Luke's Notes

Alternative Email 1

This is the first of 3 posts on alternative email; alternative to big tech email like Gmail, Hotmail etc. Below is a list of contents followed by an introduction.

Contents

Alternative Email 1
Introduction
Widening ethical criteria for alternative email beyond (but including) privacy
Ethical criteria for assessing alternative email

Alternative Email 2
Alternative email providers

Alternative Email 3
Other alternative email providers
Calendars, changing email, and picking up email
Wider alternative internet providers
Summary of alternative email on the ethical criteria

Introduction

About 20 years ago I decided I wanted a new independent email address separate from my internet provider (ISP) in case I changed to a different ISP. This was in the days when many of us got our email addresses with our ISP. I decided I would look for one with some sort of ethical mission.

But when I started to look for an email provider with a more ethical approach I was surprised to draw a blank. Maybe I didn't look hard enough or in the right places. But I did look pretty hard. I ended up switching to the German company GMX because they said something on their website about planting trees. I wasn't sure whether their environmental policy (it has developed since) was greenwashing but it was the only statement of ethical intent I could find at the time from anyone, so I went with them. But from what I read over time GMX seemed like a fairly conventional tech company.

Then many years later I got a message from someone at a Posteo email address and I looked into Posteo. They aim to be a green company that also emphasise anti-surveillance, privacy, and treating their employees well. This started me up again on the search for ethical providers of online/internet services like email. I had more success this time.

These three posts are about my search for alternative email providers - alternatives to big tech ones with ethical, anti-surveillance, environmental, and worker-friendly approaches. They are more an account of the search than a guide, but pointers can be taken from this. The first post outlines criteria for alternative email providers, the second the alternatives I came up with. You can skip forward to the alternatives if you want to get straight to that.

I'm an amateur in this area and tried to make sense of the information I gathered on that basis. There are many people who follow the complex and detailed privacy side of it, at least, intensely and in greater depth. I think I've got the basic technical and wider details right but am happy to receive corrections or advice on anything in these posts.

Most people I know seem to use Gmail from Google and quite a few Microsoft's Hotmail. These are often people who are very critical of capitalism or capitalist corporations. You can easily not use these exploitative big tech surveillance companies. There are plenty of alternatives that are simple to change to. And these alternatives are functional and fine and easy to use.

Widening ethical criteria

I've charted what I came up with in terms of alternative email and some of the ethical criteria I used to find providers. I was not as scientific as it looks here. I just read up on alternative email providers on and off in an ad-hoc way over a period of time, using their websites, independent guides, and Reddit and other forum discussions. I had no very clearly determined criteria in advance, just to look vaguely for someone who seemed more ethical, in terms of my own beliefs. But gradually privacy (ie not practising surveillance and capture, use, and sharing of our data) and green criteria appeared as prominent, often mentioned by providers themselves. Then I started to wonder about the treatment of workers by email providers, or even employees or volunteers having a role in the alternative being run, respect for users, and wider contribution to an alternative internet. These got much less coverage in discussions I encountered but they became important to me and gradually got added in by me as criteria.

After the Snowden affair, exposing widespread government surveillance of citizens including of their email, lots of providers started promising privacy and alternatives to big tech surveillance. There are now many guides to alternative online providers but most focus on privacy issues. This is generally a much bigger priority for most alternative tech developments than other environmental and social concerns. But the latter were also important to me so my search for alternatives reflected that. Using these criteria and information I had gathered I put together a post-hoc assessment of email providers, in a more systematic way than when I was first looking.

I got interested in this personally but also academically (as part of my academic job) and ended up writing about alternatives to the surveillance internet in an article and a book. This post develops what I wrote then on alternatives to surveillance capitalism to include ethical criteria beyond privacy.

My main criteria are on:
1) Privacy and anti-surveillance.
2) Environmental and climate policies.
3) Treatment of workers, and especially worker empowerment.
4) Respect for users.
5) Contributing to building a wider alternative internet, including use of the 'fediverse'.

The ethical criteria

This blog is about what I came up with in this search. It's not what everyone would recommend but it's what worked best for me in terms of my criteria. You can choose to pay attention to some of the criteria and ignore others. I hope I'm filling a gap in widening extensive coverage of privacy also to less covered wider environmental and social criteria in choosing email alternatives. I welcome being advised on guides I may have missed that also cover broader ethical criteria.

Environmental

In terms of being green, using renewable energy is a key issue. Computing, such as running servers and keeping them cool, can be very energy-intensive. There are different kinds of renewable energy. As we'll see below, there is a distinction between, for example, hydroelectric and other forms of renewable energy like wind and solar. I have also taken into account general business practices of alternative providers on green grounds and donating to environmental causes.

Workers and unions

I got a lot of stick on online forums when asking about this criterion when applied to the alternative internet. People got hostile, and said this sort of thing was irrelevant, and none of my business. I was accused of being a communist, mainly by people from the USA I suspect. They assumed being a communist was a bad thing.

In terms of workers, the main thing I looked for was employees (or developers or volunteers) being involved in actually running the alternative, rather than working for an owner or employer. I think that is the main way to avoid exploitation and ensure empowerment. This is much better than promising good treatment of employees, although I took that into account too.

As part of a bit of academic research on this area a while back, I asked a number of email providers about union recognition and membership in their companies. It was a partial survey that I did not pursue and complete properly. Runbox (see next post) got back to me and pointed out that their company is employee-owned. Do you need a union to represent the workers when the workers are also the bosses? Similarly, providers like Disroot and Autistici/Inventati (again, see next post) are collectives and their workers effectively volunteers so the issue of union recognition does not apply so much.

Most of the other conventional companies who replied were quite defensive and said the issue was inapplicable to them. They gave unconvincing replies about not needing a union because they treated their employees well and consulted them, or about being too small a company to require a union. These are not good reasons for not having a union.

Contributing further to an alternative internet

All the providers I outline support a more alternative internet by the fact of providing their own alternative services. But some go further by providing or funding alternative internet provision more widely or speaking out on, or lobbying for, a more free or democratic internet. Some try to actively build a decentralised federated internet of providers that are alternative to centralised and oligopolistic big tech and guided by different ethics, eg pro-privacy and anti-monopoly. I took this into account.

One aspect of this is breaking away from corporate surveillance social media and using decentralised federated non-profit social media on what is called the 'fediverse'. An example is Mastodon which is an alternative to social media like X and Facebook. I noted where providers did this and some had gone so far as to leave X or Facebook, or never join them in the first place. At the time of writing, X are actively promoting fascism. Meta (the owner of Facebook) is a major harvester of peoples' personal data (see below).

In alternative internet discussions, some prefer open-source provisions, where the code for the service or app is public so people can check it or use it to set up an alternative of their own. I took this into account but it was not a dealbreaker for me as some providers who are good on my other criteria are not fully open-source and being open-source does not necessarily make you a saint.

Respect for users

When looking into alternative email, I was taken by differing levels of respect for users. People assessing this tend to focus on customer support and whether it is helpful and quick. This is, of course important, and I include this and found quite different approaches and effectivity on this. Respecting privacy is also a matter of respect for consumers but this is covered under privacy below.

But I noticed other issues which for me are about respect for users: transparency and openness, for instance. Empowering or trusting users and allowing them choice were other areas where I found the providers had different approaches.

I have deliberately described this criterion as respect for users rather than customer service or customer responsiveness because of these broader issues. My findings are a bit patchy on this criterion as I have had user interactions with some of the providers more than others.

Privacy and anti-Surveillance

a) Threat Model and mass surveillance

Privacy advocates will tell you that you need to work out initially what your 'threat model' is, i.e. what you want to keep private and why. Then you can decide on what best action to take. For some the threat model is that they are activists or journalists, maybe in repressive states, who need to keep their activity private or even anonymous for their own safety or for that of people keeping them informed. For me, it's more a question of disagreeing with my online behaviour and data being accessible (in enormous breadth and minutiae), recorded and retained, used to profile me, and often shared or sold. I think this is morally wrong (as well as potentially dangerous) and, as far as I can, I am not prepared to let people do this.

I prefer the term 'anti-surveillance' to 'privacy', as not practising mass surveillance of us is what, for me, it's really all about. People tend to use the term privacy for this, but this has connotations, for me, more of net curtains and gossip. However, I use both anti-surveillance and privacy as terms in this blog post.

I'm not going into the problem of surveillance as the focus of this blog is on the alternatives, and what some of the surveillance is or can be should become clearer when I discuss what privacy protections different providers offer. But suffice to say, Google, Meta etc collect huge amounts of incredibly detailed data about us, package it up, and use, share, or sell it, often without our knowledge. It can be made available to governments and police if requested. They are mass surveillance organisations with very little respect for privacy. They make their money by selling our personal information or using it to facilitate personally targeted advertising.

On email specifically, governments have been found to read our email, as have corporations like Google. The Snowden affair revealed widespread reading of peoples' emails by government officials. This prompted providers to set up email with privacy protections and policies against allowing access to messages and the collection and retention of personal information. As there developed protections to restrict government snooping, it became important to protect also against information gathering by corporations. Where government could not spy so much any more, they could sometimes still get the information they needed from corporations that we use in our digital lives.

For a recent account of online surveillance see Mullvad's outline - there is a web version and a pdf version. Mullvad are a company that provide a privacy-protecting VPN and web browser. Their report is only in small part about email but It gives you an idea of the incredible scope of what corporations and states are able and willing to do.

b) Privacy Policies and anonymity

Key privacy measures are: 1) privacy policy and 2) encryption. A good privacy policy is about collecting limited information about you, retaining as little of it as possible, for as short a period as possible, and not using it for building up a picture of a person, sharing information held about you, unless required to by law, or selling it. A key issue is the initial collection and retention of data. If little of it is collected in the first place there is less that can be shared or demanded by external bodies. There are, of course, many providers that have privacy policies, but the degree of privacy they promise varies across them, even amongst privacy-focused providers. And a key thing about privacy policies is whether you are willing to trust providers that they will adhere to the policy they set out.

A distinction is between privacy and anonymity. Someone who values privacy may be willing to submit, for example, their email address or banking details to a provider but wants that information to be private and any further information (eg the content of emails) to be kept private or not retained. Someone who values anonymity wants to use the internet without agencies knowing their identity, so they will be against their email address or banking details being provided in the first place. Consequently, some providers do not require email details to join up and they will accept payment anonymously, eg by cryptocurrency, vouchers you buy independently, or even cash. If you don't collect or log account information about identity you can't sell it and you have nothing to give the authorities if they come asking. This is how some VPNs, like Mullvad or IVPN, operate.

My focus is on privacy more than anonymity. So I was looking for good privacy policies that promise to limit what information providers collect, for how long, and promise to not make what they do collect available to others such as advertisers or even the state or police, except where legally obliged to.

Jurisdiction is important for many. Some countries have stronger (eg Switzerland) or weaker (eg USA) privacy laws that affect how easy it is for the authorities to obtain your personal information, such as email data, from providers. If you are an activist or journalist who wants to avoid state surveillance this is especially important, and where the company hosting your email is may be significant, with places like Switzerland or Norway being preferable to, say, the USA or the 'eyes' states (who share intelligence information).

c) Encryption

Encryption is where information kept (eg your email messages) is done in a way that is unreadable to anyone apart from you or the person you are writing to. There are two areas in which data like email messages can be encrypted. One is in transit, when the information like email content is encrypted while it is being sent. The other is encryption at rest where the email is encrypted on a server once delivered to you. Encryption in transit is common, encryption at rest is less so. I personally had a preference for encryption at rest when I was looking for an alternative provider. But as my threat model was more about thinking it is wrong for people to be able to read my messages rather than right now feeling in danger if they do (but, see Mullvad on the issue of feeling you have nothing to hide) I was OK without encryption at rest if the provider promised they would respect the privacy of that data, I felt they seemed trustworthy on this, and they were desirable on other wider social or green criteria.

If email is not encrypted at rest by the email provider (as with some of the providers I am looking at) then you do need them to have a privacy policy that says they will not read or scan it, trust them to carry out that policy, and believe their security is good enough to stop others reading it. Some privacy advocates would see this a bit too relaxed and believe that encryption at rest is essential.

There can also be encryption of your message when it reaches the recipient. This involves the email only being readable to a person who has a password to open the message. One way you can ensure this is by using what is called PGP (Pretty Good Privacy) which many email providers support but which you have to set up yourself. I have focused here on encryption of the message to the receiver already set up by your own email provider, which some, but not all, of the providers I am looking at use.

There is a lot more technical complexity and depth to types and methods of encryption than I have discussed here but I think these are the main points, at least for me.

It's worth noting that, despite all this, Edward Snowden (and others) say that email will never be fully private, for various technical reasons. If you really want to avoid surveillance then messaging (eg with Signal, which is much preferred by privacy advocates to WhatsApp) is a better bet. Or it is even better to just talk to someone orally if you can. This is all the more reason for paying attention to criteria beyond privacy when assessing alternative email.

Cost/pricing and privacy

The issue of cost of services is related to the issue of privacy. Most (but not all) of the alternatives I am looking at require small payments for their services. In some cases, this is required for all levels of the service, in others for tiers beyond free basic ones. In others, voluntary donations are welcomed but not required. Big tech (Google, Meta etc) give us many of their services for free. This is because they take our personal data in great granular detail and then sell it or use it to attract targeted advertising. That is how they make their money. Privacy people say that if a service is free then we are the product; i.e. the customer (in terms of their personal information) is what is sold. The alternatives I am looking at do not generally harvest and sell our data and so, as an alternative, they have to charge to make their money. But, by and large, the charge is not high. I tend to go by the pint of beer rule. If it costs the same as a pint or two of beer a month, we (or at least me) would not baulk at buying two pints of beer a month. So, I can pay the equivalent for tech services. I've always been surprised by people who would happily spend £5 a month on most things but not on tech offerings and are outraged when a tech company charges such a small amount every month for their service, especially when this is because they do not make money from your data or from venture capital.

Sources of information

To mention just some sources on this area, there are recommenders, such as Privacy Guides, The Privacy Dad, and The New Oil mainly focused on privacy. DigDeeper provides a useful guide on email providers' privacy policies. I have also drawn on peoples' comments on forums like Reddit and Privacy Guides forums. The Ethical Consumer uses, like me, broader criteria but requires a subscription.

Next part: Alternative Email 2 looks at alternative email providers, based on the criteria outlined in this post.

Related article: Surveillance Capitalism and Digital Alternatives