Domestic vs. International Email Service for Security and Privacy

Discussion in 'privacy technology' started by cb474, Apr 30, 2015.

  1. mirimir, Registered Member (Joined: Oct 1, 2011; Posts: 9,252)

    Yes, it's hard when you're transitioning. My path was chaotic, for sure. But for those starting out, I have some advice. As a first step, start using a VPN service. Use a popular one, not one of the ones that only privacy geeks use. Look on TorrentFreak, and see what's recommended. Then start using Tor browser through the VPN. That hides Tor use from your ISP. Then sign up for another VPN service via Tor, and pay with Bitcoins. Run the VPN client in an Ubuntu VM in VirtualBox, and connect through the first VPN that's running in the host machine. My guides hosted by iVPN explain all that.

    Or you can use LockBox's approach if you're willing to work through public WiFi hotspots. It's probably more secure, but there's the extra complication of physical OPSEC.
    Although you need not abandon your old accounts, you must not use them with your new privacy setup. And you must not give away on the old accounts that you're using a new privacy setup.
    Don't cross the streams! First rule of Fight Club!
     
  2. cb474, Registered Member (Joined: May 15, 2012; Posts: 351)

    Thanks once again to everyone for the thoughts. I appreciate the discussion and conversation for thinking through these issues.

    *

    @Socio Well put, I think I've been caught up in a bit of that sort of confusion also. It's hard to balance all the factors against each other.

    I do think the VPN question is a bit easier to figure out and there are good options for anonymizing most of one's internet traffic (you have to rely on reputations and trusting people who you think know what they're talking about--as we do with most things in life--but it's not impossible or entirely a bad way to do things). Email is more complicated precisely because it's not just internet traffic, it's messages with clear personally identifying information in them that also leave the data stream you have some control over (with VPNs, etc.) and in essence enter the willy-nilly unsecured data streams of everyone else you deal with in life who can't be bothered with these things.

    *

    Yeah, I guess I may already be on a list. That aside, what good does sending unencrypted email through a VPN do? It will just be intercepted when it comes out of the email server, no?

    Fair enough, but for unencrypted email all we have is obscurity and legal protections (such as they are). And this is what my question has been about. For the unencrypted email that we all have to do with most people and organizations in our daily life, what are the good options (if any)? Do domestic vs. international services make a difference? Are there other good options in this area?

    Yes, one can separate things one truly wants to be private or anonymous from everyday life. But my question in this thread really isn't about that. I have a good idea how to make something private and anonymous when I need/want to. My question is about vanilla everyday life (which for email is almost all of my email). Are there better and worse privacy options for that?

    I don't want my vanilla everyday life hoovered up into the corporate and state agency archives for marketing/security analysis. It may be mundane, but it's my private life. I care about that. I should be able to keep it private. So are there any good options? Is Tutanota, Countermail, or Protonmail worth it for that stuff? Or are they worse? Or are there just no good choices short of trying to convince and teach my Mom how to do encryption?
     
  3. mirimir, Registered Member (Joined: Oct 1, 2011; Posts: 9,252)

    Sorry, I wasn't really getting it. Yes, for that email, it's arguably best to use domestic services. If your ISP offers decent service, use that. Gmail is probably the best from a technical perspective, but also probably the least private. VFEmail is US-based, provides solid service and support, and isn't over-the-top privacy-centric.
     
  4. deBoetie, Registered Member (Joined: Aug 7, 2013; Posts: 1,832; Location: UK)

    Completely agree that the country and jurisdiction aspect is something of a red herring - this is like looking for patterns in tea-leaves to guide your decision, which is admittedly hard/imperfect. If you look at recent posts on the EFF site, it nicely illustrates how imperfect the legislation is in the US with the Freedom Act, struggling even to deal with Section 702, let alone all the other authorities they abuse.

    I remember (this is illustrating my antiquity) - sending off for Chairman Mao's Little Red book from the Chinese Embassy - a group of us schoolkids did it. There was a little hullabaloo from the teachers because they thought the authorities might descend on the school. But no, I think using the encrypting web mail services (e.g. Protonmail, Tutanota) is one of those things, and if you are going to do it, you have to be aware that there is a team in NSA dedicated to subverting it - that will apply to any of those services or software. And to be fair, they do not claim that it will prevent those people from subverting your communications. Even there, the authorities benefit from spreading FUD. If, in fact, our security services are out of control to the extent we might fear at worst, then we have way more to worry about than anodyne personal email.

    The other aspect I'd like to stress is, objectively from what you've said, your security is going to be better than almost all your correspondents. So helping them improve their basic stance and opsec might be the best use of your time.
     
  5. krustytheclown2, Registered Member (Joined: Nov 18, 2014; Posts: 210)

    If your ISP traffic is being archived (possible if the NSA put you on a watchlist), then a VPN will prevent the email from being read as it's sent, unless of course the traffic from the VPN exit is also being archived (very possible with a US server in a mainstream data center) or your VPN is tapped via court order (unlikely). If the email server is in Switzerland or someplace that isn't too buddy-buddy with the NSA, it won't be intercepted at that point (short of a court order to the provider or provider's ISP based on a mutual legal assistance treaty, unlikely), but once it reaches your American recipient using Gmail or Yahoo, it will likely go through a keyword scan and be archived by the NSA.
     
  6. cb474, Registered Member (Joined: May 15, 2012; Posts: 351)

    Thanks for the idea with VFEmail. I didn't realize they were in the U.S. Their Metadata Mitigator feature looks interesting.

    Hmm, so you think there's still some benefit to overseas email services, for unencrypted email? I was sort of looking forward to just abandoning all of my U.S. based services. But, as I've been saying, I'm not sure it's the best idea.

    Maybe there's no good answer to this question about unencrypted email, other than, as deBoetie suggests, trying to get people I communicate with regularly to use encryption (it's been a hard sell so far).

    Of course, if I'm already on a list just because I visit Wilders and use Linux (now that I know that "Linux" is a dangerous key word), then maybe it is even more irrelevant where my unencrypted email service is located.
     
  7. krustytheclown2, Registered Member (Joined: Nov 18, 2014; Posts: 210)

    If the email service is going to be used mainly to communicate with family/friends that use Gmail/Yahoo, and will be linked to things like your credit card account, Paypal, etc., I'd say that it's an exercise in futility. The main reason is that, unfortunately, it looks a bit suspicious to most people to see an account like that - they might jump to conclusions and label you as a paranoid or criminal. Also it probably makes you a bit more interesting to spy agencies, and they will still be able to intercept everything at the recipient's end anyways.

    For slightly more privacy than a service like Gmail, which is known to search through emails to serve advertising, I'd go with something slightly less mainstream but not necessarily privacy-oriented and obscure; gmx.com and Yandex Mail seem like the best options. They're not going to make you stand out much, while still not being as in bed with the NSA as the likes of Google, afaik.
     
  8. cb474, Registered Member (Joined: May 15, 2012; Posts: 351)

    Yes, if I am specifically targeted by some state agency I can see that for unencrypted email there is probably nothing to do (even perhaps for encrypted email, depending on the agency).

    But if I am (naively?) assuming I am not a specific target and just want to avoid mass dragnet archiving of unencrypted email, then presumably my email would not get archived when it arrives at some other person's Gmail account (unless we assume that all email is being archived legally or not). I guess you are assuming that anyone with a Tutanota, Countermail, Protonmail, etc., account is being targeted? And of course the original point of this thread was whether anyone with an extra-U.S. account is subject to mass archiving and scanning, as their emails enter and exit the U.S.

    VFEmail's Metadata Mitigator feature (https://www.vfemail.net/faq.php#twentyone) in their paid accounts is interesting though, since it removes any personally identifying metadata, perhaps making one's email less likely to be scanned, unless we assume all email is being scanned. What do people think of the Metadata Mitigator?

    Anyway, perhaps there is no way with email to avoid mass scanning and archiving, other than strong encryption. My head is starting to spin, thinking through the factors and counter-factors.
     
  9. MisterB, Registered Member (Joined: May 31, 2013; Posts: 1,267; Location: Southern Rocky Mountains USA)

    Setting up your own email server can avoid some of the archiving. You will be in control of the archiving on your end but you have no control of what happens at the recipient's end and what email service they use. If both sender and recipient use their own servers and encrypt, that would be fairly secure. A closed loop system that would be vulnerable to intercepted packets but there would be no big corporate servers keeping copies.
     