Email for business vs. Email for friends

Been using Gmail, GMX and Lavabit until recently. Now I have deleted all my Gmail and GMX accounts, Lavabit, unfortunately, got shut down.

For business I get a lot of unencrypted email sent by companies, partly with my personal details and address in it (order confirmations mostly). What email provider is best to use for this sort of communication?

There is no way, unfortunately, to ask all these companies to start using encryption for this type of email, however it would be a dream come true if companies would do this.

What free or paid provider is decent enough to receive these sort of emails? My main business is in Europe, so perhaps a service that has servers outside of the US?

I hate Gmail for the fact they scan your emails for keywords. Never used FaceBook and half a year into using Gmail for the business emails mentioned above, I searched for the email ID, without the @gmail at the end, and searches showed a FaceBook page with a person's name being very very similar to mine, though I never have and will use FaceBook. Made me very angry. So ideally I want to avoid something like this in the future.

Altogether it seems with all the surveillance going on, having a normal email provider for either business or friends, without wanting other people to read the contents or scan for keywords for ads is not possible at all. Given this fact, what email provider would you recommend, free or paid, for receiving and sending everyday business emails?

About email for friends? How do you do it? Most of my friends don't want to use encryption, so either I don't email with them any more or the contents are not personal at all. Though it would be nice to be able to send photos or exchange news about life in private with them without them having to do too much IT work. What is your approach to this situation?

Any help or input is very much welcome. I am still in the process of deciding for a new email provider. Many thanks for your help.

edit: What about runbox.com, are they OK?

 

Sounds like you're pretty security conscious. Honestly there isn't going to be a 3rd party service that is ultimately secure, because, well, it's a third party email service. This is precisely why Silent Circle shut theirs down.

You might see these:

Bitmessage's NSA-Proof E-Mail
Private Email Services
Best Online Privacy Email Services & How To Use PGP


But really, it sounds like the way for you to go is host your own...

NSA-proof your e-mail in 2 hours

 

Thanks for your reply!

Even if I host my own, as soon as I get an order confirmation from a company anyone can read it and has my details and address in it, no? I mean as soon as such an email leaves the company's server it can be read, no?

Or as long as anyone with a Gmail account writes to my own hosted email, again this email can be read by just anyone, and if I reply to a Gmail account, that reply is stored on Gmail servers forever.

So what is the use scenario for my own hosted email then? It would only make sense if I purely use it with people that have encryption set. So all the companies I deal with, the online stores I buy from and sell to and all the others fall out of this scheme, no?

So even if I sign up to CounterMail, those companies sending out the order confirmations will still send my info out in the open, if I want it or not.

With regards to that fact, what email service should/could be used then? Pretty much anyone, as, fact is, those shops/companies will still send out emails in plain text.

I am security conscious but also need to be able to send and receive email, if not for friends at least for those businesses I deal with. What can be done there?

From the NSA-proof your email link, the bit I don't understand in the beginning is, email going over TLS. Does this mean if my email is received over TLS it is encrypted already (on the wire level)?

 

Not necessarily. That's what the bit about TLS is about.

I'm not sure what you mean "just anyone." You're someone. I'm pretty damn sure you can't read my gmail. Google can. But no, "just anyone" can't.

If it's Google/government you're worried about, then yes, any unencrypted messages that hit Google's servers, Google (and government) can read. So any plaintext message that is sent to or from Google's servers, can be read.

Um. The one you specifically gave:

"For business I get a lot of unencrypted email sent by companies, partly with my personal details and address in it (order confirmations mostly). What email provider is best to use for this sort of communication?"

No, provided they send over TLS, and unless your enemy has access to their servers (and they are unencrypted), this is not the case.

Whether they send emails plaintext or encrypt the actual message before sending, it's not going to make a difference. If your enemy has access to their servers, there isn't much of a way to ensure a secure message. If the enemy does not have access to the company servers, then it doesn't matter if they encrypt the message itself, so long as they send over TLS, which is a practice that is becoming more and more commonplace.

Host the business's email for them and encrypt your servers. Short of that, there's nothing you can do to ensure they won't leak your information. Communication is a two-way street. The only end you can control is your own. If you can't trust someone else with your communication, then you shouldn't be communicating the sensitive information with them.

I'm sorry, but no one has yet figured a way to magically control other people and what information they reveal.

 

Truly impressed by your reply. Thank you very much for taking the time.

I think I have not really understood the basics of email in this case.

TLS, if used, sends the message in an encrypted format from start point A to destination Z, where several forward points B, C, D, etc will get the message but only in encrypted format. This is how I understand the use of TLS so far. This is correct, right?

Given the situation the companies (Amazon, Ebay, various clothes and online music stores) I buy from (and these are normal everyday goods, we are not talking sensitive information or illegal goods of any kind) do not use TLS to send me order confirmations how is hosting my own email going to protect me from some administrators at forward points B, C, D, etc reading the contents of those order confirmations?

Are there at all forward points B, C, D, etc when I host my own email or will the outgoing message connect directly to my server skipping all other forwards point?

Regardless of if there are forward points or not, how is hosting my own email better when the sender does not use TLS? As long as the message travels to my server and is not sent via TLS it is like sending a postcard, no? The only better thing will be that I have physical control of the data on my server, nevertheless when in transit it can be read and copied like a postcard, no?

Is there a way to block incoming email that is not sent with TLS? (hopefully then an incentive for companies to start using TLS for emails with customers) Like an add-on for Thunderbird? How can I know if incoming email is sent of TLS or not? In the email header? If so, where there?

Since I am far from setting up hosting my own email, can something similar be done with either a paid or free email service? Does CounterMail for example help in this situation?

Can something similar be done with setting up a simple domain and then hosting the email under that domain? What email hosting services could be used for receiving email that is not sent over TLS? Are there solid email hosting services out there?

I don't know if I should be worried about Google or government reading my email, what I really do not like though is that a FaceBook account is linked to my (now deleted) email ID despite me never having used FB. So clearly either Google or someone else must have leaked my personal info and somehow linked it to a FB account. Something like this I want to avoid in the future.

You mention "Host the business's email for them and encrypt your servers." I cannot host email for the companies I get order confirmations from really, so not sure what you suggest here.

Beginning to grasp this on a deeper level, sorry for the many questions, your replies help me tremendously. Any further help is truly appreciated. Seems I might not have to dig so deep after all when all I want is some very basic privacy when buying or selling goods on various platforms online.

 

It is *possible* for email to be delivered securely, from the source, through all intermediary, and to the destination server - IF STARTTLS is configured on every single one. This is nigh impossible to verify, and if even one intermediary server says "I can't do that", the email drops back to plain old port 25 unencrypted.

PGP is the only way to insure that the mail can be read only by the sender and you.

But running your own server does protect against fishing expeditions on stored content - and that's a big one. You'll know if someone wants to look through your email sitting in your house - hopefully.

I run my own and it's been flawless. The one hiccup was when my ISP started blocking port 25 (they didn't used to, and started without warning). So now, in addition to a dynamic dns, you might need a mail forwarder or "reflector". I get mine through No-IP.com, pretty cheap.

But yeah, without PGP it's possible some intermediary server operator, or "wire sniffer" can see your address.

PD

 

I'm not completely sure what you mean by "forward points". But yes, the bottom line is the message is encrypted "over the wire", as in, during transport. So anyone eavesdropping on your traffic should not be able to determine what exactly it is. See the "description" section.

How have you determined this, exactly?

Hosting your own email isn't going to protect you from any sort of eavesdropping on traffic as it is sent to you. That's not its purpose. I never suggested otherwise.

It depends on what you mean by "forward points".

If you host the mail yourself, you only run the risk of it being snooped while in transit. If you let Google host your mail, they have a copy that can be mined at any time.

Yes this is possible. Here Google offers instructions on how to do this for customers using their Google Apps service.

I'm not very familiar with Countermail, but given the whole point of hosting your own mail is to cut out the middle man, I don't see how it's feasible to have a 3rd party service setting people up with their own hosting. I'm not saying it doesn't exist, I'm just saying I don't know of one, and it kind of defeats the purpose anyway.

Again, this is precisely why Lavabit (and subsequently Silent Circle) shut their email services down.

Again, this is defeating the whole purpose. You're also focusing on the potential eavesdropping, and neglecting the data mining. The odds of anyone catching your specific consequential traffic in transit are much lower than grabbing it at rest. Unless you're already on a watch list and being monitored specifically, there's a greater chance your email archives are going to be the source for mining material.

The concern in terms of privacy and security comes from the ability to go back through all of your communications if and when you become a target.

This is what Snowden was talking about in the comment I quoted here.

I'm not sure what you mean. It sounds like you're simply saying that you used a Google ID, and then deleted it, and later found out that someone with a name similar to yours snatched up that same ID. Are you saying the ID and your name are in no way similar? Like, your name is Frank, and your email ID is "justinbieberlover732"? If that's the case, then yeah, your name got associated with that ID somehow. This usually happens when you use an email in an official capacity and a company that you correspond with shares your info with a 3rd party. Or even more likely, you simply filled out information somewhere and put your name and that email address on the same form together. The fact that the company was going to share that info was probably in the fine print that you didn't read.

However, if you're name is "Frank Smith" and the ID you had was "FrankS71", and then you found someone by the name of "Frank Smithson" using that same ID...I don't really find that extremely odd. I wouldn't even necessarily think that qualifies as a coincidence.

Well, if you can't host their email for them, then I guess you can't guarantee they won't leak your info.

If that's all you're looking for, I wouldn't worry so much about confirmation emails being unencrypted during transit. As Schneier says, security is a chain, and it's only as strong as its weakest link. And any attacker is going to shoot for the lowest hanging fruit. I recently mentioned in a different thread how it's pretty easy to get ahold of purchase records. Anyone interested in you as a target is going to go after that first. They'll look at your bank statements and credit card statements, and try to get into your personal accounts before attempting to grab traffic over the wire. Granted, it has been suggested that the NSA and others on that level have been grabbing email traffic at random and storing it, but again, if you become a target, they're not going to have to mine your email to find out what you've been buying and selling online.

Now, there are of course ways to purchase and sell online outside of the normal bank/credit card payment channels...which would mean the Internet traffic would be the only way to identify you. In that case, if you're really that interested in keeping the transactions private, you shouldn't be using personally identifiable information in the purchase anyway. Use a disposable email address, or at least an anonymous one. Use a fake name. Make it so that it doesn't matter if anyone can read the confirmation email.

Bottom line is, you're probably worrying about the wrong things. If your activity isn't that big of a deal, confirmation emails sent unencrypted in transit are pretty low on the totem poll of concerns you should be devoting so much time to.

That being said, I fully recognize and appreciate that "not that big of a deal" is quite a flexible and relative term, as illustrated by my posts here and here. With the "three felonies per day" phenomenon, and the ever-broadening definition of terms like "terrorist", if someone has enough resources to gather enough info on your life, and enough motivation to go after you, they could almost certainly turn it upside down, even if you're Mother Theresa.

And in light of that, it is certainly tough to judge what is meaningless and what isn't...what needs to be kept extra private and what doesn't. So it's a call only you can make. Every person's risk tolerance and means to satisfy it are different. Only you can determine your security balance...as I'm sure you're discovering, with each layer of security, comes a greater cost and inconvenience.

 

JackmanG, truly many thanks for your detailed reply. This really sorted all of my questions. Many many thanks to you for explaining and going into such detail.

Best Regards

 

I am assuming not, are they? Do the majority of the companies care to send their information to customers over complete TLS start to end? Most smaller online shops are happy to get their email working at all.

Just to clarify this. I made a Gmail account let's say "SwimRouterProxy1984@gmail.com" and used it for buying and selling goods with my real name. My real name I cannot tell but let's just say it was Manuel Gonzales McSmitherson. Let's now also assume there is no one else that has SwimRouterProxy@gmail.com and let's assume Manuel Gonzales McSmitherson is a not so common name. So after about 6 month of using the gmail and searching for it online, so searching for "SwimRouterProxy1984" one single search result came up, that one being a Facebook account of the name "Manuela Gonzales Smith" so quite similar to my name. Since I do not use Facebook and kept the gmail only for ordering and selling on various sites, either my info leaked and got connected to that Facebook account or someone snooped on me or, what is more likely, info got exposed to a 3rd party. I am very cautious where I supply what and do keep email addresses apart very strictly so this was very unusual to see for me to happen.

Just felt like adding this to complete the discussion really and to answer your questions as well. Thanks for your input. With your input I managed to change my perspective on email privacy and what to look out for for the things I use email for.

 

I haven't seen any data on this, and I'm not sure where it might come from, but I know I've heard of major ones like Gmail supporting it. If you're interested, obviously you could run a search, or send test emails and observe the logs.

The point is simply assuming one way or the other isn't very proficient.

Did you happen to see this?...

You Might Have an Invisible Facebook Account Even if You Never Signed Up

Yeah it's all a matter of personal preference in that balance between risk tolerance and inconvenience/cost. If it's something that is of interest/importance to you, just keep a pulse on various news in the security community and you'll learn a lot.

You might set up an account at Feedly or Feedspot and subscribe to a few good tech sites. Just reading this kind of stuff regularly will up your tech IQ considerably, and give you a much better handle on things. A few suggestions:

http://Schneier.com
http://www.hacker10.com
http://null-byte.wonderhowto.com
http://gigaom.com/tag/cybersecurity
http://arstechnica.com/security
http://techcrunch.com
http://lifehacker.com/tag/security
http://torrentfreak.com