Slashdot Mirror
Ask Slashdot: Recommendations For Non-US Based Email Providers?
First time accepted submitter jlnance writes "I don't particularly like the NSA looking over my shoulder. As the scope of its various data gathering programs comes to light, it is apparent to me that the only way to avoid being watched is to use servers based in countries which are unlikely to respond to US requests for information. I realize I am trading surveillance by the NSA for surveillance by the KGB or equivalent, but I'm less troubled by that. I searched briefly for services similar to ymail or gmail which are not hosted in the US. I didn't come up with much. Surely they exist? What are your experiences with this?"
Actual communication security implies point-to-point security. In such a setting, a third-party service doesn't make any sense. Hence either what you're look for can't exist, or you won't know if it's secure.
I am using www.runbox.com myself: it's a service based in Norway, it's pretty cheap considering, they do not have any NSA-ties or the likes. I dunno what else to say about it, really, so I'll just copypaste this from their site:
Email Privacy in Norway
Some countries, especially in Europe, have a constitutional guarantee of secrecy of correspondence, wherein email is equated with letters and therefore protected from all types of screening and surveillance. In electronic communication, this principle protects not only the message contents but also the logs of when and from/to whom messages have been sent.
In Norway, freedom of expression and privacy of correspondence is governed by Article 100 and 102 of the Constitution and the implementation of the European Convention on Human Rights in the Norwegian Human Rights Act, especially Article 8: Right to respect for private and family life.
Additionally, the Personal Data Act as set forth by the Norwegian Data Inspectorate regulates collection, storage, and processing of personal data.
The Data Inspectorate was established January 1, 1980 and was among the first agencies in the world to facilitate the protection of individuals from violation of their right to privacy through processing of their personal data.
Central principles of the Norwegian data privacy regulations are:
Personal data must only be collected by private entities when consent from the user has been obtained.
Personal data must not be used for purposes inconsistent with the initial purpose of collection except with consent from the user.
Personal data must not be stored longer than required by the purpose of collection.
Personal data must be kept confidential unless required by law or court order.
Finally, the coming Data Retention Directive will soon be implemented in Norway but will only regulate electronic infrastructure providers, which Runbox is not.
You'd really rather have the KGB looking over your shoulder rather than NSA? Surely you are joking.
Since the NSA programs are designed primarily to intercept communications between US and non-US folks, if you are in the US and store your mail somewhere else you are asking the NSA to collect all of it. Today, if you are in the US and have your hosting in the US the NSA only gets the parts that go between you and someone in another country (or where you said some "interesting" thing like "that new pressure cooker that fits in my backpack for camping is the bomb". If you move your mail to another country, the NSA will be collecting it all (assuming your communications end point is still in the US). Yes, encryption, VPN, yada, yada. You really don't gain much by moving it.
My email server is sitting in my laundry room. I also host some message forums and picture galleries for just my family and friends. It is how I communicate with them.
Only about 1/3 of my family and friends use my server for email.... So any over seas email service is going to have the same limitation as mine. If I email my sister from my server, that email goes to gmail. So now the NSA knows what I sent to my sister.
So unless everyone you communicate with is outside of the US or on a server outside of NSA's reach, it won;t do any good.
Sorry to break it to you, but in the war against terror, the American people have lost.
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
"First things first -- but not necessarily in that order"
-- The Doctor, "Doctor
Domain names are relatively cheap, and hosting is relatively cheap. I go that route myself. The only people that have access to my server is the hosting company (which is no worse than Google to be honest)
if you have the means, the very best solution is to run an email server out of your home or place of business.
What you should be asking is "How do I get everyone to sign and encrypt their emails as a matter of course?"
Ultimately there are two reasons why - apart from the yuck factor, which is legitimate - why you don't want the NSA reading your email 1) If you say or do something which generates a shadow of suspicion, the probability that the Russians will act on it, to the extent of a SWAT team beating your door down and shooting your dog, is lower 2) If you are politically active, it's going to be less likely that the Russians will provide data to the FBI about your dubious activities Sure - avoiding either is a better ideal - but perversely I would prefer the KGB, unless I am resident in Russia, in which case they would be a very bad idea.
From all reports, most or all of the countries where spying occurs, despite their very vocal public outcry against what the U.S. is doing, are in fact sharing information with the U.S. government. And even if they don't, the U.S. can simply grab the data on its way out of the country to that server.
The only way to make email secure is to abandon email in favor of a protocol that supports end-to-end encryption, such as iMessage, XMPP, etc. and to tweak your centralized server and/or clients to require that end-to-end encryption be used. And even then, the metadata (who sent mail to whom) is at risk. The only way to prevent metadata from being trackable is to either develop a new system in which locating a user does not require credentials and use Tor to connect to the centralized server (e.g. use wide-area Bonjour to advertise your current IP address) or design a whole new messaging system built in a darknet.
Either way, email is and has always been just as secure as sending a postcard (which is to say, completely insecure), and cannot readily be improved upon significantly in this regard without starting over from scratch.
Check out my sci-fi/humor trilogy at PatriotsBooks.
Many E-mail providers overseas require you to give personal information to sign up, often due to legal requirements in those countries; sometimes they verify that with a credit card number or simply by comparing your address data with government databases. Many countries (including much of Europe) also have data retention requirements and give their own police and intelligence service nearly free reign, and they may well exchange data with the US anyway, so it's not clear you're better off. And some providers of anonymous services may simply be fronts for intelligence agencies. And, of course, if the other parties to your E-mail use a US provider, your data is already available to US intelligence agencies, and your foreign E-mail account will stick out.
As an American, if you want to communicate privately, you have to use encryption, and preferably steganography. Getting an E-mail account in another country really doesn't help very much.
If you are emailing people who use GMail, Live, Yahoo, or a US ISP for their email provisioning, your emails to/from them are still tracked. So unless you're planning to drop all your US contacts as well, you're not helping yourself much.
Here in Canada we have a bigger issue -- all of our network pipes connect to the bigger pipes in the US. So even though we might be emailing a fellow Canadian from one Canadian ISP to another, the traffic still gets routed and sniffed through US servers.
The same is a problem for people in the EU -- the emails get routed through the pipes that are monitored by the UK's spy agency.
The NSA doesn't have to install backdoors on email servers to monitor you at all. And they *don't* typically make requests when they're spying on someone in particular -- they just sniff the traffic on the big data pipes directly.
And seeing as all those pipes run through the major partner countries like the UK, Australia, and the US itself, we're *all* fucked.
I do not fail; I succeed at finding out what does not work.
Try https://prism-break.org/ for some recommendations of OS, email, IM and more.
Witty signature omitted for brevity.
www.startmail.com -- currently in closed Beta -- and based in the Netherlands.
Securing your local data is easy, because you have end-to-end control. Securing email is complicated because you'll never be able to maintain complete control. It requires coordination and mutual understanding between you and everyone you email, and that's just not going to happen unless you're in a tightly-controlled organization and all of your communication is internal. I'm assuming you're an end-user at home, not an IT manager in a large corporate environment.
If your ISP allows it (and that's a big if in today's spam wars), you could run your own email server to host email service for yourself, your family and your friends and require SSL/TLS connections for all communication. Don't forget TrueCrypt or luks/dm-crypt for disk encryption on the server itself. But this only protects against eavesdropping and snooping for email users on your hosted service. There's basically nothing you can do about emails sent or received from outside of your own service. And then there's the assumption that email recipients inside of your hosted service will adequately secure their own devices (good luck getting grandma to use TrueCrypt).
If you can actually accomplish this, well, you have better powers of persuasion than I (my boss is a smart and tech savvy guy and I can't even convince him). Your best bet is: don't use email for anything you wouldn't want publicized.
I think there are ways around it, not a 100% perfect but at least make their job a lot harder. Services like lavabit were good and it goes to show that they needed to use some nasty legal tactics to make them open up. Those tactics are not available when you use providers in countries like Russia or China. Sure, they can tap the underwater fiber all they want, but I think it still is better than nothing.
Hushmail is one of the oldest 'secure' mail systems, and they moved out of the US specifically to avoid problems like the NSA. They're worth looking at, I guess.
"First they came for the slanderers and i said nothing."
I'm not attempting to argue with you. The point is not what the NSA should or should not be doing, but rather about the practical considerations. On US soil, the claim is all they can gather is metadata (the SMTP envelop). Start using a foreign mail service, and it's very likely that everything after the DATA command is being stored as well.
The world's burning. Moped Jesus spotted on I50. Details at 11.
That targets 1 person assumed traitor, terrorist, criminal or whatever, they don't thow a nuke into a populated city to kill just one person, or very few ones. What about US policy, where 50 civilians are killed for every terrorist?
1and1.com is a US-based company, or has management staff in the United States, so that won't work.
This is what I understand:
1) The U.S. government can force any company to do anything it wants.
2) The U.S. government can demand that the company keep that secret.
3) The U.S. government can put a U.S. employee in prison if 1 and 2 are not followed.
Seems to me to be a vicious, anti-democratic government.
In my world, at that point, it's just a bunch of useless wordplay..
Sometimes boldness is in fashion. Sometimes only the brave will be bold.