Luke's Notes

Alternative Email 2

Continued from Alternative Email 1 which focused on criteria for alternative email. This part looks at alternative email providers.

Alternative email providers

In this part I am focusing on alternatives that on my criteria from the last post seemed the best to me when I was looking for a new email provider: Runbox, Disroot, Riseup, Proton, Tuta, Posteo, and Autistici/Inventati. Some others beyond this 'shortlist' are mentioned in the next post no. 3. At the end of the next post there is a short summary of all the providers discussed here in terms of my criteria.

a) Runbox

Runbox focus on email (an early alternative email provider launched in 2000) and their website is very forthright on ethics and privacy. They really push this hard everywhere you look. They try to make it a big selling point.

I found and liked Runbox partly because their services are mostly powered by renewable energy (mainly because Norway - where they are based - is mostly powered by renewables, despite becoming rich out of oil). The renewable energy comes from hydropower which I understand is not the best form of renewable technology (for instance in the effect on wildlife, something I feel very uncomfortable about). But at least it breaks away from fossil fuels which are behind climate change. I use Runbox email. But, to be honest, I may not have started to if I had realised the downsides of hydroelectric power on animal life and this does give me some reservations, despite many other positives about their approach. In a way, you can't blame Runbox because hydroelectric is the main Norwegian form of renewables and I'm not sure how easy it would be for them to switch to other forms of renewable energy. I also don't know how much other providers avoid hydroelectric power for solar or wind, for example. Some, unlike Runbox, do not specify this. Runbox also supports projects that work on sustainability. Many email providers fund external projects, usually privacy ones, but Runbox focuses on supporting green projects.

They have a good privacy policy about respecting the privacy of our data and not selling it or giving any away unless required to by law. The DigDeeper site is negative about how long they keep your data, but doesn't have too much negative to say about some other aspects of their privacy policy. Norway is seen to have good privacy laws.

Some other privacy-oriented providers (see below) provide higher levels of encryption than Runbox, who encrypt email in transit but not at rest on their servers. This is a serious issue for those who put privacy first and other providers provide encryption at rest or even at the receiver's end. But I was (mostly) happy with their privacy policy, including in terms of the privacy of email at rest. Other aspects of their operation made me happier with them, even compared to providers with more extensive encryption but whose social and environmental credentials I was less at ease with. Runbox provide privacy but not anonymity. Of course you can have more than one email address, combining a company like Runbox with another email provider with more extensive encryption if there are occasions when you want this. There is a privacy-focused review of Runbox here.

Runbox are majority employee-owned which is quite unusual. For me, this was a big thing in choosing to use them. They don't make too much of this in their publicity, I suspect because they feel it may put some people off. My experience discussing alternative tech on forums was that worker ownership was regarded very contemptuously by many interested in the alternative internet, anti-socialism obviously being prevalent and strongly held and worker ownership being equated with socialism.

Runbox are a small company and the customer support is done by the people who actually run the techy side of things. So you don't have to go via non-technical customer service people who have a pro-forma set of initial routines to go through before investigating your problem or being passed on to an expert. If you have a problem the customer service people at Runbox have tech expertise and get to the core of the issue straight away and they are friendly, attentive, and fast. They operate across time zones so you can usually get a quick response. I have had a bit of contact with their customer support and found them transparent. For instance, they were quite happy to be open about limits on the encryption they provide. While defending their approach they were not defensive. There was an issue once, while I have been a user, of problems with email and them taking a long time to update the service status (for a few hours email could not be picked up by email clients but was still available via webmail). But they accepted they had made a mistake in delaying updating the service status and promised to make sure it did not happen again.

You pay a small monthly fee to use their email. They also have a calendar you can use as an alternative to Google or Apple calendars.

They have a very old-school site and general approach. Things can be a bit clunky and change is slow. They say they are building the fastest email in the world which they are a long way away from doing. But for me, none of these problems mattered too much. In fact, I find the old-school feel and slowness quite reassuring.

Summary
Privacy: mostly good privacy policy; limited encryption: in transit, but 'at rest' only at disk level and not at mailbox level, which will be a no-no for some.
Environmental: very good. Nearly 100% renewable energy, although hydroelectric rather than wind or solar.
Workers: very good. Mainly employee-owned.
Respect for users: in my experience very good.
Building a wider alternative internet: they left Facebook in 2018 and stopped using X in 2023 for reasons of principle which is more than can be said of some, and are on the alternative Mastodon. Otherwise, they are not really trying to themselves build a wider alternative internet beyond email. But focusing on one thing and trying to do it well is not necessarily a bad thing.

Overall: they are not the best at extensive encryption, but otherwise good on privacy, green issues, worker empowerment, user respect (in my experience), and an ethical stance on their use of social media.

b) Disroot

I also liked Disroot, a Dutch provider of services founded in 2015 that are helping to build a wider decentralised federated internet, as an alternative to Big Tech's corporate centralisation. In a decentralised federated internet there are many different providers, so it goes against monopoly or oligopoly and makes sure there are always alternatives and you do not get sucked into reliance on a few powerful exploitative corporations. Disroot provide email, with a good privacy policy, and they link up with other alternative services like search, cloud storage, notebooks, etc. The email and search are very simple and what you will be used to. Things like cloud storage with Nextcloud are a bit more complicated but you don't have to use that if it's too much for you. They are not on X or Facebook and they are on Mastodon. They donate to alternative internet projects.

Sadly, my experience is that some who are enthusiastic about decentralised federated organisation in theory have no will to participate in it, or are even actively hostile when possibilities like these internet ones are available. They opt for centralised corporate capitalist internet instead.

Disroot is run by a small collective of volunteers (5 at the time of writing) funded by voluntary donations. So, if you want it to be, it's free.

The images on their website celebrate radical protest politics but there is nothing in their terms of service that is restrictive only to people with radical leftist views.

Like Runbox they do not have encryption of email 'at rest' on their server, though their privacy policy, which is generally very good, says they will not read your email or allow others to. For some for whom privacy is very important the limited encryption will not be sufficient, but I was happy about their privacy guarantees.

Microsoft have temporarily blocked messages from Disroot in the past. But if you have a secondary email address I don't see this as a major problem as you could use this in such cases.

They say they use renewable energy but it's not clear to what extent, ie how much of their energy is renewable.

Summary
Green: good or very good. They say they use renewable energy but it's not clear whether this is 100% or less.
Workers: very good. Disroot is run by a small collective of volunteers so very good on workers in that the volunteers collectively control and run the operation.
Respect for users: I have had limited experience of this but all their policies are user-respectful and the one contact I had with support involved a quick and helpful reply. I have not heard them criticised on this criterion.
Privacy: good to very good. Encryption in transit but less so at rest but they do discuss how you can encrypt your data yourself. Very good privacy policy. Again, if full-on encryption is important to you they do not seem to be the best, but for me there are other criteria for choosing an email provider which I like them on, eg their internet politics.
Building a wider alternative Internet: very good, in fact excellent. One positive aspect of their approach to this is that they promote a decentralised federated internet by bringing together and linking many independent services. This is very different to a privacy company like Proton that is trying to build a wide range of alternative internet services but all run by them, including by buying out alternatives rather than supporting them in their independence as Disroot do.
Social media: they are on Mastodon and not on corporate social media. Some other providers I am covering are on Mastodon but do not link to this from their website and/or they remain also on conventional social media like X.

Overall: Disroot are very good on my criteria. The reservation some may have, which is less important to me (especially given their privacy policy about email content), is that email is not encrypted at rest. Privacy policy, collective organisation, and internet politics for me, compensate, in part, for encryption limits.

c) Riseup

Riseup are very good on my criteria. They were founded in the USA in about 2000. I think I had forgotten how good they are since I was originally interested in alternative email. Riseup provide email and email lists, mainly for leftist activists. One limitation they have is that they are based in the USA which has poor privacy laws. Riseup, like Disroot and Autistici/Inventati, is run by their activist volunteers rather than being capitalist or bureaucratic as with companies like Proton, Tuta, and Posteo.

The DigDeeper site sees them as very good on privacy policy and encryption. Their privacy policy is strong and, as I understand it, they have encryption of emails at rest on their servers as well as in transit, but not at the receivers' end unless you organise this yourself using PGP.

Joining is by invite only. An existing member can give you a code and they are supposed to do so only if you have activist and leftist credentials for joining. Of course, this is exclusive and can make it difficult to join for some, but I see this as a benefit rather than a problem.

Riseup provide a VPN which stops your ISP from seeing what sites you visit and hides your IP address. When I used it briefly it was very slow. But it is free and available as such for anyone who may want to sometimes use it.

They are good at promoting a wider alternative internet, with collaborative tools for activists, beyond the email lists and VPN that I have mentioned. These are all within Riseup but the situation is not as with Proton who seem to be trying to create their own eco-system of multiple services encouraging you to get all with them.

They are on Mastodon, but not actively for a while. They ask for voluntary donations, but Riseup is free.

Summary
Privacy: very good.
Environment: energy use is unknown, but supports environmental activists and the green movement.
Workers: very good, run by a small collective.
Respect for users: very good, this is covered by their privacy policies.
Contribution to wider internet: Riseup provides email, email lists, VPN etc, so a bit like Disroot trying to support a wider infrastructure beyond just individual email accounts.

Overall: very good on all my criteria except environmental ones which is unknown in terms of energy use, but I am sure Riseup is used by many environmental activists.

d) Proton

What most often gets recommended for alternative email are Proton and Tuta who have higher levels of encryption than Runbox and Disroot.

Proton, a relatively large company based in Switzerland (which has good privacy laws), was founded in 2014 and are the big name in private encrypted email. They offer various other services, a VPN, cloud storage, calendar, password storage, etc, all based on privacy and encryption. As with Tuta, emails between Proton users are fully encrypted and to non-Proton users you can choose to make these unreadable without a password that you send the recipient.

On privacy, some have complained that they gather too much information when you sign up and that, in the past, they have gathered too much information when you are signed up. The latter may have improved as their privacy policy has changed, but it does raise doubts given they have been willing to compromise on privacy in the past. They do not encrypt the subject lines of emails. They have been criticised for supplying details of users to the police but I'm not sure they can be fairly criticised for actions which they were legally obliged to make. There is a review outlining some of the strengths and limits of Proton's privacy and encryption here.

Proton are trying to get you fully onto their eco-system and replace one set of oligopolistic attempts with another, albeit based on privacy rather than surveillance. This is different to, say Disroot, who provide links to many services but offered by a variety of providers. Disroot promotes decentralisation and federation while Proton is effectively oligopolistic in approach. Proton do, however, campaign on and fund wider alternative internet and privacy projects.

Proton feel a bit corporate to me and their emphasis is very much on privacy, not so much on other ethical criteria. In terms of worker involvement Proton appears to be a conventional hierarchical capitalist company I think, although they are owned by the non-profit Proton Foundation. They are very heavy on the big sell, there are lots of marketing emails, they are always trying to sell you paid plans, and move you on to higher paid plans, etc. There is no mention of environmental policies so I don't know if they use renewables.

I have found them not always that transparent. They have a VPN that includes a tracker blocker that blocks big tech from collecting data about you, as is normal these days for VPNs. However, it is weaker than some and if you ask them what lists they use for their blocking they are reported as not answering. VPNs like IVPN and Mullvad openly say what tracker blocking lists they use. I have seen other complaints about their customer service not always being that transparent or supportive, but I don't know how widespread these issues are.

In terms of social media, they are on Mastodon, the alternative to X and Facebook, and this is mentioned on their website, but also on all the usual corporate social media.

Summary
Privacy: very good, especially at encryption. For activists or journalists or anyone in danger of state surveillance probably a good bet. Some questions have been raised about their privacy policy.
Environmental criteria: you have to assume not good as this is not mentioned by them.
Worker involvement or empowerment: not good as far as I can see.
Respect for the user: I have found them not always that transparent.
Building a wider alternative internet: very good, but if you are happy for them to try to do this all within their own company and draw you into sole involvement with them. Not so good if you believe in a decentralised internet of independent providers. They campaign widely on privacy and alternative internet issues and support projects in these areas.

Overall: if you want private encrypted email, Proton and Tuta stand out. If your criteria are wider and you don't mind compromises in how far your email is encrypted at rest others are preferable.

e) Tuta

Tuta (formerly Tutanota) is a small German company, founded in 2011. They use 100% renewables and their code is open source. Messages sent between Tuta users are automatically encrypted. If you send to a non-Tuta user you either do it unencrypted at the destination or if encrypted you have to give the recipient a password to open the message which they do in a temporary Tuta email inbox. This is a similar method to that used by Proton. There is encryption of mail at rest. So, as with Proton, they are at the higher end of privacy in terms of encryption of email. There is a positive review of Tuta's privacy credentials here.

Some have complained that they collect too much information about users, share some, and can block attempts to anonymise yourself when joining. These are similar to complaints made about Proton. 

On respect for users, on one occasion they changed what users got for their plan, this being reduced for members mid-plan. There was an uproar and they then withdrew the change and apologised. But it does show a willingness to not treat users with complete respect.

For me, as with Proton, there is a bit too much heavy selling going on. They are trying to promote their alternative private and green product but the marketing is very full-on and regular. They host plenty of articles on privacy issues which sound open and informative but effectively are often adverts for Tuta as the solution.

There is not much information about worker involvement or the structure of the company, ie how much workers are empowered in decision-making. So, I have to conclude it is a conventional capitalist company. When I asked about unionisation they said it was not necessary as they were a small company.

Their support forum is on Reddit which some people may not want to join. Many alternative internet networks have left Reddit because of their policies. They are on Mastodon and also corporate social media like X and Facebook. There is no evidence from their website on supporting a wider alternative internet beyond their own offerings and I could not see any information on them donating to wider projects, as many other alternative email projects do.

Summary
Privacy: very good on encryption, some questions raised about the privacy policy.
Environmental criteria: very good, 100% renewables.
Worker involvement or empowerment: no evidence that there is anything formal in their organisation for this.
Respect for users: on the basis of the plan change I mentioned and pushing people onto Reddit, this does not seem as good as it could be.
Building a wider alternative internet: beyond what they provide themselves it is not clear they are doing this.

Overall: importantly, Proton and Tuta are probably the best on encryption of email, so for as full as possible privacy of your emails these companies are probably the best. Beyond this and their use of green energy, it's not too clear Tuta stand out on my other criteria, but the encryption will (rightly) be very important to many.

f) Posteo

Posteo, founded in Germany in 2009, who I mentioned at the start of the first post, seem pretty good on environmental concerns, being fully based on renewables and having other good green policies such as on work flights etc. They are strong on privacy and encryption of email. Higher levels of encryption are opt-in but that is OK, they are available. Their privacy policy is very good in the view of the DigDeeper site. There is a generally positive privacy-focused review of Posteo here.

They say they treat their workers well, but they are a conventional capitalist company not, unlike Runbox or Disroot, run by the workers/volunteers. When I contacted them, for research reasons, to ask about worker involvement/representation and user choice (see on spam policy below) they were quite defensive. Asked about unionisation they told me they treated employees well. When I pointed out they had not answered my question of whether they were unionised they did not reply.

They have some compromises on email privacy and security. They do not use DMARC authentication checks on email and they recycle deleted email addresses after 36 months. So if I close my Posteo account then after 36 months someone else can take my defunct email address and potentially then receive email intended for me.

One big issue, for me, is that for a long time they would not allow users to have spam folders. They instead sent non-delivery messages to senders of mail deemed spam and blocked. If falsely identified as a spammer, the sender could then send it to another email address for you. This is not really satisfactory if the suspect mail came from a no-reply address, or a big circular where the sender does not deal with replies. And senders usually do not have an alternative email address for you. The justification they gave for this policy is that users do not check their spam enough and could not be trusted to check their own spam folders for genuine email, so they took this function away. I thought this raised a more general issue of a lack of autonomy for users and a lack of respect for them. Recently they added the option of having a spam folder the user can manage but overall this approach I felt showed a problematic, patronising, and undemocratic attitude to users.

Some of their marketing has been misleading. In one instance they posted an image of areas they were assessed on as scoring well on privacy but cutting one criterion from visibility where they did not. I recall them being dismissive of other providers for using hydroelectric power but now I can't find that statement on their website and I see they use hydroelectric sources. I am fairly sure I remember this right but am happy to be corrected.

Posteo's website and webmail box are easier on the eye than some others. They are quite an idiosyncratic operation. I really want to like them but they make it unnecessarily difficult.

Summary
Privacy: very good, in fact excellent. Encryption at rest is possible on an opt-in basis and their privacy policy is praised.
Environment: very good.
Workers: if you believe what they say about the treatment of their workers, good. But not excellent in that workers are not empowered in the company through ownership or unionisation.
Respect for users and transparency: in my experience (see above) very poor.
Contribution to alternative wider internet: they donate to a range of green, democracy, digital, refugees and humanitarian organisations, so well beyond alternative internet. Posteo are not on any social media, corporate or alternative, as far as I can tell, apart from a long-dormant X account they no longer use.

Overall: good on privacy and environment. Not so good on worker involvement or respect for users.

g) Autistici/Inventati

Autistici/Inventati (A/I) are an Italian anti-capitalist email provider founded about 2002 with a strong leftist-anarchist political approach. They specifically say they are not just about privacy but have a wider agenda. To join you have to give a statement to them of your reasons for why, and one that matches with their politics is expected. There can be some to-and-fro joining, where they check your compatibility with their aims and objectives. I was accepted straight away as I set out political reasons for joining which matched with their politics. I have heard others who applied then had to answer further questions (as A/I say may happen) moving them on ideological or political affinity.

A/I bans discriminatory behaviour. Somehow some people see this mild policy as a bad thing to be condemned. In this day, for me, they are to be recommended for their stance. They say their email platform is not for promoting political parties and military weaponry. Basically, it's political email for people of a certain ideological position. It seems misplaced to criticise them for these sorts of political entry criteria; don't join them if you don't share their views. DigDeeper is very negative about the fact that you may get kicked off if you don't agree with their ideology. But they make clear they have an ideological project and are for people who agree with their politics so those who do not are warned and have other choices. DigDeeper is positive about other aspects of their privacy policy which does seem good.

There is not much information available about A/I online but as far as I can see email is encrypted in transit but not at rest on their servers, like a number of other providers in this blog.

They were offline for a long time once and, while I have been a user, I lost the contents of my email box on one occasion because of a bug, but they were able to restore the emails from a backup if I wanted them to.

In terms of respect for users, I see their ideological mission statement as very good on this issue. Some see their political criteria as bad, I see them as the opposite. On the two occasions I have had contact with them they were responsive and helpful.

They are on Mastodon but not on corporate social media. I think their contribution to building an alternative internet is restricted to their own operation, but as a small amateur operation, this seems reasonable.

A/I email is free but you can donate if you want to.

Summary
Privacy: the privacy policy seems good, encryption in transit but not at rest.
Environment: not any information about this.
Workers: run by a collective of volunteers, very good or excellent.
Respect for users: very good in my experience.
Contribution to alternative wider internet: good in that they are not just a capitalist corporation but provide an example of a radically different approach themselves.

Overall: if you would like a left-wing email provider that you have an ideological affinity with and a good set of policies, very good (like Riseup), but worth having another email provider too in case of technical problems.

The next part will briefly list other alternative email providers, and discuss switching email and picking up email, wider alternative internet possibilities, and a summary of alternative email on the ethical criteria I have used.