Email is something that's critical to get right. Almost every online account can be recovered (or stolen!) through email. This means that it's the most important account to secure. Rotating your e-mail password more often than other accounts can definitely make a difference in the long run.
Beyond just being able to steal accounts, a hijacked email can also be used to spread scams and malware to others. Taking account security seriously is important!
Choose a Great Provider
Choosing a provider can be difficult. Even when one finds a great one, it's not worth entirely relying on a single provider. If you run your own website, e-mail hosting can sometimes be included with web hosting. Of course, there's always the option of running it yourself. That, however, has its own challenges, though there are many advantages.
Email Provider Recommendations:
Criteria to consider:
Privacy
There are limits to how private e-mail can be, but it's at least worth selecting a provider that isn't profiting off scanning your mail.
Things to consider for privacy:
How long the provider has been in business
Reputation of the provider
Jurisdiction
Business model and funding sources
End-to-End Encryption
Features
Different options may have some variation in offerings. Important features can be:
Webmail
Storage size
Custom Domains
Disposable aliases
Multiple accounts/mailboxes
Encryption / PGP Support
Client (IMAP & POP) Support
Forwarding and Filters
I personally believe the best-case scenario for mass e-mail providers is responsibly run local non-profit enterprises. As online communication has become more central to people's lives, competitive local infrastructure needs to take a more central role. While on the total other end of the spectrum, there also needs to be a place for less personal, but still quite small, providers that operate indiscriminately. Both have a very important place in safeguarding online freedom from a variety of threats.
Email Encryption
Every e-mail provider is going to market itself as secure. Secure from what, one may ask? Security is about proactive measures taken against particular problems. Nothing is 100% secure. Many security features proudly proclaimed by big tech services are really just about protecting information in transit as it goes from your machine to theirs. It's very difficult for a provider to protect you from themselves, even when there's a desire to. There is always a degree of trust involved with hosting your data on somebody else's computer.
Domestic government (and corporate) surveillance is a serious concern as well. Many of us in the so-called "Free World" have to be concerned about the 5 prying eyes. With all this in mind, I would never put too much faith in email security guarantees. Even in the best of circumstances, treat e-mail like you would a postcard in the mail; not for anything particularly sensitive or private.
Strategy 1: Inbox Level
There are many end-to-end encrypted ("zero knowledge") mailboxes provided by larger privacy-focused email providers. How it works is that in addition to your emails being secured in transit, they are also encrypted when they are stored. This means that as long as your account/password are secure, your email's content can only be read by you. This often comes at the cost of third-party client support.
This strategy has advantages, mostly its ease of use. It saves you the time of having to manage your own encryption keys, meaning that others should be able to send you encrypted emails right away. The downside of this strategy is that you're still placing a significant amount of trust in the provider, especially if you're using it for sensitive information.
Strategy 2: Message Level
When using your own email client, you can choose to proactively encrypt emails with PGP. For recipients who've already set up their keys, some clients will be able to auto-discover the correct key for you, so it can be fairly convenient. This strategy ensures that the email is secure from all other parties as long as the recipient's keys are. If your recipient already publishes their PGP key. (Here's mine)
Metadata headaches
Regardless of which strategy you use, due to how e-mail works it's impossible to conceal who you are sending it to, and many other details. Encrypted mail will protect the contents of the mail, but not extra information like when it was sent. For those who absolutely need to keep their contacts a secret, like investigative reporters, there are better options than e-mail.
Using an e-mail Client
Using Free Open Source Software clients puts you back in charge of your mail. While webmail and apps can be very convenient, they can often be very opinionated on how you should interact with your mail. Mail clients are a very important tool. Some will provide privacy features like blocking e-mail trackers, and other useful tools like custom filtering.
Instead of leaving your mail on a server forever, you can move it to your computer for offline access. Every client will have its own features, but having the capability to encrypt emails with PGP is a non-trivial advantage.
I'm a huge fan of Mozilla Thunderbird, though there are other e-mail clients; Privacy Guides has an excellent list of recommendations.
Configuring Your Client
It may seem intimidating, but if you have an uncommon mail provider, or roll your own email, you may need to configure your client. This requires a few more options than just a username/password. To understand what the options mean, you have to realize that you're setting up two things:
Incoming Server:
Which needs:
The mail server's hostname (such as pop.example.com)
Either IMAP or POP as the protocol; this changes how the server handles mail that's delivered.
The port number the server is running on
Your email & password
Security settings
Outgoing Server:
Which needs:
The SMTP (Simple Mail Transfer Protocol) server's hostname
The server's port number
Your email & password
Security settings
You'll want to consult your e-mail provider's documentation for the specific values. Contacting customer service may help. These settings are what's required to configure any mail client, though some will be able to fill in some of the details when you provide your email address.
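One way to turn the settings listed above into a session, as an added example that is not from the original post: `audit` flags an entry that would send the password unencrypted or that pairs a port with the wrong security mode, and `connect` only opens TLS or STARTTLS sessions with certificate verification. The dictionary keys, the mode labels `tls`/`starttls`/`none` and `mail.example.com` are assumptions made for the illustration; the ports are the conventional ones, and your provider's documentation takes precedence.

```python
import imaplib
import poplib
import smtplib
import ssl

# Conventional ports per (protocol, security mode); a provider may differ.
USUAL_PORT = {("imap", "tls"): 993, ("imap", "starttls"): 143,
              ("pop", "tls"): 995, ("pop", "starttls"): 110,
              ("smtp", "tls"): 465, ("smtp", "starttls"): 587}

def audit(server):
    """Return the problems found in one server entry (empty list = fine)."""
    proto, mode, port = server["protocol"], server["security"], server["port"]
    if mode not in ("tls", "starttls"):
        return [f"{proto}: security {mode!r} sends the password unencrypted"]
    if USUAL_PORT.get((proto, mode)) != port:
        return [f"{proto}: port {port} is unusual with {mode}, check provider docs"]
    return []

def connect(server):
    """Open an encrypted, certificate-verified session, or refuse."""
    if server["security"] not in ("tls", "starttls"):
        raise ValueError("refusing to send a password over plaintext")
    ctx = ssl.create_default_context()  # verifies certificate and hostname
    host, port, proto = server["host"], server["port"], server["protocol"]
    if server["security"] == "tls":  # TLS from the first byte
        if proto == "imap":
            return imaplib.IMAP4_SSL(host, port, ssl_context=ctx)
        if proto == "pop":
            return poplib.POP3_SSL(host, port, context=ctx)
        return smtplib.SMTP_SSL(host, port, context=ctx)
    if proto == "imap":  # STARTTLS: upgrade before any credentials are sent
        conn = imaplib.IMAP4(host, port)
        conn.starttls(ssl_context=ctx)
    elif proto == "pop":
        conn = poplib.POP3(host, port)
        conn.stls(context=ctx)
    else:
        conn = smtplib.SMTP(host, port)
        conn.starttls(context=ctx)
    return conn

# Constructed entries; mail.example.com is a placeholder hostname.
WEAK = {"protocol": "imap", "host": "mail.example.com", "port": 143, "security": "none"}
FIXED = {"protocol": "imap", "host": "mail.example.com", "port": 993, "security": "tls"}
OUTGOING = {"protocol": "smtp", "host": "mail.example.com", "port": 587, "security": "starttls"}
```

Run `audit` on the values your provider gives you before saving them in the client; `connect` returns a session object on which you would then call the library's login method.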
Delta Chat
Delta Chat is a mail client that looks and functions as an end-to-end encrypted messaging app. It's an absolutely brilliant technique. Despite none of my contacts being (currently) willing to take it seriously, I actually believe that Delta Chat is one of the more underrated online messengers.
In theory, it should be very easy to adopt because it doesn't require anyone to create any new accounts. It handles encryption key management for you, and uses your own inbox for storage. Of course, it can also send regular emails to those who don't have it yet. For those who find Signal requiring a phone number to be too much, I consider Delta Chat a must-have.
Inbox Cleaning
Junk mail piles up. Over the years, it can be easy to accumulate more and more spam and incoming mail that becomes unmanageable. This causes a lot of people to essentially ignore their e-mails altogether. If you're not quite at the point of just abandoning that particular email and starting fresh, there's a lot you can do to reduce the amount of unsanctioned messages.
Folders and Filtering
Odds are, a lot of regular incoming correspondence is expected in advance. This means that you can create sub-folders for particular domains, and use filters to sort your mail for you. This can keep the important stuff at hand, while allowing you to sort through the rest at your convenience.
Unsubscribe Without Mercy
Getting your email added or removed from marketing lists can really add up over time. Reducing your incoming emails to what you specifically want can make a massive impact.
You can clean a busy inbox with this process:
Find an example of something you no longer wish to receive
Hit the "unsubscribe" button (usually near the bottom) on the email and get removed from the list
Search for messages from that sender and delete them all
Repeat every so often
Eventually, you'll find you're entirely free of unwanted incoming e-mails except for outright spam.
The Spam War
If you're getting a great deal of spam, it's a sign that your email has appeared on many kinds of lists. Not having it published publicly can help, but fighting spam is a team effort. It's worth your time to report egregious examples, but eventually you'll want to set up your own filters for it. Where possible, if you have a filter that's working well, I'd recommend having it also mark the message as spam.
Both Canadians and Americans can report spam to law enforcement.
This guide is a work in progress.
Any questions, comments, or support you can offer goes a long way!
Trackers
There are two common types of e-mails you can send/receive. Plain text, which as the name implies is just text and is therefore entirely free of trackers. Emails can also be HTML, like web pages. This allows for them to look appealing, include images, and unfortunately trackers!
When you load an e-mail that loads content (like images) from a remote server, those assets can be used to send information. This can be used to get all kinds of engagement stats about how even you as an individual respond to particular messages. A troubling consequence of this is that those running phishing campaigns are able to use that information to come up with more compelling scams.
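To see what a message would fetch before you allow remote content, the added example below (not part of the original post) parses a message and lists every remote URL that rendering its HTML part would load, marking 1x1 or hidden images as likely tracking pixels. The sample newsletter, its addresses and the `uid`/`campaign` parameters are constructed for the illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

class RemoteLoads(HTMLParser):
    """Collect every URL a client would fetch just by rendering the HTML."""
    FETCHED = {"img": "src", "iframe": "src", "script": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        url = urlsplit(a.get(self.FETCHED.get(tag, ""), ""))
        if url.scheme not in ("http", "https"):
            return  # cid: and data: images travel inside the message itself
        style = a.get("style", "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        self.found.append({
            "host": url.hostname,
            # Query parameter names often carry a per-recipient identifier.
            "params": [name for name, _ in parse_qsl(url.query)],
            "likely_pixel": tag == "img" and (tiny or "display:none" in style),
        })

def remote_loads(raw):
    """Return the fetches that opening `raw` with remote content on would make."""
    msg = message_from_string(raw, policy=policy.default)
    parser = RemoteLoads()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser.feed(part.get_content())
    parser.close()
    return parser.found

# Constructed sample: embedded logo plus a per-recipient tracking pixel.
sample = EmailMessage()
sample["From"] = "news@shop.example"
sample["Subject"] = "Spring sale"
sample.set_content("Spring sale is on.")
sample.add_alternative(
    '<p>Spring sale is on.</p><img src="cid:logo" width="120" height="40">'
    '<img src="https://t.shop.example/o.gif?uid=4821&amp;campaign=spring"'
    ' width="1" height="1">', subtype="html")
SAMPLE = sample.as_string()

if __name__ == "__main__":
    print(remote_loads(SAMPLE))
```

The embedded `cid:` logo is not reported because it triggers no network request; only the pixel is, along with the parameter names that tie the request to one recipient.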
One can argue that marketing data isn't all bad. As far as I can tell, the vast majority of my readers are reading through e-mail on Substack. While it's possible that you may be reading this post on the website, my plausible analytics would seem to imply otherwise. That means if this is being read by privacy conscious readers or those on RSS readers, I ultimately get almost no feedback from that segment of the audience without deliberate effort on their part. This isn't unique to me, but applies to everyone, everywhere on the Internet.
The Feedback Trap
If you'll pardon the tangent, this is the root of why Substack is such a powerful platform. By leveraging friction-less e-mail signups, with detailed analytics, the platform is able to give writers immediate, valuable feedback in addition to other services like paid subscriptions. Just like regular social media, that feedback itself is addictive for some. This can be a great thing; I can easily see how it would forge incredible writers out of curious minds.
The downside of this is that those who make the effort not to collect so much information about their audience inherently give up the advantages of all that feedback. This means that for even the slightest privacy conscious user, the corporate internet is entirely unable to cater to your preferences. I speculate that this creates vastly diverging incentives: the gradual enshittification of every corporate platform, and an independent web that's responsive to actual connections and thoughtful interaction.
That's quite a conundrum… What should be done about it?
For privacy conscious users: (if you're reading this, this is likely you!)
Do your best to proactively give those who you support thoughtful feedback. Encouragement, informed questions, thoughts, or even polite criticism can make all the difference in the long-term direction of a project.
Take the time to engage deeply with whatever material you find valuable, and return the favor by either sharing it with others or simply thanking the author.
Another option is to proactively ruin analytics data with something like AdNauseam.
For writers and other online "content creators":
Don't take your analytics as the entire story. It's highly likely that you have a broader (possibly much larger) audience that isn't represented in them.
Take the time to preserve your work in a future-proof way. Offline backups are excellent, even if it's just a disorganized folder. You may never know when you, or somebody else might find your effort invaluable. You can often save your posts with the Internet Archive.
Give those who casually follow your work, or do so through privacy-respecting means, the ability to give you feedback directly. Even if it's just a contact form / infrequently checked e-mail inbox.
The problem with email is its inherent insecurity; you can only protect against corporate tracking, not government surveillance. Whatever you do, if you want to ensure utmost privacy for what you have to communicate, it's best to avoid using email altogether, or ideally, abstain from digital mediums entirely.
For those of us that have our entire lives enmeshed with Google, I can't even begin to think to go through my 300+ subs to all kinds of services where my Gmail account exists. Also, if I get a new email, would I then forward all Gmails into it until the phase out process is over? I have about ten email accounts. This process seems daunting. I have never taken advantage of filtering or any of the benefits Google even offers. I don't think I'll miss much by going with a different client. Just time consuming. And seeing that my friends are now receiving a warning label that my account is suspicious with my emails, I might have to start the process...