What’s your email address? Chances are it ends with @gmail.com. Now, if I told you that Gmail is a privacy nightmare, you probably wouldn’t care. If I told you that you should move away from Gmail, you would probably ask, “Why should I?”

I heard all the counter-arguments before … “I have nothing to hide”, “That’s too much work”, “I couldn’t care less”, etc. Since appealing to reason obviously doesn’t work, I’m going to try something different here. In this article I will try to present you persuasive arguments that will finally convince you to move away from Gmail.

What’s Wrong With Gmail?

Seeing something with your own eyes is worth more than a thousand words. So before I write any more words, please go to myaccount.google.com/purchases and see for yourself.

Did you visit myaccount.google.com/purchases? Go visit that site, I’ll be waiting here for you to return.

If you’re reading this sentence, I trust you have visited myaccount.google.com/purchases. What you’re seeing are all purchases you ever made that Google knows of. This might be a real surprise to you, even a shocker. If it is—good! This is the feeling I need you to have. I mean, everyone kind of knows that Google collects data, but “collecting data” is such an abstract concept many people can’t wrap their head around. Seeing with your own eyes what that actually means, “Holy crap, they know that I just bought this 100-pack of condoms on Amazon?!? How the hell do they know that??”, suddenly feels alarmingly real and is something very different.

It’s not just the obvious things like what you bought from Google Play.  … Even things completely unrelated with Google—like, what you bought from Amazon; which audio books you listen to on Audible (and thus what interests you); what iPhone apps you downloaded from the Apple App Store; how you like to dress; whether you always buy the latest fashion trends each and every season or whether you’re the type to buy fewer but more high-cost, luxurious items … Google knows. And the list goes on and on. This makes you extremely susceptible to advertising.

How does Google know all this? Because you use a @gmail.com address. If you use a Gmail address to log in to e.g., your Amazon account, then Amazon sends an order confirmation to that Gmail address every time you buy something on Amazon. And if the necessary information is delivered free to Google, all Google needs to do is to extract the information from your Gmail inbox. The key thing to remember: you deliver all that information freely to Google yourself. Google doesn’t do anything shady. It’s you who gives away all this information by voluntarily using Google’s services. So it’s in your responsibility to make a change if you want Google to stop collecting information about you. It’s you who has to sign up with a new email provider and change your email address in each of your accounts. I know that’s tedious, but there’s no way around it. Take a weekend off and do it. Otherwise you will always strip naked in front of Google, figuratively speaking, and if you’re not careful, maybe even in the literal sense, due to the emerging video cameras that people add so willingly to their “smart” home / bedroom.

Alternatives to Gmail That Respect Your Privacy

There are only three alternative services I can recommend:

• Posteo (based in Germany)
• Mailbox (based in Germany)
• Protonmail (based in Switzerland)

Forget every other email provider. Always check whether an email provider (or its parent company) operates from a country that belongs to the Five Eyes, i.e., the U.S., the U.K., Australia, Canada, and New Zealand. This already rules out most email providers. In Switzerland, there’s the data retention law, so my suggestion would be to use one of the German email providers, i.e., Posteo or Mailbox. The more convincing argument probably is that you can’t use Protonmail with an email client such as Mozilla Thunderbird or Apple Mail.

Personally, I use Posteo and pay 1 EUR a month. Posteo and Mailbox are more or less the same and are both equally good. However, if you want to use a custom domain, i.e., if you want to have an email adress that looks like firstname@firstname-lastname.com, then you have to use Mailbox. Posteo does not allow custom domains for privacy and security reasons. Posteo writes:

We are an email provider with a particular, privacy-oriented model – and this is not compatible with incorporating own domains. One of our emphases is data economy: we do not collect any user information (names, addresses, etc) of our customers. We always answer requests from authorities for user information in the negative. On the other hand, own domains need to be registered to the name and address of a person. If you were able to use own domains with us, this would affect the entire concept of Posteo: we would need to start saving user information for all customers who use their own domains with us – and to provide these to the Federal Network Agency to be provided on request to the authorities.

Even if only the MX record pointed to us, we would still need to store the assignment of the domain in your Posteo account as user information. Thus we would possess your user information and be required to give it out. For this reason, we have decided not to offer this possibility and instead to use data economy. We certainly understand that having your own domain is very important in the commercial industries, but from our privacy-oriented perspective, the disadvantages prevail.

On the one hand, this might be annoying to some who absolutely want to use their own domain for their email address. These folks still can use Mailbox if that feature is important to them. On the other hand, making such as decision, accepting to lose a couple potential customers because of it, and being so transparent about it shows me that Posteo truly takes my privacy serious.

Furthermore, Posteo writes (on their German FAQ, I couldn’t find an official English statement):

Auch im Bezug auf die Kommunikations-Sicherheit bereitet uns das Nutzen eigener Domains Sorgen: Die Inhaber müssen sich selbst um das Unterstützen von modernen Sicherheitstechnologien wie DNSSEC, DANE und SPF usw. kümmern, um sicher zu kommunizieren. Damit sind selbst Technikinteressierte in aller Regel überfordert. Schon alleine deshalb ist heutzutage dringend davon abzuraten, privat noch eigene Domains für die Alltagskommunikation zu nutzen.

which roughly translates to:

We also worry about using own domains with regard to communication security: domain owners would need to take care of supporting modern security technologies such as DNSSEC, DANE, and SPF, etc. themselves in order to communicate securely. Generally, even those interested in technology are usually overwhelmed by that task. For this reason alone, we strongly advise against using own domains for private purposes and everyday communication.

Cool Features Gmail Doesn’t Offer

Both Posteo and Mailbox allow you to encrypt your entire mailbox, i.e., they encrypt every email arriving in your inbox, including your existing emails. To perform the encryption, you have the choice between providing a passphrase and/or your public PGP key. This way even Posteo/Mailbox can’t read your emails anymore. This doesn’t solve the fundamental flaw of email—your mails still travelled through the web entirely unprotected, for anyone to read—but the cool thing is the following: imagine you somehow landed on some list and the FBI asks Posteo/Mailbox to hand out your every email from the last five years. Google will do so and the FBI can rummage through your mail. Posteo/Mailbox can only hand out useless gibberish.

There are many more cool features Gmail doesn’t offer because these features are contrary to their business model of collecting as much data about you as possible. I hope by now you are intrigued enough to continue with doing your own research.

Calendars

If Google can extract this data from your emails, imagine what they are able to do when they combine that data with your search queries and your calendar data. You have an appointment at the dentist this Tuesday? And another dentist appointment two weeks later? And after you came home, you searched Google for “cavity” or “dental insurance”? With all this data, they can show you advertisements for an expensive new toothbrush or steer you towards a particular insurance.

Posteo and Mailbox both offer calendars alongside their mail functionality. It’s not just the dentist appointment. I, for example, have my entire daily routines planned out in my calendar; from my university schedule to when/where/that I do yoga (i.e., ads for yoga mats), and so on. Always remember: Google’s core business is to collect data and sell ads. Why did they presumably invent Gmail and Google Calendar in the first place? Don’t offer them everything on the silver platter.

For the Curious

If you want to continue your research and efforts to double down on privacy, here’s a (non-exhaustive) list of helpful ressources:

• https://thatoneprivacysite.net
• https://www.reddit.com/r/privacy
• https://www.reddit.com/r/privacytoolsIO
• https://www.privacytools.io
• https://restoreprivacy.com
• https://prism-break.org/en/

What Else to Expect?

This blog post is only the first in a series about some basic security guidelines everyone should follow. I’m planning to write further articles addressing questions like

• “Do I really need a VPN and if so, which one? What’s a VPN in the first place?”
• “Which web browser should I use?” (absolutely not Google Chrome or Brave; use Firefox)
• “Are there alternative search engines to Google?” (yes, DuckDuckGo and Qwant)
• “What is Tor?”
• “What is Two-Factor-Authentication? How do I use a Yubikey?”

If you want to know the answers to these questions, consider following me on Twitter so that you get notified when I post the next article.

If you have additional questions, or know of other best practices to restore a bit more privacy, let me (and other readers) know in the comment section below. Cheers!