More Privacy

Summary

To reduce the profiles that the big data companies can maintain about me, I am using:

  • ExpressVPN
  • Duck Duck Go
  • Fastmail

Or, how much data is too much data?

In 2018, I chose to sign up for a VPN, especially for the fairly numerous times that I’m using random wifi networks. As Michael Grothaus points out in Fast Company, internet service providers have been given more leeway to sell your online history, which is obnoxious.

A great many sites have moved to HTTPS, which does help. ISPs and snoopers will have less ability to see what you’re doing. ISPs can still draw insights, however, from the IP addresses you’re sending traffic to and, unless you use a third-party DNS server, the domain names you look up. In fact, it occurs to me now that ISPs can likely inspect DNS packets, so they know the names you’re looking up even when you’re not using their DNS servers! Sheesh.

And then you’ve got the info vacuums of companies like Facebook and Google. I’m not a heavy user of Facebook, but I’ve been using gmail since shortly after it launched in 2004. Someone on Twitter recently pointed out Google’s Purchases page. Yep, Google has parsed every receipt I’ve gotten and put it into a purchase history.

Unlike Facebook, which had numerous privacy snafus in 2018, I trust Google’s security practices and that they don’t randomly share data with other companies (though they certainly use it to target ads!). The problem is that they’re a public company and need to maximize value for their shareholders. Their founders won’t always be at the helm. Can I trust the unknown, future Google with all of that data?

There’s been a lot of blowback in the press (see this article from the EFF for examples) from Facebook’s privacy missteps, but it hasn’t seemed to have much measurable impact on Facebook’s usage. That could embolden Google and others to eventually take steps that are less respectful of people’s privacy.

I think it’s worth repeating: I think Google of today is a far better steward of data than Facebook. Apple, today, is an even better steward of personal data, because their business model is built around selling products rather than data. They go out of their way to avoid collecting it if they can, going so far as to encrypt your photos and do machine learning on your devices so that they have no access whatsoever to your photos in iCloud. Their machine learning is trained using techniques that make it impossible to link the training data with the original creator of it.

Web trackers

Google, Facebook, and other advertising networks follow your movements around the web. Those little Facebook Like buttons and the behind-the-scenes Google Analytics allow those services to build up profiles of all of your browsing habits. Google, of course, also has the millions of Chrome users.

It’s too much

Many non-technical folks aren’t aware of the kind of detailed profiles these companies build up about us. Profiles that are both detailed and, potentially, full of erroneous assumptions based on data they’ve collected but misinterpreted. Some people use the “I have nothing to hide” argument, to which Wikipedia has a nice collection of responses.

Everything I’ve said to this point has been about private companies. I live in the United States of America and the founders of the US did not trust the people in government to “do the right thing”, so they created the Bill of Rights to protect the citizens from an overreaching government. As the internet has grown, the government has been going beyond what I think is good policy, so caring about your privacy also goes along with protecting your rights as a citizen.

I think we all have a line we draw after which we say “this is too much”, and seeing the Google purchase history marks the point at which I’ve reached mine.

VPN

After looking at various reviews and the features offered, I opted for ExpressVPN (this is not an affiliate link, I get nothing if you click through there). They offered the device support and speed that I wanted. Had I thought about it earlier, I would have written down my decision criteria here.

Duck Duck Go is the premier search engine that doesn’t track you.

Non-mined email

Though I’ve been using gmail for a very long time, my primary email addresses have always been at domains that I own. This will make it easier for me to transition to another service.

When I searched for email services which protect privacy, I got a lot of results which were focused on providing the ability to securely send end-to-end encrypted messages. They had a wide variety of features and tradeoffs, all working around inherent limitations of email protocols.

As of this writing, I chose Fastmail as my solution. My requirements are:

  • Good privacy
  • Not too expensive
  • Custom domain support with aliases
  • Ability to set up at least two accounts
  • Clients for the devices I use
  • Spam protection
    • Google’s spam protection is really good

I also have the following non-requirements:

  • Ability to send PGP or otherwise end-to-end encrypted messages to other people

I ended up with Fastmail and after a day with it, I am very happy with the choice. It’s still importing my huge gmail backlog, but it does indeed work “fast”, and their support for multiple domains is really easy to use.

Someone asked about a somewhat similar set of requirements on Reddit.

One possibility is iCloud. I’m already paying Apple for additional storage, and iCloud mail works with any mail app I’d want to use. As I noted earlier, Apple does not make money by mining your data. That said, in order to support normal IMAP features like search, your email data is not encrypted on their servers in a way that would keep even Apple employees from accessing it. There’s the possibility that future Apple could decide to monetize data, which would be a real shame. The biggest problem I have with iCloud, though, is that iCloud doesn’t support custom domains.

Restore Privacy has a good roundup from November 2018: Best Secure Email Providers.

Tutanota is intriguing because of how deep their security is. They do support custom domains, and their pricing is reasonable. But in order to provide that great security, they had to go with non-standard apps for all access and those apps don’t provide the usability of more standards-based apps. There is often a tradeoff between security and convenience, and I think this tradeoff goes too far for me, though I have not yet decided for sure.

Tutanota brings up an interesting point: their approach is super secure. If I go with someone else, people at that company would be able to read my messages. Why would I trust those companies if I’m not going to trust Google? The reason is simple: these little companies are building their businesses specifically on privacy. Facebook can get away with privacy issues because of their market position. These companies cannot.

Andy Schwartzmeyer described how he got Posteo to work with a custom domain, taking advantage of forwarding from Gandi and Mailroute for spam filtering. I wonder if the approach he takes for custom domains in Posteo would work for iCloud?

A lot of people seem to like Fastmail. For $50/year/account, they support aliases and custom domains. They’ve been around for a long time and provide a service that people appreciate. They do provide their own spam filtering. In many ways, Fastmail does sound like what I’m looking for.

Another option I have: I have used Dreamhost for years to handle hosting for some of my websites, my domain registration/DNS, and email forwarding. I could switch to using Dreamhost for my email hosting as well. They support standard protocols. They allow for aliases and multiple email accounts. My hosting plan includes “unlimited” storage. It’s really quite a good deal. The only problem is that Dreamhost is primarily focused on web hosting and they provide a lot of services to a lot of people for a low price. My concern is that the service would be less reliable than others.

Generally, I’ve found Dreamhost’s support to be quite good and the service to be overall pretty reliable. Reviews are not always positive, which is often the case because there’s a selection bias around reviews. But I do worry about the multiple times I’ve seen people talk about “losing email”. I also just remembered a time when Dreamhost started bouncing email to my primary email address, making sites with that address start failing. That took a bit of effort to clean up, and one site hasn’t sent me email since.