Hey, howdy, hallo,
Someone replied to my last email and mentioned that my newsletter is landing in the Gmail Promotions tab. I think Gmail may have changed how they classify emails over the past couple of months, which could explain it. I wanted to flag that in case you use Gmail. Although, now that I think about it, if you do use Gmail, you might not even see this note since it’ll be in Promotions 🙂
Speaking of email: it isn’t secure. It was never designed to be secure, anonymous, or private. Anything claiming otherwise is essentially a band-aid on the underlying protocol, SMTP (RFC 5321). That said, email is still incredibly useful, and there are meaningful benefits to not relying on Gmail or the other big tech providers.
Let’s pretend for a moment that you use Gmail. Gmail is not end-to-end encrypted (E2EE), which means Google can technically access your emails, both incoming and outgoing, along with everything stored there, including drafts you might be using as notes.
Google scans messages and attachments for spam, malware, and automated processing. In the past, Gmail content was also used for ad personalization. While Google says it “no longer uses email content directly for ads”, it still collects metadata and activity across its platform to build user profiles.
For me, this is one of the biggest privacy issues that using an E2EE provider like Tuta or Proton addresses. Because messages are encrypted end to end, the provider cannot read your email content or attachments. Some metadata may still be visible, such as subject lines in Proton.
Proton’s main site says, “Communicate and browse. Privately.” I think that can be misleading. Using one of these providers does not automatically make all of your email communication secure and private.
If you are using Proton and emailing another Proton user, the message is end-to-end encrypted. The same goes for Tuta. But if you send an email from your Proton account to someone with a @gmail address, the message arrives readable to Gmail. It may be encrypted in transit, but once it reaches Gmail’s servers, it can be processed and stored in clear text like any other Gmail message.
So keep that in mind when using these providers.
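To see the "encrypted in transit, readable at the server" point on a real message, you can read its Received headers. The following is an added example, not part of the original newsletter: it lists each hop, whether that hop reports TLS, and whether the body itself is PGP-encrypted. The sample message, hostnames, and function names are constructed for illustration.

```python
import email
import re

# Constructed sample message (not real traffic); hosts use reserved example names.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.10])
\tby store.recipient.example with LMTP id abc123;
\tMon, 02 Mar 2026 10:00:03 +0000
Received: from out.sender.example (out.sender.example [198.51.100.7])
\tby mx.recipient.example with ESMTPS id def456
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384);
\tMon, 02 Mar 2026 10:00:02 +0000
Received: from webmail.sender.example (localhost [127.0.0.1])
\tby out.sender.example with ESMTP id ghi789;
\tMon, 02 Mar 2026 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: hello

This body is plain text at every server that handles it.
"""

# "with" protocol keywords that indicate STARTTLS was used (RFC 3848, RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA",
                 "UTF8SMTPS", "UTF8SMTPSA", "UTF8LMTPS", "UTF8LMTPSA"}
HOP = re.compile(r"\bby\s+(?P<by>\S+).*?\bwith\s+(?P<proto>[A-Za-z0-9]+)")

def transit_hops(raw_message):
    """Return hops in delivery order as (receiving_host, protocol, tls_reported)."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Each server prepends its header, so reverse for sender -> recipient order.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(" ".join(value.split()))  # unfold the header first
        by = m.group("by") if m else None
        proto = m.group("proto").upper() if m else None
        hops.append((by, proto, proto in TLS_PROTOCOLS))  # unparsed hop -> False
    return hops

def body_is_e2e_encrypted(raw_message):
    """True for PGP/MIME (multipart/encrypted) or an inline ASCII-armored body."""
    msg = email.message_from_string(raw_message)
    if msg.get_content_type() == "multipart/encrypted":
        return True
    payload = msg.get_payload()
    return isinstance(payload, str) and "-----BEGIN PGP MESSAGE-----" in payload

if __name__ == "__main__":
    for by, proto, tls in transit_hops(SAMPLE):
        print(f"{by}: {proto} ({'TLS' if tls else 'no TLS reported'})")
```

Even a hop marked as TLS only protects the connection between two servers; every host in the list handled the body as it was sent. Received lines are written by each server in the path, so only the ones added by your own provider are trustworthy.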
It’s true that PGP, or Pretty Good Privacy, works for encrypting email. I find it a bit clunky, and it does not provide PFS (Perfect Forward Secrecy). Without forward secrecy, if someone compromises a private key you have been using for years, they could decrypt past messages that were encrypted with that key.
I’m not going to go into much detail here, but while PGP works, it still feels like a band-aid layered onto a protocol that was never designed for strong privacy.
If you truly need secure communication, use something like Signal. The main point of this email is to highlight some of these limitations, because when you sign up for one of these services, they are not always communicated clearly.
I hope you had a great February, and I’ll see you in March!
-Josh
I remember seeing a site like this years ago. I don’t know if it’s the same one, but it’s interesting either way.
A Few Thoughts on the Future of Tech • I/O
Qubes OS First Boot – Wi-Fi, Updates, TOR, & Videos
Is your phone being tracked? IMSI Catchers (EFF Rayhunter Setup Guide)
How to Install Home Assistant on Raspberry Pi (Connect ZBT-2 Tutorial)
Why I’m Leaving macOS for Qubes OS
A few things I make and work on:
Membership Site — Bonus content, monthly livestream Q&A, and more.
Consulting — Personalized help for individuals and teams.
Yellowball — Podcast hosting. No BS, no tracking.
"People generally see what they look for, and hear what they listen for."
— Harper Lee, To Kill a Mockingbird