I’m going to assume that if you’re reading this, you probably have at least one email address, and/or use email at least occasionally. I’ll also guess that, like me, you probably never really thought about the details of your email accounts in a “big picture” way. Most of us probably started with something through our Internet service provider (ISP) and then perhaps were introduced to the wonders of Gmail or Yahoo, or Hotmail if you were really an early adopter. Once you settled into something (which was probably several years ago) you’ve probably happily continued with that ever since. Or, perhaps you’re not a big email user, and you’ve simply used the email address issued at work to keep up with other things. After all, you already use it every day, and it makes things simpler, right?
Well today, I’d like to go back to ground zero and look at the basics of what I believe each of us needs in terms of email addresses, and how to manage them from a privacy perspective.
I think everyone should have at least 2-3 email addresses, plus an anonymizing service (more on that later). The basics are:
- Work address
- ‘Professional’ (optional)
- Secondary (optional)
- Backup (optional)
- Proficiency with a service like Blur, 33mail, or trashmail
I separate work and personal email, because I see many people who send their personal mail from their work address. I think there are two very good reasons NOT to do this. The first is that you don’t own that email. If you get fired/laid off, retire, go on a leave of absence or for any other reason sever ties from your company, you’ll lose everything associated with that email. Contacts, messages, etc. If you foresee this, and are backing it up on a personal flash drive, then you’re probably violating some company policies AND risking company data, both of which are bad ideas. The second reason for not using company email for private correspondence is that since they own your account, they’re certainly able to read your mail, and may well be doing so. Griping about your boss with a friend? Reading off color jokes from your uncle? Signing up for services from a company that ends up sending your malware? All of these things could put your job at risk if you’re using a company account to do them. Ideally, you shouldn’t be doing anything personal on a company computer. If you do, it’s best to be using a personal webmail account.
The ‘Personal’ account is just that, the email from which you do all of your personal stuff. Email friends and family, sign up for important services like lastpass, paypal, etc. We’ll get into what I mean by minimally identifiable below.
The ‘professional’ address is simply an extra in case you choose something like joelovesbaconyum as your personal email and would prefer a little more professional sounding email to contact business associates with or put on resumes. I don’t recommend that you use this one very much
The secondary is something that you only use to log in to certain sites with. Think of something like your bank account. You need an email on file with them, and it’s really nice if you limit the number of people who know that email address. This reduces the chances that it can be used to hack your account, or be used to impersonate you.
The backup email address could be your professional or secondary address. It is just that, a backup address for your primary account, so if you get locked out somehow, you can still use email/contact your primary email provider, etc.
Services like Blur are useful for filling in some of the slack between these addresses, we’ll cover what they do in a moment.
What should we call them?
The next question is how to choose usernames. Let’s look at each address:
Work: This is probably assigned, and likely your full name. There’s not a lot you can do about this. If you own your own business, probably firstname.lastname@example.org is your best bet.
Personal: It is best not to use personal details like your full name, birth year, etc. email@example.com is a TERRIBLE email address. Anyone you give it to now has your full name and the hardest 1/3 of your birth date. From the other direction, anyone searching through a hacked database (which is easy to do) can find all that data from just your email address. All that said, I recognize the social hurdles to having an email like qxKvvr49O@protonmail.com. I believe the best middle ground is to incorporate something that makes sense to those who know you, and reveals a little personal info, but only about hobbies, etc. A construction worker named bob might choose Bob.firstname.lastname@example.org , a boat enthusiast; email@example.com. Even something like abbreviating your name is (in my view) preferable to your full name. Our friend above could simply use firstname.lastname@example.org.
Professional address: Again, it’s nice to avoid your whole name here just so you have no emails with your whole name. If you can use something like email@example.com that would be good. That said, using your whole name here and ONLY using it for resumes or the like would be better than using your whole name to sign up for email lists, etc. Another option is, with the paid versions of the services below you can use custom domains. You can buy a domain for about $20/year. So, if this is very important to you, and you’d like to take a little extra time, you could have a more secure AND more professional looking email via that route.
Secondary email: This one should only be for machines to use regularly, so you could (and probably should) use something a little more random like firstname.lastname@example.org
Backup email: If this is a freestanding email purely for the case of a backup on your primary account (perhaps you use Protonmail and you just want a tutanota account to diversify) you could use any of the schemes above. You could also just incorporate that function into one of the other categories.
Where should we get them?
As I’ve written before, I recommend that EVERYONE move away from mass surveillance providers like Yahoo, Google and Microsoft. This means no ymail, gmail, Hotmail, winmail, yahoo.com or other addresses, which is probably what you’ve already got. It IS possible to use PGP encryption and something like thunderbird to send encrypted email via those providers, but it only benefits you if both sides are doing it, all the time. And realistically, that’s not going to happen. So, where should you go? There are a variety of options out there, all with their pros and cons, which are detailed in this excellent series of articles. My recommendation for the average person is either Protonmail, Tutanota, or Posteo. These are all webmail providers, and I’ll go into a few details on each momentarily. The reason I recommend them is that they don’t read your email and provide end to end encryption, which keeps bad guys from reading your emails. So, if you’re emailing within the service (protonmail to protonmail for example) then you have end to end encryption, and no one can read your email in your inbox, in transit, or in the recipient’s inbox. However, if you’re emailing someone with a gmail account, google can still read the message from the recipient’s mailbox (though there are options to avoid that, they cause a bit more hassle for your recipient). The last option, if you’re emailing someone who uses another secure service such as Tutanota, while it will not have end to end encryption, It is still just as secure in transit as any other service (pretty much all email providers are using the same systems to encrypt mail in transit these days) and it will be protected in both their inbox and your inbox, AND neither of your providers will be reading it. All that to say, while you’re probably no better protected against hacking than someone using a “free” webmail provider, you ARE protected against corporate or government mass surveillance in this case. The final key point here, is that as more people use these services, you and they become safer. Now we’ll look at my specific recommendations
Protonmail is the provider I personally use.
They don’t store your password on their servers
Mostly open source
$70/yr if you want more than 500MB storage
I’ve used Tutanota only a little, I have the least experience with it.
$12/yr for paid subscription
1 GB free storage
Uses one password for logging in and decrypting the mailbox (reduces security)
I’ve experienced a slight amount of difficulty with the android app
I’ve used Posteo as a primary address for several months
1 Euro/month for subscription
Inexpensive upgrades (more storage, addresses, etc. pay 0.25 euro/month per item)
Uses green energy
Socially responsible business
includes encrypted calendar
6 year old company, one of the oldest in this field
Somewhat old fashioned interface
Requires extra steps to encrypt your mail box
Uses one password for logging in and decrypting the mailbox (reduces security)
Overall, from a privacy standpoint all of these are vast improvements over any provider that reads your email. I would gladly recommend any of them as upgrade options. Personally, I’m planning to keep using Protonmail, and I’m hoping that they start to offer a mid tier option that is a little less expensive. What they provide for $70/yr is very good, you can have a custom domain, multiple emails, and large numbers of outgoing emails. Really, I think many of us would be happy with a $15/yr account that just upgraded our storage capacity.
Since I’m suggesting that you have multiple accounts, you may want to try out several providers and use them for different purposes.
There are several other privacy oriented email services out there. I don’t have experience with any of them, and it’s worth noting that some have different approaches to privacy and security. Make sure you understand how they work before you commit to anything.
The Final Piece of the Puzzle
Finally, I suggest that you use a disposable email service. Blur from abine.com, 33mail.com and trashmail.com are all good options. They all work a little differently, Blur requires you to set up an address in advance, while you can do it on the fly with the others. What this does is allow you to register with something like email@example.com when you sign up for something. This allows you to do two things. First, you can monitor who is selling your email. If I sign up for a service with a unique email like that, and then get something to that address from someone else, I know my information was sold. Second, it allows you to easily disable individual email addresses, if they do get sold, or a service provider starts spamming you. The final benefit is that by divorcing your online identifier (your email address) from that service, you do a little bit to minimize how easy it is for advertisers to profile you.
These services all work by giving you a random email address, you give that out, and anything sent to that address is forwarded to your email address that you provide. The details of how you set it up are a bit different between services, but that’s the gist of them.
I hope that this has helped you think about how your email is set up. I know this may seem like an obscure geeky thing to be considering, but I believe that if we want to live in a more private world, some of us must help build and support more private technologies. By using these email services wisely, not only are we protecting ourselves, but we’re helping pave the way for a more private future.