks for those with state-level interests.
There is a so-called "canary" warrant, of sorts, with some rather bizarre omissions, according to this self-published question on their canary page:
" Q: Why does the new Canary not mention gag orders, FISA court orders, National Security Letters, etc?
" A: Our initial Canary strategy was only harming users by freaking them out unnecessarily when minor events happened. A Canary is supposed to signal important risk information to users, but there is also danger in signaling the wrong thing to users or leading to general fear and confusion for no good reason. The current Canary is limited to significant events that could compromise the security of Riseup users. "
I am also less than impressed with RiseUp's "About Us" page, which does not give any real names for its "alumni", presumably staff. Nine identities are given under "the collective", and but under cutesy bird names, in Latin. Only one gives a contact method, via a GPG key. Given the recent exposure of GPG and other related crypto tools as fundamentally flawed, this suggests a rather casual approach to privacy.
See, https://motherboard.vice.com/en_us/article/3k4nd9/pgp-gpg-efail-vulnerability
A Crunchbase profile on RiseUp gives Micah Anderson as the founder, a rather shy individual who is alone among fellow directors over at privacy-focused Calyx Institute in not having a board photo. Makes sense for a privacy guy .. I guess?
See https://www.calyxinstitute.org/about/board
Finally, there are questions raised about RiseUp operating a TOR exit node, here .. https://arxiv.org/pdf/1803.05201.pdf .. PDF may take a moment or three to load. Search ctrl+F to search for RiseUp.
Thank you. I added a warning about RiseUp and any other US-based service.
Update: As might be expected, there are several rabbit holes to dive down into.
In the interests of fairness, here is an article claiming to debunk the last link from Arxiv: https://dustri.org/b/debunking-osint-analysis-of-the-tor-foundation-and-a-few-words-about-tors-directory-authorities.html
The debunker criticises the many spelling and grammatical errors, but as the lead author is French I found that less interesting than the fact that the debunker article does not make any reference to Micah Anderson (mentioned in my comment above).
For those wanting to read more - and whether or not they should trust RiseUp and its involvement with TOR nodes, see author Yasha Levine at: https://surveillancevalley.com/blog/internet-privacy-funded-by-spies-cia
For a bit more back and forth on Levine's book: https://caucus99percent.com/content/concerning-yasha-levine%E2%80%99s-%E2%80%98fact-checking-tor-project%E2%80%99s-government-ties%E2%80%99
cock.li is another http://vc.gg
he seems to be a privacy / security focused kid (and probably a 4channer)
lavabit is another; they claim to be the first
The guy who runs cock.li is an American citizen, so even though he has moved to Romania, cock.li still follows US laws. There was a recording that he operator of cock.li posted in one of his transparency reports that pretty much shows that cock.li is within jurisdiction for US gag orders (though he found a workaround for now by having him take the call about the subpoena and gag order while he was live on Mumble and broadcasted it to everyone on his Mumble server). And if it's under US jurisdiction it's also vulnerable to National Security Letters.
There is also a small amount of logging: https://cock.li/privacy The IP logging isn't a deal breaker for me, but the email service technically being under American jurisdiction is.
Lavabit is based in the US and is thus vulnerable to National Security Letters and gag orders. A National Security Letter is a legal demand from a law enforcement agency, for example "give us backdoor access to your online service". A gag order means that disclosing information about a specific law enforcement request is illegal for the website operator. Both of these were experienced by Lavabit and led to them having to shut down in the first place.
Cock.li and Lavabit are not bad email services, quite the opposite. They are however under an extremely bad legal jurisdiction.
You forgot Yahoo! :))
No I didn't forget. Yahoo is not what you would call a secure and privacy-conscious email provider. :)
Wooooosh! (The ":))" indicates that it was a joke!)
I wasn't sure but I figured it was a pun. :)
Fantastic and insightful list, also very timely. Thank you, POX!
It makes sense that a lot of these companies are Swiss-based since Switzerland is out of the 14 eyes and is not a member of EU.
So, do you plan on adding
Librem Mail ?
The reason I ask is because the whole Librem suite seems pretty new. Saw it 'advertised' on your Twitter and I'm wondering what the word on the street about them is, given that their website honestly seems barren of important info regarding their products.
At $7.99/monthly for the whole suite -- mail + VPN + social network + chat -- they seem like a really great option, if only I knew more!
So, POX, any thoughts? Thanks in advance for all the contributions you make to this community.
EDIT: while we're on the subject: how the H do I get in touch with someone from the Librem One team? I can't see a contact e-mail ANYWHERE on their website. Cheers!
[Edited by coralinecastell, August 25]
I haven't used Librem One with Librem Mail yet, but yes I might add it to this list if it's proven to be a good secure and privacy-focused email service. I think you can contact them on their website.
Reply written
Thank you so much, POX! I somehow missed that section.
Reply written