Here is a list of some of the most common mistakes and misconceptions people have about e-mail usage. The purpose of this list is to help users become more aware of the security and privacy risks involved in using e-mail, especially from the big e-mail providers.
* * * * * * * * * * * * * * * * * *
MISTAKE 1: I use a popular e-mail providerHotmail, Gmail and Yahoo are some of the worst e-mail providers available. They are run by the largest IT corporations in the world where e-mail is just a segment of their business rather than the main service, and because they are very popular they focus more in acquiring and maintaining a large user base rather than offering basic security and privacy features you could expect from a decent service. As an example, until not long ago none of them supported secure connection (SSL/TLS) while you were logged in, so if you were checking your e-mails from a public Wi-Fi, café or hotel anyone could easily intercept and read your messages.
MISTAKE 2: I think only the recipients can read my messagesWhen you send e-mails they reach the destination almost instantly, but to accomplish that they often travel through many machines, networks and even countries, and they can be easily intercepted by anyone who is in between such as network administrators, corporations and governments. It is similar to someone opening up your mail, reading it, copying it, putting it back in the envelope and forwarding it to you, except that with e-mail it leaves no traces that the message was intercepted.
MISTAKE 3: When I empty the trash bin I believe my messages were erased foreverWhen you empty the trash bin all you do is to erase the messages from yourself, from your own sight, but in fact they are still there stored in your e-mail provider's servers in the form of backup for an undisclosed period of time, possibly forever. That means that in the future all those messages you thought had been erased years ago can be leaked, exposed and used against you, some of which you certainly would't like to become public.
MISTAKE 4: I think it is great that my e-mail account is freeNothing is for free and your e-mail account is no different. While you don't pay the companies directly for it with money you do it with your privacy, which worths much more to them.
They track everything they can possibly obtain about you, including to whom you communicate, how often you communicate, the contents of your messages, your physical location, and other personally identifiable information. This is not limited to e-mails only. Since those companies also operate other business such as search engines, software development, social networks and online advertising, they often extend their tracking methods to those services and combine your data obtained from all of them to build a gigantic profile of yourself.
Now imagine all things you've ever searched during the last years combined in a single database that could be exposed or given to authorities at any time. That's what they have about you. And why do they do it? For two reasons: to sell you intrusive advertising based on your usage behavior, and to comply with government surveillance programs.
When they say they collect "certain types of personal information about our users" to "improve our service", that's exactly what they mean.
MISTAKE 5: I own my own messages, they are mineIn the US e-mails lose their status of protected communication after 6 months, which means that after this period the US government doesn't need a court order to break its secrecy, a single request (a subpoena) is enough for them obtain it. Note that you don't have to be in the US for that to happen, as long as you use a provider that has servers in the US, or your messages are routed through the US, you can expect that to happen. This applies to all messages you keep in your account, as well as the messages you deleted but they keep them in the form of backups for more than 6 months (which they all do).
MISTAKE 6: I think cryptography is unecessaryWhat is really unecessary is to send your messages exposed like a postal card so anyone can read them. Everybody uses e-mail these days and it is impossible to avoid the risks it poses, but there are many ways to protect against those risks, one of them is by using cryptography. Cryptography allows you to encode all your messages so only the recipient can decode them.
You have easily available to you high level cryptography for free that only brings benefits to you. It takes minutes to set up and and once configured it can be set to automatic, so you don't have to worry about enabling or choosing it every time. Another benefit is that it is compatible with any e-mail provider and you can still communicate with people who don't use cryptography if you want.
If you don't use cryptography you automatically indicate to others that you don't care about your privacy and security, as well as theirs, which lowers your credibility and makes it difficult for others to contact you to exchange more personal, sensitive information.
MISTAKE 7: I don't care about what the NSA is doingYou should because they care about what you are doing. Often people don't care because they don't live in the US, or they think they have nothing to hide.
The NSA is spying and monitoring digital communications from all around the world, not only the US. If you use an american e-mail provider then you are technically inside the US, subjected to US laws.
If you think you have nothing to hide then you better think again. We all have something to hide, especially from the ones who want to monitor us. Here is an example: if the US government decides to monitor everyone who may have an interest in bitcoins they can easily obtain from all e-mail providers the registers of all accounts that have sent or received a message cointaining the word "bitcoin" in the last 5 years. The companies will comply and provide those data to the government since they keep all the registers.
That could happen in any country with any other term. What is perfectly acceptable today, tomorrow may not be so.
Even if you really have nothing to hide in your inbox, you should still be aware that the same companies that provide you your e-mail account are collecting huge amounts of other personally identifiable information about you, which could then be given to authorities to monitor you without your authorization.
MISTAKE 8: I think my messages are safeKeep this in mind: if something - anything - is stored it can be leaked, breached and made public, and it probably will. In fact we might say it's certain that those things will happen one day and it's not far from now, it's just a matter of time. While the companies don't change their policies and practices, there is nothing you can do to prevent it from happening, except using cryptography.
MISTAKE 9: I trust my e-mail providerYou shouldn't, especially when they have a history of controversial business practicess. First of all they use vague, open-to-interpretation Privacy Policies and Terms of Service. That by itself should be enough reason for you not to trust them. Second, if for whatever reason your data gets compromised or exposed they can't be held responsible for it, it's your loss. And finally, you have your e-mail account for free, so technically you are not even a customer.
MISTAKE 10: I believe I have privacy onlineIn the digital age if you want privacy you have to go for it. By default most systems you use every day such as e-mail, chat, VoIP and the web lack even basic security simply because most users are not aware of the risks and do not ask for it. Corporations take advantage of this fact and do not invest in improving their services because that would result in increased costs to them without a direct return. If you question them about it they will give canned responses such as how they take their customers' privacy seriously and how they comply with thousands of regulations (which are flawed and don't work at all).
Unfortunately it will take some time until companies start offering more secure systems by default, but that is not an excuse to remain insecure since there are already many tools available to protect your privacy in all those services. As this post deals primarily with e-mail, we recommend that you use GNU Privacy Guard to protect your e-mails.
* * * * * * * * * * * * * * * * * *
There is much more to cover than what is presented in this list, but hopefully by now you are more aware of some of the privacy and security risks of using e-mail.
If you have any comments or suggestions, feel free to give your feedback by replying to this thread. Thank you!
The Golden Keys Team
