When I was young, my mom helped me create an email account. I was glad when this finally happened so that I could sign up for accounts, communicate with my friends, and click the “forget my password” button as many times as I needed to without asking my mom. While I was glad when this finally happened, I do have one regret from this: my first email account was a Gmail account, an email which is far from private.
Now, don’t get me wrong; Gmail is an amazing email service, and nearly all of Google’s products which they haven’t killed off work great! My main concern is privacy. Google is an advertising company, which means that if they provide free email, it must be subsidized by something else. Google has admitted in the past to scanning users’ emails for ads, and while they say they’ve stopped, there’s no way to guarantee this, as they still have access to all of your emails.
In addition, say that Google, who has access to all of my “private” emails, decides that “people we ideologically disagree with can’t use our email services” and bans me from their email platform. Companies like Amazon and Twitter have already been doing this, so is it a stretch to say that Google’s ideals may change in the future? I’d just like to stick with a company that I know won’t kick me off their platform if dressing up as a Jedi Knight somehow becomes offensive in the future.
To be clear, Amazon and Twitter are private companies, and they are perfectly within their rights to kick people they don’t like off of their platforms. It’s just that, if I’m not hosting my own email, I’d like a company that’s shown itself to be trustworthy to host it for me. In the modern world, people can’t afford to lose access to their email addresses, as it would block them from signing into their accounts, responding to job offers, or anything of the sort.
Since emails are a major means of communication, I’d like my emails to be as private and as trustworthy as possible. Thus, I began my hunt for a private email provider.
My requirements
I started off by listing everything I wanted in an email provider. Ultimately, I decided that I wanted an email provider that:
- Is more private than Gmail;
- Is secure (preferably proven to be secure);
- Is trustworthy;
- Supports PGP encryption and signatures and gives me access to my private key. This way, in the case of a data breach, my data will still be secure;
- Allows me to use a custom domain. That way, if whichever provider I choose does something that shows itself to be untrustworthy or chooses to kick me off of their platform, I can switch relatively easily;
- Lets me use IMAP/POP and SMTP to access my emails. That way, I am not stuck using only one email client (like I am with Tutanota);
- Is available in the US;
- Is reasonably priced. I understand that servers cost money, and I’m willing to pay a bit to support a good business, especially one I use for something as essential as my emails. People pay tens of thousands of dollars for cars, and given the prevalence of email in the modern day, it is arguably just as important as a car.
With these requirements in mind, I started looking into private email providers. I started off looking into two main providers: Startmail and mailbox.org. Two more options came up as I was investigating (Lavabit and Protonmail) and I ultimately ended up choosing Protonmail.
All quotes from this article were accurate as of July of 2021 and seem to be the same in December 2021. However, I won’t be constantly checking this, so this information may be outdated by the time you read this article. Please look at the original sources and check that they’re still accurate!
Startmail
Startmail was the first private email provider I looked at. A friend had heard about them in a podcast, so I decided to start by looking here.
I quickly noticed that Startmail had a white paper detailing their security and privacy practices published on their website, and this immediately put them on a good foot. As a person who reads through websites’ terms and conditions, I read through their white paper, privacy policy, and other documentation to learn more about them. Their white paper describes a secure, mostly-private email system that, if implemented and used correctly, could be secure.
As I was reading, however, I noticed a few small problems in their documentation. From a technical side, their white paper seems great, but it had a few small problems.
For example, according to their white paper (as of July 2021, still the same in December 2021):
Because of our User Vault system, we do not have to store users’ passwords. Instead of checking a user’s password, we simply use it to attempt to open the Vault. If this succeeds, the password was correct.
https://www.startmail.com/en/whitepaper/
However, according to their privacy policy (check under the “StartMail gives you Ironclad Data Protection” section):
We only store passwords in hashed form on our servers.
https://www.startmail.com/en/privacy/
This seems to be a contradiction: in one place, they say they don’t need to store our passwords, but in another, they say they store a hash (an encoded version) of our passwords.
I reached out to their support team Saturday evening with this and 7 other questions, and they responded Monday morning, showing that they have a great customer support team – kudos for that! The responses were all satisfactory to me, but there was one major thing that worried me in their response:
We store them hashed indeed, the privacy policy is more recent. The current white paper reflects an earlier system phase from a few years ago. We’re working on an updated version.
From an email from their support team, emphasis mine
I was surprised about this, and looking at their white paper, I saw that it was last updated in 2016. This worried me; why hadn’t it been updated recently if changes had been made to their system? I looked into this and saw someone in a Reddit comment mention that Startmail had been working on an updated white paper for some time now. I couldn’t find this post again while researching for this blog post, however, so take this with a rather large grain of salt. This was a problem for me, as there was no way to verify that their white paper was still accurate. Because of this, their whole white paper was left in question.
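The two login designs those quotes describe can be put side by side. This is an added sketch, not Startmail's code and not from the original post: the function names, the PBKDF2 parameters and the stand-in cipher are all assumptions, since the page does not say how either system is built.

```python
import hashlib
import hmac
import os

ITER = 100_000  # PBKDF2 work factor picked for this example only

def _derive(password: str, salt: bytes, n: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER, dklen=n)

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher (HMAC-SHA256 in counter mode) so the example needs
    # only the standard library; a real vault would use a vetted AEAD instead.
    stream = b""
    for ctr in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

# Design 1 (white paper wording): the server keeps only an encrypted vault.
def seal_vault(password: str, secret: bytes) -> dict:
    salt, nonce = os.urandom(16), os.urandom(16)
    key = _derive(password, salt, 64)           # 32 bytes to encrypt, 32 to MAC
    ct = _xor_stream(key[:32], nonce, secret)
    tag = hmac.new(key[32:], nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def open_vault(password: str, vault: dict):
    key = _derive(password, vault["salt"], 64)
    tag = hmac.new(key[32:], vault["nonce"] + vault["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, vault["tag"]):
        return None                             # wrong password: vault stays shut
    return _xor_stream(key[:32], vault["nonce"], vault["ct"])

# Design 2 (privacy policy wording): the server keeps a salted password hash.
def store_hash(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _derive(password, salt, 32)}

def check_hash(password: str, record: dict) -> bool:
    return hmac.compare_digest(_derive(password, record["salt"], 32), record["hash"])

def demo():
    vault = seal_vault("correct horse", b"constructed PGP private key")
    record = store_hash("correct horse")
    return (open_vault("correct horse", vault), open_vault("wrong guess", vault),
            check_hash("correct horse", record), check_hash("wrong guess", record))
```

In both designs, whatever the server stores lets someone who copies it test password guesses offline, so the cost of the key-derivation step matters either way.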
Another problem I noticed is that, if you’re signed up to access your emails via IMAP, Startmail can then access all of your emails. As long as IMAP is enabled, Startmail holds a key that can be used to decrypt all of your emails. A malicious company could use this to completely negate all of the privacy measures they’d so painstakingly put in place. This (to me) wasn’t a concern, as their whitepaper addressed their reasons for this and gave a good explanation, but it’s still something to note.
Besides this, however, I loved Startmail’s transparency and their user interface. They had a great customer support team who responded to even complicated requests quickly. I also liked how they provided unlimited aliases, as this would let me cancel my subscription to Anonaddy, saving me money on that service. This made up for the difference in price between itself and mailbox.org. Finally, they have a (closed) bug bounty program, which means that they will pay specific people who find security holes in their service. The hope is that a good hacker will find a problem and report it to Startmail in exchange for some money. This way, all the vulnerabilities are found and fixed before a bad hacker finds them and uses them for a malicious purpose.
Even with all this, however, Startmail still had a competitor to meet…
mailbox.org
mailbox.org (their lowercase, not mine) was the primary competitor in my mind to Startmail. While their interface was very, very clunky, there was one major benefit they had over Startmail.
Their encrypted inbox feature can automatically encrypt any emails sent to you, even if they were sent without PGP encryption. These emails would be encrypted with a public key you provide, even if mailbox.org doesn’t have your private key. This means that after mailbox.org’s servers receive your emails, they can no longer access them under any circumstances, whereas Startmail could access your emails if you’re logged into your account.
As I was planning on generating my own PGP key, I would want to keep my credentials private rather than trusting them to a third party. This highly recommended mailbox.org to me. My main problem with them, however, is that their interface was much worse than Startmail’s and that their settings pane, while great and detailed, was very confusing. I liked having all of the options available, but I could never find the options I was looking for.
mailbox.org does offer a number of other cloud services (including video calling, an office suite, and encrypted cloud storage); however, as my plan was to host my own Nextcloud instance, this didn’t affect my choice too much. I also reasoned that if mailbox.org is working on so many different services, they wouldn’t be focusing as much manpower on their email service specifically.
They also advertise that they provide secure email aliases. I’ll need to do a little bit of explaining before I can properly describe what this means. When two email providers (like Gmail and Outlook) connect, a protocol called TLS makes sure that the email is going to the proper email server and that it hasn’t been modified. For example, if I send an email to example@gmail.com, I want to be sure that it’s sent to Google’s email servers and not intercepted by some hacker along the way. This doesn’t guarantee that the email will only be readable by Example; Google’s servers can still read the email. It just guarantees that any hackers who have bugged the internet on the way can’t read it. mailbox.org provides a way to force emails to be sent and received securely using TLS. TLS, however, is a feature by default for most email providers. This feature could be useful if you’re dealing with many different legacy email servers which aren’t configured properly, but most people you email should use TLS by default. If you’re emailing with a service which doesn’t support TLS, then this likely means their email protocols are severely out-of-date and you should use caution contacting them.
Also, as a note, their website says that “We get only the best grades from external security experts” for their encryption. The tests they show only refer to the security of your connection to mailbox.org and mailbox.org’s connection to other email providers (like Gmail), not to the encryption of your emails being stored on their servers.
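Whether a given message actually travelled over TLS between servers can be read from its `Received` headers, which each server adds as it accepts the mail. The following is an added example, not from the original post or from mailbox.org; the sample message, host names and IDs are constructed, and the function names are hypothetical.

```python
import re
from email import message_from_string

# "with" keywords that record a TLS-protected hop (RFC 3848 and RFC 6531).
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
                "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA"}

# Constructed message: every host, ID and address below is made up.
SAMPLE = """\
Received: from mx.sender.example (mx.sender.example [192.0.2.10])
 by mx.receiver.example with ESMTPS id c0ffee01
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
 Mon, 06 Dec 2021 10:00:03 +0000
Received: from gw.sender.example (gw.sender.example [192.0.2.20])
 by mx.sender.example with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1;
 Mon, 06 Dec 2021 10:00:02 +0000
Received: from laptop.sender.example (laptop.sender.example [192.0.2.30])
 by gw.sender.example with ESMTP id c0ffee03;
 Mon, 06 Dec 2021 10:00:01 +0000
From: alice@sender.example
To: bob@receiver.example
Subject: constructed test message

hello
"""

def hop_report(raw: str) -> list:
    """Return (receiving host, protocol, tls_recorded) per hop, oldest first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        flat = " ".join(value.split())              # undo header folding
        bare = re.sub(r"\([^()]*\)", " ", flat)     # drop (comments)
        m = re.search(r"\bby\s+(\S+)\s+with\s+(\w+)", bare)
        host, proto = m.groups() if m else ("?", "?")
        # TLS shows up either in the protocol keyword or in a server comment.
        tls = proto.upper() in TLS_KEYWORDS or bool(
            re.search(r"\b(?:version=|using\s+)TLS", flat, re.I))
        hops.append((host, proto, tls))
    return hops[::-1]                               # headers are prepended

def hops_without_tls(raw: str) -> list:
    return [host for host, _, tls in hop_report(raw) if not tls]

if __name__ == "__main__":
    for host, proto, tls in hop_report(SAMPLE):
        print(f"{host:22} {proto:10} {'TLS' if tls else 'no TLS recorded'}")
```

Only the headers added by your own provider are reliable, since earlier hops can write whatever they like, and a missing TLS marker means the server did not record one, not proof that the hop was plaintext.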
Lavabit
Around this time, I heard about a third provider: Lavabit. Lavabit was the private email provider used by Edward Snowden, so that alone gave it a large dose of trust in my eyes. In addition, their owner had preferred to shut down their email service in the past rather than give over Snowden’s data, so I knew that Lavabit could be trusted.
I had one main problem with their current email service: their source code. They are open source (meaning anyone can see the source code they’ve written), but their server’s code hasn’t been updated since November of 2020. I didn’t know if this meant that they had stopped developing their server or if they had been forced to stop releasing it because of a governmental gag order, but neither option boded well for them.
If they had stopped development, then who knows what security vulnerabilities had popped up over the past year? I wouldn’t be willing to entrust my email security to out-of-date software. If they had been forced by a government order to intercept messages, then my emails could be intercepted by the service for other reasons, thus defeating my purpose of using a private email service. I treated their Github repository as a warrant canary, and I considered this a sign that their service had been gagged by the government. I have no evidence to back this up other than an un-updated code repository, but since the Government went after this service in the past, I don’t see any reason why they wouldn’t go after it again.
I had reached out to their support team via email asking if they were still maintaining their server code, but as I expected, I didn’t receive a response. This either means that they have a really bad support team (as of December 2021, they still haven’t responded to my initial request) or that they have been legally gagged.
Ultimately, I decided to pass on them, as this issue concerned me too much.
Protonmail
While I was investigating these options, a supposed “scandal” was going on with Protonmail, another private email provider. In this scandal, Protonmail was compelled by Swiss law to track and report a user’s IP address to the government as part of an investigation. This ultimately led to that person being arrested.
While many saw this as a reason to leave Protonmail, I saw it as a reason to join. Rather than looking at what they did give over (the user’s IP address), I looked at what Protonmail was unable to give over. They didn’t give over his emails, contacts, private keys, or any other personal data. It seems that it would have been easier for the government to find him if they simply requested this data, but they didn’t. I took this as a sign that this data wasn’t requested from Protonmail because they weren’t able to provide it.
Ultimately, this request showed me that Protonmail could be trusted. Even in the face of a government request, the fact that they weren’t able to give this data over shows that they themselves don’t have access to this data. In addition, their response was very clear in saying what they did and didn’t give over in this legal case.
While digdeeper.neocities.org points out some potential problems for people who are absolutely paranoid about privacy and analytics, I’m not at that point yet, so I decided that Protonmail would be a sufficient provider.
In addition, like mailbox.org, they are expanding their range of services beyond simply email; however, the benefit of proven privacy won out for me and I ultimately chose Protonmail.
Thus, ironically enough, Protonmail’s scandal is what caused me to choose them as my private email provider. Don’t just read the headlines, people – read the body of news articles, too!
Conclusion
Ultimately, I chose Protonmail because they had proven that they upheld users’ privacy. Protonmail claims to be secure and private, and through a scandal, they showed to me that they uphold these ideals. Startmail and mailbox.org still seem to be good providers, but to my knowledge neither of them have been held under the gun like Protonmail had, and I preferred Protonmail’s proven privacy to other providers’ unproven (that I know of) claims. Lavabit could be great, but their public source code hasn’t been updated recently, so I assumed this was a sign of something worse going on in the background.
Ultimately, I would suggest Protonmail to anyone looking for a private email provider. I’m not being paid/sponsored/anything of the sort to say any of this, but I encourage you to continue to do your own research. After all, to you, I am still a random person on the internet. Things may have changed by the time you read this article! The internet is a fast-moving place, and it’s always important to keep up with what’s going on in the digital world.
If you were going to buy a car, you’d check out more than one website about car reviews. Do the same for your email provider!
On December 6, 2021, I reached out to Startmail, mailbox.org, Lavabit, and Protonmail to ask for their input on this article. Protonmail chose not to comment, mentioning that they “do not routinely comment on third-party content”. Startmail has promised a response, and I will update this article once I receive it. mailbox.org responded, and I have implemented their feedback into their section of the post. I haven’t yet received a response from Lavabit, but if I do, I will use their feedback to improve their section of the post.