Ask Slashdot: Recommendations For Non-US Based Email Providers? 410
First time accepted submitter jlnance writes "I don't particularly like the NSA looking over my shoulder. As the scope of its various data gathering programs comes to light, it is apparent to me that the only way to avoid being watched is to use servers based in countries which are unlikely to respond to US requests for information. I realize I am trading surveillance by the NSA for surveillance by the KGB or equivalent, but I'm less troubled by that. I searched briefly for services similar to ymail or gmail which are not hosted in the US. I didn't come up with much. Surely they exist? What are your experiences with this?"
Not sure I understand the question. (Score:5, Insightful)
Actual communication security implies point-to-point security. In such a setting, a third-party service doesn't make any sense. Hence either what you're look for can't exist, or you won't know if it's secure.
Re: (Score:2)
+++ THIS.
Do it yourself.
Re:Not sure I understand the question. (Score:5, Insightful)
You would have to lease space in a datacenter, buy a domain, setup VPN, use securelinux (though probably not since it was written by the NSA) or solaris, run a VM inside that, always do a restore before accessing email and read through the tens of thousands of lines of code to delete out anything that MAY compromise your security (best use open source in this case). Also you will have to ensure that everyone you email is doing the same thing. So you may want to start mandating that everyone you email use your domain, but since it will b so expensie you should probably charge for it to at a minimum off set costs. Though you should probably charge enough to ensure that you can afford to quit your current job to do full time maintenance.
After all that, probably be best you find a neutral country that has no agreements with the US and will refuse to work with it.
But good luck!
Re:Not sure I understand the question. (Score:5, Funny)
If you restore your VM (that hosts your email) before accessing your email, didn't that just wipe out your emails?
You need more paranoia please.
Re: (Score:3)
Only if you restore it on the server side. I suspect what he meant was using a VM on the client accessing the server to ensure there are no bugs or trojans set to intercept or log the communications.
Re:Not sure I understand the question. (Score:5, Interesting)
You would have to lease space in a datacenter ...
Uh, no. Use Linux (or *BSD) and point your local SMTP at your ISP's Smarthost. Encrypt files locally with GnuPG and send them as attachments. The only difficult part is expecting the recipients to do the same in reverse and to treat your privacy as seriously as you do. There, you'll need to exercise judgment as to who to trust and with what (just like in every other area of life).
I really couldn't give a rat's ass how many cycles the NSA wastes on trying to crack my encrypted attachments. I consider myself fortunate in not having to support them financially (I'm non-US). I've toyed with the idea of making a cronjob blast out emails to random addresses simply to supply them with stuff to waste time and effort on, but I don't really care that much to bother.
If I ever manage to contact the Medellin or Cali or Zeta cartels' IT guys, I'll have a proposal for them, but so far no joy there. That would be great fun.
Re:Not sure I understand the question. (Score:5, Insightful)
Of course, the part that the NSA et al seems most interested in is the source and destinations of your mails to map your associations. By sending via your ISP smarthost you're still handing them that info, so if you want to cut them out of the loop you need to vpn the mail relaying outside their grasp and ensure encrypted smtp/tls direct between endpoints.
Your random mail idea does screw with them in a nice way tho as it'd mess up their social graph and probably get yourself classified as an uninteresting spammer after which you can freely inform islamic insurgents how they can enlarge their manhood and obtain large fortunes from Africa by sending a small upfront payment.
But for actual secure comms it's probably better to use i2p or some other darknet. And traffic on that screws with the snoops as well.
Re:Not sure I understand the question. (Score:5, Interesting)
Yes, correct.
In my experience, having a mail server provider in Europe (e.g.) and using PGP/GPG could help. The problem is of course that your recipient also needs PGP/GPG.
1&1 and Deutsche Telekom in Germany just announced that (paraphrasing it) they will take email security more seriously now. You might want t get an email account at GMX in Germany (product of 1&1) and then use PGP/GPG for fully confidential communication. I wouldn't use their webmail interface, rather suggest to use their IMAP/POP Interface using SSL/TLS.
Using PGP/GPG *and* a foreign email service provider helps in (a) encrypting your email (PGP/GPG), and (b) (if used with SSL/TLS) communication, also hiding the sender/recipient identification, including your email's subject.
On the other hand, I don't know if that would be really secure (for [b] at least), as the German secret service (BND) seems to forward communication information to the NSA (at least the meta-information)...
If you really want to communicate securely, I recommend a "dead mailbox"-principle electronically, but by using PGP/GPG to encrypt the file in question, maybe even hiding the content as a picture or video...
Re: (Score:2)
Make sure that you use encrypted mails using self signed certificates or by someone you trust.
That won't work: 1and1 has management in the US. (Score:5, Insightful)
This is what I understand:
1) The U.S. government can force any company to do anything it wants.
2) The U.S. government can demand that the company keep that secret.
3) The U.S. government can put a U.S. employee in prison if 1 and 2 are not followed.
Seems to me to be a vicious, anti-democratic government.
Re: (Score:3)
There are usenet newsgroups that seem to be entirely dedicated to encrypted dead drop communications. I wonder what's going on there?
Re: (Score:3, Interesting)
Re: (Score:3)
Maybe you can find some colo space at McMurdo. Oh, wait...
Re:Not sure I understand the question. (Score:5, Informative)
You realize that the NSA facilities in Germany are still intact, right? What was canceled is the part where the US, UK, and France could request Germany to surveillance on their behalf. Whatever basis the data sharing was under is not known, and there is no reason to believe it has been canceled. Chancellor Merkel denied it was even happening until it got leaked. Now you believe her that they stopped, on account of canceling the most public related agreement? I guess the NSA employees on US bases in Germany just sit around and play cards all day now, right?
It has also been said publicly by German government officials that the old agreement was obsolete, and hadn't been actually used as the authority for anything since reunification! If you're going to fall for a bait-and-switch that is already reported on, how can you hope to avoid secret government surveillance?
Actually what you really do is reward companies in the countries that have the least transparency, where you know the least about what they do to spy on your, or help others spy on you. You're better off choosing companies that take the risk of publicly asking for more transparency, and employing your own security such as PGP/GPG
Re:Not sure I understand the question. (Score:5, Funny)
But like he said, you still can't be sure it's secure.
And, of course, you'd need to use a US-based pigeon.
Re:Not sure I understand the question. (Score:5, Funny)
The problem with pigeons is that they're susceptible to man-in-the-middle attacks.
Re:Not sure I understand the question. (Score:5, Funny)
The problem with pigeons is that they're susceptible to man-in-the-middle attacks.
I thought they were susceptible to cat-in-the-middle attacks.
Comment removed (Score:5, Informative)
Re:Runbox.com (Score:4, Insightful)
Personal data must be kept confidential unless required by law or court order.
That's a hole you can drive a truck though. The NSA justifies everything on those grounds.
Re:Runbox.com (Score:4, Interesting)
Besides, the way I understand it, whatever privacy protections remain apply to US citizens on US soil. Use a foreign email serviced, and it sounds like all bets are off.
Re: (Score:2)
Re:Runbox.com (Score:5, Informative)
Yeah, it ends 100 miles inside [slashdot.org] the border.
Re: (Score:2)
Re:Norway has a 4th Amendment? (Score:4, Insightful)
I'm not attempting to argue with you. The point is not what the NSA should or should not be doing, but rather about the practical considerations. On US soil, the claim is all they can gather is metadata (the SMTP envelop). Start using a foreign mail service, and it's very likely that everything after the DATA command is being stored as well.
Re: (Score:3)
In my world, at that point, it's just a bunch of useless wordplay..
Re: (Score:3)
The problem is "... unless required by law", not the second part ("... or court order"). The NSA cannot request a court order in Norway.
But if Norway has a law that requires the email provider to provide information to the Norwegian secret service, which then forwards the information to the NSA, then yes, you can "can drive a truck through [that hole]".
Re:Runbox.com (Score:5, Interesting)
The Norway data pipes probably run through the UK, as do most of the pipes in the EU. So rather than installing back doors on Norway's servers, the UK just sniffs the big data pipe traffic and captures that directly. And they give not one whit about your constitutional protections, any more than the US respects the Canadian constitution and Charter of Rights when they sniff our traffic while it passes through the big data pipes south of the border.
I don't think people are getting it yet.
Between Australia, the UK, and the US, something on the order of 90% of the global data traffic runs through the leeching backbone nodes that have sniffers attached to them. They don't need the cooperation of your local governments and ISPs to do their dirty work.
Re: (Score:2)
Re:Runbox.com (Score:5, Insightful)
So, unless there's an unknown backdoor built into SSL, as long as Runbox.com uses HTTPS, how should "Australia, the UK, the US", etc. know what was transmitted unless they use a brute-force attack?
Just yesterday, NPR indicated that US-based cloud platforms stand to lose between $21 billion and $35 billion over the next few years over the NSA scandal... http://www.npr.org/templates/story/story.php?storyId=210570888 [npr.org] . Lavamail and Silent Circle shut down unexpectedly & destroyed all data they had to not get caught up in the scandal...
Re: (Score:2)
HTTPS only encrypts the traffic between the server and your client.
Most email traffic is transmitted in plain text between the servers connected to the pipes, not over SSL.
The way it works is this:
Re: (Score:2)
The "back door" boxes that the NSA has installed on US services like GMail make it easier for them to collect the data, but they can do it regardless of whether a given ISP cooperates, as long as they know the IP and port of the email server the ISP is running.
What? You thought the NSA had their little black boxes installed here in Canada? Hell, no!
Re: (Score:2)
The other reason for the black boxes is to capture email between GMail users, for example. But as soon as you email someone with an address on a different email provider, your email contents are fired out plain text over the backbones between those servers, so they can capture it using the traffic sniffing approach.
The only way your email would be safe from the sniffers is if you only emailed people on the same out-of-country ISP you're proposing, and used SSL for all your email client's connections to/
Re: (Score:3)
By the way, the email headers are never encrypted. Only the body of the email is, so they can always get the "meta data" for your email message indicating who it's to/from and such, regardless of whether you encrypt your email or not.
Re: (Score:3)
By the way, the email headers are never encrypted. Only the body of the email is
False. IPSec, SSL, TLS, or SMTP tunnneled over SSH, or other ad-hoc encapsulation protocols with encryption features can be used to secure the transport between cooperating mail servers.
Re: (Score:3)
Agreed. I don't think hosting your email in another country will do much to secure your email. If anything, it will make you a bigger target, since they've claimed their attention is pointed most directly in communications going in and out of the US.
Re: (Score:2)
it's pretty cheap considering, they do not have any NSA-ties or the likes.
You can't know that for certain. Redbox's internal and external auditors can't know that for certain.
Re: (Score:2)
Those prices look damn good. You like the service.
Re: (Score:2)
They also have numerous exceptions for national security, and fairly low thresholds for police and courts to actually get at the data.
Notice how those principles only protect you from private entities (and are pretty vague too).
KGB better than NSA? (Score:4, Insightful)
Re:KGB better than NSA? (Score:5, Insightful)
As a US citizen, I sure as hell would prefer the KGB looking over my shoulder. the chance that it has any kind of impact on my life is far lower.
Re: (Score:3, Insightful)
As a US citizen, I sure as hell would prefer the KGB looking over my shoulder. the chance that it has any kind of impact on my life is far lower.
Considering it was disbanded in 1991, I wouldn't worry about them either. Americans really don't care about world history do they (we)?
Re: (Score:3)
It is the NKVD or GPU that we should really be worried about.
Re:KGB better than NSA? (Score:5, Funny)
so, you're saying my video card is now bugging me, too??
I knew it. I just knew it! nvidia is not to be trusted either.
Re: (Score:3)
However, they are probably not the group in the government that would be reading your email. That group is the Russian Federal Service for Mass
Re: (Score:2)
KGB definitely preferable except for Russians (Score:4, Interesting)
Re:KGB better than NSA? (Score:4, Interesting)
Re: (Score:2)
That's right. Although the KGB has long since passed the torch to the FSB, and the FSB still sends humans to do their dirty work. [wikipedia.org]
Re: (Score:3)
Re: (Score:2)
and is subject to far fewer restrictions.
Restrictions? What are these "restrictions" you speak of?
Re:KGB better than NSA? (Score:4, Insightful)
Re: (Score:3)
You don't know that for a fact.
He could never know that for a fact. You are attempting to force him to prove a negative to make his point. If you think there are Russian drone attacks then you should provide evidence of it. He can not provide evidence that something didn't happen.
Russian intelligence is every bit as invasive as ours, and is subject to far fewer restrictions. Putin himself recently said that the US is only doing what the Russians have been doing all along. And, don't forget, Putin is the former head of the KGB.
Don't forget Bush Sr. was the director of the CIA. I'm sure Putin did say that but Russia also recently bought drones from the UAE [google.com]. And if you search for russian drone attacks [google.com] all you get is stuff about U.S. drones and a few consipiracy theories about Oba
Re:KGB better than NSA? (Score:4, Informative)
FYI: Putin was not, as is commonly stated, head of the KGB. The highest rank he achieved before his resignation was Lt. Colonel. He was appointed head of the FSB in '98 by Yeltsin, however. FSB is one of the successor organizations of the KGB, covering similar ground to that of MI5 (particularly counter intelligence and domestic surveillance, all the fun of the FBI and NSA rolled into one).
It is interesting in this regard to note that George H.W. Bush was himself once Director of Central Intelligence (CIA head). One might almost get the impression that being privy to the secrets gathered by a state security apparatus has political advantages.
Re:KGB better than NSA? (Score:4, Informative)
The FSB and SVR, the artists formally known as KGB, have limited resources. They are used to going after those that they evalutate as threats.
The NSA has unlimited resources. The NSA just goes after everybody. They can afford to skip the evaluation phase.
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
Is it because the NSA is famously helpful to time travellers?
Re: (Score:2)
If you're in the Soviet Union, the NSA is better, no joke. Think about why. Pop quiz later.
Because you're a time traveler?
Wrong question (Score:3, Insightful)
Re: (Score:2, Interesting)
Since the NSA programs are designed primarily to intercept communications between US and non-US folks,
You haven't been listening. They are designed to intercept everything. The queries are supposed to relate to outside communication and/or anything else of interest (by definition, if someone looks at it for some reason, that means it is of interest). But everything is intercepted.
Yes, encryption, VPN, yada, yada. You really don't gain much by moving it.
Except that decrypting stuff is expensive, so the average NSA snooper will incur traceable costs he might need to justify better than "oh, I just had a hunch I might be interested in my neighbors mail".
Re: (Score:3)
eheh.
the whole debacle is about NSA applying such rules in quite loose form, they dont' care for shit.
Today if you're in the USA, NSA can get it all "by the book"(their book, not the lawbook) because you talked to some dude on a foreign forum - you did that by posting on slashdot. so you're screwed.
but true, it doesn't help much, only thing that would help would be to get people sending you mail to encrypt it before they send it to you.
however - hosting it outside of USA definitely does help against men in
Re: (Score:3)
Just figure out which countries that are a pain in the butt for the US when it comes to politics and host your mail there.
I just wonder if this is going to be a new market for states like Switzerland, Lichtenstein, Luxemburg and Jersey now that they have started to share some of the bank information.
But Germany is actually a good alternative these days.
Roll your own... (Score:5, Insightful)
Only about 1/3 of my family and friends use my server for email.... So any over seas email service is going to have the same limitation as mine. If I email my sister from my server, that email goes to gmail. So now the NSA knows what I sent to my sister.
So unless everyone you communicate with is outside of the US or on a server outside of NSA's reach, it won;t do any good.
Sorry to break it to you, but in the war against terror, the American people have lost.
Re: Roll your own... (Score:2)
I agree completely, roll your own is the best method. The only issues with it is technical know-how, and ISP limitations (and cost). But if those are a non issue, there is no better solution.
Re:Roll your own... (Score:4, Insightful)
One of your nephews or cousins that uses your e-mail server decides to purchase a pressure cooker online. He also has some friends in Europe that he e-mails once in a while. What do you do when the NSA asks you for all the e-mails stored on your server?
Re: Roll your own... (Score:3)
Demand a search warrant issued by the local county or state judge, and have the county sheriff deliver it in person. No search warrant, no search.
Re: (Score:3)
Re:Roll your own... (Score:5, Interesting)
A while ago I had a similar thought. My solution was quite easy:
Install an email system that does the the following: Normally, when "standard" email arrives, it is processed as usual.
When an email arrives from an authorized sender (such as you), in a very specially formatted way and with special content, the mail server immediately starts destroying all emails, all communication logs, and all attached backups. It literally not only unlinks the files, but also replaces all impacted file-contents with "0". You can even do it on block-level completely reformat (overwrite) the hard disc in a way that it looks crashed. It then initiates a clean re-install of a clean, unused, fresh out-of-the-box system.
The only that you have to do is to make sure none of the backups are available... Then again, I would probably NOT have historical backups of emails outside somewhere, but rather backups on devices that *are* connected to the server and erase those too...
End result: "Ooops, sorry, but it seems, my server has crashed..."
Re: (Score:2)
Alternatively, you could have everything on an encrypted hard disc and instead of deleting the files, you delete the key (overwrite it on a block-level). So could hand-over the hard disc but since the key is not retrievable anymore (and you could make it so that it looks like a hard disc failure), that's it...
Re: (Score:2)
Re: (Score:2)
Completely agree; I've been doing it like this for longer than services like Gmail and Hotmail have been around. However, with XS4ALL as my ISP here in the Netherlands, things have certainly been made easy for me. For example, my DSL connection has a fixed public IPv4 address and PPP makes it relatively easy for me to arrange for my public IPv4 address to be on my personal server. In turn, this not only allows me to run my own firewall and NAT, thus affording me far better security than I can expect from t
Re: (Score:2)
Rolling your own server is great, but email's fundamental purpose to to send and receive. Unless you are certain both end points and all hops in between are secure, it's pointless.
Use your own domain and host (Score:4, Informative)
Domain names are relatively cheap, and hosting is relatively cheap. I go that route myself. The only people that have access to my server is the hosting company (which is no worse than Google to be honest)
if you have the means, the very best solution is to run an email server out of your home or place of business.
Re: (Score:2)
Re: Use your own domain and host (Score:2)
Perhaps, but nothing is stopping them from doing the same to your hosting provider either.
Re: (Score:2)
There is a difference. I can make sure my server is powered off and its RAM flushed when SWAT arrives, allowing a properly encrypted system to remain secure.
Re: (Score:3)
That takes resources, though, and is only likely to happen if you, personally, are under investigation. In that case, you also get the benefit of knowing that you are being investigated.
For routine, hoover-up-everything surveillance like PRISM, you remove one of the vulnerable endpoints and reduce the number of third parties you need to trust. It's the only scenario listed that does that much.
Wrong Question (Score:5, Insightful)
Re: (Score:2, Insightful)
That is fucking bullshit. The NSA don't have a monopoly on scientists and practical quantum computing is decades off.
There's nothing the NSA would like people to believe more than that they can magically break modern encryption that would take 1000,000s of processor years to decrypt. The more people believe it, the less they will bother using encryption and the easier it is to keep tabs on the few that do.
Re:Wrong Question (Score:5, Informative)
Evidence suggests that scaling quantum computing to the large number of qubits required to decrypt 2kbit RSA would be extraordinarily expensive, if possible at all. The largest quantum computer[1] built so far outside of secret institutions has, I believe, 14 qubits (I may be a little out-of-date, but not by a long way). Scaling has occurred at a fairly constant linear rate of about 1 qubit per annum since the earliest machines were produced. There's no signs of an exponential take-off the way there was with conventional computing hardware, which suggests that the expense of scaling to larger and larger quantum computers doesn't get decrease the way it does with silicon.
Some data points:
1998: 3 qubits
2000: 5 qubits
2001: 7 qubits (largest achieved to date with single atom containing all qubits in different degrees of freedom)
2005: 8 qubits
2006: 12 qubits
2011: 14 qubits
This is the best private industry can do. I'd be surprised if the NSA were doing more than a factor of 10 better. To crack 2048-bit RSA, about 3000 qubits would be required[2], or about 20 times my best guess as the limit of what the NSA could have achieved. Besides, Shor's algorithm is not instant: even if it's faster than any classical algorithm, it's still third-order polynomial on the number of bits in the input, and quantum computers don't perform individual operations particularly quickly, so even if we assume the NSA has managed to make a quantum computer that's a thousand times faster per operation than existing private systems, to factor a 2048-bit RSA key on a 3,000 qubit computer would take about 8.6 billion operations running at about 10-100us each, which is to say approximately 1 to 10 days of time on the (enormously expensive) system (of which they almost certainly only have one, which will therefore have a very long prioritized queue of jobs waiting for it).
And upgrade to 4096 bits, and they'll need a quantum computer with 6,000 qubits, and the job will take somewhere between a week and three months to complete.
[1] I'm excluding so-called quantum annealing computers from this, e.g. various systems produced by D-Wave, because they cannot be used to run Shor's algorithm, so are not a threat to RSA. This is not so much an entry into the debate as to whether or not they should be classified as quantum computers, but a practical decision based on the subject under discussion.
[2] traditionally, this would be 4096 (twice the number of bits in the input), but this arxiv paper claims 1.5 x bits in input or fewer is achievable [arxiv.org] through a method I don't really understand
Makes no difference. (Score:5, Insightful)
From all reports, most or all of the countries where spying occurs, despite their very vocal public outcry against what the U.S. is doing, are in fact sharing information with the U.S. government. And even if they don't, the U.S. can simply grab the data on its way out of the country to that server.
The only way to make email secure is to abandon email in favor of a protocol that supports end-to-end encryption, such as iMessage, XMPP, etc. and to tweak your centralized server and/or clients to require that end-to-end encryption be used. And even then, the metadata (who sent mail to whom) is at risk. The only way to prevent metadata from being trackable is to either develop a new system in which locating a user does not require credentials and use Tor to connect to the centralized server (e.g. use wide-area Bonjour to advertise your current IP address) or design a whole new messaging system built in a darknet.
Either way, email is and has always been just as secure as sending a postcard (which is to say, completely insecure), and cannot readily be improved upon significantly in this regard without starting over from scratch.
Re: (Score:2)
Darknets refer to connections made through large numbers of peers, such as Tor's onion routing, such that it is not practical to determine where a message came from or where it is going farther than one hop away, and such that it is infeasible to compromise enough nodes to compromise the entire chain of custody for that message. Darknets exist, with varying levels of actual security. They work best for non-interactive communication like email, where each node can hand off the entire message in a single c
use encryption (Score:5, Insightful)
Many E-mail providers overseas require you to give personal information to sign up, often due to legal requirements in those countries; sometimes they verify that with a credit card number or simply by comparing your address data with government databases. Many countries (including much of Europe) also have data retention requirements and give their own police and intelligence service nearly free reign, and they may well exchange data with the US anyway, so it's not clear you're better off. And some providers of anonymous services may simply be fronts for intelligence agencies. And, of course, if the other parties to your E-mail use a US provider, your data is already available to US intelligence agencies, and your foreign E-mail account will stick out.
As an American, if you want to communicate privately, you have to use encryption, and preferably steganography. Getting an E-mail account in another country really doesn't help very much.
It won't save you (Score:3)
If you are emailing people who use GMail, Live, Yahoo, or a US ISP for their email provisioning, your emails to/from them are still tracked. So unless you're planning to drop all your US contacts as well, you're not helping yourself much.
Here in Canada we have a bigger issue -- all of our network pipes connect to the bigger pipes in the US. So even though we might be emailing a fellow Canadian from one Canadian ISP to another, the traffic still gets routed and sniffed through US servers.
The same is a problem for people in the EU -- the emails get routed through the pipes that are monitored by the UK's spy agency.
The NSA doesn't have to install backdoors on email servers to monitor you at all. And they *don't* typically make requests when they're spying on someone in particular -- they just sniff the traffic on the big data pipes directly.
And seeing as all those pipes run through the major partner countries like the UK, Australia, and the US itself, we're *all* fucked.
NSA Avoidance List (Score:2)
Do NOT forget the telco and the routing (Score:2)
NSA and foreign mail hosts (Score:2)
You should probably take into account that the few, and obviously mainly ignored, privacy protections you do have evaporate the nanosecond your communication leaves U.S. borders. Supposedly within the U.S. the NSA is limited to email metadata collection (look up the older term 'pen register' for the legal history of law enforcement access to this kind of information), but when you interact with a 'foreign agent' the sky's the limit. Ellison may have known more than we thought when he said, "You have no priv
Re:NSA and foreign mail hosts (Score:4, Interesting)
I think there are ways around it, not a 100% perfect but at least make their job a lot harder. Services like lavabit were good and it goes to show that they needed to use some nasty legal tactics to make them open up. Those tactics are not available when you use providers in countries like Russia or China. Sure, they can tap the underwater fiber all they want, but I think it still is better than nothing.
Startmail (Score:2, Informative)
www.startmail.com -- currently in closed Beta -- and based in the Netherlands.
Securing email is complicated (Score:4, Informative)
If your ISP allows it (and that's a big if in today's spam wars), you could run your own email server to host email service for yourself, your family and your friends and require SSL/TLS connections for all communication. Don't forget TrueCrypt or luks/dm-crypt for disk encryption on the server itself. But this only protects against eavesdropping and snooping for email users on your hosted service. There's basically nothing you can do about emails sent or received from outside of your own service. And then there's the assumption that email recipients inside of your hosted service will adequately secure their own devices (good luck getting grandma to use TrueCrypt).
If you can actually accomplish this, well, you have better powers of persuasion than I (my boss is a smart and tech savvy guy and I can't even convince him). Your best bet is: don't use email for anything you wouldn't want publicized.
Here are some (Score:2)
The best I have found so far are Yandex from Russia and Netease 163.com from China. 163 is extremely fast if you are in China, but it has some advertising and the interface is all Chinese, so I would suggest the English version of Yandex mail instead at mail.yandex.com.
I'm planning to get a dedicated server with the state telco in Venezuela for precisely this reason. That and also run a Tinyproxy/OpenVPN and figure out WebDAV to have my own Google Drive/SkyDrive, etc. If anybody is interested just write to
hushmail (Score:3)
Re: (Score:2)
Re: (Score:2)
They've given up content of e-mails to authorities a number of times.
Any solution which allows the provider to hold the keys if doomed to fail in protecting your privacy. We need zero-knowledge e-mail providers. Kind of what Wuala and SpiderOak do, but for e-mail instead of cloud storage.
Re: (Score:2)
Nothing wrong with a company turning over information after receiving a warrant. The issue with the NSA is that they collect everything they can without a warrant, but (fingers crossed) promise not to look at it without one.
Host it in the Netherlands (Score:2)
I haven't tried it myself, but the people who sell this are well-known old school Portuguese geeks: http://www.fullmailserver.com/ [fullmailserver.com]
Going to non-US provider won't protect you. (Score:2)
Actually, NSA by law is allowed to intercept communications outside the United States. In fact, that's its mandate. So they don't have to be sneaky and underhanded to try and sneak around the law like the bull shit currently going on with US providers. Now using a non-US provider does mean that the intercepts have to be "on the fly", but that isn't a major problem for the NSA given the number of intercept facilities they have. To be perfectly honest, given the current state of technology, the only real prot
Re: (Score:2)
Re: (Score:2)
Yes, they surrendered data with a court order. Pretty-much any service provider in most countries will, and when there's actual evidence of serious crimes tied to your identity it's easy to get such a court order in most countries. These were targeted, court-approved disclosures, which is a very, very different thing from massive unwarranted trawling.
Also: if you avoid their javascript-based interface and use the java applet, they still *can't* disclose your emails, as they are never available unencrypted
Re: (Score:2)
I have tried to convince others that I regularly corespond with to use encryption but the reactioni get is either
1 I don't have anything to hide I m not interesting enough to bother. and encryption is hard
or
2 they have all of the encryption broken because I heard it from my brother who heard it from a reliable source and your explanation is to technical of why they haven't really broken it.
I have given up on trying so now I just cryptographicly sign my email so at the very least it can't be forged.