To better understand what the heck I’m getting into with migrating away from Gmail, I spent a few days doing research, reading posts on the interweb, and discussing some technical things with my technical friends. It is now clear to me that if I really wanted the highest degree of privacy and control over my email I would get a virtual private server (VPS) in a country in the EU and follow these instructions to setup an email server with encrypted message storage, full-text search, and nice spam filters. But the reason for doing this little Google extraction project isn’t to create the best email system ever, it’s to survey the landscape of alternatives to services from Google and migrate to those alternatives. Furthermore, I want any member of our digital culture to be able to follow what I am doing and take their data with them, without needing to possess tons of technical skills. So this means that the hunt is on for an email provider to host my data, not reinvent the wheel. Below are various considerations I’ve been thinking through.
Considerations
IMAP
The first thing I did when I started this was to look up instructions on technically moving emails from Gmail to another email provider. I found these instructions on leavegooglebehind.com. Basically, you need to make sure your new email provider has IMAP (which almost every email provider does now) and then you can easily, albeit slowly, transfer your emails to a new provider.
Custom Domain Name
A custom domain name is a must for me. For example when I switch my email, I would like to use tim [at] timschwartz.org rather than my new hosting provider’s domain (“tschwartz@newhostingprovider.com”). This is so that when I need to change providers again or migrate my data to a new system, I can keep the same email address. Most email providers offer this, though some make you pay extra for it.
Countries
I contacted a privacy lawyer I know and asked what countries would be good for protecting my data and not giving it to the NSA. He said that the NSA will get the email headers anyway when they are listening to all traffic going across the wires unless I use a VPN. As well, he said that countries’ laws and their collaboration with the US government might always shift in the future, so best to just pick one but stay up to date with privacy legislation in that country. But two loose recommendations on countries to go with would be The Netherlands or France.
Aside from this though, it is known that the EU’s privacy policies are more protective than the US’s and anything in the EU would be harder for the US government to get its hands on than if my data was stored by a US company.
Money
We all know (but forget most of the time) that nothing is free. Data storage costs money and right now each one of us that uses Gmail is paying for it with our own data. It’s just the way it works. Google searches through our emails for keywords and then shows us advertisements so that they make money. More eyeballs, more money. So if you don’t want your hosting provider to scrub through your emails then you have to pay cash.
Web Client
I primarily use Gmail through the web, not with a standalone email client. This is one way they are light years ahead of most: the interface is really slick on the website. I will be going back to the Stone Age and primarily using Mozilla Thunderbird on my computer to manage my email, but in a pinch it is vital that I can get to my email via a secure website.
CalDav
CalDav is the calendaring messaging system behind lots of calendars (iCal/gCal). If I can get an email hosting provider that has this as well, I won’t have to figure that out later on and can kill two birds with one stone, allowing me to sync iCal on my various devices with my email provider.
Data Encryption
I’m sure most of you reading this have heard about Lavabit and their shutdown a few weeks ago. Their service was based on encryption of their data on their server, so that if someone was able to break into their servers they still would not be able to decrypt and read the contents of emails that were sent and received by their users. This level of encryption is actually quite hard to come by from mainstream providers, simply because there isn’t a high demand for it, and the people who have demanded it went to Lavabit and other niche email providers. This is something that if I was building my own system would definitely do, but when seeking out a hosting provider I must weigh this in relation to how the provider supports the other concerns I’ve brought up here.
PGP Encryption
PGP (Pretty Good Privacy) is a type of data encryption that can be applied to emails such that the contents of emails can only be decrypted by the recipient with their key. All email hosts will work with this as long as the PGP is handled through a third party/desktop client like Mozilla Thunderbird. Some people are working on webmail clients that themselves support PGP, but in general webmail-based PGP a bad idea because users’ keys could be stolen from the server or java/javascript plugins could be hacked to steal them.