Ever since the Apple CSAM debacle earlier this year, I have been searching for alternatives to the “free” products provided by Apple. Apple’s push to implement the CSAM spyware in the face of very vocal opposition by privacy and security researchers (including myself) and civil libertarians around the world revealed to me that Apple’s promise of “What Happens on your iPhone, Stays on your iPhone” is just marketing hot air. Apple has broken its brand promise as a protector of digital privacy rights, and I can’t imagine a way for them to regain my trust.
So, starting with email, I have spent the last few months investigating alternative products and service providers that will achieve the following aims:
- Provide assurances that my email metadata is not being sold to 3rd parties for targeted advertising.
- Provide a stable and reliable platform for storing and managing my email.
- Provide assurances regarding the security and privacy of their service. Note, I do not expect any service provider to provide a “we won’t give your data to the government” promise — frankly if they did I would consider that the ultimate sign of untrustworthiness. When it is a choice between compliance and shutting down the service, the provider will cave. However, whatever they can do to prevent carte blanche government access to all the provider’s customer data is welcome.
- Interface with existing email clients using industry-standard protocols.
- Show that their service protects email through the security and privacy features and audits they provide.
- Is reasonably priced. Note, I am specifically not looking for a free service because as Robert Heinlein so famously stated, “There is no such thing as a free lunch”. If you are not paying for it, you and your data are the product that is being sold or monetized.
- Is old enough and stable enough that I can be reasonably assured they will not disappear when I least expect it.
So after looking at what I consider the leading contenders (Fastmail, Protonmail, Tutanota, Mailfence, …) the answer is… Posteo, a German email provider you have likely never heard of if you live in the US.
Why them? Because:
- They have what I consider to be a unique solution to spam, in that if a message does not pass their tests of legitimacy, they bounce it back to the sender and do not deliver it. There is no spam/junk box folder for you to periodically check to make sure you did not miss something. Spam is not only a time-wasting annoyance, it is a major vector by which phishing and malware are received. Posteo largely eliminates the problem by never allowing it into your mailbox.
- They show their commitment to security and privacy through the extensive options they provide, both those built into the platform and those you can enable for even higher-level security, such as PGP, strict inbound and outbound encryption, and encryption of your email, calendar and contacts such that it is unreadable by them. You can enable any or all of these depending on your needs or degree of paranoia.
- I can use them with whatever email client I wish, including a browser. No more funky bridge solutions such as I had to use with Protonmail, which never worked right for me.
- They have a long and public commitment to email security and privacy, including a no-logs commitment and the ability to sign up without providing personal details. If you want, you can use crypto to create an account for even more anonymity.
- They have a highly flexible and powerful filtering capability so that you can sort, delete, discard email to your heart’s content on their servers before it even hits your email client.
- They are by far the cheapest solution (discounting the free tier options of others which are severely limited in capability) amongst the options I reviewed, starting at just 1 euro a month.
So, how’s it going? So far, so good. I now have all my legacy accounts forwarding to my Posteo account and am enjoying a massive reduction in spam and distraction, along with the ability to sort my mail as I want for later reading. No hiccups or delays were encountered, so we’ll see if this ends up as my permanent solution.
If your email security, privacy, or your personal sanity is a concern for you, check them out.