Email Comparison by That One Privacy Guy

Welcome to the Email Comparison! This section is meant to be a resource for anyone who values their privacy and is looking for real information about email services (that isn’t disguised advertising). As my VPN project grew, some readers requested information about the best email services for maintaining their privacy.

I make every effort to keep the data on the Email Comparison Chart up to date. However, parts of it could be incorrect for various reasons, including if a given email service is not transparent and does not make information available on their official site. Please do your own research if you can’t find information that matters to you. If a company does not make certain data available on their website, I may assume the worst and use a default field. My chart doesn’t make any claims about any service: it simply shows a summary of all the information available (or notes where data is lacking).

If you work with an email company and would like me to update your information, feel free to contact me citing a proper source on the official website. I will be happy to update your data!

The charts are color-coordinated like this:

Green – Generally good.
Yellow – Something of concern.
Red – Something major of concern.
Blank – Undefined or for reader’s knowledge only.


Simple Email Comparison Chart

See how these fields are calculated here.

You can download the original (up-to-date) file using these links: Excel (xlsx) | LibreOffice (ods)


Detailed Email Comparison Chart

See what these fields mean here.

(Data last updated on 5/27/2018).

You can download the Email Comparison Chart in other formats below: Excel (xlsx) | LibreOffice (ods) | CSV (csv)


Email Comparison Chart Formulas

The Simple Email Comparison Chart is a simplified overview of the massive amount of raw data in the Detailed Comparison so it’s more accessible to people who don’t care about every data point.

Since I’m forced to use weighted values for this kind of comparison, I want to be completely transparent and open about how I’ve calculated each value.

Jurisdiction:

Red Flag: Five Eyes country, Enemy of the Internet, or not disclosed.

Yellow Flag: Nine Eyes country, Fourteen Eyes country, owned by a Five Eyes country, or cooperative with their authorities.

Green Flag: Not a Fourteen Eyes country and also not an Enemy of the Internet.

Logging: Points are given for each type of data an email service logs. Categories other than traffic logging are awarded 1 point each, with half points for undisclosed categories, or for “See Note”. None given for a clear “not being logged” stance.

Red Flag: 2 or more points in the category.

Yellow Flag: fewer than 2 points in the category.

Green Flag: .5 or fewer points in the category.

Activism: If a service doesn’t offer an anonymous payment method (including email), I automatically awarded 3 points here. I also gave points for not accepting Bitcoin, not using an open source platform (.5 for only open sourcing part of the platform), and not having a PGP key.

Red Flag: 5 or more points in the category.

Yellow Flag: fewer than 5 points in the category.

Green Flag: 2 or fewer points in the category.

Service Configuration: I gave points for red categories in the service configuration section, with half points for a “No” in POP3.

Red Flag: 2 or more points in the category.

Yellow Flag: fewer than 2 points in the category.

Green Flag: .5 or fewer points in the category.

Security: I gave 1 point if the user doesn’t control a private key, the service doesn’t use encryption (1 for transit/rest), or if it doesn’t specify the kind of encryption being used.

Red Flag: If 2 or more points given in the category.

Yellow Flag: fewer than or equal to 2 points in the category.

Green Flag: .5 or fewer points in the category.

Availability: I gave 1 point for < 3 connections, 1 point for no custom domain, and 1 point for each “No” in the features section. I also gave 1 point for services offering less than 1 GB of storage for both email and documents.

Red Flag: More than 3 points in the category.

Yellow Flag: 3 or fewer points in the category.

Green Flag: 1 or fewer points in the category.

Website: I gave 0 points for 0 persistent cookies, 1 if < 5, 2 if < 10, and 3 for more than 10. Similarly, I gave 0 points for 0 external trackers, 1 for < 3, 2 for < 10, and 3 for more than 10. I gave 0 points for 0 proprietary APIs, 1 for < 5, 2 for < 10, and 3 for more than 10. 0 points for A+ or A server grade, 1 for B, and 5 for anything below B. I gave 0 points for a self-signed cert, 2 for CloudFlare or Incapsula, and 3 for no cert.

Red Flag: more than 6 points in the category.

Yellow Flag: 6 or fewer points in the category.

Green Flag: 3 or fewer points in the category.
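
The Website scoring above, worked through as an added Python example (not the author's spreadsheet formulas). The provider names and counts are constructed; scoring a count of exactly 10 as 3 points and rejecting grades the text does not cover (such as A-) are assumptions.

```python
# Added example: the Website category rules from the text, in code.
# Boundary handling that the text leaves open is marked as an assumption.

GRADES_BELOW_B = {"C", "D", "E", "F", "T"}  # SSL Labs grades lower than B

# Cert values named in the text; any other value raises KeyError.
CERT_POINTS = {"self-signed": 0, "cloudflare": 2, "incapsula": 2, "none": 3}


def bucket(count, low, high=10):
    """0 points for none, 1 below `low`, 2 below `high`, otherwise 3.

    The text says "3 for more than 10" and leaves exactly 10 unspecified;
    scoring 10 as 3 is an assumption made here.
    """
    if count < 0:
        raise ValueError("count cannot be negative")
    if count == 0:
        return 0
    if count < low:
        return 1
    if count < high:
        return 2
    return 3


def grade_points(grade):
    """0 for A+ or A, 1 for B, 5 for anything below B."""
    if grade in ("A+", "A"):
        return 0
    if grade == "B":
        return 1
    if grade in GRADES_BELOW_B:
        return 5
    # For example A-: the text does not say how it is scored.
    raise ValueError(f"grade {grade!r} is not covered by the scoring text")


def website_points(cookies, trackers, apis, grade, cert):
    """Sum the five Website sub-scores for one provider."""
    return (bucket(cookies, low=5)      # persistent cookies
            + bucket(trackers, low=3)   # external trackers
            + bucket(apis, low=5)       # proprietary APIs
            + grade_points(grade)       # server SSL grade
            + CERT_POINTS[cert])        # certificate type


def website_flag(points):
    """Map points to a flag.

    The stated ranges overlap (3 is both "3 or fewer" and "6 or fewer"),
    so the best flag is tested first.
    """
    if points <= 3:
        return "Green"
    if points <= 6:
        return "Yellow"
    return "Red"


# Constructed sample rows, not taken from the chart.
SAMPLES = {
    "example-a": dict(cookies=0, trackers=0, apis=2, grade="A+", cert="self-signed"),
    "example-b": dict(cookies=4, trackers=2, apis=6, grade="B", cert="self-signed"),
    "example-c": dict(cookies=12, trackers=10, apis=0, grade="C", cert="cloudflare"),
}


def score_all(samples):
    """Return {name: (points, flag)} for every sample row."""
    results = {}
    for name, row in samples.items():
        points = website_points(**row)
        results[name] = (points, website_flag(points))
    return results


if __name__ == "__main__":
    for name, (points, flag) in score_all(SAMPLES).items():
        print(f"{name}: {points} points -> {flag}")
```
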

Pricing: There are maximum price cells at the bottom of the price columns. I gave zero points to providers in the bottom third (least expensive) for price and price/connection, 1 point for the middle third, and 2 points for the top third (most expensive). I gave zero points if a service offered a free trial (or free service), and 1 if they didn’t. I gave zero points for 30 days or longer for a refund (or service free of charge), 1 point for 14 days or more, 2 points for 7 or more, and 3 points for less than 7.

Red Flag: more than 6 points in the category.

Yellow Flag: 6 or fewer points in the category.

Green Flag: 3 or fewer points in the category.

Ethics: I gave 1 point for each good faith column violated. I gave 1 point for each “no” in affiliate policies, half a point for “some”, and 0 for a “yes”. I gave 1 point for each affiliate violation. I only tracked ethics for the fields indicated. Services may have shady dealings outside of these fields.

Red Flag: 3 or more points in the category.

Yellow Flag: fewer than 3 points in the category.

Green Flag: 0 points in the category.


Terms in the Email Comparison Chart

Jurisdiction: Negative scores are not necessarily reflective of the companies or their policies; this column pertains to the country a service is based in.

Fourteen Eyes countries: “Owned” means that a country or location isn’t a Five Eyes country itself, but is a territory or commonwealth of one. Second tier “cooperative” countries are determined by Privacy International.

Enemy of the Internet: Based on the 2014 Enemies of the Internet report by Reporters without Borders.

Logging: These metrics are collected from companies’ official websites and other reputable sources. This section takes each company at their word. It’s up to the user to decide who is trustworthy. The term “logging” refers to long-term storage of information, and not real-time monitoring.

Anonymous payment method: A service offers at least one payment method that does not require personal information. “Email” in this field is considered better than “No”, since an email address may or may not be tethered to an individual’s identity. This does not include companies which claim that you can just falsify personal information and technically be anonymous. It’s to highlight companies that don’t ask for it in the first place.

Open source platform: The service in question has built their product on a free (as in freedom) and open source platform. They make their source code available for independent audits and review.

Gives back to privacy causes: A given service supports (typically by way of donations) organizations and worthy causes which are important to privacy. Examples include donations to the EFF, FSF, OSTIF, and other organizations, FOSS audits, etc.

Meets PrivacyTools IO criteria: This means the email service:

  • Operates outside the US.
  • Uses SSL encryption.

More information is available at privacytools.io.

Webmail access: The service provides a method to connect remotely using a web portal to check and send messages.

Header info stripped: The service takes steps to remove or obscure email headers to provide a greater degree of privacy for the sender.

Protocols (POP3, IMAP, SMTP): The service provides for using the respective protocols to send and receive email through third party applications (Thunderbird, K-9, etc).

User can control private key: The user has direct access to their private key. They have the ability to upload their own key, and to download and view the active private key (if applicable).

2FA option: The service provides a two-factor authentication option.

# of addresses: A 25 in this field indicates no advertised limit for the number of addresses (done this way for conditional formatting purposes only).

Custom domain: The customer can use their own domain for an address through the service.

Supports CalDAV, WebDAV, CardDAV, or ActiveSync: The service supports syncing non-email resources (for example, calendars, contacts, and tasks) with third party applications and mobile devices.

Storage: The amount of cloud storage provided for email and documents. If pooled, the number is shown twice.

Number of persistent cookies: Using webcookies.org – persistent cookies.

Number of external trackers: Using webcookies.org – third-party cookies.

Number of proprietary APIs: This field is derived from a urlquery scan of each service’s website. Not all services are of equal concern (or of any concern at all). This is a loose indication of how committed to free software a company is.

Server SSL rating: Run using Qualys SSL Labs – SSL Server Test Tool.

Pricing: Pricing is based on the service’s normal rates, and doesn’t take into consideration promotions, coupons, or sales.

Refund window: Often, payments made by cash or Bitcoin can’t be refunded. Users should research as needed. As this field only allows a numerical value, services that show -1 indicate a free service.

Falsely Claims Service is 100% Effective: No security or privacy setup truly offers 100% protection or is a bulletproof solution. When a company uses hyperbole or otherwise claims 100% effectiveness for anonymity, privacy, or security, it misleads potential customers who may not know better and harms users who expect it to be true. Some claims are more blatant than others, but any claim that could be construed as a surefire way to be anonymous is counted.

Incentivizes social media spam: These companies offer rewards such as extra data allowances or free subscription time to users posting about their service on social media. This clogs up research channels and pads the number of likes (and amount of attention) a given service or feature receives. This also includes affiliates who post “deals” on behalf of the company to bring in traffic. This could mislead customers.

Forbids spam: Email or comment spam (by affiliates).

Ethical copy: Some companies expect their affiliates to use ethically acceptable copy (keywords, terms, meta tags, descriptions, and web designs) in their advertising campaigns. Ethically acceptable copy is considered copy that is not deceptive and doesn’t impose on the trademarks, copyrights, or intellectual property of another product, company, or entity. Purchasing advertisements on search engines with the names of the represented companies is strictly prohibited.

Requires full disclosure: This includes, but is not limited to, Federal Trade Commission 16 CFR Part 255 (or equivalent): Guides Concerning the Use of Endorsements and Testimonials in Advertising. This requires that material connections between advertisers and endorsers be disclosed. This means that directories, review/rating sites, blogs and other websites, and emails that purport to provide an endorsement or assessment of a company must prominently disclose that financial or similar compensation is provided by the advertiser.

Affiliates: Affiliates are free agents bound to the terms of the companies they represent and given commissions or incentives to funnel traffic and referrals to the company’s site via affiliate links. While companies are not directly responsible for their affiliates’ actions, they have a responsibility to keep affiliates and resellers operating within the terms of their partnership. Ideally, this means not spamming, breaking copyright, and providing full disclosure.


Choosing an Email Service

Disclaimer: The guide below is my opinion. I will try to provide evidence and examples to support what I write. I reference my Email Comparison Chart throughout because I believe that it’s a solid resource to help you determine if an email service meets your needs and is right for you. Much of this guide is relevant to my other projects and is therefore repeated in the other guides on the site. If you’re ready to go down the email rabbit hole, buckle up – this is going to be long.

Contents

  1. Introduction
  2. A Word About Trust
  3. A Word About Email Affiliates
  4. Privacy
    a. More on Trust
    b. More on Affiliates
    c. Jurisdiction
    d. Logging
    e. Payments and Communications
    f. Email Is Not Secure or Private by Nature
    g. Free and Open Source Software
    h. Encryption and Other Features
    i. Websites and Your Privacy
  5. Security
  6. Clearing up Misconceptions

1. Introduction

The following is intended as a detailed guide to answer the question, “How do I choose the best email service for me?” This is hard because people’s needs and level of technical knowledge vary greatly. There is no one perfect email service: they all have some flaws and different characteristics which make them better for different people.

2. A Word About Trust

You need to know that the email service you choose is trustworthy and won’t compromise your communications. Even if you only plan on sending casual messages or other non-privacy uses, keep reading. I’ll go into more detail in the “Privacy” section, but it’s important that you understand how your email provider protects your privacy.

We live in a society where privacy is undervalued and under assault daily. Some people eventually notice that their privacy is at risk and discover that they actually do value it. They set out to educate themselves and learn about tools to help them protect it – like I did when I started my project. We depend on each other for direction and on others to write software and run services to help keep us secure, so transparency and trust are paramount.

3. A Word About Email Affiliates

You may have started your search for an email service by looking for “email service reviews” in your search engine of choice. This would have returned pages of what seem like harmless review sites, or “top 10” or blog-style reviews of different email services. You may even have come to my site for confirmation of what those other sites recommended. The sites making these recommendations are, in almost every case, paid by the services they review and recommend. They are beginning their business relationship with you with what essentially amounts to a lie. The technical term for this kind of marketing is “native advertising”, and its abuse is a huge problem in the email service industry.

I intentionally recorded information about affiliates on my Email Comparison Chart. It includes data on services that have affiliate programs, the specific policies they have for their affiliates, and whether or not the affiliates act ethically: essentially, what the services tolerate from those representing them when it comes to persuading you to buy into their service.

Not all affiliates are bad actors, and having an affiliate program is not necessarily a reason to mistrust an email service. It becomes problematic when those services allow their resellers to generate referrals by any means necessary. If the same names reappear on multiple sites, there’s a chance the company in question is paying for referrals, and that they’re ok with building unethical practices into their business models. Companies often claim that they can’t control how their affiliates behave. This is false. Like anyone entering into a business relationship with someone, affiliates agree to certain terms from the service hiring them. If a company doesn’t expect and enforce certain standards from their affiliates (not spamming, not breaking copyright, disclosing who they are etc), they are approving these unethical methods. As such, they are not worthy of your trust. If they are willing to lie to you before you even buy their service, you can expect dishonesty as a customer.

4. Privacy

a. More on Trust

If you’re looking for an email service for privacy purposes, you already believe that certain parties are not trustworthy. Those parties might be big corporations who offer tempting free services but collect and analyze your communications, or maybe even oppressive governments whose unlawful surveillance is encroaching on your rights. If you’re in a position where you must rely on someone other than yourself for protection, the last thing you need is one more party that you can’t trust.

Choosing who to trust is an important decision, and not all email services deserve that trust. You’re trusting them to be able to operate a competent service that will protect your privacy. You’re trusting them to be responsive to new technical and geopolitical threats to their operation. You’re trusting them to be honest with you in the way they do business so that when you are shopping and comparing, you are getting accurate information.

b. More on Affiliates

I talked about affiliate practices above, so I will only briefly mention them here. If you choose a company with an affiliate program, choose one that expects and enforces good behavior from their reselling partners. You can usually read their affiliate terms on their site. If they are not publicly visible, they should respond with this information when asked. If not, or if they play games with you, look elsewhere. More information on affiliate policies and behavior can be found in my Email Comparison Chart.

c. Jurisdiction

In the last few years, we’ve learned that various countries are conducting mass surveillance programs. These countries are known as the Five, Nine, and Fourteen Eyes. These countries don’t just spy on their own citizens. They also spy on each others’ citizens and swap notes to bypass governmental restrictions on power. If a service or the people who run it are based in one of these countries, we can reasonably expect that they may be susceptible to unlawful searches and compromises made in the name of national security. That said, if your threat model includes protection from such actions, choosing a company incorporated outside of these jurisdictions may still not be enough to protect you. Such actors have vast resources, and if singled out, you would need to worry about more than just your email service (and use other resources like PGP, S/MIME, and paying very close attention to your opsec).

Other countries are not part of the spy collaboration mentioned above, but still have government limitations on internet freedom and free speech. Avoid countries with limited internet freedom. The degree of internet freedom a country has can also be found under “Jurisdiction” on my chart.

d. Logging

When you send communications through an email service, you are not sending your message directly to your recipient, but are routing it through the service itself (similar to how a postal service processes mail before sending it out). The email service is a “man in the middle” who you trust with your communication and metadata. Some email services choose to log this data. There are many reasons for doing so, some more legitimate than others. They may want legal protection, to help maintain their services, or to sell your information to third parties. If privacy concerns you, you probably want your information to remain private. Choose a service that states that they do not keep logs and which specifies the types of logs they do not keep. Many services claim not to keep logs, but when examined are shown to be logging some data.

e. Payments and Communication

Assuming privacy is your priority, only some payment methods are worth considering. Services that let you pay with cryptocurrency, cash, or gift cards are the best way to ensure that you retain your anonymity. If a service requires more personal information than an email address, look the other direction – this is information they’re recording about you that may be sold to third parties or used to identify you.

Some services offer a PGP key for additional privacy. This is a nice thing to have if you want to be able to communicate with them using encryption.

f. Email Is Not Secure or Private by Nature

Unfortunately, email was not designed with privacy or security in mind. However, it is a reality of our world, which means we have to rely on additional layers of protection through other kinds of software and encryption. Below I will talk about using free and open source software and encryption to shore up email’s weaknesses.

g. Free and Open Source Software

Free and open source software is one of the most important trends in technology today. By allowing others to review code and systems used in our software platforms, we can help ensure the transparency needed for trust. These systems can be independently audited by anyone with the inclination, which means malicious systems are both less common and easier to root out. Specifically look for a service which builds its platform on free (as in freedom) and open source platforms and makes both the server and client side software available for audit and review. This is one way that we can help ensure that our communications are being responsibly handled. As I said previously, transparency comes before trust.

h. Encryption and Other Features

Encryption provides a simple-to-use method that the average user can take advantage of to reinforce their right to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.

There are many different kinds of email encryption protocols that companies use to secure your message both while in transit and at rest on their servers, and some are more secure than others. Certain protocols are proprietary and it is impossible to tell if they are or in the future may be compromised. Others are free and open source, and as such are freely available for security experts to audit and improve. The free availability of the source code helps to ensure that vulnerabilities are patched quickly and that individuals can see exactly how their software works. Choose an email service that uses SSL encryption when sending and receiving messages. Avoid using other protocols unless you have a very good reason; specifically avoid proprietary solutions as they are not suited for privacy.

Wherever possible, use encryption (specifically OpenPGP or GnuPG). This is another topic entirely which really needs its own guide, but there are lots of good resources for how to get started generating a key pair and learning more about its uses.

i. Websites and Your Privacy

When you’re browsing through services’ websites, there are some additional items you may want to consider. Some companies use tracking cookies to determine how to best serve you ads, track which other sites you’ve been to, or uncover specific personal information. In the best case scenario, this is an abuse of power by companies stretching the limits of their ideas on how to gather this information. In the worst cases, cookies can be used to intentionally violate your privacy and link your device to a certain site or activity performed. Choose a company that respects your privacy enough to use few (if any) persistent or external tracking cookies. If companies begin violating your privacy the moment you visit their site, you can’t trust that they will take your privacy seriously after you hire them to represent your interests. HTTPS allows websites to completely encrypt all data sent and received by the user, effectively blocking out anyone who might try spying on such web traffic. Choose a service that encrypts their website with an SSL Certificate.

Additionally, CloudFlare, Incapsula, and similar services have recently become popular with websites for their DDoS protection and dynamic bandwidth scaling. However, these services act as an additional man in the middle between your email provider’s website and you. In the wrong hands, the information they collect and can access about your provider’s website and your interaction with it could be compromised. Avoid email services that use CloudFlare, Incapsula, and other such services.

5. Security

Many of the points made above are relevant to security as well as privacy. I’ll go into detail below.

Jurisdiction, specifically Enemies of the Internet, is important because it ensures our information is being handled by people who are not obligated to disclose it. It also helps indicate that the services we use are located in places that respect internet freedom. This information can be found on the Comparison Chart and confirmed on Reporters Without Borders’ Website.

SSL encryption should be used by your service for transit of your communications. Some form of FOSS encryption like OpenPGP should be used when your communication is at rest on your service’s servers. I prefer using my own client-side encryption to secure my messages, in which case it is stored encrypted by default. Note that no encryption protocol is bulletproof. You are your own weakest link when it comes to your security. There are myriad ways for your communications to be compromised outside of your encryption keys. Use caution and common sense.

6. Clearing up Misconceptions

Warrant Canaries – Some email services maintain a document called a Warrant Canary which is self-published and updated. It certifies that the company has not been contacted by government agencies or coerced into compromising their users’ data. In theory, if someone demanded that they hand over data, they could stop updating the canary, which would in turn show users that their data is no longer private. Not all companies use effective warrant canaries. Some experts debate if warrant canaries are effective in the first place, as theoretically governments could coerce companies into maintaining them, nullifying their integrity. As such, they are usually nothing more than marketing theater. It’s basically impossible to tell if a company is operating a good canary. It might be worth looking for a warrant canary once you’ve found a trustworthy, capable service, but don’t make it a feature to check for when shopping around.

About the Author

I started researching data about VPN services for my own knowledge, then posted the information online in the hopes the Internet might find my work useful for themselves. Through the positive feedback and assistance those in the community offered, I’ve been able to take this step into compiling all of my related work in one location and moving away from the Google Spreadsheet that it was originally created on.