[personal profile] cybersecurity

Let's start off with something fairly easy: getting your email off of US soil. If you're using a Europe-based provider, they can't be subpoenaed into handing over your data. That is exactly the result we are after. A US company, like Google, can be forced to hand over your data even if that data is not stored in the US, according to this article. Just another reason to avoid them like the plague.

Here are some good and mostly free options; keep in mind that a good, reliable and secure email provider is in my view well worth a few dollars. Most of the free providers also offer a paid option with more features, more storage, and so on.
These providers generally offer an English-language interface; one less thing to worry about.

All of those listed below offer built-in encryption that you don't have to know anything about in order to use. You may feel that you do not actually need that, but it's a valuable layer of security. Then again, if your goal is just to get away from Google and/or get your email into a place where the US government can't easily reach, you have a lot more options (see links below).

Provider (country) | Price | Features | Storage
OpenMailbox (FR) | Free | Encryption, POPmail, IMAP | 1 GB
ProtonMail (CH) | Free | Encryption, webmail | 0.5 GB
Tutanota (DE) | Free | Encryption, webmail | 1 GB
Mailfence (BE) | Free | Encryption, webmail, POPmail, IMAP | 0.2 GB
StartMail (NL) | € 49,50/year | Encryption, webmail, IMAP | 10 GB

You'll find more options listed here and here. These lists also show providers that do not offer built-in encryption.

Some of you are probably familiar with Lavabit. That is a privacy-conscious provider that the US government tried to force into giving up its data (and its encryption keys) in 2013 because it had an account that belonged to Snowden. The owner responded by pulling the plug and did not give up the data. Now they are (soon to be) back. I would trust these people but their service is on the geeky/techy side. They are preparing to offer 5GB of storage for $30 a year and they are quite serious about security. Not bad!

If you have your own domain name, another option to get e-mail service is by using the service offered by your domain hosting provider, if they offer that; of course, they may be using servers in the US, so you'd need to check that first. But for some of us, that's a good option, with the added advantage that your email address never needs to change for the rest of your life if you don't want it to.


Bonus!

Need a free throwaway email address for one hour only, with no records kept? Here you go.

Protection level and limitations

How much does having an EU provider protect you? That's hard to say. If you have a provider that you trust, the chance that they will hand your data over to the US government is definitely smaller, because they can't be forced to do that as easily as a US-based company can. So that is a certain level of security.

However, there are some reasons why 'they' can still get your data:
- The receiver may use a US provider, who may be forced to hand its data over.
This would of course give them access to only a segment of your sent emails. Sure, they can probably puzzle all your email traffic together this way, but it's harder and more expensive than just asking Gmail to give them the whole batch.
- Data has to travel somehow. It needs to travel through US servers to reach you, and can be read on the way.
If your provider uses secure POP, secure IMAP and secure SMTP (usually done through something called TLS) then your data is encrypted on the way from your computer to your email provider's server and back. That helps, for sure. Pay attention to whether your provider of choice offers TLS or its predecessor, SSL. You don't need to know how they work, just make sure that they offer them so you can use them. It's generally a server setting in your email program.
Webmail is generally protected by the HTTPS protocol (S for Secure).
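
To see which legs of a message's journey were actually encrypted, you can read the Received headers each server stamps on it. The following is an added example, not part of the original post: it assumes servers record the standard "with" keywords (ESMTPS, ESMTPSA and so on, from RFC 3848), and the sample message and host names are constructed. These headers are self-reported by each server, so treat the result as a hint rather than proof.

```python
import re
from email import message_from_string

# "with" keywords that mean the hop was received over TLS (RFC 3848 plus UTF8 variants).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
                 "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA"}

# Constructed sample message; all host names and addresses are reserved examples.
SAMPLE = """\
Received: from relay.transit.example (relay.transit.example [198.51.100.7])
\tby mx.recipient.example with ESMTP id def456;
\tMon, 14 Nov 2016 10:00:02 +0000
Received: from out.provider.example (out.provider.example [192.0.2.25])
\tby relay.transit.example with ESMTPS id ghi789
\t(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256);
\tMon, 14 Nov 2016 10:00:01 +0000
Received: from laptop.home.example ([192.0.2.100])
\tby out.provider.example with ESMTPSA id jkl012;
\tMon, 14 Nov 2016 10:00:00 +0000
From: alice@provider.example
To: bob@recipient.example
Subject: constructed test message

Hello.
"""

def hop_report(raw_message):
    """Return hops in travel order as (from_host, by_host, protocol, used_tls)."""
    msg = message_from_string(raw_message)
    hops = []
    # Every server prepends its own Received line, so reverse for travel order.
    for value in reversed(msg.get_all("Received", [])):
        line = " ".join(value.split())          # unfold continuation lines
        sender = re.search(r"\bfrom\s+(\S+)", line)
        receiver = re.search(r"\bby\s+(\S+)", line)
        proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", line)
        name = proto.group(1).upper() if proto else "UNKNOWN"
        hops.append((sender.group(1) if sender else "?",
                     receiver.group(1) if receiver else "?",
                     name, name in TLS_PROTOCOLS))
    return hops

def unencrypted_hops(raw_message):
    # Hops whose receiving server did not record a TLS protocol keyword.
    return [hop for hop in hop_report(raw_message) if not hop[3]]

if __name__ == "__main__":
    for hop in hop_report(SAMPLE):
        print(hop)
```

In the sample, the leg from your computer to your provider and the next relay are encrypted, but the final handover to the recipient's server is plain ESMTP, which is the gap that TLS settings in your own email program cannot close.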

It's good to realise that you are by definition leaving a trail when you're sending email. Anything you can do to obfuscate that trail helps keep you a little bit more secure. But using a non-US email provider is not a panacea.
End-to-end encryption offers a lot more protection, but for most of us, that's just not feasible, at least not all the time. If you're interested, Enigmail combined with PGP (Pretty Good Privacy) is a good option for POP and IMAP, and runs as an add-on in Thunderbird and SeaMonkey Mail.

What are POPmail, IMAP and webmail?
  • Webmail is email that you read and write on a webpage, as shown by your browser of choice (such as Firefox). Can be useful to those who want to use email on the go, on computers that aren't their own. No e-mail software is needed.
  • POPmail is email that you download into your own computer, using e-mail software such as Thunderbird (or Outlook, but let's not go there). Can be useful to those who want to keep control over their stored emails. Be sure to make backups now and then.
  • IMAP is email that you view through e-mail software but that lives on your provider's server, not yours. Can be useful to those who use several computers for their email and want to keep things synched, yet prefer email software over webmail.
Using e-mail software (also called an e-mail client) has the advantage that you can add a digital signature as well as encryption.


This blog post has been edited on November 13 and 16, based on feedback from readers. Thank you!
New links have been added on December 3.
More links added on February 8 2017.




Go back to the index of Cybersecurity for the Trumped.