Email privacy

[rollers]

I have been using Gmail for some time now, with https switched on a two factor authentication, so I guess its about as secure as it can be without using PGP or the like.
One thing that does bother me is the adverts that google put down the right hand side of the page, its quite obvious from whatever email I have open that they are sweeping through every mail and giving me adverts dependant on the mail content.
Do all free email providers do this? If not are there any that are free or reasonable cost that won't harvest my email contents?

Thanks

[TheWindBringeth]

It is generally impossible to know what an email provider does with the information they are exposed to. Practically speaking, I think the risks of the provider using information from your emails for secondary purposes (profiling, advertising, etc) is considerably higher for free email providers especially if they are otherwise involved in the targeted advertising business. You'd obviously want to take a close look at why it is they are providing free email, how they are paying the bills, and their business model if that applies.

If you access the net via ISP, that ISP may provide their own email service which you could consider. Many consumer/residential oriented ISPs offer a secure connection between the user's machine and their internal servers, but don't make use of encryption when exchanging email with email servers belonging to other parties.

There are many other providers of email service, be it stand-alone or that which comes with a shared webhosting account, VPS, etc. Some of those plans, even if you add the costs of your own domain name (which can come in handy), are what I would consider relatively inexpensive. Certain options, including the ability to setup numerous email aliases, access log files, etc are extremely handy too). It has been awhile since I last shopped that market so I can't offer a recommendation. However, I would encourage people to consider such an approach. Of course, the same first sentence above applies so you'd want to carefully consider who would have access to the server. Be aware of resellers, hosting companies that run their offerings on someone else's cloud, etc.

[rollers]

Hi and thanks very much for your reply. What you say makes sense. I will have a look at some of the other suppliers and alleged more private ones, such as hushmail etc. I have nothing in my emails that I would consider highly confidential, its just that I don't like the idea of others sifting through them. Its a bit like finding out that someone has been through your bins looking for information on you.
I read somewhere that normal email is about as private as sending a post card...........can be read by anyone en route etc. I did go to the trouble of setting up an email encryption certificate, but the only problem there is that no one else uses them :-)
Thanks again, and I will do some reading and research on the more private providers.
Rollers

[TheWindBringeth]

Quote:

Originally Posted by rollers

I read somewhere that normal email is about as private as sending a post card...........can be read by anyone en route etc.

That is a reasonable way to view it in that the sender's "post office" can view the full message and the receiver's "post office" can view the full message. When it comes to transporting the message between two post offices though, the message can either be protected (via encryption) or not protected (in which case additional, intermediary transport companies carrying the message can read it). Such protection is a purely voluntary thing that will only work if 1) the recipient post office offers it, and 2) the sender's post office then chooses to use it. The common mechanism is the SMTP STARTTLS command.

[mirimir]

Quote:

Originally Posted by rollers

I will have a look at some of the other suppliers and alleged more private ones, such as hushmail etc.

Hushmail. Countermail is private, however.

[chronomatic]

Quote:

Originally Posted by rollers

I have been using Gmail for some time now, with https switched on a two factor authentication,

All that does is protect your e-mail while it is being transported from google to you. It does nothing to encrypt the message on Google's servers or from you to your contact. Anyone in between Google's server and your contact can read the message unless you and your contact encrypt them independently.

So you would either have to use PGP with your contacts or use a paid service like Hushmail or countermail (neither of which I trust, but it's better than nothing). PGP is the best way to do it, but I understand your frustration in that few people use it.

[tuatara]

Google is a party you can trust :

Google had previously admitted to spying on users:
http://www.zdnet.com/blog/security/g...passwords/7538

There is no other party in the world that tries to get and store more personal data from you then they do.

Setting up a secure connection to Google mail is a contradiction ...

[HAN]

chronomatic is dead on! Using https and 2 factor authentication anywhere (Google or anyone else) only protects the connection between the user and the email server. It does nothing for the email as it goes in transit from server to server across the web.

My theory is never use email for anything financial, private or highly personal. Period!

[chronomatic]

Quote:

Originally Posted by HAN

My theory is never use email for anything financial, private or highly personal. Period!

Not unless you encrypt it end-to-end using something like PGP. However, getting your contacts to generate and use PGP keys is like pulling teeth.

[mirimir]

Quote:

Originally Posted by chronomatic

Not unless you encrypt it end-to-end using something like PGP. However, getting your contacts to generate and use PGP keys is like pulling teeth.

Indeed. And not just people. Few service providers use encrypted email, even VPN providers. It's crazy. Several hosting providers have actually emailed root passwords to me!

I don't get it. Thunderbird with Enigmail is really quite easy to use. Key management does require some understanding, but instructions are available. Once you put your key on a public keyserver, anyone can find it. Although it's best to exchange keys in person, they are at least specific to email address. Perhaps someone who can't be bothered with encrypted email could say what stops them.

[chronomatic]

Quote:

Originally Posted by mirimir

I don't get it. Thunderbird with Enigmail is really quite easy to use.

Yep. I use thunderbird/Enigmail every day and once you get it setup, it is a matter of clicking "encrypt/sign" before you send the e-mail. You can even set it up to always encrypt to certain contacts.

Quote:

Key management does require some understanding, but instructions are available.

It depends on what you want to do. If you are in a large WOT, then key management does take a little knowledge. But in most cases, where one guy wants to communicate with another guy, all that it requires is keeping your private key safe (i.e. using a strong password).

Quote:

Once you put your key on a public keyserver, anyone can find it. Although it's best to exchange keys in person, they are at least specific to email address.

If you are not worried about MiTM attacks, then using keyservers are fine. If you want to be really sure the key belongs to your contact, you need to verify the key offline somehow.

Quote:

Perhaps someone who can't be bothered with encrypted email could say what stops them.

I would say laziness. Most people feel they have nothing to hide. But I also think most people just aren't aware how easy it is to snoop on unencrypted communications over the Internet. Nor are they aware of how many "hops" most communications take on their way from point A to point B.

[TheWindBringeth]

Quote:

Originally Posted by chronomatic

Most people feel they have nothing to hide.

I've heard some people express that opinion, but never understood them doing so. I understand children up to a certain age not having anything to hide and perhaps some people in extreme situations, but beyond that I think essentially 100% of people not only have many things to hide but actually engage in selective information sharing/hiding on a daily basis.

• I recently asked my 11 year old niece what she thought of a popular young male singer and because her parents were in the room she whispered her answer to me. She wanted to hide her feelings from her parents, which I think is natural for someone of that age.
• The other day I saw a teenager at the ATM, and they took steps to hide their PIN entry from those of us who were around. Which is exactly what everyone should do.
• I was at a craft store a couple of weeks ago and the sales person asked the buyer in front of me for their address and telephone number. The buyer, not wanting to be added to any advertising lists, chose to hide their information from the store and whoever the store would share information with. A sound decision.

Those are but three simple examples of the times when it is both extremely common and perfectly reasonable to hide something. Once you factor in that adults tend to have some personal possessions they want to protect, financial and health information they want to protect, information about others they want or are legally obligated to protect, etc it to me makes no sense to say "I have nothing to hide". In fact, I think the older one gets the more one tends to shift away from selectively hiding information to selectively sharing it. Some where along the line I think "something to hide" has in the minds of some become synonymous with "something illegal or unsavory to hide". I don't think that truly makes sense though.