If you are tired of hearing about the privacy invasions caused by using Gmail, you may wonder how to de-Google without accidentally switching to another insecure email provider.
In this blog, we will pinpoint the least secure email services so that you can determine which providers to avoid, and subscribe to a service that puts your email security and privacy first.
What makes email providers insecure?
You often get what you pay for when it comes to online services that provide top-line security and data privacy. Free services, for example, are frequently funded with revenue made from user data.
This means that the service provider has a vested interest in retaining access to your data, which creates privacy issues and security threats.
In addition, if the email provider does not provide secure client-side encryption for emails by default, it is possible that government snoops could access your emails via a warrant. In addition, there exists a threat of mismanagement and data leaks caused by the company.
A lack of end-to-end encryption for the emails stored on company servers will also mean that cybercriminals can breach your emails – because the keys for server-side encryption could be stolen from the email provider's servers.
What are the least secure email providers?
In this section, we will pinpoint commonly used email providers that are known for mishandling user privacy and data security. Many people use these free email services. However, in our opinion, it is much safer to migrate to an email provider that puts your privacy first. Thus, we recommend that you steer away from the email providers below!
Yahoo Mail is perhaps the most controversial and insecure email provider on this list. Yahoo's reputation was dealt a severe blow in 2016 when it was revealed that the company had provided government snoops with backdoor access to hundreds of millions of user accounts.
In order to give the NSA access to those accounts, Yahoo provided the government with a purposefully designed tool that could be leveraged to backdoor Yahoo Mail accounts en masse. The purpose-built tool was then used to search all incoming emails for keywords and information provided by US intelligence officials.
Even with this controversy aside, Yahoo remains a free email provider that retains full control over its user's email vault. As a result, it can theoretically access anybody's mail at any time. What's worse, those emails are at risk of cyberattacks due to the server-side encryption the company implements.
It is also worth noting that in 2017 Yahoo became a Verizon Media service, which means you must agree to Verizon Media's terms of service to use Yahoo Mail.
Those terms clearly remind users that personalization lies at the core of its services and that in order to provide personalized services and ads it will leverage its users' data.
Verizon Media analyzes and stores all communications content, including email content from incoming and outgoing mail. This allows us to deliver, personalize and develop relevant features, content, advertising and services.
AOL Mail is another email provider that is considered bad for user privacy and data security. The service became part of Verizon Media back in 2017 after the business was successfully acquired alongside Yahoo.
This includes "device specific identifiers and information such as IP address, cookie information, mobile device and advertising identifiers, browser version, operating system type and version, mobile network information, device settings, and software data."
In addition, the company reminds users that it "may recognize your devices" to provide you with "personalized experiences" and to advertise to you "across the devices you use."
Add to this the risks posed by server-side security and the potential for data leaks and data breaches it results in, and you can see why this is an email service that cannot be considered secure. Finally, Verizon Media has now agreed to sell AOL and Yahoo Mail to the private equity firm Apollo in a deal valued at $5 billion. This could mean further changes to both email services' ToS and policies.
Google is a company that already holds vast amounts of data about internet users. The company has a mountain of marketing information about people, which it uses to identify their likes and habits.
This data is collected every time you use Google to make a search, or browse the web using its popular Chrome browser. Add to this the data it can collect from Android phones via Google Services, and you begin to understand why this company controls so much information about consumers.
Having a Gmail account only increases the level of surveillance that the company can engage in, and Google is known to scan email subjects and contents. That said, the firm did finally stop scanning the contents of emails for marketing purposes in 2017. However, it is still scanning email subject lines, and it allows third parties to access email information.
In fact, even when Google claimed to have stopped automatically scanning emails for marketing purposes, the firm admitted it was still allowing third parties to access user inboxes. This allows those third parties to snoop on the sender and recipient, the time an email was sent, and even the contents of those emails.
In addition, it is vital to remember that Google completely controls access to your inbox, which means it can read your emails if it wants to for R&D and surveillance capitalism purposes, and it almost certainly is doing this via automated means in order to gather information about people.
Despite its claim that it does not use the contents of emails to market to users, data from your Google account is used to serve ads in your Gmail inbox.
Admittedly, Google is a company that works hard to prevent unauthorized access to email accounts. It is now forcing users with a linked device to set up two factor authentication, and it has strong measures in place to detect unusual activity.
However, it is worth remembering that any company that completely controls the keys to your email vault could theoretically be subjected to a cyberattack that allows hackers to steal the keys to your email vault. And the firm might be served a warrant and gag order that forces it to provide access to people's emails by the government.
Outlook is Microsoft's email service, and while it isn't as invasive as some of the other services mentioned in this guide, it is still not an email service that can be considered secure.
This shouldn't come as a surprise because Microsoft is known for engaging in high levels of surveillance capitalism – primarily by collecting sizeable amounts of telemetry via the Windows Operating System.
That said, according to Microsoft, "Outlook.com is a free personal email service from Microsoft that doesn't scan your email for the purpose of serving you ads."
This is certainly better than many other free email services. However, it is important to remember that Microsoft still controls the keys to your email vault. It is also an American company based in the US, which means it can be subjected to warrants and gag orders that force it to provide access to the data stored on its servers in complete secrecy.
A lack of client-side encryption means that it can search your emails if it wants to, and while it claims not to use the content of emails for advertising, it is possible that it could leverage them for other purposes, including training up its algorithms and developing new products.
In addition, it is possible that Microsoft could suffer a cyberattack in which the encryption key to your email vault is stolen from its servers. As a result, it is possible that hackers could access your emails.
Apple Mail is a service that is considered more private than the other email providers mentioned in this guide. Apple doesn't use user emails for marketing purposes, for example. However, the firm does control access to your emails, and it does automatically scan those emails to improve its software services.
That said, vulnerabilities have been discovered in Apple and iOS Mail in the past, and the company has received criticisms for its failure to properly acknowledge the severity of those vulnerabilities, and for its failure to deal with them swiftly. As a result, security experts harbor concerns over Apple's ability to secure email accounts, should more exploits be discovered.
Most recently, two severe security flaws were discovered in iOS Mail by ZecOps, a San Francisco-based mobile security company. Those vulnerabilities exposed users to severe security concerns that could have allowed hackers to access the contents of their email accounts. Also, according to ZedOps the Apple Mail App vulnerability was exploited in at least six cyberattacks in the wild.
Apple's failure to completely shore up its email services in the past doesn't bode well for the future, which means that it is hard to consider its email services truly secure.
It is also important to note that Apple is a completely closed source platform, so while the firm can make wild claims about privacy, it is impossible to know what it is doing with people's data. This means that there is an element of trust involved with how Apple manages people's accounts and data.
This raises concerns, because despite Apple's claims to be in favor of consumer privacy within its services and products, the firm has contradictory policies, and has consistently failed to shore up its ecosystem to prevent apps on the Apple store from performing invasive levels of tracking (something it could do if it wanted to because it has full control over what appears in the store). This raises serious questions regarding its true motivations.
Is it time to move to a secure and private email service?
The answer to this question is almost certainly yes! Free email services provided by major corporations open users up to privacy and security risks, because they all have dubious Terms of Service and privacy policies that threaten the privacy of their users.
At the end of the day, these companies provide free email services for a reason; they want to access those emails for research, development, and marketing purposes. The important thing to remember is that, when a service is free, this is because you are paying for it with your data.
Anybody interested in gaining higher levels of email security and access to encrypted emails that cannot be accessed by anybody is encouraged to move to an email provider with strong privacy policies that promise not to scan emails, and that provide email security like PGP natively within their apps to let you send emails that are secured with end-to-end encryption.