DIY Cyber Audit: #2 E-mail
All you need to know about e-mail at a glance
Email is something that’s critical to get right. Almost every online account allows for accounts to be recovered (or stolen!) through email. This means that it’s the most important account to secure. Rotating your e-mail password more often than other accounts can definitely make a difference in the long run.
Beyond just being able to steal accounts, a hijacked email can also be used to spread scams and malware to others. Taking account security seriously is important!
Choose a Great Provider
Choosing a provider can be difficult. Even when one finds a great one, it’s not worth entirely relying on a single provider. If you run your own website, e-mail hosting can sometimes be included with web hosting. Of course, there’s always the option of running it yourself. That however, has its own challenges, but there are many advantages.
Email Provider Recommendations:
Criteria to consider:
Privacy
There are limits to how private e-mail can be, but it’s at least worth selecting a provider that isn’t profiting off scanning your mail.
Things to consider for privacy:How long the provider has been in business
Reputation of the provider
Jurisdiction
Business model and funding sources
End-to-End Encryption
Features
Different options may have some variation in offerings. Important features can be:
Webmail
Storage size
Custom Domains
Disposable aliases
Multiple accounts/mailboxes
Encryption / PGP Support
Client (IMAP & POP) Support
Forwarding and Filters
I personally believe the best-case scenario for mass e-mail providers are responsibly run local non-profit enterprises. As online communication has become more central to people’s lives, competitive local infrastructure needs to take a more central role. While on the total other end of the spectrum, there also needs to be a place for less personal, but still quite small, providers that operate indiscriminately. Both have a very important place in safeguarding online freedom from a variety of threats.
Email Encryption
Every e-mail provider is going to market itself as secure. Secure from what? One may ask. Security is about proactive measures taken against particular problems. Nothing is 100% secure. Many security features proudly proclaimed by big tech services are really just about protecting information in transit as it goes from your machine to theirs. It’s very difficult for a provider to protect you from themselves, even when there’s desire to. There is always a degree of trust involved with hosting your data on somebody else’s computer.
Domestic government (and corporate) surveillance is a serious concern as well. Many of us in the so-called “Free World” have to be concerned about the 5 prying eyes. With all this in mind, I would never put too much faith email security guarantees. Even in the best of circumstances,treat e-mail like you would a postcard in the mail; not for anything particularly sensitive or private.
Strategy 1: Inbox Level
There are many end-to-end encrypted (“zero knowledge”) mailboxes provided by larger privacy-focused email providers. How it works is that in addition to your emails being secured in transit, they are also encrypted when they are stored. This means that as long as your account/password are secure, your email’s content can only be read by you. This often comes at the cost of lack of third-party client support.
This strategy has advantages, but mostly it’s ease-of-use. It saves you the time of having to manage your own encryption keys, meaning that others should be able to send you encrypted emails right away. The downside of this strategy is that you’re still placing a significant amount of trust on the provider, especially if you’re using it for sensitive information.
Strategy 2: Message Level
When using your own email client, you can choose to proactively encrypt emails with PGP. For recipients who’ve already setup their keys, some clients will be able to auto-discover the correct key for you so it can be fairly convenient. This strategy ensures that the email is secure as long as the recipients keys are, from all other parties. If your recipient already publishes their PGP key. (Here’s mine)
Metadata headaches
Regardless of which strategy you use, due to how e-mail works it’s impossible to conceal who you are sending it to, and many other details. Encrypted mail will protect the contents of the mail, but not extra information like when it was sent. For those who absolutely need to keep their contacts a secret, like investigative reporters, there are better options than e-mail.
Using an e-mail Client
Using Free Open Source Software clients put you back in charge of your mail. While webmail and apps can be very convenient, they can often be very opinionated on how you should interact with your mail. Mail clients are a very important tool. Some will provide privacy features like blocking e-mail trackers, and other useful tools like custom filtering.
Instead of leaving your mail on a server forever, you can move them to your computer for offline access. Every client will have it’s own features, but having the capability to encrypt emails with PGP is a non-trivial advantage.
I’m a huge fan of Mozilla Thunderbird though there are other e-mail clients, Privacy Guides has an excellent list of recommendations.
Configuring Your Client
It may seem intimidating, but if you have an uncommon mail provider, or roll you own email you may need to configure your client. This requires a few more options than just a username/password. To understand what the options mean you have to realize that you’re setting up two things:
Incoming Server:
Which needs:
The mail server’s hostname (such as pop.example.com)
Choosing either IMAP or POP as the protocol, this changes how the server handles mail that’s delivered.
The port number the server is running on
your email & password
Security settings
Outgoing Server:
Which needs:
The SMTP (Simple Mail Transfer Protocol) server’s hostname
The server’s port number
Your email & password
Security settings
You’ll want to consult your e-mail providers documentation for the specific values. Contacting customer service may help. These settings are what’s required to configure any mail client, though some will be able to fill in some of the details when you provide your email address.
Delta Chat
Delta Chat is a mail client that looks and functions as an end-to-end encrypted messaging app. It’s an absolutely brilliant technique. Despite none of my contacts being (currently) willing to take it seriously, I actually believe that delta chat is one of the more underrated online messengers.
In theory, it should be very easy to adopt because it doesn’t require anyone to create any new accounts. It handles encryption key management for you, and uses your own inbox for storage. Of course, it can also send regular emails to those who don’t have it yet. For those who find signal requiring a phone number to be too much, I consider delta chat a must-have.
Inbox Cleaning
Junk mail piles up. Over the years, it can be easy to accumulate more and more spam and incoming mail that becomes unmanageable. This causes a lot of people to essentially ignore their e-mails all-together. If you’re not quite at the point of just abandoning that particular email and starting fresh, there’s a lot you can do to reduce the amount of unsanctioned messages.
Folders and Filtering
Odds are, a lot of regular incoming correspondence is expected in advance. This means that you can create sub-folders for particular domains, and use filters to sort your mail for you.This can keep the important stuff at hand, while allowing you to sort through the rest at your convenience.
Unsubscribe Without Mercy
Getting your email added or removed from marketing lists can really add-up over time. Reducing your incoming emails to what you specifically want can make a massive impact.
You can clean a busy inbox with this process:
Find an example of something you no longer wish to receive
Hit the “unsubscribe” button (usually near the bottom) on the email and get removed from the list
Search for messages from that sender and delete them all
Repeat every so often
Eventually, you’ll find you’re entirely free of unwanted incoming e-mails except for outright spam.
The Spam War
If you’re getting a great number of spam, it’s a sign that your email has appeared on many kinds of lists. Not having it published publicly can help, but fighting spam is a team effort. It’s worth your time to report egregious examples, but eventually you’ll want to setup your own filters for it. Where possible, if you have a filter that’s working well, I’d recommend having it also mark the message as spam.
Both Canadians, and Americans can report spam to law enforcement.
This guide is a work in progress.
Any questions, comments, or support you can offer goes a long way!
Trackers
There are two common types of e-mails you can send/receive. Plain text, which as the name implies is just text and is therefore entirely free of trackers. Emails can also be HTML, like web pages. This allows for them to look appealing, include images, and unfortunately trackers!
When you load an e-mail that loads content (like images) from a remote server, those assets can be used to send information. This can be used to get all kinds of engagement stats about how even you as an individual respond to particular messages. A troubling consequence of this is that those running phishing campaigns are able to use that information to come up with more compelling scams.
One can argue that marketing data isn’t all bad. As far as I can tell, the vast majority of my readers are reading through e-mail on substack. While it’s possible that you may be reading this post on the website, my plausible analytics would seem to imply otherwise. That means if this is being read by privacy conscious readers or those on RSS readers, I ultimately get almost no feedback from that segment of the audience without deliberate effort on their part. This isn’t unique to me, but applies to everyone, everywhere on the Internet.
The Feedback Trap
If you’ll pardon the tangent, this is the root of why Substack is such a powerful platform. By leveraging friction-less e-mail signups, with detailed analytics, the platform is able to give writers immediate, valuable feedback in addition to other services like paid subscriptions. Just like regular social media, that feedback itself is addictive for some. This can be a great thing, I can easily see how it would forge incredible writers out of curious minds.
The downside of this is that those who make the effort not to collect so much information about their audience inherently give up the advantages of all that feedback. This means that for even the slightest privacy conscious user, the corporate internet is entirely unable to cater to your preferences. I speculate that this creates vastly diverging incentives: the gradual enshittification of every corporate platform, and an independent web that’s responsive to actual connections and thoughtful interaction.
That’s quite a conundrum… What should be done about it?
For privacy conscious users: (if you’re reading this, this is likely you!)
Do your best to proactively give those who you support thoughtful feedback. Encouragement, informed questions, thoughts, or even polite criticism can make all the difference in the long-term direction of a project.
Take the time to engage deeply with whatever material you find valuable, and return the favor by either sharing it with others or simply thanking the author.
Another option is to proactively ruin analytics data with something like adnauseum.
For writers and other online “content creators”:
Don’t take your analytics as the entire story. It’s highly likely that you have a broader (possibly much larger) audience that isn’t represented in them.
Take the time to preserve your work in a future-proof way. Offline backups are excellent, even if it’s just a disorganized folder. You may never know when you, or somebody else might find your effort invaluable. You can often save your posts with the Internet Archive
Give those who casually follow your work, or do so through privacy-respecting means the ability to give you feedback directly. Even if it’s just a contact form / infrequently checked e-mail inbox.
The problem with email is its inherent insecurity; you can only protect against corporate tracking, not government surveillance. Whatever you do, if you want to ensure utmost privacy for what you have to communicate, it's best to avoid using email altogether—or ideally, abstain from digital mediums entirely.
For those of us that have our entire lives enmeshed with google, I can’t even begin to think to go through my 300+ subs to all kinds of services where my gmail account exists. Also, if I get a new email, would I then forward all gmails into it until the phase out process is over? I have about ten email accounts. This process seems daunting. I have never taken advantage of filtering or any of the benefits google even offers. I don’t think I’ll miss much by going with a different client. Just time consuming. And seeing that my friends are now receiving a warning label that my account is suspicious with my emails, I might have to start the process...