It's hard to make the full switch towards a more private life, but switching your mail already fixes a big underlying issue: that being, Google or other companies having access to all your emails. So, I'll cover the basics of making your online mailing more private.
Switching Mail Providers:
Your email is a big part of your online footprint and helps you keep track of your online identity. So, in order to keep that to yourself, I encourage leaving services like:
"Gmail" or "Outlook",
for others like:
"ProtonMail" or "Tutanota".
This is already a big step towards keeping all your emails private and safe. Both of these are free and respect your privacy on their free tier, but expand in features with paid plans. This takes time, as you have to switch your email on most accounts to this new email.
For the best privacy, you should delete most accounts and create new ones with this new email or with aliases. Some people, like myself, prefer to have multiple emails over aliases. For example:
(Self-hosting your own mail domain is possible, but it’s a harder process, and custom domains are not always accepted or reliable.)
(You should keep your old email for a year or so to make sure no important service was left behind locked to that email. Once that's done, you can delete the account.)
Tips:
If you can, you should try expanding your protocol with this:
Adding 2FA to any online website, especially email. I use ~~"Authy"~~ for this. -> Better use Aegis, good app!
Switching your browser to something like "Librewolf".
Switching to a password manager like "Proton Pass" or "1Password".
Encourage your close family to do the same once you're comfortable with the process.
Switch social media to private alternatives.
If you take any efforts to switch browser or install Aegis, try to use "F-droid", or even better, "Droidify". These being a FOSS app store, and a good Material alternative frontend. For apps not in here, consider "Aurora store", a more private **"Play store"** alternative.
This is about it for me, quick posts from class, feel free to add into this topic below.
Edit:
Important additions after reading the comments:
Proton is a bit discouraged by some for some political views published by the CEO under Proton's account and image. They backed down, and I believe it isn't something bad enough for users to leave such a good privacy-oriented suite of apps. I encourage anyone who cares about this topic to research before making the switch.
Mail is not 100% private with any option, and shouldn't be used for highly sensitive information. For that, use well-respected end-to-end encrypted apps, like "Signal". Still, it is best to just not send very sensitive information online.
As a comment pointed out, for a mail to be as private as possible, both the sender and receiver should have a private mail, otherwise you can be private but the other person would still be having your mail conversations stored under "Gmail" or similar.
Sorry if this post didn't give the best newbie advice, I tried to track back some of my old knowledge, but I'll take more time to research the next time. Take care and stay private!
> Adding 2FA to any online website, especially email. I use "Authy" for this.

Authy is known to be shady. Some better (open source) alternatives are Ente, Aegis (Android) and 2FAS (Apple).
Authy practically traps you in its walled garden, since you can't export. Also it's closed source.
> Switching your browser to something like "Librewolf".

I recommend against using forks of firefox. Instead users should use a configured and personalized version of it, with Arkenfox. But that may be extreme (tho librewolf uses arkenfox).
The reason why is because often those forks are outdated or are late by days, when crucial security updates may be available. Most of their features can also be recreated in the user.js or userchrome, so they're often redundant too.
> Switching to a password manager like "Proton Pass" or "1Password".

Both of those are closed source; a better, FOSS and trusted alternative is Bitwarden. I've been (and others here) using it for a long time and I can confidently say it's the best password manager on the market.
BTW: While we're all here, should we create the [soon-to-be created lol] guide on the community, Codeberg or dbzer0's wiki feature? I'm fond of the wiki and I'd like to try it, but reply with your vote.
I feel like email is the one option where "total privacy" is either difficult or impossible to get secure, because the relay/service stores a copy and the receiver accesses that copy. If either of them are insecure or otherwise able to be configured to be no longer fully-private (e.g. ProtonMail), your efforts at private email are rendered moot.
Something is certainly better than nothing in this regard, but it seems to me that if you truly need secure communication, you should be using an E2EE chat app with local-only storage.
True, you can't make email completely secure. But I'd trust tuta for example any day over gmail.
I send sensitivish content over email sometimes but I always use encrypted chat apps for the real threats. Otherwise email is just for receiving from services.
> It’s hard to make the full switch towards a more private life, but switching your mail already fixes a big underlying issue: that being, Google or other companies having access to all your emails. So, I’ll cover the basics of making your online mailing more private.

The issue is that the moment you send a mail to someone or receive an email from someone that is using Gmail (or whatever provider that doesn't care about privacy), your own email is not private anymore: it's read by that other company. So, unless everyone was to start using encrypted emails, and I should say compatible encrypted emails, real email privacy will be little more than a wish.
It's a good move to ditch companies like Google, obviously, but one should not let potential switchers believe that it's a magical wand that will make their emails private. It is not.
As a side note, I would also suggest for a much better privacy: use email aliases so you never share your real email with any company or service provider.
While the original comment has validity, I think it's important to know that a lot of the proton news you'll find is very "drop it immediately" biased.
I definitely think the news left a bad taste that's worth keeping an eye on, but I don't think it should eliminate them completely as an option. Especially for newer privacy advocates.
Edit: full disclosure for future readers, I may be biased as well since I do continue to use proton services and I love it. But I still try to look at both sides on things like this.
I would discourage anyone from moving to Proton. I know people are quick to dismiss the CEO's political views as fluff but here's an evidenced account of what unfolded:
This is what the CEO posting as u/Proton_Team stated in a response on r/ProtonMail:
Here is our official response, also available on the Mastodon post in the screenshot:
Corporate capture of Dems is real. In 2022, we campaigned extensively in the US for anti-trust legislation.
Two bills were ready, with bipartisan support. Chuck Schumer (who coincidently has two daughters working as big tech lobbyists) refused to bring the bills for a vote.
At a 2024 event covering antitrust remedies, out of all the invited senators, just a single one showed up - JD Vance.
By working on the front lines of many policy issues, we have seen the shift between Dems and Republicans over the past decade first hand.
Dems had a choice between the progressive wing (Bernie Sanders, etc), versus corporate Dems, but in the end money won and constituents lost.
Until corporate Dems are thrown out, the reality is that Republicans remain more likely to tackle Big Tech abuses.
There's also this Lemmy discussion from the day after, but by that point the Proton team had fully kicked in their censorship so I don't know how much people were aware of (apologies, I don't know how to make a generic Lemmy link)
https://feddit.uk/post/22741653
Nobody uses PGP because it's annoying, the tooling is not user friendly, it requires a lot of manual effort for multi-device access and most people simply don't have the ability to manage keys safely. And that is why offloading all this effort to Proton (or similar providers like Tuta) who do all the PGP stuff transparently is the only viable solution.