Anyone who is interested in internet privacy has probably come to the realization by now that email is not inherently secure. It is sent through untrusted points on the internet, in plain readable text, and arrives at a questionably secure server to finally be read. Because email has evolved to be used for information we’d rather keep private, there’s a growing interest in the extent to which email services will protect our data. In this article, we delve into the privacy policies and privacy factors of some of the most popular email services.
See also: How to encrypt email
Which are the best emails for privacy & security?
For those of you who just want the final scores, here they are. The scores and the methodology we used will make more sense if you read the entire article.
| Provider | Score | Scans your email | Offers TLS encryption | Encrypted email at rest | Access to decryption keys | Offers built-in email encryption (PGP) | States it shares data beyond support purposes | Processes payments in-house |
|---|---|---|---|---|---|---|---|---|
| Start Mail | 4 | Not stated. To combat spam, "we cannot provide full details of the measures we employ" | Yes | Yes | Not clear. States it will comply with Dutch law requests, which does not seem possible if it cannot decrypt. | Yes | No | No. Uses Ogone. |
| Tutanota | 4 | Not explicitly stated, but encryption happens locally, so it would seem impossible. | Yes | Yes | No | Yes | No. "We will not disclose your personal data including your email address to third parties categorically." | No. Uses Braintree. |
| Proton Mail | 3 | Yes. Unencrypted incoming and outgoing mail is scanned for spam. | Yes | Yes | No | Yes | No. "We will only disclose the limited user data we possess if we receive notice from the Geneva Public Prosecutor's office or the Swiss Federal Police." | No, but accepts Bitcoin. |
| Hush Mail | 1 | Not stated. | Yes | No. Email is stored as it comes in; if it arrives unencrypted, it is stored unencrypted. | No, but can enable it when required by law. | Yes | No | No. Uses an unnamed third-party payment processor. |
| Fast Mail | 0 | Yes, for spam. Incoming spam protection can be disabled. | Yes | Yes | Yes. Inferred from the spam-scanning process. | No | No | No. Uses Stripe, Pin, and PayPal. |
| Gmail | 0 | Yes, for advertising and spam purposes. | Yes | Not stated | N/A | No | Will share for advertising. | Yes. Google Payments. |
| AOL Mail | -1 | Not if AOL "communication tools" are used. | Yes | Not stated | N/A | No | Will share for a variety of reasons. | Not stated |
| Outlook | -1 | Yes. Inferred from "we do not use what you say in email, chat, video calls or voice mail, or your documents, photos or other personal files to target ads to you." | Yes | Not stated | N/A | No | Will share for a variety of reasons. | Not stated |
| Yahoo Mail | -1 | Yes, for advertising and spam. | Yes | Not stated | N/A | No | Will share for advertising. | Not stated, but lists PayPal as a third party, so presumably not. |
| Yandex | -1 | Yes, for advertising purposes. | Yes | Not stated | N/A | No | Will share for a variety of reasons. | Not stated |
Email has multiple privacy attack vectors
In order to understand how emails can be made private, it is important to understand how email works to begin with. When you write or reply to an email, you do so on some kind of email client that can sometimes be referred to as a mail user agent (MUA). When you click the send button, that email leaves your client and is sent to your email service’s mail transfer agent (MTA). From there the email is sent through the internet to your recipient’s MTA, which places it in her inbox. She can then read it at some later date using her MUA of choice.
In practice, your email client can be a program installed locally on your computer or phone, such as Outlook, Thunderbird, or Apple Mail. Many of us now use webmail as well, which means accessing your email through a web browser. In every case, the email client still has to connect to an MTA in order to send your email on its way.
The privacy of your email in transit
The part of the journey between MTAs has no security and no encryption built in: your email is sent in plain text across the hostile internet unless you take precautions. Your email service can implement some of those precautions on your behalf, such as enabling TLS on its MTAs to send and receive email. However, since not all email services support TLS, mail servers use it opportunistically: if the receiving side does not offer encryption, the sending server silently falls back and delivers your email in plain text. Therefore, you have no real control over whether your email is sent over the internet encrypted or not. Even worse, you usually have no easy way to tell in advance whether encryption will be used in transport. Counting on TLS encryption between MTAs is therefore not a reliable method of securing your email in transit.
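One way to find out in advance what the receiving side will do is to talk to its MX host the way a sending MTA would and see whether it advertises STARTTLS and presents a certificate that actually verifies. The script below is an added example, not code from the original article; it uses only the Python standard library, assumes outbound access to port 25 of the host you probe, and the EHLO transcript embedded in it is constructed for illustration.

```python
"""Probe whether a receiving MTA will accept mail over TLS. Added example,
not from the original article; assumes outbound access to port 25."""
import re
import smtplib
import ssl
from typing import Optional

_CODE = re.compile(r"^\d{3}[ -]")  # "250-" / "250 " reply-code prefix

def ehlo_extensions(reply: str) -> set:
    """Extension keywords advertised in an EHLO reply. Accepts a raw
    transcript ("250-STARTTLS") or smtplib's code-stripped SMTP.ehlo_resp;
    the first line is the server greeting, not an extension, so skip it."""
    lines = [ln.strip() for ln in reply.splitlines() if ln.strip()]
    exts = set()
    for line in lines[1:]:
        body = _CODE.sub("", line, count=1).strip()
        if body:
            exts.add(body.split()[0].upper())
    return exts

def transit_verdict(starttls: bool, cert_ok: Optional[bool]) -> str:
    """What the probe tells a sender about how mail to this MX travels."""
    if not starttls:
        return "plaintext"      # delivered unencrypted across the internet
    if cert_ok:
        return "tls-verified"   # encrypted, and the MX proved its identity
    return "tls-unverified"     # encrypted, but an impostor MX would pass

def probe_mx(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Connect to an MX, check for STARTTLS, then attempt a verified handshake."""
    info = {"host": host, "starttls": False, "tls_version": None, "cert_ok": None}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        info["starttls"] = smtp.has_extn("starttls")
        if info["starttls"]:
            try:
                smtp.starttls(context=ssl.create_default_context())
                info["cert_ok"] = True
                info["tls_version"] = smtp.sock.version()
            except ssl.SSLCertVerificationError:
                info["cert_ok"] = False  # untrusted cert or hostname mismatch
    info["verdict"] = transit_verdict(info["starttls"], info["cert_ok"])
    return info

# Constructed EHLO transcript of the kind a manual telnet session would show.
SAMPLE_EHLO = ("250-mx1.example.test Hello [192.0.2.10]\n250-SIZE 52428800\n"
               "250-STARTTLS\n250 ENHANCEDSTATUSCODES")
```

Call probe_mx() with an MX hostname to run the live check; a verdict of "plaintext" means the remote side offers no STARTTLS at all, which is exactly the silent fallback described above, and "tls-unverified" means the session is encrypted but nothing authenticated the server at the other end.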
The only reliable way of protecting your email in transit is to encrypt it before sending. This process used to be so complicated that only the nerds of the web and professors could figure it out. Today, a growing number of secure email services offer very simple ways to encrypt your emails, and we’ve included that capability in our audit.
The privacy of your email at rest
Regardless of how your email is transmitted to your recipient, once it arrives it will sit on the recipient’s email service’s servers for some period of time. Whenever email is not in transit, it is considered at rest. Earlier email protocols such as POP (Post Office Protocol) required email clients to periodically pull emails off the server onto the recipient’s local computer. This meant that emails were only on the server temporarily and were removed once the recipient checked their email. This was good for email services because they did not have to provide massive amounts of storage to hold their customers’ emails indefinitely. However, it was bad for customers because their email only existed on the last computer that checked it, making it hard to reference an email at the office if you had downloaded it at home. To fix this, IMAP (Internet Message Access Protocol) was born.
IMAP is an email retrieval method that does not automatically remove the email from the server when it is retrieved. Email clients using IMAP send commands to the server so that emails can be marked as read, deleted, or moved to another folder on the mail server itself. This means we can see all our emails in the same state on all our devices — emails are no longer downloaded to the last computer that checked in. This is now the expected state of email and is of great convenience to email users, but it has an ominous downside: your emails can live forever on your email provider’s servers.
As an example, I looked at an old GMail account that I no longer use. It has emails dating back to 2005.
Email at rest on your email provider’s servers is a great privacy risk. Bad guys that gain access to your email account now have an incredibly rich trove of information about you dating back possibly a decade or more. Law enforcement agencies with warrants (or no warrants, depending on your country) can compel email services to turn over all that data as well. Discarded hard drives and other computing equipment are sometimes wiped incompletely and can contain troves of email. Therefore, a second consideration of any email privacy assessment has to include how the email service handles your email at rest. We include that factor in our audit, as well as noting whether the email provider has the ability to decrypt your email at rest if asked.
What privacy factors did we look at?
The final list looks like this:
| Factor | Points |
|---|---|
| Does the provider read or scan your emails? | -1 point |
| Do the mail servers offer TLS encryption for email in transit? | +1 point |
| Is your email encrypted at rest? | +1 point |
| Does the provider have access to your keys to decrypt your email? | -1 point |
| Are there easy-to-use tools to send and receive encrypted emails? | +1 point |
| Does the provider use its own in-house payment processor rather than outsourcing it? | +1 point |
We looked at some secure email services such as Proton Mail, Tutanota, Hush Mail, and Start Mail, as well as the popular mainstream email services. Those include Gmail, Fast Mail, Yahoo, Outlook.com, AOL, and Yandex.
The scoring system we used is based on the points listed above. Each service starts with zero points and has points added or deducted based on the features it provides. If a feature is not stated by the service, it scores 0 points, which means it does not affect the score in either direction. A perfect score is 5 points, and negative scores are possible.
| Provider | Score | Notes |
|---|---|---|
| Start Mail | 4/5 | Only avoided a perfect score by not using an in-house payment processor. |
| Tutanota | 4/5 | Fell short on the outsourced payment processing. The Tutanota web interface does not support two-factor authentication, which is a serious drawback. However, Tutanota’s beta webmail interface does support 2FA, so that shortcoming should be remedied in the near future. |
| Proton Mail | 3/5 | Proton Mail states that it scans your unencrypted incoming and outgoing emails. The stated purpose of this is spam remediation. |
| Hush Mail | 1/5 | Hush Mail is the only secure email provider that does not necessarily store your email encrypted at rest. If email is delivered in plain text, it is stored as such and not encrypted. Hush Mail also lost points for being able to access your decryption keys if asked to, although it does not do this during day-to-day operations. |
| Fast Mail | 0/5 | I expected Fast Mail to score in the negatives, but it gained a point for encrypting emails at rest, which is a feature that is not common among “normal” email services. |
| Gmail | 0/5 | Gmail managed to stay out of the negative scores solely by gaining a point for not outsourcing its payments. I think we all know by now that Gmail is not a suitable service for those looking to keep their emails private. |
| Outlook.com | -1/5 | Outlook lost points for scanning communications, perhaps not even limited to email, and using that data for advertising purposes. |
| AOL Mail | -1/5 | AOL lost points for using email data for a variety of reasons and scanning emails in some cases. |
| Yahoo Mail | -1/5 | Yahoo lost points for scanning emails and using the data for advertising. |
| Yandex | -1/5 | Yandex lost points for scanning emails and using that data for a variety of reasons. |
Links to documents used in the assessment
Yahoo Mail (Oath): https://policies.yahoo.com/us/en/yahoo/privacy/products/mail/
AOL (Oath): http://privacy.aol.com/privacy-policy/