email privacy

pete_c said:
Using TOR would work a bit better maybe. It would be slow though.
 
Would TOR browser help? Don't the emails still end up on your ISP's server where they can access them?
 
Mike.
 
mikefamig said:
But what is their privacy policy? Do they share and/or sell info?
 
Mike.
When you have mail hosting with a provider, they do not sell the information or parse your mail to spam you.  You do need to do private registration so that people don't solicit you from your domain registration information.
 
Over the last several years, I've moved my domains away from GoDaddy in favor of NameCheap.com.  They recently added free private registration so your domain contact info is not public.  They also can provide the mail hosting pretty cheap.  https://www.namecheap.com/hosting/email.aspx
 
I think there is more to worry about than the hosting of your email account. That's just the "last resting place" of messages. In most cases email flows through multiple servers controlled by multiple entities. Harvesting can happen anywhere in the path!
 
In my setup I do have my own virtual server in the cloud that is where my email rests. All my email clients talk to this. But that server does not talk point-to-point between me and the other party. It seems that it could but it doesn't and here is why.
 
First off I would have to harden my server with all kinds of spam filtering in order to allow it to "publicly" accept incoming messages directly. That's a big hassle and eventually most people are going to toss in the towel trying to keep that useful. That means the only way messages come in is via an email relay. I've got 3 allowed email relays for incoming messages: namecheap.com, godaddy.com, and gmail.com. All because I have a domain hosted there or an anonymous account forwarding to someone in my household. At minimum there is 1 hop for any email and do I trust them to not be snooping? Not a chance. On the plus side they do all the filtering.
 
Secondly, outgoing email has to be accepted by the recipient server. Anything beyond my simple kind of setup is going to check the validity of MY server. Odds are that this check will likely call me suspect if not outright spam source (because my IP subnet, which I can't control, is shared with many others). So the likelihood is high that some substantial amount of outgoing email will be rejected (and returned to me). My current solution is to use smtp2go.com as they provide free relay for low volume purposes. My email server must login to them to send. Could they snoop? Absolutely.
 
Bottom line - it's all relative and it's futile to think there is any absolute or near-absolute security of plain text email. It's simply not possible.
 
If you really must have secure communication you absolutely must encrypt messages from end-to-end using something like gpgtools.org. Even then, the harvesters can still gain some info from the metadata (sender and recipients).
 
Given some comments in this thread about various "secure" email services, I should clarify.
 
With these services you have to ask yourself where the boundary between encrypted and unencrypted lies. And, more importantly, who controls it.
 
If you are using something like gpgtools.org as a plugin to a native email client then YOU control the client app and the plugin. The service (server/host) does not provide any special encryption capability. Any service will do just fine. (You're still trusting software provided by somebody else but at least they are presumably independent from the service provider. Is there zero chance they are harvesting you? Well, technically, no.)
 
If you are using the service directly in a web browser then they will claim that the boundary is still in your control - in your browser. Technically that is correct however who is providing the code that is running in your browser and when? It's the service - every single time you visit that account. So now, again, you're trusting them to provide the software to decrypt. Are you certain they aren't capturing your password????
 
Finally, the HUGE thing with these secure services is that the party on the other end must ALSO be running a secure email service or client. AND, you trust their service!
 
When was the last time you got an encrypted email? Grandma have that setup on her iPad? Companies you do business with? Government? I've literally NEVER run into anybody that wanted to (or even could) communicate with me this way (and I'm a retired software professional). NOT EVEN MY LAWYER OR BANKER. They've got their own special services they use in the rare event that they realize something should be secure (which is almost never).
 
I'll conclude with more about metadata harvesting. The normally hidden email headers that go along with your message tell everyone in the path where your message came from down to your IP address. Just like web browsing, they can associate that with you. In other words, they can know who you are communicating with even when the message content is encrypted.
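
The point about headers in the post above, as an added example that is not part of the original post: a short Python script that reads a message whose body is PGP-encrypted and lists what any server in the path can still see. The sample message, its addresses, hostnames and IPs are constructed (documentation ranges), and `visible_metadata` is a hypothetical helper name.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message (not real traffic). The body stands in for
# PGP ciphertext; the headers are what travels in the clear around it.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [198.51.100.25])
\tby mx.example.org with ESMTPS; Tue, 03 Jul 2018 10:15:02 +0000
Received: from [203.0.113.77] (home-client.example.com [203.0.113.77])
\tby relay.example.net with ESMTPSA; Tue, 03 Jul 2018 10:15:00 +0000
From: Alice <alice@example.com>
To: Bob <bob@example.org>
Subject: lunch
Date: Tue, 03 Jul 2018 10:14:58 +0000
Message-ID: <constructed-1@example.com>
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP MESSAGE-----

(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def visible_metadata(raw):
    """Return the fields readable without any decryption key."""
    msg = message_from_string(raw)
    hops = []
    # Each server prepends its own Received header, so the last one in the
    # file is the first hop: the machine the message was submitted from.
    for value in reversed(msg.get_all("Received", [])):
        ips = IP_RE.findall(value)
        src = re.search(r"from\s+(\S+)", value)
        hops.append({"from": src.group(1) if src else None,
                     "ip": ips[0] if ips else None})
    to_cc = msg.get_all("To", []) + msg.get_all("Cc", [])
    body = msg.get_payload()
    return {
        "sender": [addr for _, addr in getaddresses(msg.get_all("From", []))],
        "recipients": [addr for _, addr in getaddresses(to_cc)],
        # Inline PGP encrypts the body only; Subject and Date stay readable.
        "subject": msg["Subject"],
        "date": msg["Date"],
        "hops": hops,
        "body_encrypted": body.lstrip().startswith("-----BEGIN PGP MESSAGE-----"),
    }


if __name__ == "__main__":
    for key, value in visible_metadata(SAMPLE).items():
        print(f"{key}: {value}")
```

Running it against a message saved from your own mail client ("view source" or "show original") shows which relays added a `Received` line and whether your home IP address appears in the first hop.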
 
 
@mike
 
Do a traceroute to watch the hops to your email server via your regular connection, VPN connection and TOR connection.
 
Do a reverse lookup of the hops (routers).
 
First in / out hop is always your modem and next is your ISP router which is doing the harvesting these days for business purposes.
 
To get out to the internet your modem at home (router) is configured with your modem mac address, speed tier and ISP next hops.

 
IE: first boot up of your modem does TFTP to an ISP giving service server.  It downloads your speed tier and other filters et al first.  You do not see this part of your modem. 

Goofing around here mention using TOR. Basically here configured an OpenWRT micro router with a TOR OS which you can get to via the LAN / WLAN. If you use the wireless SSID for the TOR router then you are using the "dark net". It is very slow but it works sort of.
 
The use of the term "dark net" is typically bad.  That said it was invented here by the US government for secure browsing. 
 
It is so good that bad and good people utilize it. 

The core principle of Tor, "onion routing", was developed in the mid-1990s by United States Naval Research Laboratory employees, mathematician Paul Syverson, and computer scientists Michael G. Reed and David Goldschlag, with the purpose of protecting U.S. intelligence communications online. Onion routing was further developed by DARPA in 1997.
 
Tor
 
It is meant to be used for data communications more than anything else. 
 
What is Tor?
 
Tor is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security.
 
Why Anonymity Matters?
 
Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location.

Personally I do not care or let this stuff bug me (well sort of).

I do keep my cell phone off / tablets off unless I want to use it. Same with desktops / laptops. I leave the Homeseer servers on and Ubuntu servers on and Samsung Hub on (and Echos are on or off). Like everything these days though Windows 10 is much dependent on the cloud whereas Ubuntu 18.04 now has all of the cloud pieces built in these days.

Recently helped a CT peer configure a PFSense firewall. He started to watch everything which did occupy much of his day and he did get a bit paranoid relating to what he saw.
 
jeditekunum said:
Given some comments in this thread about various "secure" email services, I should clarify.
 
With these services you have to ask yourself where the boundary between encrypted and unencrypted lies. And, more importantly, who controls it.
 
If you are using something like gpgtools.org as a plugin to a native email client then YOU control the client app and the plugin. The service (server/host) does not provide any special encryption capability. Any service will do just fine. (You're still trusting software provided by somebody else but at least they are presumably independent from the service provider. Is there zero chance they are harvesting you? Well, technically, no.)
 
If you are using the service directly in a web browser then they will claim that the boundary is still in your control - in your browser. Technically that is correct however who is providing the code that is running in your browser and when? It's the service - every single time you visit that account. So now, again, you're trusting them to provide the software to decrypt. Are you certain they aren't capturing your password????
 
Finally, the HUGE thing with these secure services is that the party on the other end must ALSO be running a secure email service or client. AND, you trust their service!
 
When was the last time you got an encrypted email? Grandma have that setup on her iPad? Companies you do business with? Government? I've literally NEVER run into anybody that wanted to (or even could) communicate with me this way (and I'm a retired software professional). NOT EVEN MY LAWYER OR BANKER. They've got their own special services they use in the rare event that they realize something should be secure (which is almost never).
 
I'll conclude with more about metadata harvesting. The normally hidden email headers that go along with your message tell everyone in the path where your message came from down to your IP address. Just like web browsing, they can associate that with you. In other words, they can know who you are communicating with even when the message content is encrypted.
 
If I understand correctly you are describing a situation where two computers each have a POP/SMTP email client software that use an encryption method in order to hide the email from prying eyes. I can imagine how that would prevent the ISP from seeing the contents of emails. But I want the advantages of IMAP servers and that puts me at the mercy of whoever maintains that email server. Who can you trust to keep their promise to not examine and share your email data?  I also don't want to need to read and try to understand a multiple page privacy policy.
 
Wouldn't it be nice if I could get private email service without having to study network technology. Is that even possible?
 
Mike.
 
Wouldn't it be nice if I could get private email service without having to study network technology. Is that even possible?
 
Note that this technology has evolved over the years and getting better and much more sophisticated.
 
In the 1990's there was a private contest relating to encryption. 

Everybody (cryptologists) played including Microsoft and Google and ....

The prize was a million dollars back then. 

The encryption winner could sell the technology for millions of dollars. 

Someone won (independent cryptologist) and became a multi millionaire, retired and bought an island to live on.
 
This thread is getting increasingly technical and a lot of it is going over my head. I have a limited knowledge of networking and am looking for a simple solution which probably doesn't exist. What I'm trying to do is to get what measure of privacy I can get without digging into the technical details of email privacy.
 
What I think that I've gathered so far is that the short answer is to dump my free ISP email and subscribe to one of the reputable web based email services like Godaddy or Fastmail. The consensus also seems to be that no one of these services is any more or less secure than another.
 
Myself I am not convinced that a paid email service is going to be any more private than my ATT/Yahoo email. Call me lazy but I don't want to read the privacy policies of two or three services in order to choose one. My eyes glaze over about three paragraphs into one of those things and they are usually several pages long. Has anyone ever read the iPhone/iPad iOS agreement that they agree to each time they download an iOS upgrade? I'm thinking that trying to avoid data farming by marketing people is like trying to avoid the common cold. You can wash hands a lot and avoid a lot of kissing but you can't hide in the house all day. I'm looking for the email equivalent of not shaking a lot of hands.
 
What started me thinking in this direction in the first place is that I did read much of a privacy agreement that I received when my Yahoo mail merged with AOD to become OATH. What I read made me want to never use email again. You basically agree to the fact that they can read every email and share with whoever they see fit to. There must be a better way without needing to become a network technician.
 
Mike.
 
The short answer:  there is no such thing as completely secure, private email if you use it in a public (internet) setting.  
 
The issue is that the "public" email systems in place today do not fully support encryption of the details of the email or the metadata, so that someone along the way could siphon off your data.  Even "encrypted" email is actually a way to notify someone to use a browser or pre-shared encryption keys to access the contents via SSL/TLS or the keys and possibly use authentication mechanisms.  
 
The only true private email is email that stays within clients and servers that you own and maintain, using secure storage and transmission, and only sending email to other members of that server.  As soon as email leaves systems under your control, you can't ensure they are private.  If you send an email to someone else, what they do with it is up to them.  And unless your systems use VPNs or encryption in transit, that email data can be copied while being transmitted.  Even encrypted traffic can be copied, and given enough time and power, might eventually be decoded.
 
mikefamig said:
 
If I understand correctly you are describing a situation where two computers each have a POP/SMTP email client software that use an encryption method in order to hide the email from prying eyes. I can imagine how that would prevent the ISP from seeing the contents of emails. But I want the advantages of IMAP servers and that puts me at the mercy of whoever maintains that email server. Who can you trust to keep their promise to not examine and share your email data?  I also don't want to need to read and try to understand a multiple page privacy policy.
 
Wouldn't it be nice if I could get private email service without having to study network technology. Is that even possible?
 
POP or IMAP matters not. Those, along with SMTP, are just the mechanism for moving the data between your client and the server.
 
Nobody. You can trust nobody.
 
Someone really worried about being secure, say for some potentially illegal activity, would not even trust a client with an encryption plugin. They would encrypt a message as a file separate from the email ecosystem and then send the encrypted blob. The recipient would decrypt outside of their email client. It really is an endless pit of potential leaks where you are just shifting the trust from one thing to another. Do you trust Apple or Microsoft to not snarf your file and send it to them? Before you answer that... when you use Siri or Cortana where does the audio from your mic go - ALL THE TIME? These days many things just automatically "float" up to the cloud without you necessarily being fully aware of it. How do your books or audio or video files magically appear on other devices you own? We are fully in the age of big brother and there is really nothing you can do about it other than not play with the technology.
 
Now I'm certain you're not asking about potentially illegal stuff. Nor am I concerned with that. Like me, you just want to communicate with people without "everyone" looking over your shoulder and listening in on your conversations. As a practical matter it's the same - you can't stop it.
 
I'm moving soon and I've contemplated for many months about not associating my real name with my new address. I'd use a mail forwarding service for physical mail addressed to my real name. An alias for everyday purchases, newspapers, etc. A VPN to disassociate my IP address. Basically counter-warfare against the harvesters. I've come to the conclusion that it's a never ending game that, in the end, I can't win. It would take an enormous amount of thought, constant consideration of many every day activities, money for services, etc. Only 1 tiny mistake and the whole thing fails.
 
I'm nearly to the conclusion that, for the same reasons, even a superficial attempt to avoid harvesting is also likely to be futile. In the last year or so I've seen so many suspect cases where information separated with great distance seems to be showing up in the least expected places. You can't win.
 
It's a losing battle at this point. Maybe someday an end-to-end encryption email will become popular, but the US Gov. isn't likely to let that happen anytime soon.
 
The best plan is to let all the snooping be used to your advantage.  Just make your name, age, sex, address, hobbies, all information slightly different to everyone. Then if there is a data breach, which occurs almost hourly now.  You will never be able to hide this information, but you can put so much fake stuff out there, that nobody knows fake from real. It really works.  I keep a database of my "birthday" or "mother's maiden names" should I need it. And my security questions, always fake and always changing.
 
I don't think it matters what's done these days.
 
Older these days see a new generation of a "me first" workforce that doesn't care.
 
Here locally when the state went to outsourcing / adjusting its tax stuff so much personal data got released to the internet that they had to take the site down around tax time and put a pause on filing taxes.
 
Last year here a bank got compromised by a fast food account holder and probably a bunch of kids.  Rather than even mention it the bank changed everyone's account numbers mentioning an "upgrade".
 
Consumer Reports mentioned in their last report that a very high percentage of data breaches are occurring with medical institutions from small offices to hospitals.
 
Tested Tor Browser a few days ago.  I am impressed.  I am testing it and use it mostly out of curiosity.
 
Most of the negative hoopla related to using Tor is just that and mostly put out there to discourage its use.
 
What is Tor Browser?
 

The Tor software protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, it prevents the sites you visit from learning your physical location, and it lets you access sites which are blocked.
 
Tor Browser lets you use Tor on Microsoft Windows, Apple MacOS, or GNU/Linux without needing to install any software. It can run off a USB flash drive, comes with a pre-configured web browser to protect your anonymity, and is self-contained (portable).

 
 
 