In this second of a three-part series on email privacy, we examine why you should use secure email services designed for privacy. We recommend you use a Privacy-focused Email Provider (PEP) built to respect privacy via “end-to-end encryption” and “zero knowledge”.
Why use secure email services
In our previous blog post, Send private email more securely, we outlined the privacy risks of using unencrypted email services, such as Gmail, Yahoo! Mail, Hotmail, or cable/phone company email services, and recommended the use of secure email services. We examined browser add-ons that add encryption tools within Gmail, the most widely used “free” email service; they help improve privacy to a degree, but do not go far enough, in our view, to maximize privacy. Instead, we recommend that you use secure email services (at least for your sensitive emails to your accountants, lawyers, healthcare professionals, brokers, financial planners, family/friends on confidential matters, business colleagues, etc.) from one of the standalone secure PEPs, that is, not an add-on product augmenting another mail service.
We found vendor websites and reviews of over a dozen reputable secure email services that give you private email services. They do this by providing encryption not only while your email messages are “in transit” (a potentially vulnerable time, when they are en route to the recipient through a chain of servers), but also while “at rest” (that is, while residing on the provider’s servers, where they could potentially be hacked).
These services also do not store or scan the text of your messages and their attachments, and most cannot decrypt/decipher the content of your emails even if they desired to do so, because they do not store your personally-assigned keys and your password, which are required for decryption. Unlike Gmail and Yahoo! Mail “free” web-based email services, PEPs store the email body, in most cases the attachments, and in some cases the subject line in an encrypted (coded/scrambled) form that is unreadable. So even if someone hacked into their email servers, the email messages would be unreadable. Your message is unscrambled (decrypted) on the recipient’s end. Most of these PEPs claim “zero knowledge” meaning no access to your content, your identity, email meta-data, your encryption/decryption keys, or your password.
Reviews of privacy-focused secure email services
Detailed reviews of such PEP systems appear, for example, in the following publications:
RestorePrivacy’s Private and secure email
TechJunkie’s Nine of the most secure email systems
Lifewire’s The 5 best secure email services for 2020
Amongst them, and with overlap, they review the following offerings, listed alphabetically, though we would note that ProtonMail and Tutanota are cited frequently in reviews, user forums, and news articles as on the short list of candidates:
Factors to consider in choosing a secure email system
The survey articles cited above touch on features to consider and profile each PEP system’s pros and cons. Some key factors we view as important to consider are as follows, both privacy-related features and other core features:
Privacy-related features to consider
Does it offer end-to-end encryption, in transit and at rest?
Does it have zero knowledge of your contents, passwords, keys and identity?
Does the encryption use the PGP (“Pretty Good Privacy”) standard, as ProtonMail does, or its own encryption methods, as Tutanota does, which allows it to encrypt the subject line?
Can you send unencrypted as well as encrypted emails to email users who use other email service providers?
What is involved in sending encrypted email to an email address that does not use the product? (e.g., Tutanota requires the recipient to type an agreed-upon password, whereas ProtonMail does the same, but doesn’t require one if the recipient’s email uses PGP)
Where is the service located and is that jurisdiction privacy-friendly?
Are attachments encrypted? Not all services take this important step.
Does it have integrated, encrypted calendar and contacts functions?
Can you register for the service without providing personal information?
Does it log your IP address? (more privacy if it does not)
Key features not directly related to privacy
How easy is it to install the product and set it up?
Can you import email from Gmail or other systems?
What email text composition features exist? Does it support rich formatting, and embedded images?
How extensive is multi-lingual support (e.g., does it have advanced right-to-left alphabet support with proper handling of mixed languages in the text)?
How extensive are the email organization features? Folders, labels, conversation view, mass deletion, and other bulk operations?
Does it have apps for mobile devices, and how good are they?
How good and fast is the email search capability (a challenge for encrypted text)?
Can you use your private-branded domain? (Useful not only for branding, but enables portability if you decide to switch email systems later; no need to notify anyone of a new email address)
Is the source code “open source” making it reviewable by experts?
What are the pricing tiers? Is there an entry-level free tier? How much storage do you get with each package?
Why I chose Tutanota
I narrowed down my choice to either ProtonMail, located in Switzerland, or Tutanota, a Germany-based email service, and I used the free version of each at first. Most PEPs are in Europe where there are more stringent privacy laws than North America. Both offerings provide excellent privacy, with each having its own pros and cons, though the two have many similarities: they both allow you to send end-to-end encrypted messages and have zero knowledge of your email content (or near-zero in the case of ProtonMail’s visibility to subject lines, a consequence of adhering to the PGP standard). They both allow sending email in unencrypted or encrypted forms; they both allow you to establish aliases (different email addresses that go to the same inbox); they both allow a private-branded domain name; they both allow you to send encrypted emails to outside users, though they do so somewhat differently.
ProtonMail has the edge in encryption convenience because if the recipient uses an email service that employs PGP encryption, the encryption/decryption is automatic, but if the recipient uses an external email system that does not support PGP encryption the recipient will need to enter a previously-agreed password key to open the email. Tutanota does not use PGP encryption, which on the plus side enables it to encrypt the subject line in addition to the body, but has the inconvenience of requiring the recipient to provide a password key if the recipient of an encrypted email is a non-Tutanota user, regardless of whether or not the recipient email system employs the PGP standard.
Since they both do a great job at privacy protection, and each has its own pros/cons, I chose Tutanota, largely based on pricing. There is a minimal free version, but the lowest paid version has substantial storage and features, and is significantly cheaper than many others.
Generally, I'm happy with the Tutanota service. The user interface is friendly, the options are intuitive, the help screens thorough, and sending mail is fast. However, there are some features I liked in Gmail that are missing, such as richer text formatting, bulk operations such as mass deletion, multiple labels in addition to folders, and conversation view (“coming soon”).
There is excellent support via email if something goes awry, though other reviews state that ProtonMail provides excellent support as well. The speed of getting/receiving emails is excellent, notwithstanding the servers being in Germany.
Challenges in moving to any new email system
Moving to any new email system brings some challenges, which we delve into in our next (third) blog post on email privacy:
Trading off convenience for privacy
Giving up some email features in favor of strong privacy
Dealing with minor inconvenience to recipients outside your email system
Choosing a transition or co-existence strategy with your legacy web mail account
Guarding your password
Considering a branded domain name for your new email service
Dealing with a calendar and contacts
These issues are explored in our next blog post, Change email providers: trading off convenience for privacy.
Choose a secure email system that respects privacy via end-to-end encryption and zero knowledge. Use it at least for your sensitive correspondence.