In this third post of a three-part series on email privacy, we acknowledge that changing email providers can be inconvenient, but we believe that the privacy benefits outweigh the minor impediments. We offer some strategies for transitioning to a new, secure Privacy-focused Email Provider (PEP), and even a strategy of co-existing for a period of time with your current (legacy) system.
In the first post of our three-part series on email privacy, Send private email more securely, we presented the privacy risks of using unencrypted email services. We examined browser add-ons that add encryption tools within Gmail, the most widely used “free” email service. These add-ons help improve privacy to a degree, but do not go far enough, in our view, to maximize privacy. Instead, in the second post of our three-part series on email privacy, Use secure email services that respect privacy, we presented a list of secure email services that provide the utmost privacy. Here we delve into overcoming challenges if you decide to change email providers to one of the PEPs.
1. Change email providers, but you will trade convenience for privacy
Let’s face it. Adopting a new email provider, particularly one of the PEPs that embrace privacy thoroughly, entails some change and inconvenience. We believe that the minor inconveniences of a transition to and usage of a new PEP service are well worth the privacy benefits and peace of mind that goes with them. We offer some techniques below to mitigate the inconveniences.
2. If you change email providers you will be giving up some email features for stronger privacy
Some more advanced features present in Gmail are missing in many of these PEP systems, as their focus has been on privacy, and they have a high hurdle to catch up with every Gmail feature that you might enjoy. Examples of convenient Gmail features that are missing in several of these secure email systems are a) the ability to mass delete a group of emails rather than one by one; b) nested folders; c) labels; d) formatting capabilities of your email body; e) view email conversations/threads.
Recommendation: You need to decide whether you can live without the relatively minor Gmail features that you would miss by switching, as the option to send private messages is, in our view, more important, especially for the categories of email listed in paragraph 3 below.
3. Dealing with minor inconvenience to recipients outside your email system
Most of the popular, “free” email services, including Gmail, Yahoo! Mail, Hotmail, and most cable or phone company email accounts, offer personal emails that are neither "end-to-end encrypted" nor "zero knowledge." So with the PEPs, you and your recipients who use the popular services pay a small price in inconvenience: in some cases, for example, the recipient needs to provide an agreed password in order to open an encrypted message.
Recommendation: Most PEP systems allow you to send unencrypted messages when you so choose. You decide on a message-by-message basis. Use the encryption option, however, where sensitivity/confidentiality is really warranted, such as communication with accountants, medical professionals, financial institutions, political or other advocacy emails, private relationships, or any situation where there is personal data or sensitive information in the content. You would need to embrace the notion that the recipient having to provide a password to access your email message is a reasonable extra step to ensure your privacy.
4. Choosing a transition or co-existence strategy with your legacy web mail account
One recommendation is to get your toe in the water by using your new PEP system initially only when sending email that is confidential or sensitive. To avoid having to check and deal with two email addresses permanently, you could, over time, gradually notify contacts to use your new email address and/or forward your Gmail to your new account.
5. Guarding your password
If you forget or lose your password (as well as an “account recovery code” that some PEPs provide, a code you receive upon registration to reset your password), you lose all access to your existing archive of email messages. The provider can't "reset" the password for you, as part of the security is that they have no knowledge of any of your passwords, keys, or recovery codes.
The data is encrypted, and the provider doesn't have a copy of your password key or your recovery code, only the encrypted form of it. So if you forget or lose your password as well as your recovery code, bye-bye to your email messages archive. True privacy has a price. It is a consequence of two principles: a) "End-to-end Encryption," which means that the email message is encrypted on your device before transmission, so the message is encrypted when en route, and it is encrypted "at rest" on their servers; b) "Zero-Knowledge," meaning they have zero knowledge of who you are, your password, your recovery code, the keys used to encrypt (these are behind-the-scenes decryption codes created on your device upon registration), your email content, your subject lines, etc. They only have a record that an email was sent and the date/time.
So you'll need to keep your password key written in a couple of safe, redundant places. Pasting it to your monitor or putting it in your desk drawer, which are unfortunately common practices, is a bad idea. It's a gift to a burglar, dishonest contractor, or a passer-by in your home. A fire or flood would also destroy your computer and the post-it note.
Recommendation: Make safe paper copies and digital copies (on a backup device or thumb drive) of your password and recovery code.
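The consequence described above, shown as an added illustration that is not code from this post or from any provider: a mailbox key created on your device reaches the server only in wrapped form, once under the password and once under the recovery code. The function names, the PBKDF2 parameters, and the XOR-plus-HMAC wrap (a simplified stand-in for a real key-wrap cipher) are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

def derive_kek(secret: str, salt: bytes) -> bytes:
    # Stretch a password or recovery code into a key-encryption key (KEK).
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 200_000, dklen=32)

def wrap_key(data_key: bytes, secret: str) -> dict:
    # Simplified wrap: one-block XOR pad plus an HMAC tag (encrypt-then-MAC).
    salt = secrets.token_bytes(16)
    kek = derive_kek(secret, salt)
    pad = hmac.new(kek, b"wrap" + salt, hashlib.sha256).digest()
    wrapped = bytes(a ^ b for a, b in zip(data_key, pad))
    tag = hmac.new(kek, b"tag" + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}

def unwrap_key(blob: dict, secret: str):
    # Returns the mailbox key, or None when the secret is wrong.
    kek = derive_kek(secret, blob["salt"])
    expected = hmac.new(kek, b"tag" + blob["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    pad = hmac.new(kek, b"wrap" + blob["salt"], hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(blob["wrapped"], pad))

def register(password: str, recovery_code: str):
    # Runs on the user's device; only `record` is uploaded to the provider.
    data_key = secrets.token_bytes(32)
    record = {"by_password": wrap_key(data_key, password),
              "by_recovery": wrap_key(data_key, recovery_code)}
    return data_key, record

def open_mailbox(record: dict, password=None, recovery_code=None):
    # Try whichever secrets the user still has; None means the archive is gone.
    for slot, secret in (("by_password", password), ("by_recovery", recovery_code)):
        if secret is not None:
            key = unwrap_key(record[slot], secret)
            if key is not None:
                return key
    return None

if __name__ == "__main__":
    # Constructed sample secrets, not real credentials.
    key, rec = register("correct horse battery", "RC-0000-CONSTRUCTED")
    print("password works:", open_mailbox(rec, password="correct horse battery") == key)
    print("recovery works:", open_mailbox(rec, recovery_code="RC-0000-CONSTRUCTED") == key)
    print("both lost:", open_mailbox(rec))
```

The provider's stored record contains nothing that opens the mailbox without one of the two secrets, which is why no "reset" is possible.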
6. Considering a branded domain name for your new email service
This is a separate issue from encrypted emails, as you can use unique-ID@vendor.com that you get when you register. Most of the PEPs offer the ability to host your branded domain name, such as @mybrand-mail.com, which you register on any domain registration site. Using a branded domain offers 3 advantages: a) like a vanity car license plate, it reflects your family or group or business; b) more importantly, if you change email service providers in the future, you can do so and keep the branded domain by moving it to another email service, and you never will have to notify everyone of the new email address again; c) if you register the domain as private (essentially, an option that says to the domain registrar “don’t reveal the owner of the domain on any domain directory site” much like an unlisted phone number) the owner of the domain (you) will not be revealed under normal conditions, though presumably it could be in legal "discovery" (a court process requesting documentation). The downside of a branded domain is that it costs $10-12 or so per year and double that if you want the unlisted registration option.
Consideration: Your own personal domain is nice for reasons cited, but you need to decide if you wish to spend the extra money.
7. Dealing with a calendar and contacts
Access to an online calendar from any device is convenient. The biggest reason to use a PEP’s calendar, if they offer one, in lieu of Google Calendar or other cloud calendars is privacy. Everything you enter is encrypted. Google calendar and contacts, on the other hand, are not encrypted, so again, anyone very motivated and sufficiently skilled to illegally access your calendar could read its entries. A thief, spy, stalker/hacker, dishonest employee, or in theory, the vendor deliberately, could scan your calendar to know what/when/where you do things. Some of the PEPs offer a companion online calendar and contact list in encrypted form, so no one but you can read it. However, some do not have all the advanced features of Google Calendar, such as calendar sharing with the ability to superimpose dynamically another person's calendar on yours.
Recommendation: If you choose a PEP with an integrated calendar, and if you don’t need advanced calendar features, using a secure and private calendar is a no-brainer. If you need some of the advanced features of Google Calendar not present in your chosen PEP, then you have the choice of trading off privacy vs. advanced calendaring features.
Adopting a PEP entails trading off some convenience and/or possible advanced email features vs. the utmost in privacy