Contact me for feedback or questions! I reply to everyone.

E-mail providers - which one to choose?

- Introduction -
- The Providers -
- Google, Yandex, Outlook, Yahoo -
- Hushmail -
- VFEmail -
- FastMail -
- Scryptmail (DEAD)-
- Criptext -
- SAFe-mail (safe-mail.net) -
- OpenMailBox (DEAD) -
- Runbox -
- Mailfence -
- ProtonMail -
- Safe-Mail (safe-mail.nl) -
- Neomailbox -
- Mailbox.org -
- Paranoid.email -
- Secmail.pro -
- CTemplar -
- KolabNow -
- Teknik -
- Tutanota -
- Cock.li -
- Dismail -
- StartMail -
- CounterMail -
- Posteo -
- Autistici -
- Disroot -
- RiseUp -
- Temporary e-mail -
- Summary -
- Why the situation is as it is -
- On encryption -
- On "privacy-respecting" laws -
Friend's E-mail report, covering additional providers (onion-only)

Introduction

E-mail sucks but is a necessary evil for now. What should be taken into account while choosing a provider? The most important thing is their privacy policy - as in, what data do they collect and store, and for how long - as well as whom they share it with and under what conditions. Of course, privacy policies should not be automatically trusted - some red flags to watch out for are: too much secretiveness, too much privacy salesmanship, contradictory claims. Always search the Internet for possible breaches that the service in question might have had! Other criteria to consider are: whether the provider supports mail clients (webmail is terrible all around, and takes control out of your hands); the possibility of signing up through Tor / a VPN; and whether its free or paid (though a good paid one is better than a shitty free one; don't worry - the best ones in this report are actually free). Another thing you might want to take into account is how likely is the service to last - if it's been around for 10 years, it's pretty safe to say it will be around for another ten. A single guy running a provider is a ticking time bomb. What about encryption? In-built encryption I consider mostly an illusion - there are various ways of implementing it, but none as robust as PGP with your own keys. And, of course, all of those require webmail, while PGP can be used with mail clients (some, like Claws Mail, even have built-in support). Okay, enough of the introductory bullshit - let's move on to the actual providers!

List of E-mail providers

Google, Yahoo, Outlook, Yandex

These are designed to collect as much of your information as possible, and are obviously unsuitable for everyday use. Not much more to say. So let's move on to the ones that are (or pretend to be) more private.

Hushmail

Everyone is entitled to their email privacy. Take back control of your data and experience a clean inbox with no advertising.

Okay, I'm in! Just give me a minute to check if the evidence supports your claims...

When you visit our website we may collect information about you, including your browser type, operating system and the Internet Protocol (“IP”) address of your computer. We use this information to facilitate your use of the website, gather market information and prevent abuse of our services.

No thanks. But wait, that's only the website - I could possibly deal with that if the actual mail service was private. But is it?

We take steps where possible to limit the personal information we collect.
Wow, thanks! So let's see just how limited those "limits" are:
As part of the account creation process your IP address will be recorded. We may request that you provide other information, such as a phone number, as well. We use this information to analyze market trends, gather broad demographic information [...]

Asking for my phone number is very "limited" indeed. And the market trends shit rears its ugly head again.

Information we record may include [...] account usernames, sender and recipient email addresses, file names of attachments, subjects of emails, URLs in the bodies of unencrypted email, and any other information that we deem necessary to record for the purposes of maintaining the system and preventing abuse.

So you're even snooping on the links in my messages! And any other information is an admission that they could possibly collect everything they imagine. But why pretend it's about preventing abuse? Just say you're in the business of gathering information.

We store sales, marketing, and customer care information with third-parties that support these business processes, which means that information such as your name, email address, phone number, and company name, as well as the history of communications related specifically to the sales or customer care process, may be stored there.

And now my name and phone number is being sent to whoever the fuck. Could this get any worse?

The records we keep of your activities are permanently deleted after approximately 18 months. Records that are stored for statistical purposes may be kept indefinitely.

...yes, it could in fact get worse. And that's not even the entirety of it (I don't want to write a book here!) - check out their privacy policy (archive) if you want to torture yourself further.

I forgot to mention that Hushmail actually wants money for all this abuse! And it doesn't even support mail clients. Taking all that into account, this is without a doubt the worst choice on this whole list. And they have the audacity to claim stuff like this:

Hushmail has been providing secure, private and encrypted webmail solutions since 1999. Here is why our customers trust our experience in the field.

Yeah sure - very trustworthy you are!

VFEmail

UPDATE FEBRUARY 2020: Used to require ReCaptcha to sign up, doesn't anymore - however, still asks for your real name; registration also fails on Pale Moon. Everything else is as shit as it was when I wrote the first report, except the site is now behind the evil Cloudflare. Mail clients are supported, but auto-configure doesn't seem to work. Accepts signing up from a VPN, and that's where the positives end...A lot of suspicious things in the user agreement; going over all of them would take a year, so I will discuss only the most important ones:

[...] VFEmail.net can terminate and/or change and/or modify your account [...]

Wait, modify my account? What the fuck? This can literally mean anything, including rewriting your mail, deleting contacts, or changing the password. Suspicious as fuck!

[...] VFEmail.net or its designee may disclose information to third parties about User and User's use of the Service [...]

Great! Prepare yourself for your privacy being ripped away and thrown around to advertisers and trackers.

User acknowledges and agrees that content, including but not limited to text, software, music, sound, photographs, graphics, video, or other material contained in sponsor advertisements or information presented to User through the Service or advertisers is protected by copyrights, trademarks, service marks, patents, or other proprietary rights and laws.

So you will be sent advertisements and can't even show them to anyone. By the way, I've confirmed they add ads to your mail. Whenever you send anything from the free VFEmail account, your recipient gets this:

This free account was provided by VFEmail.net - report spam to abuse@vfemail.net ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of the NSA's hands! $24.95 ONETIME Lifetime accounts with Privacy Features! 15GB disk! No bandwidth quotas! Commercial and Bulk Mail Options!

Funny how they claim to protect you from the NSA when they are Cloudflared (a US company) and have no real privacy policy. With a free account, you don't even get SSL encryption on your mail. So it is sent around in plaintext, completely visible to your ISP for example. Now what if you've paid? You get SSL (congrats for being the only provider out there who doesn't provide that for free), aliases, no ads and unlimited bandwidth - but are still in the dark as to the privacy and still subject to the shitty ToS. And to lighten up the mood...

If you do recieve mail between your last POP and the snapshot at 12am, it will exist on backup for a week - unless it's on Saturday night, then it's a year.

WTF? These guys must be trolling around here. Your mail is stored in a backup for a week...except on Saturdays! How random.

As for other data, you don't get told what gets stored and for how long. If you still didn't get the memo - get away from this crap! Honestly, it looks as if some jokers just slapped all the anti-user things they could think of, advertised themselves with bullshit like the Metadata Mitigator™ - for which of course you have to pay - and went around their merry way while raking in the cash. This might be worse than Gmail, which is more honest in regards to their (lack of) privacy and provides all its features for free.

FastMail

This is another one of the paid providers which are also absolutely terrible from a privacy standpoint. From their privacy policy (archive):

If you register to use, or use, one of our websites or services [...] personal information that may be collected directly from you includes name, billing address, mobile phone number, organisation name, your own domain name, IP address, browser user-agent and billing details

Name, phone number, address. You're off to a fast start towards privacy hell, FastMail.

We process mail sent and received from your account to block spam and fraud.

The private FastMail scans your mail.

We also store information from your address book, calendar, notes and files on our servers.

Is there anything you guys don't store?

We also collect the email content you create, upload, or receive from others

Guess not - even other people aren't safe from FastMail's prying eyes.

Each time you connect to our service, we log your IP address, your client identifier (browser or mail client information) and your username. If you send mail, we also log the email address you're using to send mail and the email address you're sending to. If you take action on mail in your mailbox, we also log the activities taken.

So literally your every move is being tracked and logged. And now for some humor - look at how they justify themselves:

This is necessary for providing proof of delivery and fraud analysis.

Sure. I wonder why almost no other provider on this list is doing so, then? Now check this admission (from section How do we use the personal information we collect from you?):

conduct analytics and measurement to understand how our services are used;

Oh, so it was about analytics all along, instead of "fraud analysis" or some other bullshit excuse. And for something even more damning (from section Sharing personal information with others):

We may share your personal information [...] with third parties who help manage our business and deliver services [...] Some of these providers use “cloud based” IT applications or systems, which means that your Personal Information will be hosted on their servers

And now all the stuff I've talked about will be put on some third party servers.

We may use your name and email address to send direct marketing communications to you and let you know more about our services or related services that we believe will be of interest to you

You will also be flooded with directed advertisements. But how does FastMail know what will be of interest to you? Of course, it's because of all that collected data - which, remember - includes your mail content! Later they claim that they don't profile you to send targeted advertisements, but that seems to contradict the above - and we should always assume the worst. FastMail also uses the Matomo tracking service, which was described in detail in ProtonMail's section. Anyway, that's quite a lot of data collected - but how long does it stay around?

Where we log information related to your IP address, we retain this information for approximately 90 days.
Where you request that we delete your account from our system, we will immediately lock the account and archive the information, then delete it from our severs within approximately 7 days from the date of your request.

Not bad, I guess. I mean, some other providers take a year or more...But wait:

However, in specific limited circumstances we may store your personal information for longer periods of time

Ha! So the 7 days figure was just for show. Let me quote some related information from another section (archive):

After an account is terminated, data and backups are purged within a timeframe of between 37 days to 1 year after closure

So you do take a year after all. And you fucking lied straight to our faces with the 7 day thing. This seems more and more like some entry-level trolling...Can we say anything at all positive about FastMail in light of the information presented? I guess this:

Providing secure end-to-end encryption via webmail is impossible. There are basically two options, both flawed:

That's right - it's the same thing I've been speaking about. So at least they don't pretend to have some super-duper in-browser encryption. And maybe another thing:

We won't release any data without the required legal authorisation from an Australian court. As an Australian company, we do not respond to US court orders.

But remember that some of your data will be stored on third party servers in other countries, which might have some different ideas...All in all, I struggle to provide a reason to use this one at all. The amount of stored data is simply massive (and I didn't even cover all of it), it's shared with third parties and used for sending advertisements - and you have to pay for all that.

Scryptmail (DEAD - https://blog.scryptmail.com/discontinuing-of-service/)

Free 7 day trial and then you have to pay. No mail client support. Claims to encrypt metadata and senders instead of just messages. Blog and support forum appear pretty dead; FAQ is also outdated - says Scryptmail is only a year old, but it's actually 4.

What about the privacy? Website uses Matomo analytics described in ProtonMail's section. And the mail? According to their privacy policy (archive), whenever two Scryptmail accounts communicate, only sent times metadata is stored. On the other hand, if someone using another provider sends an e-mail to your Scryptmail account, the collected data extends to this:

sender and recipient email addresses, the IP address incoming messages originated from, message subject, body and attachments and message sent and received times.

Other stored information includes: Last login time, IP address, User agent, API call. Though they claim that they have no ability to match an IP to a specific user account. Which appears to contradict the earlier claim, since they know when a certain account logged in, as well as with which IP address. It is possible they delete the information about the account which the data belongs to, but to say that they have "no ability" to connect them is a lie.

You should assume that your data will be stored pretty much forever. From the Data Retention section: Active accounts will have data retained indefinitely. What about deleted accounts?

Your personal data shall be deleted no later than at the end of the calendar year following the year of the termination of the contract unless in an individual case specific reasons to the contract apply. [...] Moreover, the deletion of inventory and billing data may be omitted provided that legal regulations or the prosecution of claims require this action.

In summary: paid, no mail client support, confusing and contradictory privacy policy, significant amount of data stored and never deleted. Avoid!

Criptext

There's so many violators popping up now that I wasn't supposed to review any more of them unless they were significant for some reason. However, this one was mentioned to me by two people and it encompasses a lot of what's wrong with E-mail services and computing in general, so I might as well get to it. Let's start with the quote from their main page:

Quite possibly the most private email service — ever

That's it - I'm sold. Of course, no violator has ever made that promise before...not at all. But let's not jump ahead of ourselves, and first check out what's actually so special about Criptext. First of all, since it's a shitty Electron "app" (literally embedding Chromium inside it), it takes up a huge amount of resources - much more than Claws Mail. The interface is your usual webshit and you cannot make it fit with the rest of your operating system - like an alien invader. Obviously, forget about it supporting mail clients; Criptext says fuck the established standards - we'll run our own special snowflake webshit implementation. That alone would usually be a dealbreaker for me, but let's dig deeper. I don't seem to be able to run the "app" through either torify or proxychains, so it can be assumed to not support anonymization. To use Criptext, you need to sign up through the "app" which asks you for your real name. Now let's tackle some specific claims made on their site:

All your emails are locked with a unique key that‘s stored on your device alone, which means only you and your intended recipient can read the emails you send.

So, Criptext alleges to be E2E - but actually, it only works between Criptext accounts - others will just receive your mail unencrypted as usual. And - as the "app" doesn't support PGP (unlike a regular mail client) - you're left bare unless you encrypt through the command line. This is not at all different than what Proton or Tutanota are doing.

Criptext doesn‘t store any emails in its servers. All your emails are stored on your device alone, which means you‘re in control of your data at all times.

That's actually absolutely impossible. At some point, the E-mail has to go through Criptext servers so that it is delivered to the recipient. Why pretend otherwise?

With real-time tracking you can know once your email is read.

This is advertised as an unique feature, but actually, mail clients support it with something called Request Return Receipt. No advantage for Criptext, unfortunately. Now check this from their security section (I cannot even archive the Jabba-heavy page, ugh):

All your emails and private keys are stored solely on your device. Once Criptext delivers an email there‘s no trace of it left in our servers whatsoever.

This is called decentralized architecture by Criptext - which is of course a total joke since their "app" enforces usage of Criptext servers - unlike a regular mail client. Let's now check out their privacy policy:

Once messages are delivered to your device, they are deleted from our servers. The same holds true for messages which you send.

Okay - assuming they're not bluffing (which they already did a few times) - this is a welcome change of pace compared to most violators. However, POP3 protocol in mail clients supports the deletion of E-mail upon retrieval - so again, this is not specific to Criptext.

We also keep email metadata (subject, date and sender email address) in order to enable certain features of the Services, such as the “unsend”, “read receipts” and “expiration” features.

The duration is not mentioned. Red flag.

When a normal, unencrypted email is sent to you by a non-Criptext sender, the email gets encrypted by the server with your public key and can only be decrypted by your device. The same holds true for attachments that are sent to you from non-Criptext addresses. This means that your emails are always encrypted, even if the sender is not using Criptext.

That just means the E-mail would be encrypted from Criptext to you - but not before it reaches Criptext. Therefore, Criptext could still read it - again, why pretend otherwise?

We may automatically log information about you and your computer or mobile device when you access our Services. This includes information like hardware model, operating system information, battery level, signal strength, app version, browser information, and mobile network, connection information including mobile operator or ISP, language and time zone, and IP.

So, Criptext stores your IP address and lots of other information. Duration is again not specified. It also shares that data with unspecified partners:

We may disclose your personal information to our subsidiaries and corporate affiliates for purposes consistent with this Privacy Policy.

Okay, I think it's lights out for Craptext now. The only positive about them is their promise to immediately delete your E-mail upon retrieval - but seeing how many deceptive claims they've already made, it's doubtful they do even that. All that remains from the privacy posturing on their main page is a pile of rubble. The sane thing to do is to leave Craptext rotting right along the Protons, Fastmails and Hushmails and use some proper services.

SAFe-mail (safe-mail.net)

Israel-based service established in 1999. Before I delve deep into the meat of the issues, let's look at the first impression. Namely, the site structure and grammar is something a chimpanzee would make - this makes getting any information from the site a puzzle in itself. Most of the stuff in there is ancient, and some sections contradict each other. They've had 20 fucking years to make a proper website but instead we get this abomination...but let's try to make sense of it anyway:

SAFe-mail pretends to be privacy-based but has no real privacy policy. The only thing is a snippet from 2008 saying:

Safe-mail.net is not using cookies and not collecting any data about users. Safe-mail.net does not transfer, sell, trade or oterwise exchange any data it might have about its users with any other company.

So it allegedly does not collect ANY data about its users. Why, then, do they bother to qualify it with a statement that they also don't sell the data? Wait, there's also this: (from the user agreement) (archive)

SAFe-mail Ltd. will not disclose information about you or your use of the SAFe-mail system, unless...

Okay, so you DO have data about your users after all...

You agree that SAFe-mail may access your account, including its contents, for these reasons or for service or technical reasons.

So now you admit that you can access even the contents of my account? Isn't this an admission that you read our mail?

Please note that your Internet Protocol address is transmitted with each message sent from your account.

No shit. But what we're interested in is whether that IP, or any other data, is stored by SAFe-mail, and for how long - and this information is not provided. Does this not sound suspicious? SAFe-mail spends a lot of time posturing on how privacy-based it is, yet seems strangely secretive about the kinds of data it collects; in fact, you have to read between the lines to realize that it stores anything at all. A clear indication of a honeypot to me.

The free account does not support sending mail through the mail client, only receiving. Other alleged privacy features like the SafeBox are also paid only. Of course, once you pay for the service, you are not anonymous anymore - they, again, don't accept bitcoins. Registration form asks for your real name and phone number; there is a manual approval of every account. I've tried to sign up through Tor while leaving the phone number field empty - but giving a real-looking name - and didn't receive the confirmation in two days. However, one reader has had a different result and was able to access his account in one day. Regardless, this seems like a honeypot and is NOT worth using.

Runbox

Their website is so full of privacy posturing it's a wonder how they managed to fit anything else. I won't bother quoting it all here; let's move right on to seeing whether the posturing is actually worth anything (spoiler: it isn't). From their privacy policy (archive):

You consent to providing us with the following personal data when you register an account: First name, last name, company name (where applicable), mobile phone number (where applicable), country, and alternative email address. [...] To revoke this consent you must terminate the Service

Sorry Runbox, but requiring my real name just ain't privacy-respecting. The first impression already isn't very good...and it's just the beginning.

Your Account Information is stored on servers located in Norway for as long as your account is active...

Great, so I have to kill the account for you guys to stop storing my information. And then it's fucking gone, right?

...and: up to 1 month after closure of trial accounts; or up to 5 years after closure of subscribed accounts, as financial records must be kept for 5 years according to the Norwegian Bookkeeping Legislation.

No, of course it isn't fucking gone - that would be too private for the "privacy-loving" Runbox. So it's five years after the deletion of your account until your real name is gone from their database...or is it?

Backup of Account Information is stored on secure servers separate from the Runbox system for up to 6 months, even after the information has been deleted from the main storage.

Nope, the privacy-loving Runbox is truly smashing all the previous privacy records set by privacy giants such as Google or Yahoo; it's five and a half years until your data is gone from their servers! Oh Runbox, what are some other ways in which you protect my privacy?

Email service content (data associated with Webmail, Contacts, and Files in the Service) is stored in main storage on servers located in Norway for as long as your account is active and: up to 3 months after closure of trial accounts; or up to 6 months after closure of subscribed accounts.

So all your mail and metadata (sender, recipient, subject, date/time) is stored as long as your account exists. There's also the backup which is stored for longer. Should we prolong this torture? Okay, let's do the finishing move and get this over with: The Runbox "service" is fucking paid! Can we say final nail in the coffin? Seriously, they're like a Gmail you have to pay for...but wait, there is more: (I swear it's the last quote!)

If you correspond with us via e-mail, the postal service, or other forms of communication, we will retain such correspondence and the information contained therein.

To say something positive, I will mention that they accept Bitcoins...and you can use them through the mail client. There is also a 30 day "free" trial. Oh, and they are powered by renewable energy sources (but so is the actually private Posteo, reviewed later), which is the only really commendable thing about this "service". But since the data collection and storage policy is so terrible, you should stay away.

OpenMailBox (DEAD)

Has no privacy policy at all - a huge red flag; in fact, all they really say about privacy is that all user data is stored in privacy respectful countries - without, of course, specifying those uber-private countries. ReCaptcha is required to sign up, which shows you just how much privacy matters to them (if they submit to the Big G's botnet, you can safely assume they store fucking everything). Openmailbox severely lacks ethics, deleting features without notice (archive):

Free users of Openmailbox could use IMAP/POP to connect to their mailboxes previously. The new owner of the service, French company SASU Initix, disabled the option without prior notice for all free account owners.
This blocked the use in all email clients for free users, and left them with no choice but to use the web interface instead to do their mailing.
Related to that is the removal of the mail aliases feature. The available aliases were removed completely and stopped redirecting any messages.

Imagine you've used an alias to talk to your family and it suddenly stops working - so you don't get their messages anymore, unaware of the reason it happens (hey, maybe they hate you now...). They also claim you can make an account in a minute - which is simply mockery due to ReCaptcha. Their Terms of Service (archive) follow the same principles (or lack of):

OpenMailBox reserves the right to amend this text, without prior notice, and you are therefore responsible for making yourself aware of the latest version of this text. In the event of a breach of these conditions, your user account may be locked or deleted, with no option for redress or compensation.

So if they suddenly decided VPN / Tor users are dangerous terrorists, they will kick you out just like that; say goodbye to your contacts, messages, everything (since mail clients don't work, you can't easily download them). Free accounts inactive for 180 days will also be deleted.

There is a rumor going around reddit that either OpenMailBox or Autistici gave access (archive) to someone's account to the Singapore Tax Authorities. However, this is almost impossible for Autistici since it would go against everything they've always stood for (archive):

After 2005 we have been constantly pestered by prosecutors and security forces (and even by the Vatican! [4]) asking us to hand over users’ data and identities and we are proud to say we were always able to answer: we are sorry, but we do not have them. Recently (2010) some very smart policeman managed to convince a judge to order the full seizing of three servers in three different countries to find out if we REALLY did not have any data about a user’s activity on our servers [5]. After spending a lot of public money (for a couple of graffiti on a wall), the judge ended up with a lot of encrypted files with no useful information inside, and maybe he’ll think twice about giving out other investigations to the cunning policeman.

On the other hand, it would be quite consistent with OpenMailBox's proven lack of ethics. But, in the end, it is just an unconfirmed rumor - so take it with a grain of salt (however, the person did post it more than once).

In short - no privacy policy, no mail client support (for free accounts), no respect for the user. Just a cash in for their premium service which still doesn't guarantee you any privacy (in fact it's a possible honeypot for governments). No reason to use this at all when you've got other free services available with more features, better privacy, and actual ethics.

Mailfence

We believe that online privacy is a fundamental human right which can no longer be taken for granted so we decided that it was time to offer a service which is fully dedicated to email privacy.

I've heard that before. Let's see how this claim stacks up with your privacy policy (archive)...

We implement a local instance of Matomo [...]

This crap again. Read ProtonMail's section to see just how vile it is.

We collect IP addresses, message-ID's, sender and recipient addresses, subjects, browser versions, countries and timestamps.

Already a red flag here...but let's check out how long does this data stay there:

We retain backups of deleted messages and documents for 45 days.

Very private you are. And then comes this excuse:

This is for the purpose of restoring data in case of accidental deletion by users. After 45 days, data will be permanently deleted from all our systems.

Yeah sure - it's always "for the user's good". In the end, your deleted mail will stay on the servers for 45 days, regardless of justification. And if that wasn't enough...

Should you close your account, all data will be permanently deleted 30 days after the legal expiration date (i.e. the Belgian law imposes 365 days after account closing).

So you have to wait for over a year for your "deleted" account to be actually deleted. Nice privacy you've got there.

Mailfence makes a big deal about being protected by strong Belgian privacy laws - but not only has this been refuted above, but the relevance of these laws is doubtful anyway

Sign-up form requires JavaScript and asks for your real name - but you can give a fake one; there is no waiting period for approval. Mail client support is paid only; they do accept bitcoins though. Allows importing your PGP keys but it's still all done in-browser. All in all, no free mail client support and a disappointing privacy policy despite lots of posturing - forget about this one.

ProtonMail

The most popular "private" E-mail provider, and often the first choice of a person getting away from the three giants. But does that mean it is in fact quality? Let's start with the sign-up process - if you're signing up through Tor or a VPN, ProtonMail requires SMS confirmation:

And if you try to receive confirmation through a RiseUp E-mail, it says this:

So, SMS is the only option (unless you want to donate, which would reveal your personal information of course); therefore their claim that ProtonMail does not require any personally identifiable information to register is a shameless lie. Update: a contact told me that Proton now includes the option to solve a recaptcha (still an evil) for confirmation; however, the option disappears while using a VPN. They must really want that damn phone number if you are using anonymizers! And the claim that you can sign up without personal data is still false.

The way their "end to end" encryption works is by generating the encryption keys while you sign up - using your already existing keys is not allowed and ProtonMail must store the generated private key (archive) for PGP to work. Since the whole encryption process is done by JavaScript in the browser, nothing prevents them from sending you backdoored JS; the encrypted messages can also only be sent to other ProtonMail users, unless using the paid account (update: actually, a friend has told me that the latter isn't true anymore, though you have to upload the recipients' public PGP keys to ProtonMail if you want to use them). According to researchers, ProtonMail's encryption contains serious shortcomings. At the end of this report, I also link to an article detailing the issues with in-browser encryption in general. Mail clients are not supported except, again, through a paid feature called "Protonmail Bridge".

But let's move past the fluff and see which data does ProtonMail actually store and for how long. Quoting from their privacy policy (archive):

We employ a local installation of Matomo, an open source analytics tool. Analytics are anonymized whenever possible and stored locally (and not on the cloud).

So when you visit their website, this Matomo spies on you. But what data does it actually collect? From Matomo's website (archive):

All standard statistics reports: top keywords and search engines, websites, social media websites, top page URLs, page titles, user countries, providers, operating system, browser marketshare, screen resolution, desktop VS mobile, engagement (time on site, pages per visit, repeated visits), top campaigns, custom variables, top entry/exit pages, downloaded files, and many more, classified into four main analytics report categories – Visitors, Actions, Referrers, Goals/Ecommerce (30+ reports)

So that's the website. What about the e-mail service?

we have access to the following email metadata: sender and recipient email addresses, the IP address incoming messages originated from, message subject, and message sent and received times. [...] We also have access to the following records of account activity: number of messages sent, amount of storage space used, total number of messages, last login time.

Great, even more metadata than Tutanota (if you trust Tutanota's claims that they collect as little metadata as they say they do). And then there's this gem:

When a ProtonMail account is closed, data is immediately deleted from production servers. Active accounts will have data retained indefinitely. Deleted emails are also permanently deleted from production servers. Deleted data may be retained in our backups for up to 14 days.

Read that again! Indefinite retention of data by the "private" ProtonMail! And 14 days for deleted data - enough for "them" to get you. At least there's disk encryption...UPDATE August 28; a direct admission they do store IP logs forever in certain cases - and your IP address may be retained permanently if you are engaged in activities that breach our terms and conditions. Their TOS says this: You agree to not use this Service for any unlawful or prohibited activities. You also agree to not disrupt the ProtonMail networks and servers, which can cover pretty much anything.

If you read their transparency report (archive), you will see quite a lot of requests for their data from governments all around the world. ProtonMail pretends to "require a Swiss court order" to cooperate - but you see that they often do that before receiving it - so don't expect that to protect you. One particularly egregious example is from May 2018, where they disabled an account because of terrorist allegiances - and we all know that's not just a convenient excuse these days, right? The new transparency report shows they've complied with 336 government data requests in 2018 alone - including 76 foreign ones. Oh, and since August 28, they finally admit to direct surveillance - In addition to the items listed in our privacy policy, in extreme criminal cases, ProtonMail may also be obligated to monitor the IP addresses which are being used to access the ProtonMail accounts which are engaged in criminal activities. And you will never be told you're being watched. So, what we have here is a provider that does not support mail clients, requires personal info to sign up while claiming otherwise, spies on you on their website, stores your e-mail metadata (and IP in certain cases) forever and immediately gives it up whenever government knocks on the door and shouts "terrorism!". Its encryption is also lacking according to researchers, and cannot be used for non-ProtonMail accounts without paying. And then - after all that - it claims to be a champion of privacy...As we can see, ProtonMail is found out to be a paper tiger when examined deeper. It does have an onion domain, but guess what - when you try to sign up through it, you are redirected to the clearnet with no indicators unless you happen to look at the address bar. This behavior is something I'd expect from a honeypot - you get lured with the added security of the onion domain, and then it's pulled away like the carrot on a stick. Avoid!

Safe-Mail (safe-mail.nl) (SIGN UP DISABLED)

Let's move straight to the meat of the issue:

The Safe-Mail Team are a bunch of nerds with a clear vision about privacy. And we want to give others the opportunity to protect their privacy. With a Safe-Mail community we want to let the world know that privacy is a legal right and we are ready to fight for it.
Great, and yet...
The provider does not check on messages or any other content stored on Safe-Mail.nl unless bound by law to do so (this means only when we get a court order!!).
So you can check on messages? Anyway, they will not fight court orders. So much for the privacy is a legal right posturing.
We do not hold any user information accept for the information you give us at the registration.
Unfortunately, that information includes my real name and city (I guess I can give a fake one, but still...).

Safe-Mail.nl does not have a true privacy policy, so all we have to go by is the above snippets plus a section from their FAQ - What do you log? - which says:

The whole Safe-Mail system is using different log files which we need to access when there are problems with the system. It's called maintenance and important for the health of our Safe-Mail system. We totally understand that it feels uncomfortable by the idea that you aren't really anonymous then, but we also cannot say that we log nothing. But we are convinced that log files older then 7 days does not have any value to us. Especially when it contains maintenance value. So we decided that all logs with "specific" information are being deleted from the server after 7 days. Log files only takes up space and we want to save that for more important matters. That does not mean you can abuse the system. There are rules and our guess is that all of you know what those rules are. We fight for privacy here, but we condemn illegal activities. Please, think wise and twice when you use the Safe-Mail system.

Not many specifics - remember, secretiveness is a red flag - but "specific" data (whatever that means) allegedly stays around for only 7 days.

Free account does not support mail clients. They do accept bitcoins so theoretically, you can have an anonymous account with mail client support. Even in the free account, you can upload an S/MIME certificate to have end-to-end encryption, however, unlike PGP, this relies on trusting a certificate authority - similar to SSL.

Maybe I'm a little too harsh on this one - but if FREE services with mail client support are available - that also don't ask for your real name - and will ACTUALLY stick their heads out for your privacy - then those should be used.

Neomailbox

Paid only - 50$ per year; bitcoins accepted. Mail client support. TOS forbids you from badmouthing the service (lol) - not publish or post false, malicious, defamatory or libelous comments about Neomailbox or Neomailbox Customer Support in any form online of offline. What about the privacy? Not much is mentioned except:

We keep logs of SMTP traffic for 6 months for performance analysis and abuse prevention. Anonymous surfing logs are wiped every 10 minutes.

This used to be 2 months, so they multiplied the duration by 3. And the specifics of "SMTP traffic" are not mentioned so you should assume it's absolutely everything. And in another part of the website:

We keep no logs or customer data other than what is absolutely necessary for performance tuning and security monitoring of our servers. Your IP address is not saved in our logs. All logs are deleted every 7 days.

UPDATE: the IP part is not in the FAQ anymore, roundabout confirming they do store your IP. But wait, that contradicts the earlier quote. So they didn't explain themselves clearly - that's a red flag; as if they didn't want you to know what exactly do they store. You should assume the worst - namely that all your mail content and metadata is saved for 180 days. There is also this:

The following statement is true on January 1st, 2020: Neomailbox has never released any customer data to any government agency or other entity.

That's nice. However, the fact is - not only do you have to pay for getting your data stored for half a year, but cannot even say a bad word about them. For something positive, Neomailbox has disk encryption and unlimited aliases. Still, they are paid, keep your unspecified data for 6 months, and have weird stuff in their ToS. My friend has also proven that one of their mail servers fails the TLS test - which means your mail is sent around unencrypted. You could do much worse than Neomailbox - but also much, much better.

Mailbox.org

Right off the bat you get smacked with Google's recaptcha; this is an absolute injustice as Google is the epitome of spyware companies. The service also demands your full name and country. They do allow signup and use through Tor. I was prompted for SMS or email verification for the purpose of password reset, this was however, optional.

The privacy policy states that they use Matomo spyware; it is self hosted, however, this does not redeem them. It is still possible for this data to be leaked or handed to law enforcement. They collect a plethora of data:

And "other similar data and information" for "security purposes"; there should be absolutely no ambiguity in a privacy policy.

They say they collect this data expressly to provide it to law enforcement. They will erase data if requested; they also detail the erasure period of particular data:

The german public prosecutor's office and police have "easy" access to their database. "Simple" requests do not need a court order. They are not legally allowed to inform the customer to any information request. They are also not allowed to dispute the request, and as such you have no protection.

Access to the log data of mail or web servers or the email content of a mailbox requires a judge’s decision, unless the investigating authorities can directly establish “imminent danger”, in other words the police can just cry terrorist and they can get any of your data.

They claim they will only disclose data to mandatory requests, "Such requests for information from the police without a court order will definitely be rejected by us."

Playing around with the web interface, there is not a single third party request.

All in all mailbox.org is absolutely abysmal for privacy. Not only do they retain an exorbitant amount of data, they bend over backwards for the authorities and don't try to (or legally can't) protect you whatsoever. NOTE: this entry has been submitted by Oreamnos; I only did grammar / structure improvements. Thanks, Oreamnos!

Paranoid

Alleges itself to be extremely privacy based, with quotes such as Our mission is to return the feeling of privacy back to people. and Return the privacy to day-to-day email communication and make it as popular as possible. However, the service has no privacy policy, so you can't know what do they actually store. They say that they are PROBABLY THE ONLY OPENPGP-ENCRYPTED EMAIL BOX, but that isn't really true - even the dreaded ProtonMail and MailFence have that (though the implementaion is worse). Supports mail clients and has an onion domain. Here's the big thing though - Paranoid requires an invite, which I tried to get a few days ago. First, it told me that my cock.li mail is "disposable" and won't be accepted. Then I signed up with real disroot account and - though the message about the disposable services didn't appear - I still didn't get a reply in 5 or so days. One of my contacts says his friends sent requests months ago that are still not accepted. Thus, regardless of its privacy, Paranoid appears to be pretty useless.

UPDATE February 2020: The above is what I wrote very long ago. Then, the service went down shortly after so I assumed it's dead. Now it's back and one of my contacts was impressed with it, so I investigated again. Everything I wrote above is still true, except I also tried to sign up with my RiseUp E-mail alias, and got rejected for using a "disposable address". However, the contact managed to get through the process so we did some tests. Paranoid claims that:

If a sender can't encrypt the eMail which will be sent to your @PARANOID box - we will encrypt it for you using your public key - the only key we store.

This is true. Any E-mail sent to a Paranoid address will be encrypted by them with your public key (which you will have to generate and upload). However, since the encryption is done by Paranoid - they (as well as the sender's server) can still see the contents; and as they have no privacy policy, we don't know what they do with that. Let's check out another quote:

@2048.email & @4096.email aliases can receive encrypted eMails only. We will check for you, if an eMail, which has been sent to you, is encrypted.

Unless we've understood it wrong - the above is false. I've sent an unencrypted E-mail to both of those addresses, and my friend received them, where according to the claim - they should have been "bounced" back to me. I did, however, get a message implying that the unencrypted E-mails did not go through:

Dear owner of the email address digdeeper@disroot.org, recently you've sent an email to the email_redacted@4096.email which is in the 4096.email domain provided by Paranoid.EMAIL service. This user does not accept unencrypted emails. Please encrypt email using PGP and send it again. If you do not know the key you can ask using this email email_redacted@paranoid.email To avoid seeing this 'bounce' message again in the future you can either start sending OpenPGP-encrypted eMail messages to the recipient (if you've already familiar with OpenPGP/GnuPG) or alternatively, you can become an early bird tester of our brand new encrypted eMail service...

Of course, even if he did not receive them, they would still have traveled unencrypted from my machine, through my provider, ending at Paranoid (with many other points inbetween). So, him not being able to read them wouldn't provide any security. What does the "bouncing" accomplish, then? It might possibly (in some alternate world...) get the other guy to encrypt using PGP - however, to have real end-to-end encryption, that person would also have to generate his own keys, which - for the vast majority of people - is insurmountable. Also remember that the above applies only to the 4096 and 2048 aliases - you can still give the regular paranoid.email one to avoid the bounce.

The above, however, is still the best implementation of PGP you can have without PGP proper. At least they are not doing decryption in the browser, or worse - storing your private key like ProtonMail. In fact, they are specifically warning against those approaches. Not only is there no security or other disadvantages in what Paranoid is doing, some benefits even exist. The messages you receive will be encrypted for at least a part of the journey without the other person's involvement (again, you must upload your public PGP key), and you might "convert" a few people to real end-to-end encryption in PGP (at the cost of annoying some others).

Despite all the above, Paranoid is actually a pretty good email service. It sucks that they consider so many real E-mail addresses as "disposable", but what can you do? If you get past that, you can sign up for free through anonymizers and without providing any personal data - which is already miles above what many others are doing. They also realize the perils of webmail and don't even provide it - therefore, you must use them through a mail client. An onion domain is available as well. The biggest problems (aside from the ones with signing up) are not having a privacy policy and making some weird statements on their main page - however, language is very clearly a barrier here. In summary, I can't recommend this one with the registration issues as well as not having a privacy policy - but it is better than most others allegedly private ones that are listed here.

Secmail.pro

Onion-only provider accesible through http://secmailw453j7piv.onion. No mail client support. Signing up is hassle-free with simple captcha and no personal information required. Keep in mind that - even though connecting through onion means that your IP address likely won't be revealed - secmail could still read the mail contents unless they are PGP encrypted. Since the Tor network is a very tasty target for various spies, it makes secmail's trustworthiness all the more important - and unfortunately, they fail the test. The service contains no privacy policy - though it has some vague claims of really caring about your security, there is zero information on what they store and for how long. Their clearnet domain contains just a link to the onion - however, it has no SSL so an attacker could rewrite the link to their phishing site and steal credentials. In fact, this is how SIGAINT, another onion e-mail provider, got hacked sometime ago (archive):

“We are confident that they didn’t get in,” states the alert. “It looks like they resorted to rewriting the .onion URL located on sigaint.org to one of theirs so they could MITM [man-in-the-middle] logins and spy in real-time.”

Another investigator wrote them an e-mail a few days ago where they said that they have no time to implement SSL (they are relying on the Tor network's automatic bad relay detection, which is not perfect - In 32 days I've found 15 instances where a node is sniffing and using my credentials). They've had two fucking years to support SSL but don't - and since they know about SIGAINT's hack, making themselves intentionally vulnerable to the same means they are either be heavily incompetent or a honeypot. Secmail has also refused to comment on not having a v3 (more secure) onion domain; do they also not have time for that? All it takes is one additional line in the config file (archive).

When secmail got started, they advertised themselves on reddit (archive), where they took a lot of criticism. For example, their first server configuration used to reveal the OS and PHP versions, which makes it so much easier for hackers to get in - and at that point, they were already operating for more than six months - can you say incompetent? So, despite allegiances of security and the allure of the darknet, I'd stay away from this one. It has nothing at all over RiseUp which also supports onion domains (v3 as well!). Read a deeper investigation of secmail here if you're interested.

CTemplar

I used to have a review of this one, and it was not so good. However, after reading my review, CTemplar wrote me an E-mail to say they've changed most of the offending issues (kudos!). Since I didn't want to spread wrong information, I took the old review down, and just now finally got around to a rewrite. So, is CTemplar actually worth using now?

I would still say - not really. First of all, it lacks mail client support which for me is the most important issue. I don't care about webmail when it will never have the amount of features my mail client does and requires enabling potentially malicious JavaScript in the browser. But wait, CTemplar claims that they cannot do that because of checksums:

Currently all end to end encrypted email services can hack their own users and decrypt all of their data except us. We are able to provide this level of protection using an implementation of checksums that have not been used before.

There are two problems with this claim. First of all, comparing checksums doesn't require any special implementation - you can do it with any service that shares their code externally (for example, on GitHub). Then, you just compare that code to the one from your browser's View source option. However, all the E-mail providers I've seen don't actually share the code that runs on the site - only files to build / generate it. Thankfully, one of our chat's regulars undertook the job of building CTemplar and after several tries, still did not manage to build the files on the site. Even if you did manage to do so, you'll have to compare the checksums every single time you use the site and for every single script it loads. Clearly, this is impossible in practice, and therefore useless. If they really cared about this, they'd just put the real code on GitHub so you could compare directly.

Of course, even if you managed to accomplish the above Herculean feat, this would do nothing to guarantee that the code is not malicious. You'd still have to go and inspect it to see what it does, and it's made all that much harder if it is obfuscated - which CTemplar's happens to be. Even though they might not be able to target you specifically without being exposed through the checksums (that is, if you happened to compare them at that moment) - they can just attack everyone, and then even remove the violating code the next day before anyone detects it. See? Checksums do nothing to protect against malicious code. Okay, enough about checksums, let's check out their privacy policy (archive):

When you visit our website, your browser sends us your user-agent and IP address. When you leave our site no records are kept of your IP address with association to your account. We store your IP in an anonymous way for 7 days.

The "anonymized data" rears its ugly head again. What exactly is stored is anyone's guess.

If you choose to delete your account, everything is deleted and no records or backups kept.

Now that's a great policy which unfortunately most providers don't follow. By the way, this is apparently thanks to the Icelandic privacy laws - which are actually a thing unlike, say, Swiss privacy laws (a meme at this point) which enforce 6 months of data storage.

We will not disclose anything to third parties, except your payment information if you choose to buy a paid account.

Again, this is the only way to be private. CTemplar, by the way, also allows bitcoin payments so even if you DO want a paid account, you can avoid your data being stored anywhere but CTemplar.

Okay, I've skipped some sections because I want to cover the most important part in depth. Check out this quote:

We use a CDN service because its use is required to provide a better experience serving our static website content quickly around the world. Our CDN service also provides necessary protection against DDOS attacks. CDN’s can theoretically serve malicious code to our users. Our SRI & Checksum implementation offers protection from malicious code served by CDN’s.

The checksums thing I've analyzed above, so let me tell you briefly what is SRI. Whenever a site includes a resource from a third party (let's say, a JavaScript library or a style) - that third party could in theory modify the file being sent at any time. To protect itself (and the viewers), the site could attach an integrity parameter to the resource with a hash which your browser would then compare to the received file to ensure it's what the site intended to send. If the hash doesn't match, it means that the either the site serving the resource, or some other third party, tampered with the file. However, this works only for the resources for which the site added the integrity tag - the meddling third party could still modify anything else. The bigger problem, though, is what kind of CDN did CTemplar have in mind (archive):

For example, if CTemplar receives a DDOS attack that we are not able to handle, we will switch to using Cloudflare.

So they will put their site behind the evil Cloudflare in case of a DDOS. What does that mean for their claims about SRI? Briefly, what Cloudflare does is proxy the whole page (instead of a specific file or several) - so that it can modify it before serving it to you, including removing the integrity checks if it wanted to. See, SRI can only protect against the third party modifying a file if it has no access to the page that sets the integrity checks - but Cloudflare does. That CTemplar pretends otherwise means they are either lying to you or didn't do their research - which is bad news for their trustworthiness.

With that out of the way, let's get to the positives about CTemplar. Registration requires no personal data or ReCaptcha. Front page claims that they never track your IP address, keep logs on your usage or record any identifying information at any time; which is great but again - since they've specified identifying information, there must be collection of some allegedly non-identifying data - and we're in the dark as to what it is. CTemplar does provide an onion domain but it redirects to their clearnet one:

Wow! And here I was thinking I'll be a good guy and list some positives, but it seems CTemplar does not deserve it. I could dig deeper, but it seems fruitless at this point. CTemplar does seem to care about you at least a little bit - since they did send me an E-mail some months ago and changed some of the offending issues. But they still don't support mail clients (the most important feature for a provider) and have other glaring flaws such as the totally insecure and disrespectful downgrading of the onion domain to the clearnet. They also made wrong claims about both checksums and subresource integrity - call it fraud or incompetence, I don't care. Even if they changed stuff again, the reputation has been irreversibly damaged. As much as it pains me to say it - because there are truly lots of way worse providers out there - avoid CTemplar.

KolabNow

Paid, requires real name and an existing E-mail address to activate. Accepts bitcoin. Full of privacy posturing, complete with the claim of being protected by strong Swiss privacy laws. Such as this one (archive), for which they've gotten a government data request that they complied with:

Damage to data 1. Any person who without authority alters, deletes or renders unusable data that is stored or transmitted electronically or in some other similar way is liable on complaint to a custodial sentence not exceeding three years or to a monetary penalty. If the offender has caused major damage, a custodial sentence of from one to five years may be imposed. The offence is prosecuted ex officio. 2. Any person who manufactures, imports, markets, advertises, offers or otherwise makes accessible programs that he knows or must assume will be used for the purposes described in paragraph 1 above, or provides instructions on the manufacture of such programs is liable to a custodial sentence not exceeding three years or to a monetary penalty. If the offender acts for commercial gain, a custodial sentence of from one to five years may be imposed.

I don't understand exactly what the above means - sounds like hacking but could be interpreted in many ways (even deleting your own mail could fit deletes or renders unusable). I explore the "laws" issue in-depth at the end of this article, so let's move on to KolabNow's privacy policy (archive). It says literally nothing about what data do they actually store aside from We [...] guarantee you that there is no third party access to your data. No information about the length of data collection or the possibility to delete your account and what does it actually do. Maybe we can find something in their TOS (archive) then:

We will only keep the minimum of logs and debug information necessary to ensure that we can improve the service and resolve issues that may have occurred.

Minimum of logs - yeah, that tells us a lot. Umm...maybe their Legal Framework (archive) page has something more concrete?

These are requests for retained data. Switzerland has a legal requirement for six months data retention by the provider. Data that is retained is communication metadata, so information about who communicated with whom from where and when but not the actual content of the communication.

Swiss privacy laws in action - but at least we now know something about KolabNow's data collection. By the way, their transparency report has been last updated in 2017, so they might have gotten more requests since then. In fact, the whole site appears to be dead (even their Twitter). In summary, I don't see a reason to use this one - paid, asks for real name, stores 6 months of metadata and doesn't reveal anything useful in their privacy policy. Why can the free RiseUp manage to store metadata for only one day - despite being hosted in the allegedly un-private United States - while the service with super strong Swiss privacy laws cannot? Supporting mail clients is KolabNow's only positive it seems. That, and I guess accepting bitcoins - but since you can find better providers that are free, why bother?

Teknik

Requires an invite code to register. Supports mail clients. Has a nice feature of (I assume) displaying your public PGP key to others if you provide it. The privacy policy does not say much, however:

We use Piwik to track user interaction with the site. We keep it hosted on the server locally, so no analytic data is leaving the server.

Piwik has changed its name to Matomo recently, so just read ProtonMail's section to know more about it.

Dates - When you perform an action (ie: register an account), the date of the action will be recorded.

I assume this goes for all actions? Then it's absolutely terrible. What comes next?

Emails - Any email you send or receive with your Teknik.io email address is stored locally onto the server. These emails are not read.

Thanks for not reading my mail...and that's it for Teknik's privacy policy! No mention of whether the deleted e-mail is actually deleted, if there are any backups, what kind of data is shared and under what conditions. Nothing whatsoever! Pretty suspicious if you ask me. IMO, it's not even worth bothering to get an invite code for this, when better alternatives exist that don't require it. NOTE: The webmail can conflict with the LinkBot extension if you use it, so disable it for this website.

Tutanota

UPDATE February 2020: Everything is as it was but added information about Tutanota blocking anonymizers. With that, lack of PGP and mail client support, it is absolutely useless regardless of its privacy.

This was my first provider after I got concerned about privacy and dumped Gmail and friends. That was before I "dug deep" - needless to say, I don't recommend it anymore. It does not support mail clients; I used to think that's something dinosaurs use, but now I can't live without it. Encryption works only if you pre-shared a password with your recipients (unless they also use Tutanota, then it's automatic) - and that, of course, comes with its own issues (how to share the password securely?) which PGP has already solved. And since Tutanota is only accessible through webmail or their shitty desktop client (which is the same as the webmail it seems), they could easily modify the code to send themselves your password and be able to decrypt your shit. Tutanota does not support the usage of other encryption, like PGP (and in fact shits on it on its website [archive], even though it's the only real E-mail encryption you can have). Unlike with ProtonMail, there has been no third-party audit of Tutanota's encryption; however, at the end of this report I link to an article that discusses the issues with in-browser encryption in general. There's also this worrying policy in regards to logging:

In order to maintain email server operations, for error diagnosis and for prevention of abuse, mail server logs are stored max. 7 days. These logs contain sender and recipient email addresses and time of connection but no customer IP addresses.

No IP addresses? Great! Except if you use a VPN or Tor - Storage only takes place for IP addresses made anonymous which are therefore not personal data any more. It's a genius excuse, isn't it? You've hidden your IP so it isn't personal...except if Tor or the VPN ever got compromised. Also, later you will learn how just the metadata (which Tutanota does store) can reveal much more about you than you'd ever guess. This is all assuming you can actually use a VPN or Tor, but Tutanota provides no such option:

The above message appears both with the Snopyta VPN as well as Tor Browser - therefore, there is no anonymity with the uber-private Tutanota. Signing up is free, but you are limited to only one account if you don't pay. If you do, then prepare for this:

For the execution of credit card payments your credit card data will be shared with our payment service provider Braintree. This includes the transfer of personal data into a third country (USA)

Later they say that they have an "agreement" with this company that they will only use your data for the processing of the payment - but the value of these "agreements" is doubtful, in my opinion. Your payment data is also stored for whoever knows how long:

Order-related data and the addresses associated with the order are stored in respect to tax, contract and commercial law retention periods and erased at the end of those periods.

Summary: blocks anonymizers, no mail client or PGP support, stores your anonymized IP and metadata, indefinite (?) storage of payment data. Yet another privacy giant bites the dust.

Cock.li

Sounds good at first glance - supports mail clients, does not ask for personal information, allows registration and usage using Tor and other privacy services, and is run by "some dude", not a business. I've confirmed it does actually support Tor - however, a proxy extension I've been using did not work. Claws Mail could not automatically detect the settings, but manual configuration is still possible. So is this the service to use? For that, we will have to see what data does it collect, as usual:

IMAP and SMTP logs include: When an E-mail is sent, the username, destination e-mail address, and information about the connection (like IP address, quota information) When you connect to IMAP, what IP address and username (if any) you are logging in with, and if that login was successful

These, according to cock.li's privacy policy (archive), are stored for 48 to 72 hours. When you visit their website, cock.li stores this information: HTTP access logs containing your IP address, user agent, and type/location of your requests. They say it's not related to your account, but it would be trivial to connect them.

Cock.li's privacy policy is a little unclear on that point, but it seems that you can delete all your data manually - aside from registration information - and it will be gone immediately. Removing the latter requires erasing your account, but even then, that data will be kept for 30 days.

Cock.li has to be commended on its honesty. Privacy policy and TOS are short and straight to the point. It admits it can read your mail and that it cooperates fully with law enforcement; transparency and donation reports are also available. There's one other thing you might want to know about though...

https://arstechnica.com/tech-policy/2015/12/cock-li-e-mail-server-seized-by-german-authorities-admin-announces/ (archive).
"That means that SSL keys and private keys and full mail content of all 64,500 of my users, as well as hashed passwords, registration time, and the last seven days of logs were all confiscated and now are in the hands of German authorities,

Yeah...I mean, could this have gone any worse? The victims of this breach were probably wishing they never cared about this "privacy" stuff and still kept using Gmail, haha. Also, forget about having a normal domain name with this guy - they are all shitty jokes about cocks, rape, memes like blazeit and others you'd rather not show to most people. Another really significant issue is how often the cock.li domain is blocked on various sites. With that in mind, I cannot anymore say that this is a good choice at all. It does at least have an onion domain at http://mail.cockmailwwfvrtqj.onion/; this, however, does not prevent them from reading your mail or storing the metadata.

Dismail

Best "sign up and go" service if you trust its privacy policy. Well, there is a slight hassle in having to send them an XMPP message first - but the e-mail activation appears to be automatic, so it isn't a real problem. Signing up requires no personal information. Supports mail clients. There is disk encryption:

All emails you send and receive while using our email platform, as well as all contacts, are stored on an encrypted file system.

Good. This means that if anyone seized the server, they would get only encrypted data. According to Dismail, they haven't ever gotten requests from the government (but would they tell you?). But let's say someone got the server anyway and managed to decrypt the data - what would he get?

SMTP logfiles: Sender, recipient, message ID, and size of every sent and received email. [...] IMAP logfiles: Which account has logged in when from which IP address.

Hmm, that's quite a lot of metadata - which can be pretty revealing, as I describe later. They claim they delete it after 3 days, which is better than most other providers rated in this report. Though the ideal would of course be no storage of metadata.

Neither the email content nor its subject line are stored.

This is the big one which makes Dismail better than the other hassle-free services. Your most important information - the mail content itself - is 100% protected.

StartMail

Free 30 day trial. Funnily, the webmail tells you you can't send mail - but it does work with the client. JavaScript is required for logging in. Tor is allowed, but provides no onion domain. Paid version disposable e-mail addresses (a'la airmail) and OpenPGP encryption. But as usual, the most important issue is their data collection policy. Do they actually follow their Privacy. It’s not just our policy. It’s our mission. slogan? Let's find out. First, their website:

The data that's collected and processed by their website include: your IP address, browser and operating system type and version, browser language settings, country, date and time, origin of your visit, as well as clicked links and visited (parts of) pages of their website. Hmm, the latter sounds suspicious. Wonder how do they justify it? to help us get an idea of which of our pages appear to be effective to inform our visitors. How about the origin of your visit? to assess the success of our search engine optimization and information outreach efforts. And the country? to know in which countries and at what moments our marketing efforts appear to be effective. Sounds like good old tracking to me. They claim this data is then "deleted or anonymized", but whatever. I don't know about you, but I don't want to be apart of their "marketing" and "information outreach" experiments - anonymized or not. How about the mail service?

The big problem: StartMail's privacy policy is extremely long, and yet manages to not say what it actually stores or the duration. All that we're told is what happens when you delete your data:

When you delete an email, it is immediately deleted from our production servers, unlike what happens with many other webmail providers. Only on the off-site backups (which are fully encrypted, of course) a copy will remain for the maximum retention period of three days. Your Account will be stored for as long as our Agreement remains in force. When an Agreement is fully terminated, all data contained in the Account, including all emails, will be deleted permanently.

As well as their policy in dealing with requests:

We will not comply with requests from any authorities other than Dutch authorities. If we receive a request from any foreign government, we will refuse to comply and will instead refer the requestor to place a formal request to the Dutch authorities for mutual assistance.
StartMail will never cooperate with any voluntary surveillance programs. Under the strong current laws that protect the right to privacy in Europe, European governments cannot legally force service providers like StartMail to implement a blanket spying program on their users. Should that ever change, we will use all methods at our disposal to resist.
We will not comply with any requests from private third parties to provide information about our Users, unless we would receive a valid Dutch court order to such effect.

Though it's cool they won't share your stuff with snoops without a valid court order, as well as having a sane deletion policy - let's not get bamboozled here. Not a word is said about the storage of your E-mail content and metadata, which is the most important part of a privacy policy - and yet it doesn't exist here. There's one more thing you might want to know about. Since the service is paid, and they don't accept bitcoins, you won't be anonymous. And they keep payment information for 7 years - We store invoices for 7 years, or whichever period may be prescribed under applicable tax law. And, according to Wikipedia, invoices contain personal data, such as your name. Despite a lot of posturing, I can't recommend StartMail as long as they keep us in the dark in terms of the most important information.

CounterMail

Paid service, with 4 EUR per month (4 times more than the below!). Accepts bitcoin so you can pay anonymously. Privacy policy says no IP logs, however they do store mail contents and metadata and don't state for how long. Apparently there are no hard disks on their servers so if they turned them off in time, a raid wouldn't be able to get anything without some RAM extraction magic. However they could still be hacked while online of course, or "compelled" to give away the data. Supports mail clients and up to 10 aliases. Sounds like a great service - and it actually is similar to the below, but there's some cracks in the wall. Though it alleges to support automatic PGP encryption, you can only use their own keys, and we know the perils of that. Actually, there's an option to generate your own, but you have to send them to CounterMail to use them, which seems suspicious as fuck. The Java browser plugin is also required to sign up (man, I haven't used that in years). FAQ is 6 freaking years old as of writing this. There's a free 7 day trial if you want to try CounterMail - but check out the entirety of this report first, because better things are coming...

Posteo

Their privacy policy (archive) starts off very promising:

we strictly do not save any IP addresses that could be traced back to customers. [...] This was independently confirmed in an audit report by the German Federal Commissioner for Data Protection.

The audit is in German so I can't confirm what was actually checked, however it's nice that they bothered to do it.

We also do not collect or save your IP address if you use an external client to retrieve your emails via IMAP or POP3 or to transmit messages via SMTP to be delivered by us.

So, if you use a mail client, your IP is not stored at all. How about the mail contents? Posteo doesn't seem to directly say what is stored and for how long, besides the fact that you can wipe it:

When you delete content data, it's deleted immediately. If the data has been backed up in one of our daily security backups, it will remain there for an additional 7 days until it is completely deleted.

So you can delete your mail anytime, and it's gone except for the backup. Not bad; you can encrypt the backup as well:

Additionally, we offer the possibility to encrypt all emails, notes, contacts and calendar entries that are saved at Posteo individually with the password of the account (AES-encryption).

Posteo is a paid service (1 EUR per month), though it alleges that the payment data is anonymized (as in, not connected to your account); you can read more about this here (archive). However it is unclear what is actually saved - on one hand, they say that Despite the change in the law, we still do not save any of our customers' user information; and on the other - For PayPal payments: The time and date of a payment, the amount, and the name of the payer. The data is stored for 10 years; they say it is not connected to the user's account, but you will have to take their word for it. Cash payment is also available. Since I did this for Disroot, RiseUp and Autistici, let's now check out what does Posteo's ToS prohibits:

5.3 The customer will not use the email service to send out advertisements for commercial purposes by email or to send standardised emails to a multitude of recipients.

So you can't advertise your commercial service, despite Posteo itself being paid for and not following anti-capitalist politics. Weird. You also can't break German laws and break regulations regarding protection of children. Pretty mild, I guess.

Since June 2019, the German laws have changed so that targeted surveillance by the government is now unlawful (maybe we should be speaking about German privacy laws instead of Swiss privacy laws?):

At the present time, there is no longer any legal basis for TKÜ (surveillance of an account for a specified time period); Posteo is therefore no longer allowed to and will not implement such orders.

No tracking shit on their website, unlike StartMail. No IP storage, e-mail deleted immediately upon your action and only stored in a backup encrypted with your password. No personal information collected ever; payment data anonymized as well, so even when the government comes knocking, they get nothing. Two aliases are available upon signing up, and you can buy more. You can't use custom domains with Posteo and it also does not have an onion domain available. Posteo is powered by renewable energy sources! So you're protecting the environment with this provider, as well. Taking everything into account, this service is one of the best out there, though it does have a few flaws.

Autistici

A service for activists that starts off with some nice quotes:

We believe that this world is far from being the best world possible. We respond to this by providing activists, groups and collectives with platforms for a freer communication and digital tools for privacy self-defence.
Our principles are fairly straightforward: the world should not be run on money, but it should be rooted in solidarity, community, mutual help, equal rights and freedoms, and social justice.
We believe that communication must be free - and for free - and, therefore, universally accessible.

But then goes off the deep end with an extremely restrictive policy required to use it - banning, in particular:

discrimination based on gender, race, religion or sexual orientation

Which is all well and good except it's historically been used to, for example, ban cosplay, memes, or hand gestures. Let's go further:

Using the Services in order to promote institutional political parties or any other organization that already has the financial resources to widely spread its own content and ideas

Speaking in favor of a politician is a sin according to Autistici.

Using the Services for any military purpose, including information or training material about firearms and related combat techniques, cyberwarfare, weapons development and manufacture.

Forget about self-defense related content, too. And the funniest:

Using the Services for cryptocurrency related activities;

What's wrong with cryptocurrency? You'd think it would be considered a (relatively) anonymous and uncontrolled alternative to bank accounts. Anyway, we don't know what exactly they mean by promoting political parties, for example - so the severity of what's accepted by the ToS is unknown. Either way, if they detect you violating the policies, you're out:

if we see that you’re violating our principles publicly while using our services, we won’t hesitate to delete your account without previous notice.

So, you better agree with them or get good at lying / hiding. You can read more about Autistici's beliefs in A short short tale about why we are who we are and why we do what we do (archive) Now let's move on to the newly written privacy policy (which Autistici has lacked for the last two decades). Starting with the bad:

In order to detect abuse of our email services, we keep track of email metadata (message sender and recipient only) for every message that goes through our systems. These logs are retained for 15 days.

Metadata is extremely revealing - enough to kill people because of it. And why is it necesary to store it for 15 days when other privacy services like Disroot manage with just 24 hours? Now, since this is the E-mail report, I will only briefly cover their policy for other services they provide:

Whenever you interact with our platform or Services, whether you have an account or not, the automatic exchange of information between your client and our servers will provide us with some non-personal data, including, without limitation, data relating to the browser you are using (browser type, whether it is a mobile/desktop device, OS version, preferred language), the date and time of your visit and the referring website, but not your IP address.

I've written before about the perils of anonymized data, so I will only respond briefly. All the data Autistici collects is certainly vulnerable to browser fingerprinting, and we don't know what their alleged anonymization consists of. Referring websites could also be used to create a profile of someone's interests to possibly connect it to their real life identity. How about the good stuff?

Autistici controls their servers and uses disk encryption. When you delete your account, it's fully gone in 3 days. There's no third party data sharing. Personal information is not required to sign up, but you need to fill a request - which they will check if it agrees with their beliefs, such as:

We support individuals, collectives, communities, groups and so on whose political and social activities fit within this worldview and who share with us some fundamental principles: anti-fascism, anti-racism, anti-sexism, anti-militarism. And on top of that, one has to share our basic attitude towards money and the capitalistic world: a deep feeling of uneasyness and unrest.

They're really serious about this, so much that I was asked twice that I really am on board with their ideology before they let me through. As said before, Autistici will kill your account if they find you doing something contrary. In other parts of their site, they claim that they keep no logs at all - but I guess that is now superceded by the the recent privacy policy.

Autistici has an onion domain that doesn't seem to work very well. When I wrote them an E-mail notifying them of their onion failing, they've ignored it. Recently, the Autistici E-mail service also been down for a few months in a row. Sure, I get it - you're funded entirely by donations, whatever. Still, surely you could have gotten someone to fix stuff up in a much shorter timespan? All in all, for a primary account, I don't recommend Autistici anymore - though of course it's still superior to the big privacy violators. But with services like this, it's always a danger that someone will rat you out for violating their ideology, or they will find that out themselves somehow. So, unless you're an all-out SJW activist, you'll have to worry about self-censoring. Though, with how incompetent Autistici seems to be (being down for half a year, and having wrong information in their privacy policy before I reported it to them - despite allegedly being written with the help of several lawyers), it might not be a real problem. Remember, also, that even non-ideologically focused services have heavily restrictive ToSes - just maybe in some others ways. So, it's a case of pick your poison most of the time. Autistici has been around since 2001 and have a mission, so they will surely stick around, at least.

Disroot

Starts off with some nice quotes. From the front page:

Disroot is a platform providing online services based on principles of freedom, privacy, federation and decentralization. **No tracking, no ads, no profiling, no data mining!

The About page (archive):

In the last few decades information has become very valuable and more and more easy to collect and process. We are accustomed to being analyzed, blindly accepting terms and conditions for "our own good", trusting authorities and multi-billion dollar companies to protect our interest, while all along we are the product in their 'people farms'.
Many networks use your data to make money by analyzing your interactions and using this information to advertise things to you. Disroot doesn't use your data for any purpose other than allowing you to connect and use the service.
By running Disroot we hope to change how people typically interact on the web. We want to encourage people to break free of the walled gardens of popular software and turn to open and ethical alternatives

And the mission statement (archive):

The once decentralized, democratic and free internet, has been dominated by a handful of technology giants, promoting concentration in monopolies, more government control and more restrictive regulations. Everything that, in our opinion, opposes and destroys the true essence of this wonderful tool.
Our motto is "The less we know about our users, the better". We implement data encryption whenever possible to ensure that obtaining user data by unauthorized third parties is as difficult as possible and we maintain only the minimum of user logs or data that are essential for the service performance.
We chose a working approach in which users (from now on referred to as Disrooters) are the most valuable part and the main beneficiaries of the project

So, we get the impression that Disroot dislikes what the Internet has become - a place where we're data-mined, controlled, dependent on powerful entities that don't have our interests in mind. Sounds great; but as usual - what's most important is the confirmation of the ideas espoused above - after all, Mozilla, for example, says the same things. So let's check out their Privacy policy (archive). Since this is just about their E-mail service, I will focus on that:

IP addresses of currently logged in user via IMAP/POP3 protocol are stored as long as the device is logged in to the server. (per each device logged in)

No persistent IP storage then.

All emails, unless encrypted by user (with gpg for example) are stored on our servers in plain-text.

This means that Disroot can read it - unlike, say, RiseUp or Posteo - that encrypt the mail with a key derived from your password. However, AFAIK - those two could still do it if you were targeted and they decided to swipe your password before hashing (so, use PGP anyway if you can). Disroot also uses disk encryption. This is it for the E-mail specific policy, so let's check out the general one:

We store logs of your activity for period no longer then 24h (unless specified otherwise per service). This data is used to help diagnose software issues, maintain security of the system against intrusion, and monitor the health of the platform.

So, for E-mail: IP is not stored at all, while all other logs are wiped every day. Very well, can't do much better than this. Let's now check out their Terms of service (archive). The relevant parts are these:

2. Contributing to the discrimination, harassment or harm against any individual or group. That includes the spread of hate and bigotry through racism, ethnophobia, antisemitism, sexism, homophobia and other forms of discriminatory behavior.

These days, absolutely anything (even harmless jokes) is considered discrimination so whether what you do qualifies is anyone's guess. However - assuming they don't read your mail - you should be safe (unless you get reported).

3. Contributing to the abuse of others by distributing material where the production process created violence or sexual assault against persons or animals.

Again, lots of room for interpretation here. Would reporting on a violent event that happened qualify? Using Disroot for commercial activities is also not allowed:

Because of this structure we see using Disroot services for commercial purposes as abuse of the service and it will be treated as such.

However, they will not immediately kill your account when such an activity is detected:

5. Using Disroot services for any other commercial activity will be examined per case and the decision on terminating such accounts will be based upon communication with the account holder and the type of the activities in question.

This might seem worrying, but it's still better than the ToS of almost any other provider listed here.

Disroot allows signing up through a VPN or the Tor network (however, there is no onion domain). Mail clients are supported - but you can use the RainLoop webmail as well, which supports PGP encryption - but they tell you not to rely on it and instead encrypt your shit locally (as I've been saying all throughout this report).

Nevertheless, we encourage you to always be cautious when using email communication, and to make use of GPG encryption to ensure your correspondence is safer.

Signing up for Disroot requires filling a "Your Story" section. Earlier, they've used ReCaptcha to deal with the spam problems they had - but - due to privacy reasons - dumped it and had to come up with something else, so there it is. If you do so, you also get access to some other services, including a forum, where you can read that Disroot is in for the long haul (archive):

So as far as I'm concern disroot isn't going anywhere. It is my primary email address, xmpp account and d* account.
I think we have something, big corporations don't. We believe in what we do, and the change of current status-quo. Going back to the roots, to how the internet used to be.
We started disroot with "long run" in mind. From my side I can tell you, disroot is my baby and I believe in it's success (or however you want to call it). You don't kill your babies.

The admin also claims the service is not activist exclusive (archive) - unlike RiseUp or Autistici:

I dont know where did you get the information that we are somehow for activist exlcusive. Nowhere on our website, neither in our Mission statement we say anything about it.

Me and a chatroom member also did tests with him sending E-mail to my account from some rarely used providers (such as Paranoid or Onion Mail), and Disroot blocks them, forcing the other person to resend. This is called greylisting and is a form of spam filtering - but still, kind of annoying.

In summary - no IP storage, other (possible) logs only for 24h, no personal data required for registration, VPN / Tor usage allowed. So, privacy is very good and they mostly did end up confirming their mission statement - unlike Mozilla. The issues with Disroot include: no onion domain, blocking unknown providers and a somewhat restrictive ToS (no discrimination or violence, no commercial usage) - however, still much less so than almost all the others. You also have to pay for aliases. Along with RiseUp, Disroot is still likely the best free option out there.

RiseUp

The Riseup Collective is an autonomous body based in Seattle with collective members world wide. Our purpose is to aid in the creation of a free society, a world with freedom from want and freedom of expression, a world without oppression or hierarchy, where power is shared equally. We do this by providing communication and computer resources to allies engaged in struggles against capitalism and other forms of oppression.
We work to create revolution and a free society in the here and now by building alternative communication infrastructure designed to oppose and replace the dominant system.
We promote social ownership and democratic control over information, ideas, technology, and the means of communication

This is exactly the kind of stuff I've spoke about in the Avoiding "The Botnet" - impossible? article. If RiseUp realizes the source of the "botnet" and the need to control the infrastructure, then surely their service does not spy on you. Let's check it out (archive) though, to be sure:

No IP addresses of any user for any service are retained.

Good, the most important one is out of the way.

Your web browser communicates uniquely identifying information to all web servers it visits [...] We do not retain any of this information.

So, user agents and stuff like that isn't collected. So what do they actually store?

we keep a log of the “from” or “to” information for every message relayed. These logs are purged on a daily basis

So the sender and recipient metadata is stored but only for 24 hours at most, apparently for the prevention of spam. But then comes this:

Anonymous, aggregated information that cannot be linked back to an individual user may be made available to experienced researchers for the sole purpose of developing better systems for anonymous and secure communication. For example, we may aggregate information on how many messages a typical user sends and receives, and with what frequency.

If I have criticized Mozilla and DDG for the same thing, I can't let it slide here. Though, of course, it's mild compared to what everyone else is doing.

You may choose to delete your riseup.net account at any time. Doing so will destroy all the data we retain that is associated with your account.

Okay, so regardless of what is stored, if you delete your account - it's gone for good. The only sane policy that unfortunately isn't used by most other providers.

The more important things, though, are said in their RiseUp and Government section (archive)

We will do everything in our power to protect the data of social movements and activists, short of extended incarceration. We would rather pull the plug than submit to repressive surveillance by our government, or any government.
We have fought and won every time anyone has tried to get us to give up information. We have never turned over any user data to any third party, fourth party, fifth party or any party.
We would not consent to the installation of any external hardware or software on our network and would end the organization rather than install any.

So they admit they will fight the government and would rather die than surrender. What other provider would do that? However, the claim that they've never turned over data is false:

After exhausting our legal options, Riseup recently chose to comply with two sealed warrants from the FBI, rather than facing contempt of court (which would have resulted in jail time for Riseup birds and/or termination of the Riseup organization). The first concerned the public contact address for an international DDoS extortion ring. The second concerned an account using ransomware to extort money from people.

Even though this might seem justified by the apparent evil of the actions, it opens a can of worms that I'm not sure should be opened. I mean, the legal system itself is a massive oppressor and we shouldn't ally with it just because it happens to do something we like once in a blue moon. After this fiasco, RiseUp has taken steps to further increase privacy - they implemented automatic encryption of mail using your password (similar to Posteo):

Additionally, as of March 2017, the storage for all new accounts is personally encrypted. Riseup is unable to read any of the stored content for these accounts. Any user with an account created prior to March 2017 may opt-in to personally encrypted storage.

You can read more about this here. There is also disk encryption - so you're still protected against the government better than from any other service. And let's be real here - in RiseUp's 21 year long history (as of the time of writing), such a situation has (AFAIK) only happened once - while providers like Proton have given away data hundreds of times. RiseUp will remove your account for engaging in these activities:

Pretty mild compared to the litany of things you're not supposed to do that providers like FastMail (archive) or Mailbox.org (archive) have (and you pay for them). RiseUp also provides the best E-mail alias feature of all, which is free, does not reveal your real account in the headers, and you can delete the aliases if they aren't useful anymore or have become spammed. Though other providers, such as cock.li or danwin1210, do use the more secure v3 onion domains for XMPP and E-mail, RiseUp is the only one which provides them for the whole suite of services, such as bins, pads, file upload, etc.

All in all, for me this is still a great E-mail provider - taking into account the logging policy, lack of personal data needed for registration, v3 onion addresses, unlimited aliases, mail client support and great reliability (I don't think I've ever had it go down - unlike their XMPP). They also respond to support tickets. The only possible problem would be the FBI fiasco - though, they could not have done much there with the gag order. Remember - this service is used by thousands of activists - it has to take privacy and security very seriously. Of course, there is also the focus on anti-racism, anti-"homophobia", etc - but I haven't seen them claim to delete accounts for certain views, unlike Autistici. Other providers - such as FastMail or Mailbox.org - have a litany of things you're not supposed to do in their ToS (ten times longer than RiseUp) - and you pay for them. Still, it is a minor issue and since the service has no major ones, I have to mention those. To register, RiseUp requires an invite code from a person who already has an account.

Temporary e-mail (AirMail and such)

Just for completeness' sake - they're pretty much useless. Blocked everywhere and only stay around for a while, preventing password reset and such. Outclassed by RiseUp's alias feature.

Summary

It is very worrying how many providers pretend to be privacy based but turn out to be anything but - even actively trying to compromise it. No matter, there still exist a few good guys such as Riseup, Disroot and Autistici. If you managed to sign up for all of those - you could get the full set of Internet tools - E-mail, XMPP, VPN, cloud storage and web hosting! If you can't or don't want to get into those (perhaps disagreeing with their principles) - the second best option is paying for a Posteo account. StartMail and CounterMail look pretty OK but are also paid. A few galaxies further you find Dismail and Cock.li - if that wasn't clear, it means I recommend those only as a last resort.

You should not fully trust any provider, though (or any internet service at all). Take this quote from RiseUp to heart:

Nothing online is 100% secure. If you have something very sensitive to say, do it offline.

Why the situation is as it is?

E-mail services can be funded in a few ways:

Option 1 can afford to be private without needing your data - however, that does not mean it will. After all, privacy is a big business opportunity now and there are lots of frauds taking advantage (many of them I've analyzed here). Some do exist that do go out of their way to create a secure, private and functional service - so, use those if you've got the money. Option 2 is obviously undesirable and the reason for this report's existence. Option 3 is extremely rare and doesn't last long (see SigaVPN), so let's move on to Option 4:

For a service to earn donations, there need to be people willing to give them. Unfortunately, there are not enough privacy autists for whom that cause is important enough to support monetarily. There is a group of people who do care more about it, though - the so-called "activists", or people "working on liberatory social change". This means the service will be inseparable from the donators' ideology - since it was made by them, for them, anyway. The activists consider it an abuse that the big corpos or governments can spy on their communication or even track their web browsing to show them ads, etc. More importantly, since they use the Internet to talk about their "activism", they cannot afford to be watched - because that innocent convo might be used against them during protests, etc. Privacy autists alone usually do not have an ideology they identify with from which the privacy would follow - they just don't like being spied on. They also don't do real-life stuff such as shoplifts, whistleblowing, etc. for which the privacy would be required. We can see, then, why the "activists" care so much more about the issue that they can afford to donate. This is why we don't yet have a service that is free, donation-supported, and without a stated ideology - privacy alone just doesn't move the spirits enough. When the privacy autists consider the issue more important, these kinds of services will spring up. For now, we're unfortunately dependent on RiseUp, Disroot and some others.

On encryption

First of all, ensure your mail is sent using TLS since some providers actually don't support that. For those that do, there are two settings that determine how it's used - STARTTLS or SSL / TLS - and the former is insecure. Briefly: for SSL / TLS, the mail is encrypted by default for its full journey; if TLS is unavailable at the other end, the mail is dropped. STARTTLS, on the other hand, first sends an unencrypted packet to check if the other server supports encryption, and only upgrades the connection if it does. A downgrade attack can be performed by any man in the middle by modifying the server response (archive) to make it seem like it doesn't support TLS. STARTTLS is actually a historical relic whose point was to upgrade insecure connections from an age before TLS even existed. Later, the port number 465 was defined to support only encrypted connections, so that is the one that clients should be configured to use to prevent MitM attacks. Of course, this will disallow sending mail to providers which don't support encryption, but pretty much every relevant server (archive) does today.

Now, SSL / TLS still has many of its own issues. Any of the points inbetween you and the recipient can try to perform a Man in the Middle attack (just as an example - a connection to mail.riseup.net takes 22 hops). The protocol usually protects against those by requiring the server to prove itself with a digital certificate. However, SSL validation can be broken in many ways. Even if the above don't apply - all software that uses the protocol has an in-built list of certificate authorities that it trusts by default. If a hacker takes over one of those, they can generate fake certificates (which your program will automatically accept) for the servers they want to capture traffic from. This allows them to see request content, steal passwords, forge responses (archive), etc. for the spoofed providers (such as Google's in the above case). Another way to perform a MitM is by installing a rogue root cert on the target's machine - this is done by both corporations (archive) and governments (archive) - and is in fact also how you can spy on your own browser's HTTPS traffic. Even without a MitM, both yours and the recipient's servers can still see everything, including message content in regards to E-mail. How do we protect that? Enter PGP:

PGP, or Pretty Good Privacy, is a way to locally encrypt your E-mail before sending it to other people, as well as allow receiving encrypted messages yourself (it can do more, but since this is the E-mail report, we will focus on just that). This hides them both from possible MitM as well as compromised servers. To take advantage of this tool, you first need to create your PGP key. Claws Mail can do this through its PGP plugins - but it's limited to the less secure 2048 bit key length - so we'll do it from the command line. First, install the necessary packages - gnupg2 and pinentry. Now type this command:

gpg2 --full-generate-key

Select RSA and DSA for key type (option 1). 4096 for size - this is the highest possible value, and the most secure. To make using PGP easier, we will create a key that never expires - option 0; otherwise, you'd need to generate and share new public keys every so often. Press Y to confirm all the chosen options. Now, it will ask you for your real name - however, we - being the privacy ninjas - don't share personal details on the Internet - so type something like Totally Real, or whatever nickname you usually use. Then type your real E-mail address - then confirm everything by pressing O. Now choose a strong password - but also one you will remember. This is very important - if you forget it, you won't be able to decrypt the messages sent to you. On the other hand - if it's weak (either too short, made up of common words, or personal details like birth dates) - it increases the possibility of cracking.

You've now managed to create two keys - public and private. The former allows other people to send encrypted messages to you. You're supposed to share the public key either through your website, a keyserver or directly with the people you talk to. The private key is used to decrypt messages others sent to you, as well as sign your own (which proves they have come from you). As its name suggests, you're not supposed to share it and in fact should protect it as best as you can. Without it, you won't be able to read the E-mail that's been encrypted with your public key, and will have to generate a new key pair. Worse than that - if a hacker steals it and is able to guess your password, they will be able to spy on your mail and even forge signatures; at which point you'll likely need a new account. To export your public key, type this command:

gpg2 --export --armor myemail@account.com > mypublickey.asc

Of course, the E-mail address has to be the same one you've given during the key creation process - otherwise, GPG won't know which key to export. Now, you can safely put that file on your website, upload to the keyserver, or give to your contacts directly (easiest by sending them an E-mail with the public key attached). This is enough for people to be able to send you encrypted messages. To read them, you first need to load the necessary Claws Mail plugins:

PGP Inline is insecure (archive) and shouldn't be used - however, you will need it if someone sends you an E-mail encrypted with it. Now click on the encrypted message and a prompt for your private key password should appear. Enter it and the message will display. To encrypt back, your contact must first generate their own PGP keypair (with the process described above, for example) and send their public key to you. Then you import it with this command:

gpg2 --import random_guy_public_key.asc

Now mark the necessary options in the Compose (or Reply) window and click Send:

Signing ensures your recipient that you're not being impersonated (only someone who knows your private key password could have signed a message with that key) and that your message has not been modified by a MitM (in that case, signature verification will fail). Technically, you can encrypt without signing (or sign without encrypting) - but for better security, you should do both. Of course, for the signing to matter - you need to verify out of band that the key that's been used to sign the message actually belongs to the person you think you're communicating with. This means you need another trusted channel such as a website that you're sure is theirs; or the best way - in person. Anyway, GPG has much more functionality than this - but I think I've covered everything needed for basic usage (and you can always learn more on your own).

There are various ways to implement encryption in webmail, and many providers use them as a strong marketing point, but none of those are as strong as PGP proper, so we will ignore those (if you want, you can read up). PGP still has flaws - for example, it does not encrypt the headers; this includes the subject, sender, recipient and others - you can see all the headers in your mail client; it is all the stuff above the actual message. There have been analyses done (archive) on just how much information can be revealed without even knowing the message contents - the results should astonish you:

But we see that even our not very sophisticated, DIY methods, enabled us to create a deep and clear image of someone’s habits and activities, using information extracted from ‘only’ email metadata. Although our investigation primarily discovered relations, patterns and anomalies of someone’s work life, it still gave us an insight into that person’s habits that border with private life.

But this is not even necessarily required, since an actual attack on PGP called EFAIL (archive) has recently surfaced - which needs the attacker to have:

access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers.

For clarity's sake - Claws Mail was immune to the attack - so the situation wasn't that bad. Still, it shows you shouldn't put all your privacy eggs in one basket. Despite the attack, PGP is still fucking awesome and should always be used for any sensitive communication (best case scenario: all for every contact you can get to use it) - in addition to secure providers and all the other stuff we should be doing.

On "privacy-respecting" laws

One of the major ways various privacy frauds advertise themselves. I've pretty much ignored this issue while rating singular providers, since it's so common and requires a dedicated section to analyze. The claim usually goes something like this:

"Our service is hosted in (insert uber-private country of choice), which, instead of (insert non-private country of choice - usually UK or the US), has super-strong privacy laws. Only a valid court order can force us to release your data!"

You might have already detected the issue while looking at the last sentence. The "super strong privacy laws" claim is based solely on whether a court order is required to release the data. Let's assume they do bring that valid court order - what ends up mattering, then? The data that a service has actually stored, since they can't release what they don't have. Nothing prevents a service from storing whatever they want despite being positioned in a supposedly privacy-respecting country. More than that, many of the countries commonly claimed to be private actually force providers to store certain data. Examples from specific providers above:

Thanks to the above, we end up with some funny situations like RiseUp (hosted in non-private USA) keeping metadata only for one day compared to KolabNow's six months. But in the end, the law is your enemy, not your friend. It imposes the minimum amount of data a provider is required to store, while not preventing them from collecting more if they want to. Being hosted in a country with strong privacy laws is purely a marketing strategy that mostly seems to arise from US and UK citizens scared of their nations' mass surveillance programs. But other countries - like France or Germany (realistically - probably all of them) - run them as well. More than that, many of them cooperate with each other. In 1946, the UK and US formalized an agreement to share intelligence data between them; a few years later Australia, Canada and New Zealand joined in (this was called the five eyes). Eventually the number of eyes increased to 14 as more and more countries became apart of the alliance (with even more "unofficial" members such as Japan or Israel). Edward Snowden's leaked documents revealed that the eyes work closely together to share electronic communication data (abbreviated as COMINT and ELINT). For example:

And they admit the operation is becoming more and more effective as time goes on (you can learn more about the history of the "eyes" here [archive]). What does it mean for the people, though? Choosing a provider from a supposedly privacy-respecting country does not help avoid surveillance - many of them are apart of the fourteen eyes and even if they aren't, they might still cooperate with foreign intelligence. I mean that's exactly what Iceland (non-14 eyes) did during the Silk Road investigation (archive). They've literally let USA agents in to do whatever they wanted. Therefore, in the end, you shouldn't focus too much on the country issue (just assume they're all in it together anyway), but instead on the provider's actual policies, history and trustworthiness. That plus using encryption, a VPN and good OPSEC should protect you from surveillance way better than falling for red herrings like the service's location.

To put the final nail in the coffin for this idea, we have to come back to the court orders again. To begin - what makes you so sure that a provider will actually require a court order as they state? Remember that ProtonMail has already broken that promise in a case of alleged terrorism. How much resources do some of the smaller companies have to fight the data requests in court? Do they even have lawyers on board to determine if a court order is valid? SafeMail.nl (based in "private" Netherlands) has admitted they will not fight court orders and just hand over the data. On the other hand, Lavabit (from "non-private" United States) did everything they could to protect their users from surveillance, including trolling the government (archive). Eventually, they preferred to shut down their service rather than give in to the spies' demands (similar to what RiseUp promises to do today). How many of the providers hosted in supposedly privacy-respecting countries would do the same, instead of just saying "fuck you" to the users and giving up the data? Taking all that into account, I hope we can put the location non-issue to rest...

Back to the front page