Ask Slashdot: Recommendations For Non-US Based Email Providers?
First time accepted submitter jlnance writes "I don't particularly like the NSA looking over my shoulder. As the scope of its various data gathering programs comes to light, it is apparent to me that the only way to avoid being watched is to use servers based in countries which are unlikely to respond to US requests for information. I realize I am trading surveillance by the NSA for surveillance by the KGB or equivalent, but I'm less troubled by that. I searched briefly for services similar to ymail or gmail which are not hosted in the US. I didn't come up with much. Surely they exist? What are your experiences with this?"
Not sure I understand the question. (Score:5, Insightful)
Actual communication security implies point-to-point security. In such a setting, a third-party service doesn't make any sense. Hence either what you're looking for can't exist, or you won't know if it's secure.
KGB better than NSA? (Score:4, Insightful)
Wrong question (Score:3, Insightful)
Roll your own... (Score:5, Insightful)
Only about 1/3 of my family and friends use my server for email.... So any overseas email service is going to have the same limitation as mine. If I email my sister from my server, that email goes to gmail. So now the NSA knows what I sent to my sister.
So unless everyone you communicate with is outside of the US or on a server outside of NSA's reach, it won't do any good.
Sorry to break it to you, but in the war against terror, the American people have lost.
Re:KGB better than NSA? (Score:5, Insightful)
As a US citizen, I sure as hell would prefer the KGB looking over my shoulder. The chance that it has any kind of impact on my life is far lower.
Wrong Question (Score:5, Insightful)
Re:Runbox.com (Score:4, Insightful)
Personal data must be kept confidential unless required by law or court order.
That's a hole you can drive a truck through. The NSA justifies everything on those grounds.
Makes no difference. (Score:5, Insightful)
From all reports, most or all of the countries where spying occurs, despite their very vocal public outcry against what the U.S. is doing, are in fact sharing information with the U.S. government. And even if they don't, the U.S. can simply grab the data on its way out of the country to that server.
The only way to make email secure is to abandon email in favor of a protocol that supports end-to-end encryption, such as iMessage, XMPP, etc. and to tweak your centralized server and/or clients to require that end-to-end encryption be used. And even then, the metadata (who sent mail to whom) is at risk. The only way to prevent metadata from being trackable is to either develop a new system in which locating a user does not require credentials and use Tor to connect to the centralized server (e.g. use wide-area Bonjour to advertise your current IP address) or design a whole new messaging system built in a darknet.
Either way, email is and has always been just as secure as sending a postcard (which is to say, completely insecure), and cannot readily be improved upon significantly in this regard without starting over from scratch.
use encryption (Score:5, Insightful)
Many E-mail providers overseas require you to give personal information to sign up, often due to legal requirements in those countries; sometimes they verify that with a credit card number or simply by comparing your address data with government databases. Many countries (including much of Europe) also have data retention requirements and give their own police and intelligence service nearly free rein, and they may well exchange data with the US anyway, so it's not clear you're better off. And some providers of anonymous services may simply be fronts for intelligence agencies. And, of course, if the other parties to your E-mail use a US provider, your data is already available to US intelligence agencies, and your foreign E-mail account will stick out.
As an American, if you want to communicate privately, you have to use encryption, and preferably steganography. Getting an E-mail account in another country really doesn't help very much.
Re:Roll your own... (Score:4, Insightful)
One of your nephews or cousins that uses your e-mail server decides to purchase a pressure cooker online. He also has some friends in Europe that he e-mails once in a while. What do you do when the NSA asks you for all the e-mails stored on your server?
Re:Not sure I understand the question. (Score:5, Insightful)
You would have to lease space in a datacenter, buy a domain, set up VPN, use securelinux (though probably not since it was written by the NSA) or Solaris, run a VM inside that, always do a restore before accessing email and read through the tens of thousands of lines of code to delete out anything that MAY compromise your security (best use open source in this case). Also you will have to ensure that everyone you email is doing the same thing. So you may want to start mandating that everyone you email use your domain, but since it will be so expensive you should probably charge for it to at a minimum offset costs. Though you should probably charge enough to ensure that you can afford to quit your current job to do full time maintenance.
After all that, probably be best you find a neutral country that has no agreements with the US and will refuse to work with it.
But good luck!
Re:Wrong Question (Score:2, Insightful)
That is fucking bullshit. The NSA don't have a monopoly on scientists and practical quantum computing is decades off.
There's nothing the NSA would like people to believe more than that they can magically break modern encryption that would take 1000,000s of processor years to decrypt. The more people believe it, the less they will bother using encryption and the easier it is to keep tabs on the few that do.
Re:Norway has a 4th Amendment? (Score:4, Insightful)
I'm not attempting to argue with you. The point is not what the NSA should or should not be doing, but rather about the practical considerations. On US soil, the claim is all they can gather is metadata (the SMTP envelope). Start using a foreign mail service, and it's very likely that everything after the DATA command is being stored as well.
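The envelope/content split the comment above refers to, as an added example that is not part of the original thread: it parses a constructed SMTP client dialogue and returns the fields a relaying server can read without any key, even when the body after DATA is end-to-end encrypted. The addresses, subject and PGP placeholder are made up for illustration.

```python
import re

# Constructed client-side SMTP dialogue; the PGP block is placeholder text.
SESSION = """\
EHLO client.example.org
MAIL FROM:<alice@example.org>
RCPT TO:<bob@example.net>
RCPT TO:<carol@example.com>
DATA
From: Alice <alice@example.org>
Subject: lunch on friday

-----BEGIN PGP MESSAGE-----
(constructed placeholder ciphertext)
-----END PGP MESSAGE-----
.
QUIT
"""

ADDR = re.compile(r"<([^>]*)>")

def split_session(text):
    """Split a client dialogue into envelope, headers and body lines."""
    envelope, headers, body = {"mail_from": None, "rcpt_to": []}, {}, []
    state = "commands"
    for line in text.splitlines():
        if state == "commands":
            verb = line.upper()
            if verb.startswith("MAIL FROM:"):
                envelope["mail_from"] = ADDR.search(line).group(1)
            elif verb.startswith("RCPT TO:"):
                envelope["rcpt_to"].append(ADDR.search(line).group(1))
            elif verb == "DATA":
                state = "headers"
        elif line == ".":  # a lone dot ends the message
            state = "commands"
        elif state == "headers" and line == "":
            state = "body"  # blank line separates headers from body
        elif state == "headers":  # folded headers are not handled here
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        else:  # undo dot-stuffing: a leading "." was doubled by the sender
            body.append(line[1:] if line.startswith(".") else line)
    return envelope, headers, body

def visible_to_relay(text):
    """Fields a relay reads with no key, even when the body is encrypted."""
    envelope, headers, _ = split_session(text)
    return envelope["mail_from"], envelope["rcpt_to"], headers.get("subject")
```

Encrypting the body with PGP changes only the lines after the blank separator; the MAIL FROM and RCPT TO commands and the header block, Subject included, stay readable to every server that relays the message.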
Re:Runbox.com (Score:5, Insightful)
So, unless there's an unknown backdoor built into SSL, as long as Runbox.com uses HTTPS, how should "Australia, the UK, the US", etc. know what was transmitted unless they use a brute-force attack?
Just yesterday, NPR indicated that US-based cloud platforms stand to lose between $21 billion and $35 billion over the next few years over the NSA scandal... http://www.npr.org/templates/story/story.php?storyId=210570888 . Lavamail and Silent Circle shut down unexpectedly & destroyed all data they had to not get caught up in the scandal...
Re:KGB better than NSA? (Score:3, Insightful)
As a US citizen, I sure as hell would prefer the KGB looking over my shoulder. The chance that it has any kind of impact on my life is far lower.
Considering it was disbanded in 1991, I wouldn't worry about them either. Americans really don't care about world history do they (we)?
Re:KGB better than NSA? (Score:4, Insightful)
That won't work: 1and1 has management in the US. (Score:5, Insightful)
This is what I understand:
1) The U.S. government can force any company to do anything it wants.
2) The U.S. government can demand that the company keep that secret.
3) The U.S. government can put a U.S. employee in prison if 1 and 2 are not followed.
Seems to me to be a vicious, anti-democratic government.
Also (Score:0, Insightful)
Re:Not sure I understand the question. (Score:1, Insightful)
Re:Not sure I understand the question. (Score:5, Insightful)
Of course, the part that the NSA et al seems most interested in is the source and destinations of your mails to map your associations. By sending via your ISP smarthost you're still handing them that info, so if you want to cut them out of the loop you need to vpn the mail relaying outside their grasp and ensure encrypted smtp/tls direct between endpoints.
Your random mail idea does screw with them in a nice way tho as it'd mess up their social graph and probably get yourself classified as an uninteresting spammer after which you can freely inform islamic insurgents how they can enlarge their manhood and obtain large fortunes from Africa by sending a small upfront payment.
But for actual secure comms it's probably better to use i2p or some other darknet. And traffic on that screws with the snoops as well.
Re:Norway has a 4th Amendment? (Score:2, Insightful)
The US government stopped worrying about the Constitution a long time ago. Just recently, they decided they had the power to mandate that every single US citizen purchase a specific product or be fined (Obamacare). But more to illustrate this, look at how the administrative branch of the government is refusing to follow laws congress implemented and how they think they can just write a new law without congress at all.
And before anyone jumps in here to defend Obama as if their world would fall apart if his name was ever tarnished, this has happened by both parties in the past starting with the civil war and become widely done since the new deal where Roosevelt ended up having a stand off with the supreme court. Obama is used only because he is the most recent president to be doing it.