[tor-talk] Email provider for privacy-minded folk

Joe Btfsplk joebtfsplk at gmx.com
Wed Feb 13 21:47:11 UTC 2013 

On 2/13/2013 3:58 AM, bvvq wrote:
> On 12/02/2013 3:15 PM, Joe Btfsplk wrote:
>> Here's an article someone pointed out on email providers & privacy; if
>> allow signing up w/ Tor, etc.: the_simple_computer
>> <http://www.thesimplecomputer.info/articles/email-for-privacy.html>
>> They all have + & -, depending on needs.  For many, if read TOS &
>> Privacy Policy closely, they may be better than gmail, but not as
>> private as their hype says.
>
> Great link. Interesting site.
> (It's amazing that the web is so vast that after 15 years online, 
> there are still websites tucked away that I haven't seen.)
>
>
>> I took the info from The Simple Computer article & made a chart, plus
>> current data (some not in the article) from several providers' sites. If
>> anyone was interested & if I knew how to (easily) get it uploaded -
>> somewhere - I could do that.  It's not the be all & end all, but has
>> current info on several providers, including how long they retain data.
>> It's now in pdf and / or .ODT format.  I don't know if it's possible to
>> attach small files to tor-talk emails.
>
> I would be interested in your data. Do you have any problems uploading 
> it to mainstream file sharing sites? You could encrypt it and send 
> tor-talk the passphrase. Or perhaps upload it to a .onion (I don't 
> know any off-hand).
>
> _______________________________________________
> tor-talk mailing list
> tor-talk at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>
Sure - there's nothing private about it.  Most data I took right off the 
provider's TOS & Privacy Policy (or verified The Simple Computer site's 
data).  I didn't fill in all "items" on all the providers.  Some policy 
specs weren't mentioned by some providers. You can ask CS if they don't 
have some "privacy" issue in writing, but a verbal / email reply 
probably doesn't mean much (legally, at least), if it's not in their 
official TOS / Privacy Policy.

One item is how long providers retain mail, after you delete it. Some 
don't store at all; - to hrs / days / months / indefinitely. VFEmail's 
storage falls into indefinitely category (though not on my chart).

I've never had a need to u/l a file to a free server, so if someone 
could give suggestion of a simple, free one (file's only 100 KB).  I see 
no need to encrypt it - unless I'm overlooking a reason. Nothing 
private, sensitive.

Had an interesting response from VFEmail CS.  Though I've researched 
"more privacy conscious" email providers a while, I'd over looked one thing.
Unless you encrypt the email - yourself - BEFORE it hits their server, 
ANY provider can & does read (scan) the email, *at least for spam 
checking* - at minimum.  Many of you know this & probably many don't.

What else they say they do / don't do with scanning results (or anything 
to do w/ privacy), like any other agreement / contract, is only as good 
as the company that wrote it.  And if they violate an agreement, only 
recourse is to ask them to stop or sue them.

I asked about this one sentence, out of VFEmail's - ONE - paragraph 
privacy policy:

>> 7. VFEmail.net PRIVACY POLICY VFEmail.net will not monitor, edit or 
>> disclose the contents of a User's email or any other communication 
>> based on VFEmail.net, except that User agrees VFEmail.net may do so: 
>> (a) as part of the TECHNICAL PROCESSING of the VFEmail.net 
>> communication; 
> Joe:  That's fairly vague.  Monitor could mean anything or nothing.  
> Do you scan or look at email contents - ESPECIALLY the message body or 
> attachment contents, in any manner, except for data in the header 
> needed to send & receive mail, to scan for viruses or when legally 
> compelled to monitor email?  I suggest that vfemail clarify & expand 
> this part of the privacy policy. 
VFEmail responded:
>
> Of course the message body is viewed.  If you send out 200 emails and 
> cause the free outgoing queue to stop with your 'flood', would you 
> prefer if we verified you were just sending an address change, or 
> should we just block your account for spamming?
>
> You're welcome, and encouraged, to use PGP from your local PC to 
> ensure no middle man can read your emails.  Any provider who claims 
> they can not and will not read your mail are full of it. 

As I said, wrote that before thinking, all providers scan unencrypted 
mail for spam, at minimum.  That may not violate privacy, if that's ALL 
they do.  If you really want privacy, use encryption.  BUT... you have 
to convince a lot of people to do the same.  Not easy, in my experience 
- outside of a crowd like this list.

I suppose even providers offering encryption of files while on their 
server (like Lavabit), could read the mail just before it was encrypted 
/ decrypted, since they are doing the encrypting.  I believe one or 2 
offer "end to end" encryption.

More information about the tor-talk mailing list