Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ask Slashdot: Recommendations For Non-US Based Email Providers?

Posted by timothy on from the lesser-of-evils dept.

First time accepted submitter jlnance writes "I don't particularly like the NSA looking over my shoulder. As the scope of its various data gathering programs comes to light, it is apparent to me that the only way to avoid being watched is to use servers based in countries which are unlikely to respond to US requests for information. I realize I am trading surveillance by the NSA for surveillance by the KGB or equivalent, but I'm less troubled by that. I searched briefly for services similar to ymail or gmail which are not hosted in the US. I didn't come up with much. Surely they exist? What are your experiences with this?"

12 of 410 comments (clear)

  1. Not sure I understand the question. by Anonymous Coward · · Score: 5, Insightful

    Actual communication security implies point-to-point security. In such a setting, a third-party service doesn't make any sense. Hence either what you're look for can't exist, or you won't know if it's secure.

    1. Re:Not sure I understand the question. by ImdatS · · Score: 5, Interesting

      Yes, correct.

      In my experience, having a mail server provider in Europe (e.g.) and using PGP/GPG could help. The problem is of course that your recipient also needs PGP/GPG.

      1&1 and Deutsche Telekom in Germany just announced that (paraphrasing it) they will take email security more seriously now. You might want t get an email account at GMX in Germany (product of 1&1) and then use PGP/GPG for fully confidential communication. I wouldn't use their webmail interface, rather suggest to use their IMAP/POP Interface using SSL/TLS.

      Using PGP/GPG *and* a foreign email service provider helps in (a) encrypting your email (PGP/GPG), and (b) (if used with SSL/TLS) communication, also hiding the sender/recipient identification, including your email's subject.

      On the other hand, I don't know if that would be really secure (for [b] at least), as the German secret service (BND) seems to forward communication information to the NSA (at least the meta-information)...

      If you really want to communicate securely, I recommend a "dead mailbox"-principle electronically, but by using PGP/GPG to encrypt the file in question, maybe even hiding the content as a picture or video...

    2. Re:Not sure I understand the question. by Anonymous Coward · · Score: 5, Insightful

      You would have to lease space in a datacenter, buy a domain, setup VPN, use securelinux (though probably not since it was written by the NSA) or solaris, run a VM inside that, always do a restore before accessing email and read through the tens of thousands of lines of code to delete out anything that MAY compromise your security (best use open source in this case). Also you will have to ensure that everyone you email is doing the same thing. So you may want to start mandating that everyone you email use your domain, but since it will b so expensie you should probably charge for it to at a minimum off set costs. Though you should probably charge enough to ensure that you can afford to quit your current job to do full time maintenance.

      After all that, probably be best you find a neutral country that has no agreements with the US and will refuse to work with it.

      But good luck!

    3. Re:Not sure I understand the question. by tqk · · Score: 5, Interesting

      You would have to lease space in a datacenter ...

      Uh, no. Use Linux (or *BSD) and point your local SMTP at your ISP's Smarthost. Encrypt files locally with GnuPG and send them as attachments. The only difficult part is expecting the recipients to do the same in reverse and to treat your privacy as seriously as you do. There, you'll need to exercise judgment as to who to trust and with what (just like in every other area of life).

      I really couldn't give a rat's ass how many cycles the NSA wastes on trying to crack my encrypted attachments. I consider myself fortunate in not having to support them financially (I'm non-US). I've toyed with the idea of making a cronjob blast out emails to random addresses simply to supply them with stuff to waste time and effort on, but I don't really care that much to bother.

      If I ever manage to contact the Medellin or Cali or Zeta cartels' IT guys, I'll have a proposal for them, but so far no joy there. That would be great fun.

      --
      "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
  2. Runbox.com by Gaygirlie · · Score: 5, Informative

    I am using www.runbox.com myself: it's a service based in Norway, it's pretty cheap considering, they do not have any NSA-ties or the likes. I dunno what else to say about it, really, so I'll just copypaste this from their site:

    Email Privacy in Norway

    Some countries, especially in Europe, have a constitutional guarantee of secrecy of correspondence, wherein email is equated with letters and therefore protected from all types of screening and surveillance. In electronic communication, this principle protects not only the message contents but also the logs of when and from/to whom messages have been sent.

    In Norway, freedom of expression and privacy of correspondence is governed by Article 100 and 102 of the Constitution and the implementation of the European Convention on Human Rights in the Norwegian Human Rights Act, especially Article 8: Right to respect for private and family life.

    Additionally, the Personal Data Act as set forth by the Norwegian Data Inspectorate regulates collection, storage, and processing of personal data.

    The Data Inspectorate was established January 1, 1980 and was among the first agencies in the world to facilitate the protection of individuals from violation of their right to privacy through processing of their personal data.

    Central principles of the Norwegian data privacy regulations are:

            Personal data must only be collected by private entities when consent from the user has been obtained.
            Personal data must not be used for purposes inconsistent with the initial purpose of collection except with consent from the user.
            Personal data must not be stored longer than required by the purpose of collection.
            Personal data must be kept confidential unless required by law or court order.

    Finally, the coming Data Retention Directive will soon be implemented in Norway but will only regulate electronic infrastructure providers, which Runbox is not.

    1. Re:Runbox.com by msobkow · · Score: 5, Interesting

      The Norway data pipes probably run through the UK, as do most of the pipes in the EU. So rather than installing back doors on Norway's servers, the UK just sniffs the big data pipe traffic and captures that directly. And they give not one whit about your constitutional protections, any more than the US respects the Canadian constitution and Charter of Rights when they sniff our traffic while it passes through the big data pipes south of the border.

      I don't think people are getting it yet.

      Between Australia, the UK, and the US, something on the order of 90% of the global data traffic runs through the leeching backbone nodes that have sniffers attached to them. They don't need the cooperation of your local governments and ISPs to do their dirty work.

      --
      I do not fail; I succeed at finding out what does not work.
    2. Re:Runbox.com by Anonymous Coward · · Score: 5, Informative

      Yeah, it ends 100 miles inside the border.

  3. Roll your own... by flogger · · Score: 5, Insightful

    My email server is sitting in my laundry room. I also host some message forums and picture galleries for just my family and friends. It is how I communicate with them.

    Only about 1/3 of my family and friends use my server for email.... So any over seas email service is going to have the same limitation as mine. If I email my sister from my server, that email goes to gmail. So now the NSA knows what I sent to my sister.

    So unless everyone you communicate with is outside of the US or on a server outside of NSA's reach, it won;t do any good.

    Sorry to break it to you, but in the war against terror, the American people have lost.

    --
    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
    "First things first -- but not necessarily in that order"
    -- The Doctor, "Doctor
  4. Re:KGB better than NSA? by Opportunist · · Score: 5, Insightful

    As a US citizen, I sure as hell would prefer the KGB looking over my shoulder. the chance that it has any kind of impact on my life is far lower.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  5. Wrong Question by ocularsinister · · Score: 5, Insightful

    What you should be asking is "How do I get everyone to sign and encrypt their emails as a matter of course?"

  6. Re:Wrong Question by julesh · · Score: 5, Informative

    Evidence suggests that scaling quantum computing to the large number of qubits required to decrypt 2kbit RSA would be extraordinarily expensive, if possible at all. The largest quantum computer[1] built so far outside of secret institutions has, I believe, 14 qubits (I may be a little out-of-date, but not by a long way). Scaling has occurred at a fairly constant linear rate of about 1 qubit per annum since the earliest machines were produced. There's no signs of an exponential take-off the way there was with conventional computing hardware, which suggests that the expense of scaling to larger and larger quantum computers doesn't get decrease the way it does with silicon.

    Some data points:

    1998: 3 qubits
    2000: 5 qubits
    2001: 7 qubits (largest achieved to date with single atom containing all qubits in different degrees of freedom)
    2005: 8 qubits
    2006: 12 qubits
    2011: 14 qubits

    This is the best private industry can do. I'd be surprised if the NSA were doing more than a factor of 10 better. To crack 2048-bit RSA, about 3000 qubits would be required[2], or about 20 times my best guess as the limit of what the NSA could have achieved. Besides, Shor's algorithm is not instant: even if it's faster than any classical algorithm, it's still third-order polynomial on the number of bits in the input, and quantum computers don't perform individual operations particularly quickly, so even if we assume the NSA has managed to make a quantum computer that's a thousand times faster per operation than existing private systems, to factor a 2048-bit RSA key on a 3,000 qubit computer would take about 8.6 billion operations running at about 10-100us each, which is to say approximately 1 to 10 days of time on the (enormously expensive) system (of which they almost certainly only have one, which will therefore have a very long prioritized queue of jobs waiting for it).

    And upgrade to 4096 bits, and they'll need a quantum computer with 6,000 qubits, and the job will take somewhere between a week and three months to complete.

    [1] I'm excluding so-called quantum annealing computers from this, e.g. various systems produced by D-Wave, because they cannot be used to run Shor's algorithm, so are not a threat to RSA. This is not so much an entry into the debate as to whether or not they should be classified as quantum computers, but a practical decision based on the subject under discussion.
    [2] traditionally, this would be 4096 (twice the number of bits in the input), but this arxiv paper claims 1.5 x bits in input or fewer is achievable through a method I don't really understand

  7. That won't work: 1and1 has management in the US. by Anonymous Coward · · Score: 5, Insightful

    1and1.com is a US-based company, or has management staff in the United States, so that won't work.

    This is what I understand:
    1) The U.S. government can force any company to do anything it wants.
    2) The U.S. government can demand that the company keep that secret.
    3) The U.S. government can put a U.S. employee in prison if 1 and 2 are not followed.

    Seems to me to be a vicious, anti-democratic government.