Slashdot Mirror


Ask Slashdot: Recommendations For Non-US Based Email Providers?

First time accepted submitter jlnance writes "I don't particularly like the NSA looking over my shoulder. As the scope of its various data gathering programs comes to light, it is apparent to me that the only way to avoid being watched is to use servers based in countries which are unlikely to respond to US requests for information. I realize I am trading surveillance by the NSA for surveillance by the KGB or equivalent, but I'm less troubled by that. I searched briefly for services similar to ymail or gmail which are not hosted in the US. I didn't come up with much. Surely they exist? What are your experiences with this?"

12 of 410 comments

  1. Not sure I understand the question. by Anonymous Coward · · Score: 5, Insightful

    Actual communication security implies point-to-point security. In such a setting, a third-party service doesn't make any sense. Hence either what you're looking for can't exist, or you won't know if it's secure.

    1. Re:Not sure I understand the question. by Anonymous Coward · · Score: 5, Insightful

      You would have to lease space in a datacenter, buy a domain, set up a VPN, use securelinux (though probably not since it was written by the NSA) or Solaris, run a VM inside that, always do a restore before accessing email and read through the tens of thousands of lines of code to delete out anything that MAY compromise your security (best use open source in this case). Also you will have to ensure that everyone you email is doing the same thing. So you may want to start mandating that everyone you email use your domain, but since it will be so expensive you should probably charge for it to, at a minimum, offset costs. Though you should probably charge enough to ensure that you can afford to quit your current job to do full time maintenance.

      After all that, probably be best you find a neutral country that has no agreements with the US and will refuse to work with it.

      But good luck!

    2. Re:Not sure I understand the question. by Znork · · Score: 4, Insightful

      Of course, the part that the NSA et al. seem most interested in is the source and destinations of your mails to map your associations. By sending via your ISP smarthost you're still handing them that info, so if you want to cut them out of the loop you need to VPN the mail relaying outside their grasp and ensure encrypted SMTP/TLS direct between endpoints.

      Your random mail idea does screw with them in a nice way tho as it'd mess up their social graph and probably get yourself classified as an uninteresting spammer after which you can freely inform islamic insurgents how they can enlarge their manhood and obtain large fortunes from Africa by sending a small upfront payment.

      But for actual secure comms it's probably better to use i2p or some other darknet. And traffic on that screws with the snoops as well.

  2. KGB better than NSA? by tonytally · · Score: 4, Insightful

    You'd really rather have the KGB looking over your shoulder rather than NSA? Surely you are joking.

    1. Re:KGB better than NSA? by Opportunist · · Score: 5, Insightful

      As a US citizen, I sure as hell would prefer the KGB looking over my shoulder. The chance that it has any kind of impact on my life is far lower.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  3. Roll your own... by flogger · · Score: 5, Insightful

    My email server is sitting in my laundry room. I also host some message forums and picture galleries for just my family and friends. It is how I communicate with them.

    Only about 1/3 of my family and friends use my server for email.... So any overseas email service is going to have the same limitation as mine. If I email my sister from my server, that email goes to gmail. So now the NSA knows what I sent to my sister.

    So unless everyone you communicate with is outside of the US or on a server outside of NSA's reach, it won't do any good.

    Sorry to break it to you, but in the war against terror, the American people have lost.

    --
    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
    "First things first -- but not necessarily in that order"
    -- The Doctor, "Doctor
  4. Wrong Question by ocularsinister · · Score: 5, Insightful

    What you should be asking is "How do I get everyone to sign and encrypt their emails as a matter of course?"

  5. Re:Runbox.com by Anonymous Coward · · Score: 4, Insightful

    Personal data must be kept confidential unless required by law or court order.

    That's a hole you can drive a truck through. The NSA justifies everything on those grounds.

  6. Makes no difference. by dgatwood · · Score: 4, Insightful

    From all reports, most or all of the countries where spying occurs, despite their very vocal public outcry against what the U.S. is doing, are in fact sharing information with the U.S. government. And even if they don't, the U.S. can simply grab the data on its way out of the country to that server.

    The only way to make email secure is to abandon email in favor of a protocol that supports end-to-end encryption, such as iMessage, XMPP, etc. and to tweak your centralized server and/or clients to require that end-to-end encryption be used. And even then, the metadata (who sent mail to whom) is at risk. The only way to prevent metadata from being trackable is to either develop a new system in which locating a user does not require credentials and use Tor to connect to the centralized server (e.g. use wide-area Bonjour to advertise your current IP address) or design a whole new messaging system built in a darknet.

    Either way, email is and has always been just as secure as sending a postcard (which is to say, completely insecure), and cannot readily be improved upon significantly in this regard without starting over from scratch.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

  7. use encryption by stenvar · · Score: 4, Insightful

    Many E-mail providers overseas require you to give personal information to sign up, often due to legal requirements in those countries; sometimes they verify that with a credit card number or simply by comparing your address data with government databases. Many countries (including much of Europe) also have data retention requirements and give their own police and intelligence service nearly free rein, and they may well exchange data with the US anyway, so it's not clear you're better off. And some providers of anonymous services may simply be fronts for intelligence agencies. And, of course, if the other parties to your E-mail use a US provider, your data is already available to US intelligence agencies, and your foreign E-mail account will stick out.

    As an American, if you want to communicate privately, you have to use encryption, and preferably steganography. Getting an E-mail account in another country really doesn't help very much.

  8. Re:Runbox.com by BUL2294 · · Score: 4, Insightful

    But the on-site / server backdoors are necessary unless there's some unknown backdoor built into SSL that the NSA, MI6, IDF, etc. can utilize. By default, my GMail uses HTTPS, but the NSA's backdoor to Google servers negates that advantage.

    So, unless there's an unknown backdoor built into SSL, as long as Runbox.com uses HTTPS, how should "Australia, the UK, the US", etc. know what was transmitted unless they use a brute-force attack?

    Just yesterday, NPR indicated that US-based cloud platforms stand to lose between $21 billion and $35 billion over the next few years over the NSA scandal... http://www.npr.org/templates/story/story.php?storyId=210570888 . Lavamail and Silent Circle shut down unexpectedly & destroyed all data they had to not get caught up in the scandal...

    --
    Windows 3.1x calc: 3.11 - 3.10 = 0.00
  9. That won't work: 1and1 has management in the US. by Anonymous Coward · · Score: 5, Insightful

    1and1.com is a US-based company, or has management staff in the United States, so that won't work.

    This is what I understand:
    1) The U.S. government can force any company to do anything it wants.
    2) The U.S. government can demand that the company keep that secret.
    3) The U.S. government can put a U.S. employee in prison if 1 and 2 are not followed.

    Seems to me to be a vicious, anti-democratic government.