This is a pretty big topic, although it may not look like it. A huge part of privacy and security is how you log into third-party servers, which accounts you own, what data is stored in them and how many there are.
I used a free email provider that was horrible for privacy, like nearly everyone does. It actually is a lot of work to change your mail, but it's totally worth it and you can learn a lot.
1. Get a private mail provider
There are many things to consider before choosing a mail provider.
Practical aspects:
- How much does it cost (if it's free, they track you to make their money)
- Do they work with apps you like (Android: K9-Mail/FairEmail, Desktop: Thunderbird)
- Do they offer enough storage for the money
- Do they offer aliases, spam filters and extra functions (that you actually want)
Security aspects:
- Where are they located (surveillance laws, digital laws)
- What kind of encryption do they use (unencrypted providers are unsafe and shouldn't be used for anything interesting)
- Has the company been hacked or handed information to a government? If yes, how did they deal with it and what were the circumstances?
- Is their software open source?
Here are some lists of private email providers (List 1, List 2). Depending on what you like, you can choose an email provider from those lists. I chose Mailbox.org, as they:
- offer 2GB storage for 1€/month, 5GB for 3€
- allow 3 aliases, or 25 for 3€!!
- use open source code
- work in Thunderbird, FairEmail and K9-Mail (IMAP, unlike Protonmail and Tutanota)
But others may be equally good or better. Just pay for what you use and stay away from those datakrakens (gmx, web.de, gmail, outlook, …)
2. Find your logins
I had mine stored in Firefox; you may have a piece of paper or a password manager (or the very bad habits: stored in a messenger, an unencrypted file (.txt, .docx, etc.), an unencrypted notes app, etc.).
For the future
Store every password in a password manager like KeePass. It has apps for all platforms and works by creating a file (.kdbx) that is encrypted completely (not just the passwords) with a master password. Create the file in a location you know; then you can sync it using Syncthing (device to device, free and private), Nextcloud, the Mega app or any other sync service. There is no danger, as the file is encrypted.
Don't use closed-source applications or unpaid cloud-based ones, as they will contain tracking. Bitwarden is also open source; there are other services too, but these are the main ones.
3. Change your mail or delete the account on websites
This is a very important thing everyone should do once in a while: delete unused accounts. Some sites may no longer exist, or you just bought something there once or used it once and forgot about it… But your account data, often including an insecure and widely used mail address containing your name, and maybe other personal information, is stored on many, many servers.
If one of those dozens (if not more) of servers now gets hacked, this can have serious consequences. HaveIBeenPwned shows if your mail address was included in a data breach.
Many sites don't even offer a feature to delete your account. In that case, email them mentioning your “right to be forgotten” (depending on the laws of the state you live in) and it will work most of the time. Ironically, you sometimes have to prove you are the one who wants to be deleted, like “Here is all my personal data, now please forget it”.
4. Get rid of your old mail
- copy important mails
To get important mails from one profile to the other, you can copy them between folders in Thunderbird.
- forward mails to your new address
If not everyone knows your new mail yet, you can set up forwarding with nearly every provider. Just make sure not to forward to your main address; best is to use a temporary mail, so that the unprivate providers (e.g. Google) don't learn your new address. (Google sends mails to your alias/temporary email, which forwards them to your main one; Google doesn't know your new main email.)
When everyone has been contacted and knows your new address, after 2 months or so, you can delete the alias/temporary email and your old mail account.
- delete as much data as possible
This of course relies on trusting the company you are trying to get rid of, but at least you can try. E.g. ask Google to delete everything: your location history (insane shit), metadata, targeted ads, and whatever else you can find.
- change your personal data very often if possible
This is just an idea: server costs are a thing, and a company should have limits for data storage. If you now change your real name, address etc. to fake ones like 6 times, maybe the real ones are permanently deleted, as they would take up too much storage.
With Reddit this works, as they only store the last version before deletion (so deleting something alone doesn't work, you have to edit & delete).
Change habits in the future
If you need to create an account for something and you know you won't need it in the future, use a redirection service like Firefox Relay. Just create a throwaway address, let it forward mails to your main email address and delete that throwaway email when you don't need it anymore. You can still delete the account, but this will also save you from spam.
If you need to provide a telephone number that isn't used for 2FA (two-factor authentication, very important for security) or validated through an SMS code etc., you can use a fake number, as in many states your number is associated with your full name and more. There are also services like “Spam Frank” (Tel: 01631737743) that will deal with spam calls you don't need.
Some obvious things
- never use your main email (the one you log in with) if you can use aliases
- never use the same password for multiple accounts
- use KeePass's password generator or make a difficult one yourself; don't use names, words or easy combinations (daniel, potato, 12345, password)
- don't store your passwords unencrypted! Hackers could just read all your logins when getting access to your files
- don't give your full name and other sensitive data if not needed or otherwise already given (card payment, postal address sometimes)
- use 2FA as often as possible and with important logins
Some advanced tips
- use aliases whenever possible (from your provider, AnonAddy, Firefox Relay, SimpleLogin, …)
- check haveibeenpwned.com, if your mail was included in a data leak, maybe use a service like “Firefox Monitor”
- use mail-extensions
- encrypt your mails yourself using OpenPGP
- use a FOSS mail program that has private settings (no safe-browsing, blocked tracking images, filtered HTML, etc)
2FA (Two-factor authentication)
This can be a
- TAN list
- phone number (obviously very unprivate, although most commonly used)
- an authentication app (Aegis is recommended, as it's FOSS)
2FA can save you, as nobody can access your login with just password and mail, but needs access to the second factor too.
Mail-extensions
A few weeks ago I didn't even know this existed, as you nearly never see it. A lot of mail providers (including mailbox.org) allow them; you use it like that:
user@mailbox.org
-> user+ACCOUNT@mailbox.org
The extension can be the domain you use the email for, for example “user+reddit@mailbox.org”. Advantages:
- easy filtering without filter algorithms like in Thunderbird
- Transparency about who shared your email
If you, for example, discover your reddit-login email on a completely different server, you know you can't trust that former server, as it shared your data.
Note: Some sites like Aliexpress don't allow extensions in your login mail; they say “enter a valid email” if it contains a “+”.
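The "transparency" advantage above can be checked mechanically. This is an added example (not from the original post, and not mailbox.org's or Thunderbird's code) that splits the extension off a recipient address and flags messages whose tag does not match the sender's domain; the From/To headers are constructed sample data.

```python
"""Added example: audit plus-addressed (sub-addressed) recipients.
A message to user+reddit@... that comes from a domain other than reddit
suggests that the tagged address was shared or leaked."""
from email.utils import parseaddr

# Constructed sample: (From, To) header values as they might sit in a mailbox.
SAMPLE_MESSAGES = [
    ("Reddit <noreply@reddit.com>", "user+reddit@mailbox.org"),
    ("Shop News <promo@example-shop.test>", "Jane Doe <user+reddit@mailbox.org>"),
    ("Alice <alice@example.org>", "user@mailbox.org"),
    ("Deals <deals@example.net>", "USER+Shop+X@mailbox.org"),
]

def split_extension(address: str, separator: str = "+"):
    """Return (base_address, tag) for a recipient header value.
    Display names are stripped; the tag is everything after the first
    separator in the local part ('user+shop+x' -> tag 'shop+x').
    Without a separator the tag is None. Case is folded for comparison."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        raise ValueError(f"not an email address: {address!r}")
    local, domain = addr.rsplit("@", 1)
    local, domain = local.lower(), domain.lower()
    if separator not in local:
        return f"{local}@{domain}", None
    base, tag = local.split(separator, 1)
    return f"{base}@{domain}", tag or None

def sender_domain(from_header: str) -> str:
    """Domain part of the From header, lower-cased."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower()

def audit_extensions(messages):
    """For each (From, To) pair report the tag and whether the sender's
    domain labels contain the tag's first label. A tagged address reached
    from an unrelated domain is marked suspicious."""
    report = []
    for from_hdr, to_hdr in messages:
        base, tag = split_extension(to_hdr)
        sdom = sender_domain(from_hdr)
        matches = tag is not None and tag.split("+")[0] in sdom.split(".")
        report.append({"to": base, "tag": tag, "sender": sdom,
                       "suspicious": tag is not None and not matches})
    return report

if __name__ == "__main__":
    for row in audit_extensions(SAMPLE_MESSAGES):
        print(row)
```

The same split is what a Thunderbird filter on the To header does by hand; running it over an exported mailbox lists every tag that has leaked.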
Hardening Thunderbird
K9-Mail and FairEmail have really good privacy settings, some by default.
Thunderbird, like Firefox, has its default settings tuned mainly for easy usability, not privacy at all. But because of its open nature and customizability, you can use a file called “user.js” that defines a lot of settings on every start of Thunderbird, overriding the old ones. There are a lot of presets to be found online; I have made my own one, combining the best privacy with needed usability and including short explanations and a guide on how to add it. It is based on the Thunderbird add-on “PrivaConf” and the user.js from “Privacy-Handbuch” (Here is a link to it in my Cloud).
Hardening your browser and email program can have negative effects on usability. That's why tested user.js files like mine are a good start; some hard presets like Arkenfox cause a lot of features to break, and falling back to an unconfigured version or a different mail program is not the solution, so a less hardened version may suit your needs better (keyword: threat model). You don't always need Tor-level anonymity.
Note about anonymity
- The smaller a provider is, the more fingerprintable you are because of the domain
- creating your own domain avoids people seeing your mail provider, but makes your mail unique = fingerprintable (but you can keep it even after a provider change)
- smaller providers are less likely to be under pressure of the state (Protonmail as an example for the other side)
- IP and more can be stored by email providers; if you want to be more private, use extra encryption and Orbot/Tor, or just not email! Good providers make clear what data they gather
That's it!
Changing your email and adopting good habits is some work, but the good thing is that those healthy workflows will stay and get easier, and there is a ton of great software and great people out there, making it easy for anyone to be private.
Let's keep fighting against the unleashed capitalist surveillance dystopia we live in, wake people up and keep ourselves safe!
this post was mirrored from my Reddit account
Congratulations, this was a good read for me. Even though I already knew enough about it, I think hearing different opinions always inspires me. I ended up using ProtonMail and Tutanota as my email providers, but I still use my Gmail account because it’s still a pain in the ass due to force majeure. Someday I’d really like to get Google out of the way, but their services are great for my taste… They are just too much of a bad habit.
Anyway if you’re interested over the years I’ve also started using SimpleLogin in combination, can go AnonAddy service as well, and I’ve had a great time.
It’s hard to quit Gmail if your workplace uses it as its main mail provider though
Yes of course. In that case create a second identity, using the android work profile or even dual-boot on a Laptop.
Do they actually require you to be online in your freetime?
Thunderbird will no longer be supported afaik, because Google is soo concerned about security.
Speak to your IT people about using a different provider; don't all private ones also have business solutions?
Unfortunately, the work laptops are also used for remote work.
I’m currently using Thunderbird, but when Gmail stops supporting it, that’s just another reason to replace Google services altogether.
I switched to protonmail.com some years back. The switch was very easy and straightforward. As a bonus, ElectronMail is a pretty good desktop client.
While it is generally true that completely free* providers make money off of your personal data, some of them are run by not for profits and are funded by donations. An example of this is disroot.org.
*As in, not freemium