> Other than rolling our own email server, another solution is to use paid email alternatives ...
Actually there are a lot of very strong free alternatives which seeks to protect privacy and security of the users.
ProtonMail [1] is a very promising one, for example. The entire mailboxes of the users are encrypted so that even the sysadmins cannot read them.
And there are the likes of Riseup [2] and autistici [3], providing e-mail and other web services for activists, they intentionally refuse to provide data about the users when requested.
And there is Mailpile [4] project as a client.
All of them run on donations.
It also is good to observe after Snowden that it progressively becomes a common knowledge that "if a product is free, you are the product".
> The entire mailboxes of the users are encrypted so that even the sysadmins cannot read them.
Come on. If there is one thing we should have learned, it is that trust is not enough, we need more insurances. At the face value, ProtonMail is saying "we receive your emails in plaintext, we encrypt them immediately and we promise to never ever read them. Pinky swear". "We promise we won't give your information to anyone. Trust us, we're from CERN !". That is absolutely not acceptable; we need guarantees that give us the assurance that they can't access the content of our communications. Basically, there is no other way than having everything done on your machine, and treat any provider as a stupid router. At least mailpile is a step in the right direction, because it doesn't assume your mail provider will help in any way.
There's a saying in french, it goes like this:
"Promises only bind those who believe in them".
Please please please don't promote something that is based purely on promises. We should already be beyond this.
The main problem I find with these smaller email providers is the uncertainty of their future - they can easily disappear the next day, because they ran out of money or simply lost interest, and then you're f.cked. With Google, Yahoo! and Microsoft you can be at least sure they'll provide their email service as long as possible.
Which is exactly the reason that I have provided rather well-established examples.
Protonmail is developed by a group of people from MIT and CERN, and they raised more than half a million in their crowdfunding campaign [1]. They take the matter so seriously that its co-founder has talked about privacy at TED Global [2]. And riseup has been providing e-mail and VPN services for activists since around 1999.
Just check the links for more information.
The point is that if you take privacy and security really seriously, it is not very hard to find people just as serious as you.
As for riseup, they're always upfront and transparent about how their funding is going so that a case like that seems rather unrealistic for them (at least to happen suddenly)
It’s not entirely clear if this only applies to the free Gmail offering or also the Google Business App offering.
This is entirely clear:
No. There are no ads in Google Apps Services or Google Cloud Platform, and we have no plans to change this in the future. We do not scan for advertising purposes in Gmail or other Google Apps services. Google does not collect or use data in Google Apps services for advertising purposes. The situation is different for our free offerings and the consumer space.
Do iPhone/US Gmail users really see ads in Gmail on their mobile devices? Not sure whether it's because of our privacy laws here in Germany, but I've only ever seen the (quite general) ads on the webinterface where I've opted out of profiled ads I guess.
The issue of ads are a red herring, if you don't control the server, and aren't using end to end mail encryption, your emails aren't private in the sense the author intends: someone else's server is parsing your emails and has accesss to the plaintext. If it's not parsing them for ad keywords it's parsing them for spam filtering or for IMAP search indexing or it's a service that supports web mail and so it has to sanitize the messages to prevent XSS.
Honestly this blog post reads like an ad for SlideMail disguised as community PSA. People interested in mail security should choose more secure options than just avoiding server side processing.
End to end is the only real way to go for personal 1:1 messages you need kept private.
To summarize the blog post- The solution to free email is paid email. And solution to email clients is to read privacy policy.
It would be a cool post in 2007 when Google described their ad policy for gmail, and we gladly accepted that. As of 2014, in post-Snowden era, the simplest solution to security and privacy is- end to end encryption. Or, if you have something better in your bag...
> assuming we have a good chain of trust between us, all communications are secure.
That is not correct - an SMTP server will deliver email to another SMTP server in the clear [1]. Your ISP or the ISP that the remote SMTP server is using can read it. Even then - running an email server from home has certain issues such as port 25 inbound blocked, or most email servers will drop email from residential IPs.
The only way to make sure communication is secure is to use an email certificate with encryption or GPG. These would have 2 benefits: the email would verify who it came from (email can be easily forged) and the contents would be encrypted.
I agree. Not sure what's new here. However, I still think the general public has no sense of how email works and possibly assumes all of their email is private?
I know, I did this too recently, but you can build trust.
and I was mentioning my friend to friend example.
Additionally, if someone on gmail had sent me an email, it would go through my spam filters and I would see it.. if I were to reply, gmail remembers that he solicited the conversation and thus I am not blocked..
so it still works, just not so much for initiating conversations, but even then, it'll work after some time.
Actually there are a lot of very strong free alternatives which seeks to protect privacy and security of the users.
ProtonMail [1] is a very promising one, for example. The entire mailboxes of the users are encrypted so that even the sysadmins cannot read them.
And there are the likes of Riseup [2] and autistici [3], providing e-mail and other web services for activists, they intentionally refuse to provide data about the users when requested.
And there is Mailpile [4] project as a client.
All of them run on donations.
It also is good to observe after Snowden that it progressively becomes a common knowledge that "if a product is free, you are the product".
---
[1]: https://protonmail.ch
[2]: https://riseup.net
[3]: http://www.autistici.org/en/index.html
[4]: https://www.mailpile.is