I’m considering finally jumping off Gmail. I’m not going to host my own email since I just don’t have the skill to secure that thing well enough myself. Any mail server I set up would become a botnest within hours. So that has me looking at third party stuff.

Proton has a mostly good reputation, though their CEO’s Twitter post a while back praising the Trump regime makes me question if I should trust them with anything. I don’t know enough about the entire situation to know if it’s just internet drama or a real concern, but anything involving Trump is a huge red flag for me.

Tuta looks pretty nice but I’ve read there are concerns about it being in a country that’s part of the 14 eyes collaboration, so it might not matter what the organization wants if the government of the region they are in says fuck off and do what we tell you.

On the lower end of concerns, I am in the Apple ecosystem. (boo hiss I know). I like the clean and simple built-in apps like email and calendar and how the notifications all work across my watch, phone, Mac and HomePods. I like how Safari can just jump in and throw an email alias at things for me. I like how all my stuff is managed. But I also know Apple could piss me off at any moment and make wild sweeping changes I might not like, so relying on them too much could screw me over someday. I don’t know, right now I really like their setup but portability does seem to matter more ultimately so this switch does seem like a better idea in the long run, even if I’m giving up features I may enjoy.

What are your opinions on the privacy email and calendar services in 2025? Should I even bother with a cloud-based calendar in the first place?

  • Telorand@reddthat.com · 17 hours ago

    I use Tuta combined with Addy.io, and it’s been great. I never hand out the main email at Tuta, and if I ever want to pack up and move, I just tell Addy to change where to forward email.

    I don’t think you need to worry about Tuta. Iirc, all of the encryption/decryption happens on your device, so they can’t see the content of your inbox, even if they wanted to. Their free tier is enough for me, and I just make sure to clean out any unwanted emails so I don’t hit the 1GB limit.

    Now, there’s the caveat that encrypted email needs to be able to work with unencrypted email, so somewhere along the way, it’s possible somebody could figure out who you are and what you’re talking about by intercepting traffic or the endpoint, but if you need that level of privacy, email shouldn’t be trusted anyway.

    The biggest benefit of encrypted email is a judge can’t force the company to hand over your inbox (because it’s encrypted), and you don’t have to worry about the parent company or whoever data mining it. But even if it’s in a country that could order data collection, and you “aim to misbehave,” I think it’s moot, since you should know better than to use email for that purpose.

    • muusemuuse@sh.itjust.works (OP) · 12 hours ago

      AnonAddy and SimpleLogin seem to replicate what I already do with the iCloud+ Hide My Email feature, but they also seem to have the same problem. Data flows through them, meaning they can all keep copies and sell that data, train AI on it, etc. All it takes is a shitty corporate merger and that security feature becomes a risk. So it looks like I would want to find an email provider that already offers unlimited email aliases since that would reduce the number of people handling the data.

      • Telorand@reddthat.com · 11 hours ago

        If you’re willing to pay for it, Mailbox.org would be my choice. No provider will give that feature away for free (which I’m sure you know). My threat model can tolerate an extra hand via Addy, so I don’t mind them being there.

        But no matter who you choose, email just isn’t the best option for true privacy. There will always be some cleartext email somewhere in the process, even if only sometimes. And as somebody once said, “No company is going to break the law for you.”

        If you need an extra level of privacy with email specifically, your best option is to self host. That way you control both the server and the database/storage.

        • muusemuuse@sh.itjust.works (OP) · 8 hours ago

          I won’t self host email. I just don’t have the skill to properly protect a public-facing server. I’m smart, but only enough to know I’m outgunned there. I’m not running some grand criminal enterprise. It’s more of a concern that I’ve been a bit lax in my online privacy and with the worldwide rise in fascism, I feel I need to resist (or at the very least, inconvenience) those who could do me harm.