The more I’ve been working in IT, the more I’ve seen security disasters and the more I’ve become self-conscious about privacy and security. One of the largest pieces of our digital presence is our e-mail address. I’ve wanted to secure my e-mails and my privacy for a long time but the hassle of going through it always seemed overwhelming. At last I decided to make this happen. Here are some thoughts and a description of the challenges/roadblocks I have encountered, what motivated me and what needs to be thought about.
What made me move away from Google
Government snooping
I’ve been using Gmail for a long time, since the early days when you had to get an invite from someone else to participate in the beta. Don’t get me wrong, Gmail has been a convenient service and a faithful helper like many Google services. However, as time went on I became more and more conscious about privacy and security issues, as well as blanket surveillance programs by many governments, especially the US government. Since Google data is very likely stored in the USA, and Google is a US company, the likelihood that Google would have to submit to any US judiciary order to disclose data or to participate in mass surveillance agreements with US intelligence agencies is very high. There was recently a case where data stored by Google outside of the US should be subject to US laws and should even be “temporarily repatriated” for analysis purposes. While the USA is the most prominent state in the world performing blanket surveillance activities, it’s not the only one, far from it. Almost every nation does it with more or less success. Yes, every nation. Even Ethiopia!
Advertisements and E-mail scanning
Another issue with Google is the fact that while their services are mostly free (except the capacity I pay yearly for Google Drive) they monetise mainly through advertising and well, “if you ain’t paying for the product, you’re the product”. I am concerned with any access to my personal communications for advertising purposes. My father died of cancer at the end of 2015 and suffered a long time. Most of my communications with my family were handled either through video calls or chat (Facebook). I wonder what would have happened if I had been using my mail: would I have got sponsored content for pain relievers or for alternative cures? Of course I didn’t get anything as such, but the thought is unnerving. Microsoft made a video some ages ago that mocked Google for scanning for intimate data. At the time my reaction was to shrug it off and mock Microsoft, but the reality isn’t far from the exaggerated video.
Encryption? Yes but…
Finally, the lack of encryption on the backend (stored data) is another factor. You can talk about privacy and data security as much as you want, you can force HTTPS traffic, claim that the connection between the user and your servers is secure, but if you store everything on your systems in clear text then you’re not protecting the privacy of your users (disclaimer: I never said or implied that Google ever made a statement of protecting users’ privacy). I acknowledge that for a company such as Google, which provides a free service to their users, there is a need to seek efficiencies, and storing trillions of emails / objects / attachments wouldn’t be efficient without the use of deduplication mechanisms (mechanisms which would be rendered irrelevant if each mailbox were encrypted with its own key).
A path filled with challenges
Google goes to great lengths to offer a service that is convenient and makes you reluctant to leave. It took me a long time to mature this decision. I am an early adopter of Google Inbox and the way data is classified (Bills, Trips, etc.) is amazing. Yet this comes at the cost of making your data available to Google for scanning purposes (even if it is automated).
Once you accept the fact that you’ll pay this price to gain ownership of your data, the journey to your freedom is likely to be slowed by several challenges:
- Your e-mail address is likely the logon handle for many web services
- You’re subscribed to zillions of newsletters
- You probably are signed up for many services that you’ve forgotten about
- You’ve exchanged emails with so many people that you can’t keep track
Let’s cover these in detail.
E-mail used as a logon handle
Most services use your e-mail address as the logon handle. Out of 100+ accounts, it turned out that 4 out of 5 would allow me to change my email and logon information without hassle. I was pleasantly surprised that most services now ask for a confirmation. The problem lies with the 1 out of 5 services which do not allow you to do so. My recommendation is to contact their customer support and ask for advice. Obviously, do this only if they are important to you; otherwise this makes the accounts candidates for sanitisation.
A special mention goes to Slack. Being part of 6 Slack teams made the change an absolute mess of back and forth emails/verifications etc. There should be a way to use a single ID across Slack teams. Maybe I didn’t explore that sufficiently. In any case thanks for nothing, Slack.
Account sanitisation
One topic I was discussing earlier in 2016 was my approach to personal security and the use of a good password manager. While password managers are great tools, they’re only as effective as you are at keeping track of the accounts you have created here and there, and from time to time a review of your existing accounts is needed. Ask yourself if you need an account with this service or that service. If the answer is no or maybe, then you’re better off deleting your account.
I do this for two reasons: first of all, I reduce the complexity of managing many accounts. Secondly, in light of the many security breaches, having fewer accounts means having a narrower attack surface. Not only should you absolutely ensure that you use random, different passwords for each individual site, but you should also make sure that you share your personal information only on a “need-to-know” basis. Reducing the number of accounts reduces your attack surface and reduces the likelihood that your personal information will be leaked in case of a site hack/breach.
Sanitisation doesn’t stop with eliminating unneeded accounts. Whenever you can, unsubscribe from mailing lists and make sure only relevant content is delivered to you.
Letting humans know
This one seems tricky but is not as hard as it seems. First of all, you should set an auto-reply message that informs senders of the e-mail change. You will receive bounce-back messages from automated services but hey, it’s part of the deal.
Secondly, you should inform your important contacts (family, customers, friends, communities etc.) that you are moving. A proactive e-mail sent to these groups will help. Pay very close attention to official outlets such as tax offices, social insurance, accountants, banks etc. It’s better to handle this proactively than to have to deal with it under the pressure of urgency.
You can double down by making announcements where appropriate (be cautious when using social media to make sure you have the right reach; avoid public posts on Facebook or Twitter).
Transition
The transition from one mailbox to another is a potentially long-term activity. You will need to keep an eye on the older mailbox for months to make sure you don’t miss anything important. I recommend emptying the mailbox and keeping it dormant in case anything important and unforeseen comes through.
Bonus: additional info for Apple users
If you’re an Apple user, and you use your mail identity as your login information / Apple ID, this can be changed. But you need to proceed with caution, as I learned at my own expense. First of all, you should sign off from iCloud and iTunes on all of your devices. When doing so, ensure that any data is replicated to your iCloud storage. Once you’re done with this, you can go ahead and rename as needed. If you don’t, you’ll be stuck in a sort of loophole where you can’t log off and are also prevented from logging on/authenticating, as iCloud and associated services expect a password for an account that was renamed.
Outcomes
While overall I am very satisfied with the move, there are still some things that I am not 100% happy about.
Two-factor authentication
One of these is the fact that ProtonMail, while offering a two-factor authentication method, does not support the FIDO U2F (Universal 2nd Factor) protocol, and I’ll develop this section into a more general rant. I like the concept of using a unique physical device as a second-factor authentication token to secure my access. SMS as a second factor isn’t bad but your device could be compromised by malware or a sniffer. Also, I’m not a big fan of the various authenticator apps. As usual, choices by various providers/vendors are detrimental to the customer. For example Cloudflare 2FA (two-factor authentication) works with Authy, ProtonMail supports Authy and Google Authenticator, AWS supports phones and Authenticator. That’s a mess for end users who need to juggle between 2FA methods, which makes the use of 2FA cumbersome unless you’re truly security-conscious and put security beyond convenience. In my case I hope that ProtonMail will soon support the FIDO U2F protocol.
Mailbox encryption and interoperability
Another thing which would benefit from improvements is the handling of PGP keys. In the case of ProtonMail, you cannot import keys created elsewhere. You can export your mailbox key, but that means that this key sort of becomes an authoritative identity. My vision is that you should be able to generate your PGP key pair independently of ProtonMail and import it into ProtonMail or whatever other service you have decided to trust. For example I use keybase.io and my public PGP key is readily available to anyone who would want to send me encrypted information. I use my keybase.io PGP key with Facebook. Whenever I get an FB notification, the notification is sent in encrypted format to my ProtonMail inbox. If I had the ability to use my keybase.io PGP key to encrypt my mailbox, ProtonMail should be able not just to store the data in an encrypted format, but also to automatically decrypt encrypted emails that are sent to me and that were encrypted using my public key.
Max’s Opinion
Changing e-mail provider (especially moving out from Google Mail) sucks but I see it as a necessary evil. Google’s mantra of “not being evil” is not sufficient to ensure your own individual privacy. I think of Google as a benevolent big brother that could become an evil, all-seeing-eye of Sauron under the wrong influence or under constraint. Also, consider from a philosophical perspective that benevolence for the masses may not equal benevolence for a single individual, as the interest of the masses may go against our own individual interests.
As I grow older and see the outcome of data leak after data leak, the legitimate need for privacy and data ownership has outweighed the comfort of an easy-to-use service and has led me to this perilous transition. I consider the right to privacy as a basic human right that we should all defend. I must also say that my passive support for the EFF (Electronic Frontier Foundation) in the last few years, which turned into active support and membership earlier in 2016, has also been fundamental to this approach. The EFF defends your digital freedom. If you have some spare bucks I encourage you to support them as well.
Everyone has a different scale and perception of external factors. If the comfort of using Gmail far outweighs the security risks as you perceive them, you might just want to stick with Gmail. What matters is that you are the one in control of your decisions, and that you decide with all the cards in hand.
If there is one thing to retain from this exercise and this article: planning is paramount. Plan your exit well and carefully. Keep track of your accounts and your progress in a spreadsheet or any other form of document you may deem appropriate. And remember: do not store passwords in clear form! Use a password manager.
Good luck!