List of providers
Everyone is entitled to their email privacy. Take back control of your data and experience a clean inbox with no advertising.
Okay, I'm in! Just give me a minute to check if the evidence supports your claims...
When you visit our website we may collect information about you, including your browser type, operating system and the Internet Protocol (“IP”) address of your computer. We use this information to facilitate your use of the website, gather market information and prevent abuse of our services.
No thanks. But wait, that's only the website - I could possibly deal with that if the actual mail service was private. But is it?
We take steps where possible to limit the personal information we collect.
Wow, thanks! So let's see just how limited those "limits" are:
As part of the account creation process your IP address will be recorded. We may request that you provide other information, such as a phone number, as well. We use this information to analyze market trends, gather broad demographic information [...]
Asking for my phone number is very "limited" indeed. And the market trends shit rears its ugly head again.
Information we record may include [...] account usernames, sender and recipient email addresses, file names of attachments, subjects of emails, URLs in the bodies of unencrypted email, and any other information that we deem necessary to record for the purposes of maintaining the system and preventing abuse.
So you're even snooping on the links in my messages! And "any other information" is an admission that they could possibly collect everything they imagine. But why pretend it's about "preventing abuse"? Just say you're in the business of gathering information.
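An added example (not from the original page or from any provider's code) of what a mail server can record from a message passing through it, using the fields the quoted policy lists: addresses, subject, attachment file names and URLs in the body. The addresses, subject, URL and file name are constructed, and the comparison with a PGP/MIME message (RFC 3156 layout, placeholder ciphertext) goes slightly beyond the quoted policy to show which of those fields client-side encryption removes from the server's view.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from email.utils import getaddresses

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample: the same mail after client-side PGP/MIME encryption
# (RFC 3156 structure). The armored block is a placeholder, not real ciphertext.
PGP_MIME_RAW = """\
From: alice@example.org
To: bob@example.net
Subject: Clinic appointment
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

(constructed placeholder)
-----END PGP MESSAGE-----

--b1--
"""


def build_plain_message():
    """Constructed sample: an ordinary unencrypted mail with a link and a PDF."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.net"
    msg["Subject"] = "Clinic appointment"
    msg.set_content("Results are at https://clinic.example/r/12345 - see attached.\n")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="blood-test.pdf")
    return msg


def load_pgp_mime_message():
    """Parse the constructed PGP/MIME sample the way a receiving server would."""
    return message_from_string(PGP_MIME_RAW, policy=default)


def provider_view(msg):
    """Return the fields a server can read without holding any decryption key."""
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    view = {
        "sender": str(msg["From"]),
        "recipients": [addr for _name, addr in recipients],
        "subject": str(msg["Subject"]),
        "attachments": [],
        "urls": [],
    }
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            view["attachments"].append(name)
        # Only readable text parts can be scanned for links; ciphertext cannot.
        if part.get_content_maintype() == "text":
            view["urls"].extend(URL_RE.findall(part.get_content()))
    return view


def hidden_by_encryption(plain_view, encrypted_view):
    """Names of the fields that differ once the body is encrypted client-side."""
    return sorted(k for k in plain_view if plain_view[k] != encrypted_view[k])


if __name__ == "__main__":
    plain = provider_view(build_plain_message())
    enc = provider_view(load_pgp_mime_message())
    for label, view in (("plaintext", plain), ("PGP/MIME", enc)):
        print(label)
        for field, value in view.items():
            print(f"  {field}: {value}")
    print("hidden by encryption:", hidden_by_encryption(plain, enc))
```

Sender, recipient and subject stay readable in both cases because they travel in the message headers, which PGP/MIME as laid out here does not encrypt.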
We store sales, marketing, and customer care information with third-parties that support these business processes, which means that information such as your name, email address, phone number, and company name, as well as the history of communications related specifically to the sales or customer care process, may be stored there.
And now my name and phone number are being sent to whoever the fuck. Could this get any worse?
The records we keep of your activities are permanently deleted after approximately 18 months. Records that are stored for statistical purposes may be kept indefinitely.
I forgot to mention that Hushmail actually wants money for all this abuse! And it doesn't even support mail clients. Taking all that into account, this is without a doubt the worst choice on this whole list. And they have the audacity to claim stuff like this:
Hushmail has been providing secure, private and encrypted webmail solutions since 1999. Here is why our customers trust our experience in the field.
Yeah sure - very trustworthy you are!
If you register to use, or use, one of our websites or services [...] personal information that may be collected directly from you includes name, billing address, mobile phone number, organisation name, your own domain name, IP address, browser user-agent and billing details
Name, phone number, address. You're off to a fast start towards privacy hell, FastMail.
We process mail sent and received from your account to block spam and fraud.
The private FastMail scans your mail.
We also store information from your address book, calendar, notes and files on our servers.
Is there anything you guys don't store?
We also collect the email content you create, upload, or receive from others
Guess not - even other people aren't safe from FastMail's prying eyes.
Each time you connect to our service, we log your IP address, your client identifier (browser or mail client information) and your username. If you send mail, we also log the email address you're using to send mail and the email address you're sending to. If you take action on mail in your mailbox, we also log the activities taken.
So literally your every move is being tracked and logged. And now for some humor - look at how they justify themselves:
This is necessary for providing proof of delivery and fraud analysis.
Sure. I wonder why almost no other provider on this list is doing so, then? Now check this admission (from section "How do we use the personal information we collect from you?"):
conduct analytics and measurement to understand how our services are used;
Oh, so it was about analytics all along, instead of "fraud analysis" or some other bullshit excuse. And for something even more damning (from section "Sharing personal information with others"):
We may share your personal information [...] with third parties who help manage our business and deliver services [...] Some of these providers use “cloud based” IT applications or systems, which means that your Personal Information will be hosted on their servers
And now all the stuff I've talked about will be put on some third party servers.
We may use your name and email address to send direct marketing communications to you and let you know more about our services or related services that we believe will be of interest to you
You will also be flooded with directed advertisements. But how does FastMail know what "will be of interest to you"? Of course, it's because of all that collected data - which, remember - includes your mail content! Later they claim that they don't profile you to send targeted advertisements, but that seems to contradict the above - and we should always assume the worst. FastMail also uses the Matomo tracking service, which was described in detail in ProtonMail's section. Anyway, that's quite a lot of data collected - but how long does it stay around?
Where we log information related to your IP address, we retain this information for approximately 90 days.
Where you request that we delete your account from our system, we will immediately lock the account and archive the information, then delete it from our servers within approximately 7 days from the date of your request.
Not bad, I guess. I mean, some other providers take a year or more...But wait:
However, in specific limited circumstances we may store your personal information for longer periods of time
After an account is terminated, data and backups are purged within a timeframe of between 37 days to 1 year after closure
So you do take a year after all. And you fucking lied straight to our faces with the 7 day thing. This seems more and more like some entry-level trolling...Can we say anything at all positive about FastMail in light of the information presented? I guess this:
Providing secure end-to-end encryption via webmail is impossible. There are basically two options, both flawed:
That's right - it's the same thing I've been speaking about. So at least they don't pretend to have some super-duper in-browser encryption. And maybe another thing:
We won't release any data without the required legal authorisation from an Australian court. As an Australian company, we do not respond to US court orders.
But remember that some of your data will be stored on third party servers in other countries, which might have some different ideas...All in all, I struggle to provide a reason to use this one at all. The amount of stored data is simply massive (and I didn't even cover all of it), it's shared with third parties and used for sending advertisements - and you have to pay for all that.
Data about your device, your device configuration, and nearby networks. For example, data about the operating systems and other software installed on your device, including product keys. In addition, IP address, device identifiers (such as the IMEI number for phones), regional and language settings, and information about WLAN access points near your device.
It's not enough for them to know how you're using their services - Microsoft will also snoop on everything else you're doing with your machine. Ugh.
Data about your interests and favorites, such as the sports teams you follow, the programming languages you prefer, the stocks you track, or cities you add to track things like weather or traffic. In addition to those you explicitly provide, your interests and favorites can also be inferred or derived from other data we collect.
Not sure how applicable the above is to E-mail specifically - but it clearly shows the attitude of Microsoft towards your privacy - which is a complete disregard for it.
Data about your contacts and relationships if you use a product to share information with others, manage contacts, communicate with others, or improve your productivity.
Information about your relationships and interactions between you, other people, and organizations, such as types of engagement (e.g., likes, dislikes, events, etc.) related to people and organizations.
Data generated through your use of Microsoft’s communications services. Traffic data indicates with whom you have communicated and when your communications occurred
Now these are surely relevant to E-mail. Not only does Microsoft keep your contact list, but also when you have written them. What about the duration of data storage? Unlike Google, Microsoft does graciously tell us something about it:
when your Deleted Items folder is emptied, those emptied items remain in our system for up to 30 days before final deletion
So, we know that - when we delete an E-mail - it's gone in 30 days at most. This sucks, but at least we get told about it - which many allegedly private providers can't manage to muster. As for the other data, we're unfortunately left with vague statements such as:
Microsoft retains personal data for as long as necessary to provide the products and fulfill the transactions you have requested, or for other legitimate purposes such as complying with our legal obligations, resolving disputes, and enforcing our agreements.
Realistically - considering the avalanche of various anti-privacy and anti-user stuff in their policy - we should assume the other data is stored for much longer than the actual mail content (you'd think they'd mention the duration if it was something they could have bragged about). Okay, there's just one more transgression of note that I want to cover:
To build, train, and improve the accuracy of our automated methods of processing (including AI), we manually review some of the predictions and inferences produced by the automated methods against the underlying data from which the predictions and inferences were made.
That's right - Microsoft uses your data to train their AI. The same crap Google has been pulling for years with their ReCaptcha. If you were considering Outlook as your E-mail provider (why?), this alone should drive you away from it. The ToS also makes SJWs look like freedom lovers by comparison. Same as with Gmail, Outlook does support mail clients and is free - which are the only advantages of the service.
Fuck it, I'll give it a proper review, because why not? It's not even the worst provider out there, if you can believe it. It does support mail clients, for one - so it automatically has an advantage over many of the ones advertising privacy and user respect that are webmail-only. My VPN was not blocked, though it did ask for my real name (which you can fake) as well as requiring phone confirmation - which I ended up choking on.
Unfortunately - as if it wasn't obvious - mail client support is the only positive Gmail has. Well, it's also free - but you pay with giving up an amount of data which other providers can only dream of matching. For example:
unique identifiers, browser type and settings, device type and settings, operating system, mobile network information including operator name and phone number and application version number. We also collect information about the interaction of your apps, browsers and devices with our services, including IP address, crash reports, system activity, and the date, time and referrer URL of your request.
We use various technologies to collect and store information, including cookies, pixel tags, local storage, such as browser web storage or application data caches, databases and server logs.
There is much more. It's not an exaggeration to state that every step you take, every move you make while using Google is stored and analyzed (and the duration is not stated, as far as I can see - so assume it's forever). What makes it worse is that you can't sign up just for Gmail, but need a Google account for every one of their services. So, if you're logged in (because you're using their webmail, for example), then they can also track you all over YouTube, etc. and mix up all the information to make a profile. Google is also a PRISM member, so your stuff is likely ending up grabbed by law enforcement (they've shared location data with them before). And, using Google's services means you enable all their unethical practices (such as shoving ReCaptcha into our faces, heavy censorship on their search engine, widespread tracking and ads, their monopoly on browsers, etc). Other providers - even those of the spying sort - pretty much limit themselves to mail; they don't have the worldwide influence on so many things as Google does. So, you should specifically avoid Gmail just to inhibit their quest for world domination (did you know they can even lock you out of your house?) - even if they're not the worst provider out there.
I wasn't supposed to review any more trash providers but this one stood out and someone requested it, as well. I'll be quick here, I promise. You need to get a domain with these guys before registering for their E-mail. The domain registration process needs an account with your real name, phone number, E-mail address and physical address. If that wasn't enough torture: to pay with cryptocurrency, you need to register for the third party payment provider BitPay - which is Cloudflared, requires solving reCaptcha, and providing them a fucking ID document! Holy shit. Are you a masochist? Then Gandi is the perfect provider for you! And yet, they have the audacity to advertise themselves as having
UPDATE May 2022: requires reCaptcha again, but allows you to bypass it by "upgrading your account", whatever that means (probably paying). Still asks for your real name; registration also fails on Pale Moon. Everything else is as shit as it was when I wrote the first report, except the site is now behind the evil Cloudflare. Mail clients are supported, but auto-configure doesn't seem to work. Accepts signing up from a VPN, and that's where the positives end...A lot of suspicious things in the user agreement; going over all of them would take a year, so I will discuss only the most important ones:
[...] VFEmail.net can terminate and/or change and/or modify your account [...]
modify my account? What the fuck? This can literally mean anything, including rewriting your mail, deleting contacts, or changing the password. Suspicious as fuck!
[...] VFEmail.net or its designee may disclose information to third parties about User and User's use of the Service [...]
Great! Prepare yourself for your privacy being ripped away and thrown around to advertisers and trackers.
User acknowledges and agrees that content, including but not limited to text, software, music, sound, photographs, graphics, video, or other material contained in sponsor advertisements or information presented to User through the Service or advertisers is protected by copyrights, trademarks, service marks, patents, or other proprietary rights and laws.
So you will be sent advertisements and can't even show them to anyone. By the way, I've confirmed they add ads to your mail. Whenever you send anything from the free VFEmail account, your recipient gets this:
This free account was provided by VFEmail.net - report spam to [email protected] ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of the NSA's hands! $24.95 ONETIME Lifetime accounts with Privacy Features! 15GB disk! No bandwidth quotas! Commercial and Bulk Mail Options!
If you do receive mail between your last POP and the snapshot at 12am, it will exist on backup for a week - unless it's on Saturday night, then it's a year.
WTF? These guys must be trolling around here. Your mail is stored in a backup for a week...except on Saturdays! How random.
As for other data, you don't get told what gets stored and for how long. If you still didn't get the memo - get away from this crap! Honestly, it looks as if some jokers just slapped all the anti-user things they could think of, advertised themselves with bullshit like the "Metadata Mitigator™" - for which of course you have to pay - and went around their merry way while raking in the cash. This might be worse than Gmail, which is more honest in regards to their (lack of) privacy and provides all its features for free.
And if you try to receive confirmation through a RiseUp E-mail, it says this:
So, SMS is the only option (unless you want to donate, which would reveal your personal information of course); therefore their claim that "ProtonMail does not require any personally identifiable information to register" is a shameless lie. Proton later included the option to solve a hCaptcha (used to be reCaptcha) for confirmation; however, the option disappears while using a VPN. They must really want that damn phone number if you are using anonymizers! And the claim that you can sign up without personal data is still false.
We employ a local installation of Matomo, an open source analytics tool. Analytics are anonymized whenever possible and stored locally (and not on the cloud).
All standard statistics reports: top keywords and search engines, websites, social media websites, top page URLs, page titles, user countries, providers, operating system, browser marketshare, screen resolution, desktop VS mobile, engagement (time on site, pages per visit, repeated visits), top campaigns, custom variables, top entry/exit pages, downloaded files, and many more, classified into four main analytics report categories – Visitors, Actions, Referrers, Goals/Ecommerce (30+ reports)
So that's the website. What about the e-mail service?
we have access to the following email metadata: sender and recipient email addresses, the IP address incoming messages originated from, message subject, and message sent and received times. [...] We also have access to the following records of account activity: number of messages sent, amount of storage space used, total number of messages, last login time.
Great, even more metadata than Tutanota (if you trust Tutanota's claims that they collect as little metadata as they say they do). And then there's this gem:
When a ProtonMail account is closed, data is immediately deleted from production servers. Active accounts will have data retained indefinitely. Deleted emails are also permanently deleted from production servers. Deleted data may be retained in our backups for up to 14 days.
Read that again! Indefinite retention of data by the "private" ProtonMail! And 14 days for deleted data - enough for "them" to get you. At least there's disk encryption...UPDATE August 28; a direct admission they do store IP logs forever in certain cases -
"and your IP address may be retained permanently if you are engaged in activities that breach our terms and conditions." Their TOS says this:
"You agree to not use this Service for any unlawful or prohibited activities. You also agree to not disrupt the ProtonMail networks and servers", which can cover pretty much anything.
If you read their transparency report (archive), you will see quite a lot of requests for their data from governments all around the world. ProtonMail pretends to "require a Swiss court order" to cooperate - but you see that they often do that before receiving it - so don't expect that to protect you. One particularly egregious example is from May 2018, where they disabled an account because of terrorist allegiances - and we all know that's not just a convenient excuse these days, right? The new transparency report shows they've complied with 336 government data requests in 2018 alone - including 76 foreign ones. Oh, and since August 28, they finally admit to direct surveillance -
UPDATE: this is no longer valid. But I'm leaving it up to show that these frauds do not care about security at all. And they still have OTHER clearnet redirects up! Even this one took them way too long to fix it. And they seemingly did it ONLY because I trashed them for it. Otherwise, you'd keep being violated by the malicious redirect, since ProtonFail still shows no indication of caring about the user at all.
UPDATE May 2022: the new interface contains dark patterns! Look:
This button appears on the index page. And when you click it, instead of a creation screen for the free account that you were promised, you see this:
Everything on this screen is trying to get you to buy the most expensive plan (even though "Mail Plus" provides pretty much the same features if you only care about the E-mail). Starting from its middle position, which is the part most visible to your eyes. The purple border and button instead of boring white. The full storage bar making you feel like you're getting a crippled version of the service with the other options. The shiny fire button screaming at you how it's the most "popular" option (is it really more popular than the other plans?). Then there is the arrow pointing at the 24 month option (this ensures that, even if you find a better provider, Proton will still run away with your cash). We can add the dark patterns to the pile of reasons to avoid Proton.
But let's assume there aren't any dark patterns. The "Mail Plus" plan still costs more than a mail account alone should. And the free plan is useless, as it does not support mail clients. So, Proton's "Mail Plus" is not only outclassed by cheaper paid plans like Posteo, but also free ones like Disroot. That is even if you ignore the privacy issues. Just bury Proton already.
Free 7 day trial and then you have to pay. No mail client support. Claims to encrypt metadata and senders instead of just messages. Blog and support forum appear pretty dead; FAQ is also outdated - says Scryptmail is only a year old, but it's actually 4.
sent times metadata is stored. On the other hand, if someone using another provider sends an e-mail to your Scryptmail account, the collected data extends to this:
sender and recipient email addresses, the IP address incoming messages originated from, message subject, body and attachments and message sent and received times.
Other stored information includes:
Last login time, IP address, User agent, API call.
Though they claim that they "have no ability to match an IP to a specific user account". Which appears to contradict the earlier claim, since they know when a certain account logged in, as well as with which IP address. It is possible they delete the information about the account which the data belongs to, but to say that they have "no ability" to connect them is a lie.
You should assume that your data will be stored pretty much forever. From the Data Retention section:
"Active accounts will have data retained indefinitely." What about deleted accounts?
Your personal data shall be deleted no later than at the end of the calendar year following the year of the termination of the contract unless in an individual case specific reasons to the contract apply. [...] Moreover, the deletion of inventory and billing data may be omitted provided that legal regulations or the prosecution of claims require this action.
Another one dug up by a chat member. Website doesn't work at all without JS enabled and embeds Cloudflare scripts. Then - after you turn on JS - you'll wish you hadn't when you realize the CSS has all kinds of fucked positioning (at least in Pale Moon), making the site barely usable. Usually I'd drop it right here, but I was in the mood for some suffering - and MsgSafe provides it in droves. As far as I can see, the service is webmail only, so we can't avoid dealing with the shitty design. It's funny how they make this seem like a virtue:
Our software works through the web and operates using open standards so you know what's happening at all times. There's no software to download, no app store to trust, there's just you and us, and you're in control.
This includes referrer pages, time stamps, page requested, user agent, language header and website visited.
We don't get told the duration all this stuff is kept for, either. And no information about the possible storage of mail content or metadata. The free account allegedly supports up to ten aliases, but I can't seem to find a way to actually create them. I assume the paid tiers do support the option, but I'm certainly not going to test it - the quality doesn't justify the price of $5 minimum per month (hell, I wouldn't use this crap for free). As a positive, it does apparently support Bitcoin payments, but...why? Leave it rotting along with FastMail, Criptext and the other piles of junk.
There are so many violators popping up now that I wasn't supposed to review any more of them unless they were significant for some reason. However, this one was mentioned to me by two people and it encompasses a lot of what's wrong with E-mail services and computing in general, so I might as well get to it. Let's start with the quote from their main page:
Quite possibly the most private email service — ever
That's it - I'm sold. Of course, no violator has ever made that promise before...not at all. But let's not jump ahead of ourselves, and first check out what's actually so special about Criptext. First of all, since it's a shitty Electron "app" (literally embedding Chromium inside it), it takes up a huge amount of resources - much more than Claws Mail. The interface is your usual webshit and you cannot make it fit with the rest of your operating system - like an alien invader. Obviously, forget about it supporting mail clients; Criptext says fuck the established standards - we'll run our own special snowflake webshit implementation. That alone would usually be a dealbreaker for me, but let's dig deeper. I don't seem to be able to run the "app" through either torify or proxychains, so it can be assumed to not support anonymization. To use Criptext, you need to sign up through the "app" which asks you for your real name. Now let's tackle some specific claims made on their site:
All your emails are locked with a unique key that‘s stored on your device alone, which means only you and your intended recipient can read the emails you send.
So, Criptext alleges to be E2E - but actually, it only works between Criptext accounts - others will just receive your mail unencrypted as usual. And - as the "app" doesn't support PGP (unlike a regular mail client) - you're left bare unless you encrypt through the command line. This is not at all different than what Proton or Tutanota are doing.
Criptext doesn‘t store any emails in its servers. All your emails are stored on your device alone, which means you‘re in control of your data at all times.
That's actually absolutely impossible. At some point, the E-mail has to go through Criptext servers so that it is delivered to the recipient. Why pretend otherwise?
With real-time tracking you can know once your email is read.
This is advertised as a unique feature, but actually, mail clients support it with something called "Request Return Receipt". No advantage for Criptext, unfortunately. Now check this from their security section (I cannot even archive the Jabba-heavy page, ugh):
All your emails and private keys are stored solely on your device. Once Criptext delivers an email there‘s no trace of it left in our servers whatsoever.
This is called
Once messages are delivered to your device, they are deleted from our servers. The same holds true for messages which you send.
Okay - assuming they're not bluffing (which they already did a few times) - this is a welcome change of pace compared to most violators. However, POP3 protocol in mail clients supports the deletion of E-mail upon retrieval - so again, this is not specific to Criptext.
We also keep email metadata (subject, date and sender email address) in order to enable certain features of the Services, such as the “unsend”, “read receipts” and “expiration” features.
The duration is not mentioned. Red flag.
When a normal, unencrypted email is sent to you by a non-Criptext sender, the email gets encrypted by the server with your public key and can only be decrypted by your device. The same holds true for attachments that are sent to you from non-Criptext addresses. This means that your emails are always encrypted, even if the sender is not using Criptext.
That just means the E-mail would be encrypted from Criptext to you - but not before it reaches Criptext. Therefore, Criptext could still read it - again, why pretend otherwise?
We may automatically log information about you and your computer or mobile device when you access our Services. This includes information like hardware model, operating system information, battery level, signal strength, app version, browser information, and mobile network, connection information including mobile operator or ISP, language and time zone, and IP.
So, Criptext stores your IP address and lots of other information. Duration is again not specified. It also shares that data with unspecified partners:
Okay, I think it's lights out for Craptext now. The only positive about them is their promise to immediately delete your E-mail upon retrieval - but seeing how many deceptive claims they've already made, it's doubtful they do even that. All that remains from the privacy posturing on their main page is a pile of rubble. The sane thing to do is to leave Craptext rotting right along the Protons, Fastmails and Hushmails and use some proper services.
Mollie will share your personal data with third parties if this is necessary for the performance of the contract or if it is based on legal obligations or legitimate interests.
As for some positives - well, mail clients are apparently allowed, as well as Bitcoin. But if their payment processor stores so much stuff, does it even matter? There is disk encryption...who cares, everyone now does it. If you really want to part with your money, get Posteo, which is 3 times cheaper and much better. Or just go for the good free ones like RiseUp or Disroot.
A chat member has inquired about this one. Their modus operandi sounded nice:
Purism is a Social Purpose Corporation (SPC), which means we put social good above exploiting people.
So I decided to check them out, naively believing it (I guess the Mozilla situation has taught me nothing). The amount of personal data required for getting an account is the most I've ever seen out of any provider:
Billing First name is a required field. Billing Last name is a required field. Billing Country is a required field. Billing Street address is a required field. Billing Town / City is a required field. Billing State is a required field. Billing ZIP is a required field. Billing Phone is a required field. Shipping First name is a required field. Shipping Last name is a required field. Shipping Country is a required field. Shipping Street address is a required field. Shipping Town / City is a required field. Shipping State is a required field. Shipping ZIP is a required field. Please enter an address to continue.
"We do not track you." or "We do build products, software, and services that respect society and your privacy." - the only mildly useful information is that they keep temporary things for 30 days. Don't expect the "social purpose corporation" (heh) to tell you about what exactly that consists of, though. Librem does support mail clients, which is the only real positive I can see about this service.
UPDATE August 2020: The signup still requires manual approval and it's hit-and-miss whether you get in. Last time I reviewed them I didn't, even though I gave a real looking name. Now despite a troll name they accepted me for some reason - and I did it through the TOR network too. Clearly, they're not a serious service. Often, you can't even connect to the site and they send you http:// links through E-mail - which are not even redirected to HTTPS (without addons). More importantly, full mail client support is limited to paid accounts - free ones can only receive. Therefore, this should be considered a paid provider, with minimum $25 per year (or about $2 / month). And if you do that, you need to provide your real name, address, and credit card data, so it becomes totally useless for privacy. Lights out for SAFe-mail then, but there's more damning information I wrote previously, so take a look at it if you want to dig deeper still:
Israel-based service established in 1999. Before I delve deep into the meat of the issues, let's look at the first impression. Namely, the site structure and grammar are something a chimpanzee would make - this makes getting any information from the site a puzzle in itself. Most of the stuff in there is ancient, and some sections contradict each other. They've had 20 fucking years to make a proper website but instead we get this abomination... but let's try to make sense of it anyway:
Safe-mail.net is not using cookies and not collecting any data about users. Safe-mail.net does not transfer, sell, trade or oterwise exchange any data it might have about its users with any other company.
So it allegedly does not collect ANY data about its users. Why, then, do they bother to qualify it with a statement that they also don't sell the data? Wait, there's also this: (from the user agreement) (archive)
SAFe-mail Ltd. will not disclose information about you or your use of the SAFe-mail system, unless...
Okay, so you DO have data about your users after all...
You agree that SAFe-mail may access your account, including its contents, for these reasons or for service or technical reasons.
So now you admit that you can access even the contents of my account? Isn't this an admission that you read our mail?
Please note that your Internet Protocol address is transmitted with each message sent from your account.
No shit. But what we're interested in is whether that IP, or any other data, is stored by SAFe-mail, and for how long - and this information is not provided. Does this not sound suspicious? SAFe-mail spends a lot of time posturing on how privacy-based it is, yet seems strangely secretive about the kinds of data it collects; in fact, you have to read between the lines to realize that it stores anything at all. A clear indication of a honeypot to me.
You consent to providing us with the following personal data when you register an account: First name, last name, company name (where applicable), mobile phone number (where applicable), country, and alternative email address. [...] To revoke this consent you must terminate the Service
Sorry Runbox, but requiring my real name just ain't privacy-respecting. The first impression already isn't very good...and it's just the beginning.
Your Account Information is stored on servers located in Norway for as long as your account is active...
Great, so I have to kill the account for you guys to stop storing my information. And then it's fucking gone, right?
...and: up to 1 month after closure of trial accounts; or up to 5 years after closure of subscribed accounts, as financial records must be kept for 5 years according to the Norwegian Bookkeeping Legislation.
No, of course it isn't fucking gone - that would be too private for the "privacy-loving" Runbox. So it's five years after the deletion of your account until your real name is gone from their database...or is it?
Backup of Account Information is stored on secure servers separate from the Runbox system for up to 6 months, even after the information has been deleted from the main storage.
Nope, the privacy-loving Runbox is truly smashing all the previous privacy records set by privacy giants such as Google or Yahoo; it's five and a half years until your data is gone from their servers! Oh Runbox, what are some other ways in which you protect my privacy?
Email service content (data associated with Webmail, Contacts, and Files in the Service) is stored in main storage on servers located in Norway for as long as your account is active and: up to 3 months after closure of trial accounts; or up to 6 months after closure of subscribed accounts.
So all your mail and metadata (sender, recipient, subject, date/time) is stored as long as your account exists. There's also the backup which is stored for longer. Should we prolong this torture? Okay, let's do the finishing move and get this over with: The Runbox "service" is fucking paid! Can we say final nail in the coffin? Seriously, they're like a Gmail you have to pay for...but wait, there is more: (I swear it's the last quote!)
If you correspond with us via e-mail, the postal service, or other forms of communication, we will retain such correspondence and the information contained therein.
To say something positive, I will mention that they accept Bitcoins...and you can use them through the mail client. There is also a 30 day "free" trial. Oh, and they are powered by renewable energy sources (but so is the actually private Posteo, reviewed later), which is the only really commendable thing about this "service". But since the data collection and storage policy is so terrible, you should stay away.
"all user data is stored in privacy respectful countries" - without, of course, specifying those uber-private countries. ReCaptcha is required to sign up, which shows you just how much privacy matters to them (if they submit to the Big G's botnet, you can safely assume they store fucking everything). Openmailbox severely lacks ethics, deleting features without notice (archive):
Free users of Openmailbox could use IMAP/POP to connect to their mailboxes previously. The new owner of the service, French company SASU Initix, disabled the option without prior notice for all free account owners.
This blocked the use in all email clients for free users, and left them with no choice but to use the web interface instead to do their mailing.
Related to that is the removal of the mail aliases feature. The available aliases were removed completely and stopped redirecting any messages.
Imagine you've used an alias to talk to your family and it suddenly stops working - so you don't get their messages anymore, unaware of the reason it happens (hey, maybe they hate you now...). They also claim you can make an account in a minute - which is simply mockery due to ReCaptcha. Their Terms of Service (archive) follow the same principles (or lack thereof):
OpenMailBox reserves the right to amend this text, without prior notice, and you are therefore responsible for making yourself aware of the latest version of this text. In the event of a breach of these conditions, your user account may be locked or deleted, with no option for redress or compensation.
So if they suddenly decided VPN / TOR users are dangerous terrorists, they will kick you out just like that; say goodbye to your contacts, messages, everything (since mail clients don't work, you can't easily download them). Free accounts inactive for 180 days will also be deleted.
There is a rumor going around reddit that either OpenMailBox or Autistici gave access (archive) to someone's account to the Singapore Tax Authorities. However, this is almost impossible for Autistici since it would go against everything they've always stood for (archive):
After 2005 we have been constantly pestered by prosecutors and security forces (and even by the Vatican!) asking us to hand over users’ data and identities and we are proud to say we were always able to answer: we are sorry, but we do not have them. Recently (2010) some very smart policeman managed to convince a judge to order the full seizing of three servers in three different countries to find out if we REALLY did not have any data about a user’s activity on our servers. After spending a lot of public money (for a couple of graffiti on a wall), the judge ended up with a lot of encrypted files with no useful information inside, and maybe he’ll think twice about giving out other investigations to the cunning policeman.
On the other hand, it would be quite consistent with OpenMailBox's proven lack of ethics. But, in the end, it is just an unconfirmed rumor - so take it with a grain of salt (however, the person did post it more than once).
It's August 2020, time for an update. First, let me say that I could not sign up despite enabling cookies, JabbaShit, XHR and filling out all the fields correctly several times. Was the issue Pale Moon or maybe the VPN? Who cares - if I can't register, the service is useless. Free tier does not support mail clients so for MailFence to be even slightly worth bothering with, you need to pay (2.50 € per month, Bitcoin accepted). Of course the front page contains privacy posturing:
We believe that online privacy is a fu