Review

Free privacy conscious webmail options


Disclosure: compensated affiliate: click here for more information

Even if Google manages to prevent NSA backdooring of its servers (if it is not in bed with the NSA anyway), it nevertheless represents the biggest threat to privacy the world has yet seen, as its business model relies on scanning users’ emails (and recording their searches, Skype conversations, Google +1’s, etc.) in order to find out as much as it can about them, so that it can then serve up highly personalized ads.

The reason Google was able to achieve the almost unassailable market dominance it now enjoys is that it offers internet users easy to use, highly functional tools, without asking for any money in return (little do most users realize they are instead paying for the services with their privacy and their souls).

Central to this strategy is Gmail – a ‘free’ email service (first introduced in 2007) featuring a lightweight and intuitive interface, which can be effortlessly accessed from any web browser, and because it is hosted on the web, will sync across any device.

Even though many users are increasingly aware of the privacy dangers using Gmail presents, it remains the world’s most widely used email service, boasting over 425 million active users worldwide.

Beyond simple laziness, the reason many concerned users have yet to jump ship is that there are a very limited number of email services out there which offer similar levels of web-based functionality, while also being ‘free’ (as in cost no money), and at the same time providing improved privacy.

It is therefore high time to survey the available webmail services which are free, and which promise to protect users’ privacy…

Autistici/Inventati

Formed by a group of Italian ‘techies, nerds and activists’ who are ‘antifascists, antiracists, antisexists, antimilitarists’ volunteers, A/I offer a range of non-commercial anonymity services, including personal VPN, mailing lists, forums, chat, and of course, email.

A/I mail uses the Roundcube webmail interface, and offers around 25 domain names. There is no automated signup service, so users must request an account, and are required to install A/I’s self-signed TLS certificate (which causes it to fail the SSL Labs test despite having excellent connection security).

Although the service is technically ‘free’, A/I is run by volunteers, and therefore relies on donations, so users are actively encouraged to assist with running costs.

Ads: no
Aliases: up to 5
Terminated if inactive for: 180 days
Encrypted by default: yes
Inbox size: unlimited (within reason)
POP/IMAP: yes
Based: Italy
Perfect Forward Secrecy: yes
JavaScript required: yes
Antivirus/spam filtering: Clam AV, SpamAssassin
User IP in mail headers: No (webmail & SMTP)
Signup through Tor: Yes
Max attachment: 10MB
Servers in: Norway, Netherlands, Iceland
Connection Security: TLS 1.2, AES256 GCM and SHA384 with ECDHE RSA

Mailtoo

Based wholly in France (and with a website also wholly in French), Mailtoo is built 100% using open source software. Unfortunately, full disk encryption is not used, and users’ IPs are only removed from webmail (not SMTP), but SMTP does remove users’ mail client user agent string, and Perfect Forward Secrecy (PFS) is used. User IP addresses are collected, but the logs are not kept.

Fortunately for non-French speakers, the Roundcube webmail interface can be set to almost any language. An email address is required for signup, but this is not a big problem as the activation code is sent immediately, so a disposable address works fine.

Ads: no
Aliases: Unlimited
Terminated if inactive for: n/a
Encrypted by default: yes
Inbox size: 1GB
POP/IMAP: yes
Based: France
Perfect Forward Secrecy: yes
JavaScript required: Yes
Antivirus/spam filtering: none
User IP in mail headers: yes (webmail), No (SMTP)
Signup through Tor: Yes
Max attachment: 5MB
Servers in: France
Connection Security: TLS 1.0, AES256 CBC and SHA1 with DHE RSA
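
The ‘User IP in mail headers’ entries, and the note that a provider may strip the IP for webmail but not for SMTP (or strip the user agent string), can be checked by sending yourself a message through each route and reading the headers that arrive. The following is an added example, not part of the original article: the sample messages, host names, addresses (documentation ranges) and the provider_nets parameter are constructed for illustration.

```python
import email
import ipaddress
import re
from email import policy

IP_HEADERS = ("X-Originating-IP",)  # extend with other headers you observe
AGENT_HEADERS = ("User-Agent", "X-Mailer")
IP_LITERAL = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

# Constructed samples (documentation address ranges, made-up host names).
LEAKY = """\
Received: from mx-out.example.net (mx-out.example.net [198.51.100.25])
 by mx.recipient.example with ESMTPS; Mon, 01 Jan 2024 10:00:05 +0000
Received: from [203.0.113.7] by webmail.example.net with HTTP;
 Mon, 01 Jan 2024 10:00:00 +0000
X-Originating-IP: [203.0.113.7]
User-Agent: ExampleMailClient/1.0
From: alice@example.net
To: bob@recipient.example
Subject: header test

body
"""

STRIPPED = """\
Received: from mx-out.example.net (mx-out.example.net [198.51.100.25])
 by mx.recipient.example with ESMTPS; Mon, 01 Jan 2024 10:00:05 +0000
From: alice@example.net
To: bob@recipient.example
Subject: header test

body
"""


def _parse_ip(text):
    """Return an address object for text such as '[203.0.113.7]', or None."""
    try:
        return ipaddress.ip_address(text.strip().strip("[]"))
    except ValueError:
        return None


def leaked_identifiers(raw_message, provider_nets=()):
    """Report sender IPs and client software strings visible in the headers."""
    # provider_nets: the provider's own ranges, expected in Received lines.
    nets = [ipaddress.ip_network(n) for n in provider_nets]
    msg = email.message_from_string(raw_message, policy=policy.default)
    candidates = []
    for name in IP_HEADERS:
        candidates += [_parse_ip(str(v)) for v in msg.get_all(name, [])]

    # Received lines are prepended, so the last one is the first hop: the
    # connection from the sender's browser or mail client to the provider.
    hops = msg.get_all("Received", [])
    if hops:
        from_clause = re.split(r"\sby\s", str(hops[-1]), maxsplit=1)[0]
        candidates += [_parse_ip(m) for m in IP_LITERAL.findall(from_clause)]

    client_ips = []
    for addr in candidates:
        if addr is None or addr.is_loopback or any(addr in n for n in nets):
            continue
        if str(addr) not in client_ips:
            client_ips.append(str(addr))

    agents = [str(v) for h in AGENT_HEADERS for v in msg.get_all(h, [])]
    return {"client_ips": client_ips, "agents": agents}
```

Without provider_nets the provider's own outbound relay is reported as well, so list the provider's ranges when comparing services.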

Openmailbox

Another French service, Openmailbox was created in response to Edward Snowden’s NSA revelations (this time the quite professional looking website is in English however), and its dedication to privacy is generally very good. Users should be aware, however, that Openmailbox logs IP addresses accessing its servers, and it does not remove details about users’ client user agent.

The web interface is the now familiar Roundcube, but Openmailbox has built in Roundcube’s OpenPGP plugin, which provides up to 4096-bit key generation (keys are stored locally in your browser’s web/DOM storage, but we are unable to determine the security implications of this). Full disk encryption is also used.

Ads: no
Aliases: Unlimited
Terminated if inactive for: n/a
Encrypted by default: yes
Inbox size: 50MB
POP/IMAP: Yes
Based: France
Perfect Forward Secrecy: yes
JavaScript required: yes
Antivirus/spam filtering: Clam AV, SpamAssassin
User IP in mail headers: no
Signup through Tor: Yes
Max attachment: 5MB
Servers in: France
Connection Security: TLS 1.2, AES256 GCM and SHA384 with ECDHE RSA

ProtonMail

ProtonMail is a crowdfunded project (which raised over 5 times its goal) that is generating quite a bit of excitement among the security community at the moment. It was created by Harvard PhD candidate, Andy Yen, who was working at CERN when the Snowden revelations became public, and offers end-to-end encrypted email based in Switzerland (which has some very strong privacy laws).

At present, ProtonMail is still in Beta (and we are still awaiting a space to become available), but it looks very promising. JavaScript based OpenPGP is baked-in, and keys can be managed from within your browser, although unencrypted messages can of course also be sent. Full disk encryption, open source cryptography, self-destruct messages, and mobile apps are all features ProtonMail boasts will be on offer when it goes live.

When a place becomes available in the beta program, we will review ProtonMail in greater detail.

Ads: no
Aliases: ?
Terminated if inactive for: ?
Encrypted by default: yes
Inbox size: 50MB
POP/IMAP: Yes
Based: Switzerland
Perfect Forward Secrecy: ?
JavaScript required: yes
Antivirus/spam filtering: ?
User IP in mail headers: ?
Signup through Tor: ?
Max attachment: ?
Servers in: Switzerland
Connection Security: TLS 1.0, AES128 CBC and SHA1 with DHE RSA

Riseup (.onion address also available)

‘Riseup provides online communication tools for people and groups working on liberatory social change. We are a project to create democratic alternatives and practice self-determination by controlling our own secure means of communications.’

You cannot simply sign-up to Riseup (pun only half intended), but must request an email address or be invited by two people you know. During sign-up you are asked about your political beliefs, and there are reports of people being turned down on the basis of what they have written here (although there is no requirement to write anything).

Riseup does not log users’ IP addresses, features an on-screen keyboard for secure login, removes IP addresses and user agent information from all emails, and uses PFS. Users can choose SquirrelMail as a webmail interface, or Horde IMP 3, which includes instant messaging and PGP encrypted email (up to 2048-bit key).

One drawback with Riseup is that the inbox size is somewhat limited.

Ads: no
Aliases: unlimited (with reason)
Terminated if inactive for: 6 months
Encrypted by default: yes
Inbox size: 25MB to 92MB
POP/IMAP: Yes
Based: US
Perfect Forward Secrecy: yes
JavaScript required: yes
Antivirus/spam filtering: Clam AV, SpamAssassin
User IP in mail headers: no
Signup through Tor: Yes
Max attachment: 2MB
Servers in: Seattle & Washington (US)
Connection Security: TLS 1.0, AES256 CBC and SHA1 with DHE RSA

Senditonthenet

Not strictly an email service (although users are identified with an @senditontheinternet domain name), Senditonthenet allows users to encrypt files locally in their browser, and send them securely to other users over HTTPS using Perfect Forward Secrecy. Although it claims no software download is required, users must install a JavaScript browser extension, the code for which is open for auditing.

Non Senditontheinternet members can send members encrypted files without the need to register, using a funky ‘drop box’ feature (not to be confused with Dropbox!).

Ads: no
Aliases: none
Terminated if inactive for: n/a
Encrypted by default: yes
Inbox size: 25MB to 92MB
POP/IMAP: no
Based: UK
Perfect Forward Secrecy: yes
JavaScript required: yes
Antivirus/spam filtering: no
User IP in mail headers: no
Signup through Tor: Yes
Max attachment: 80MB
Servers in: Manchester (UK)
Connection Security: TLS 1.2, AES256 GCM and SHA384 with ECDHE RSA

Unseen.is

In addition to email, this Icelandic provider offers secure video chat and VoIP. While the basic service is free, a premium option is available for $47 per year. As well as a web based interface, Unseen.is offers stand-alone clients for Windows, OSX and Ubuntu, and is working on apps for Android and iOS.

Rather than use AES (which like us they consider potentially compromised), Unseen.is has developed its own open source cryptographic libraries called AESx and NRTU.

‘Messages on our service are sent using 4096-bit encryption, which is considered extremely strong. You generate your keys with extremely strong lattice based encryption. To that, we add an advanced symmetrical encryption which is very easy to use with keys 16x longer than those found in AES256, an industry standard. According to our engineers, this will take 23840 times longer to crack than aes256, which is commonly known as “military grade” encryption.’

The email client uses PGP encryption, although unencrypted messages can also be sent. An email is required to register, but registration is immediate so this can be a disposable one.

Ads: no
Aliases: none
Terminated if inactive for: n/a
Encrypted by default: yes
Inbox size: 10MB (2GB paid)
POP/IMAP: yes
Based: Iceland
Perfect Forward Secrecy: yes
JavaScript required: yes
Antivirus/spam filtering: Clam AV
User IP in mail headers: no
Signup through Tor: ?
Max attachment: 50MB (40GB paid)
Servers in: Reykjavik (Iceland)
Connection Security: Proprietary 4096-bit encryption based on open source standards.

VFEmail (.onion address also available)

VFEmail is a commercial US-based provider which offers a free email account option. This is ad supported, and includes a link to VFEmail.net in the footer of each message. Users can choose between Roundcube and Horde IMP versions 3 and 5 (default) for a webmail interface, and benefit from PGP encryption, perfect forward secrecy, and IP masking (using Roundcube only).

Paying customers also benefit from the Metadata Mitigator™, a technology that “prevents the NSA (or any other eavesdropper) from tracking your communications back to you, or profiling your communications, based on email ‘envelope’ information.”

Ads: yes (paid: no)
Aliases: none (various paid options)
Terminated if inactive for: 180 days suspended (280 days deleted)
Encrypted by default: no (paid: yes)
Inbox size: 50MB (various paid options)
POP/IMAP: yes
Based: United States
Perfect Forward Secrecy: yes
JavaScript required: yes
Antivirus/spam filtering: Clam AV
User IP in mail headers: no (webmail if using Roundcube), yes (SMTP, or if using Horde webmail)
Signup through Tor: Yes
Max attachment: 50MB (40GB paid)
Servers in: Milwaukee & Wisconsin (US), Netherlands
Connection Security: TLS 1.2, AES128 GCM and SHA384 with ECDHE RSA

Vmail.me

This secretive French service does not provide any information about itself, but offers full disk encryption on its servers, removes users’ IP addresses and user agent information from all emails, and uses PGP.

Interestingly, according to the privacy policy Vmail uses an open source alternative to Google Analytics, called Piwik, which respects the Do Not Track (DNT) technology and anonymises visitors’ IP addresses (last two bits). Vmail also says that it abides by the EU Data Retention Law, but as this has been struck down by the European Court of Justice, it is unclear whether this still applies.

Ads: no
Aliases: none
Terminated if inactive for: 9 months
Encrypted by default: yes
Inbox size: 25MB (various paid options)
POP/IMAP: yes
Based: France
Perfect Forward Secrecy: yes
JavaScript required: yes
Antivirus/spam filtering: yes
User IP in mail headers: no
Signup through Tor: Yes
Max attachment: 500MB
Servers in: France
Connection Security: TLS 1.2, AES128 GCM and SHA384 with ECDHE RSA

Zoho Mail

Zoho is a business-focused commercial email service based in the US, which offers free email accounts. Interestingly, even free accounts get access to Zoho’s Google-like online office apps (which also integrate with Google Docs), and can host a domain on Zoho’s servers.

Signup requires an active email address, and IP addresses are not hidden, but Perfect Forward Secrecy is used.

Ads: no
Aliases: none
Terminated if inactive for: 120 days
Encrypted by default: yes
Inbox size: 5GB
POP/IMAP: yes
Based: United States
Perfect Forward Secrecy: yes
JavaScript required: yes
Antivirus/spam filtering: yes
User IP in mail headers: yes
Signup through Tor: no
Max attachment: 30MB (but 5GB document storage)
Servers in: Atlanta & Georgia (US)
Connection Security: TLS 1.2, AES128 GCM and SHA384 with ECDHE RSA

The Rest

Closed down or no longer free

The casualty rate among free and secure webmail services is high, while others no longer offer free email accounts.

  • Cyber-Rights – basically a rebranding of Hushmail – now that Hushmail has stopped offering free email accounts, so has Cyber-Rights (although existing users can still access their accounts).
  • FastMail – although no longer free, FastMail remains a well-regarded and reputable service.
  • HushMail – not only is Hushmail no longer free, but the fact that it holds users’ encryption keys means it can be (and has been) coerced into handing them over to the authorities. Hushmail therefore also belongs on the ‘not recommended’ list below.
  • Lavabit – the owner of Lavabit, Ladar Levison, famously shut down this service rather than hand over customers’ keys to the feds. He is currently working on a promising looking project called Dark Mail.
  • My Opera Mail – closed down on 3 March 2014.
  • Privat DE Mail – the webpage of this Egypt-based service became unavailable earlier this year. No further information is known.

Not recommended

We do not recommend the following free webmail services:

  • GMX – is owned by German ISP United Internet AG. In addition to not stripping users’ IPs from mail headers, or allowing signup over Tor, all email recipients are auto-added to a Contact List which cannot be edited, deleted, or opted out of.
  • HideMyAss – the basic service only lets you receive emails (not send them), although users can open their SMTP ports to host a full email service themselves. The main problem is that all registration info is stored for two years after you delete the account. Count us out!
  • Mail.com – owned and operated by the same company who runs GMX (United Internet AG), Mail.com suffers the same problems.
  • Mail.ru – we see this service get recommended a lot, and it is Russia’s most popular email service. However, Edward Snowden’s leaked documents specifically name Mail.ru as a participant in the NSA’s XKeyscore training program.
  • SAFe-mail – not only uses closed proprietary encryption, but as an Israeli company it needs to be licenced by the Israeli Ministry of Defense (and is therefore likely compromised in order to obtain such a licence).
  • Seznam.cz – this Czech web portal offers free email, but doesn’t let you sign up over Tor, includes users’ IP in mail headers, and includes ads. It is not awful, but there are many better services out there.
  • Web.de – only open to residents of Germany, Austria and Switzerland, Web.de is owned by 1&1 Media, a subsidiary of our by now old friend United Internet AG. Tor signup is banned, and IPs are included in mail headers.

This article builds on work published by the_simple_computer website, for which we are extremely grateful.


Douglas Crawford I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. Find me on Google+

21 responses to “Free privacy conscious webmail options”

  1. I’m really interested what else mailboxes I can use except tutanota and protonmail. I use anonymous emails to sell game accounts and I need a lot of them.
    Tutanota and protonmail are great (because are really easy to transfer to someone else when selling) but have restrictions – protonmail account can be made once a few days from same ip, same for tutanota (tutanota bans accounts that are made more often than once a two days from same ip). I try to find not necessary encrypted free email service – but not personalised (I don’t want to write my name and surname – those emails will be sold …).
    Anyone know service that allow to make multiple emails even once a few days, and are easy to sell/transfer ?

  2. Privacy is a freedom that most governments will not give to their citizens. One argument is that governments cannot allow privacy because the “good guys” and “bad guys” cannot be separated without surveillance. Bad guys with a sanctuary cannot be terminated, and they may overthrow the government that provides them with privacy. Some governments may think that some of sites listed above are run by bad guys. These “bad sites” must be neutralized. Other governments may approve of these same sites and support them.

    My opinion is that the data collected by Google will be mined by the U.S. government. The negotiations between Google and NSA will go dark. For a single pc user the greatest threat to privacy comes from Google. My experience is that Google Ipv4 will not accept VPNs, blocked cookies, or blocked JavaScripts. That is why a VPN is useful. Google protects the user by not interacting with the user.

    1. Hi Samson,

      I agree that Google is one of the biggest threats to our privacy, and that this can and will be leveraged by (mainly) the US government. People should migrate away from Google services asap.

    1. Hi Gellba,

      To be honest, I have not heard of Fripost before, which is probably at least in part due to most of the information that is available being in Swedish. After a little research, it does seem an interesting idea – a sort of email collective. I will put it on my list to investigate further.

  3. For me, Openmailbox FTW. When the original article was written, things were different back then, but now most of the listed providers either turned free-trial or do not provide anything useful for free (and some of them actually stopped allowing you to signup). ProtonMail, A/I and Riseup look plain stupid due to their invitation/political review signup policy: I’ll never share anything other than desired login/password pair. Actual list, I think, might be the following:

    – Openmailbox (nuff said) – they also offer you a free 1 GB OwnCloud storage in addition to every registered inbox;
    – sigma.email – they also allow secure SMTP/IMAP connection but do not strip user IP headers when sending from Thunderbird;
    – Tutanota (nuff said) – aside from no SMTP/IMAP support, the only catch is that the email gets locked forever after deleting the account and you can’t re-register it anymore;
    – discard.email – they promise all emails are stored 30 days maximum, allow you to specify your own domains, even those banned by PawnMail and other similar services (tk, ml, cf, ga, gq etc), offer a convenient browser add-on. But they have the following limitations though: web interface only, 15 outgoing emails per-hour with captcha and no option to send plaintext.

    All of the above are really free, ad-free (they will not modify your texts in order to insert any ads) and unobtrusive. I’d personally use Openmailbox in conjunction with any Cypherpunk-type anonymous remailers for sending and discard.email for receiving the replies.

    Btw, never trust your email to any Russian company.

    1. Hi Revoltech,

      As you note, this list is a little out of date (ProtonMail and Tutanota in particular have shaken up the market). When I have the time I will update it.

    1. Hi Vera,

      I wrote this article quite a while ago, so cannot remember all my sources. At least part of it came from OpenMailbox’s own Privacy Policy though (which is currently down as OpenMailbox seeks funding).

  4. I’m shocked to see Yandex Mail in this list. Yeah, it’s not going to share your email with US but it has to pass all the traffic in realtime to Russian’s FSS. It’s waaay worse than NSA

  5. Hey, just wanted to point out that ProtonMail’s servers are not located in France as you wrote, but rather in Switzerland where the company is based.

  6. If I were to use one of the recommended ‘secure’ webmail services in this article to send and receive emails to and from other people, would those people also need to be subscribers? Or could they simply send me emails from their own GMail, Outlook, etc. accounts, and receive my emails into their accounts, seamlessly? In which case, wouldn’t all our email exchanges be subject to surveillance, anyway, as soon as they left my server and entered GMail or Yahoo or Roadrunner email or whatever other systems they were using? I don’t have any secrets to hide; I just inherently dislike and distrust privacy-invasive webmail services that collect far too much information on everyone.

    1. Hi bobw,

      All services listed here allow you to send emails to and receive emails from users of ‘regular’ services such as Gmail etc. As such, you are correct… although these services do not spy on you, other services your email passes through can and do. I suggest that you look into ProtonMail and Tutanota as these services not only encrypt emails sent between users, but also allow non-users to reply to encrypted messages securely.

    1. Hi Ian,

      I have tried to be as comprehensive as possible, but I may have missed one or two services. I will look at SmartMail within the next few days, and add it to the list. If I have missed any other service, I encourage readers to let me know! Edit: After doing a quick bit of research, the only SmartMail I can find is an open source email client – not a service. Am I missing something?
