The New Oil

Like it or not, email is a critical part of our digital lives. It’s how we sign up for accounts, get notifications, and communicate with a wide range of entities online. Critics of email rightfully point out that email suffers from a significant number of flaws that make it less than ideal, but that doesn’t change the current reality. In light of that reality, I believe that an encrypted email provider is a must-have for everyone in today’s age of rampant data breaches, insider threats, warrantless police access, and targeted advertising. If I can get access to your emails, I can get a range of sensitive information including where you bank (to craft more convincing phishing attacks), information about pets (I get notifications each year from the vet for my cats’ annual checkups), calendar reminders, news announcements from family, support tickets from services you use, and more. In a worse case scenario, if I get access to the account itself, it’s trivial to simply issue password reset requests for nearly any of those accounts, have it to sent to said compromised email account, and gain access to a wide number of other accounts you use – from banking to shopping and more – for any number of reasons. So this week, let’s look into the top encrypted email providers The New Oil recommends and their features to help decide which one is right for you.

Before I offer my suggestions, I should take a moment to explain how I define “secure” email since marketing can mean basically anything. “Secure email,” to me, means an email provider who enforces zero-knowledge encryption; that is to say a provider who cannot access your emails as they're sitting in your inbox. It’s not enough to simply pinky promise to respect your privacy. If they can access your data, so can an attacker who gains access whether a cybercriminal, a crooked employee, or a government with a court order. Likewise, services should apply that encryption automatically wherever possible. The onus should not be upon the users for you to go generate your own PGP keys (or whatever security protocol the provider is built upon) and apply it yourself. I also expect the clients (aka apps) of the service to be source available so that qualified, interested parties can verify that everything is implemented correctly and doing what it claims to. Security is important and easy to mess up. Readers can see my full list of criteria here.

Notes: This list is in alphabetical order. It also contains affiliate links that will help support us if you choose to use one of these services, however standard links are also provided for those who are uncomfortable with affiliate links.

Proton

Non-Affiliate Link

Image courtesy of Proton

Proton is by far the biggest name in the privacy space, particularly when it comes to email and VPN, though in recent years they’ve begun to roll out a full suite of products like cloud storage, a calendar, and a password manager. Proton is aiming to become a user-friendly all-in-one suite, a great replacement for Google or Apple geared toward mainstream users. Of course, there is something to be said for not putting all your eggs in one basket, but for those who prefer the ecosystem approach to their services, Proton is a powerful service. In addition, Proton is compatible with PGP, meaning that other PGP users can initiate a secure conversation with you even if they’re not Proton users (though you will have to dig through the settings to find your public key first). Proton offers a free tier you can use to test it out if you so choose.

The main drawback of Proton – in my opinion – is feature parity. Proton operates under the philosophy of “if something is usable, why wait to publish it?” As such, they are notorious for publishing apps that – while functional – are still missing a number of features and need fine-tuning. On the plus side, this allows them to prioritize much-wanted features thanks to the immediate feedback from the community. On the other hand, this often results in situations where a feature in the iPhone app is missing from the Android app (or vice versa) or a Windows app is available while Mac and Linux are still in beta (if available at all).

Tuta

Image courtesy of Tuta

Tuta – formerly Tutanota – is Proton’s main competitor, and unlike many competitors in the tech space they do actually set themselves apart quite considerably. Tuta is based out of Germany and currently offers a calendar in addition to their email. On the user-facing end, Tuta users will notice a much more consistent user experience across the board compared to Proton: all the apps should more or less have the same features regardless of your operating system. Behind the scenes, Tuta is not based on PGP (you can see more details here for technical readers). The advantage of Tuta's encryption implementation is that it protects more metadata than traditional PGP, such as the email subject line. The drawback, however, means that only other Tuta users can initiate an end-to-end encrypted conversation with you.

Proton and Tuta are the two most popular encrypted email providers, and with good cause. They check all the boxes and users really can’t go wrong with either. Originally I was hoping to list three or four more options, but out of all the other popular choices in the privacy community, I couldn't find any that were zero-knowledge by default (and had open registration). That's unfortunate because privacy and security aren’t always black and white. I hate giving users only two choices of provider. Unfortunately, at this time, Proton and Tuta are the most user-friendly, reputable, and trustworthy services I can recommend to mainstream readers. That's not to say that there aren't other services that are trustworthy, but they may require additional setup or come with caveats that make me uncomfortable to recommend them to my target audience.

A common criticism of encrypted email among hardcore privacy enthusiasts is that very few people use it, and therefore a copy of your correspondence is still accessible with the provider of whoever you’re speaking to. While technically correct, I personally think this is a poor excuse. Having one weak spot in your armor is preferable to having two (or simply not wearing armor altogether). When you ask these same people for a solution, the response is invariably along the lines of “people should be using something like Signal instead.” While that would be nice, my bank isn’t going to Signal me notifications. Or my veterinarian, or a job interview, or a receipt for an online purchase, and so on. At least, not any time soon. I have a longstanding challenge to show me the person who functions in modern western society – has a job, pays bills, has a social life, etc – without email (truly without email, not “my grandpa never uses it, my grandma handles it for him.” That’s like arguing that Joe Biden isn’t on Twitter because he doesn’t personally craft and post tweets.) To date, nobody has produced such a person. Like it or not, email is a critical component of modern digital life. Perhaps that will change someday, and if it does I’ll be quite happy to revise my stance. But for now, it’s a necessary evil and therefore one we should endeavor to protect accordingly. If you’re not using an encrypted email provider, I strongly to encourage you to start immediately. There are plenty of other great providers out there for more advanced users who want different features, but for most mainstream users one of the choices on this list will be a great place to start. Until something better comes along, email is a critical part of your digital identity and should be protected accordingly.

(Note: the original draft of this blog post recommended StartMail as an honorable mention. However, a reader informed me that upon closer inspection, StartMail is not zero-knowledge as I was originally led to believe. Apologies for the bad information.)

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...