Using encrypted, ad-free, anonymous webmail is a basic human rights.
Contents
Criteria to select a secure webmail
Here’s what you should consider before choosing a secure webmail:
Mandatory criteria
- country / jurisdiction
- zero log & IPs stripping
- full end-to-end encryption (E2EE), including subject
- encryption algorithm (PGP)
- confidence in the code (100% open source is preferred)
- anonymous payment in cryptocurrency if you decide to buy some paid services)
Recommended criteria
- Mobile device apps
Secure & anonymous webmails
All below providers offer offers end-to-end encryption (E2EE).
Due to limitations of the SMTP protocol, most providers have access to the following email metadata: sender and recipient email addresses, the IP address incoming messages originated from, message subject, and message sent and received times.
CTemplar (Iceland)
CTemplar stores your emails safely outside the 14 Eyes and Canadian & Swiss data sharing MLAT treaties.
Furthermore, when you press ‘delete’, your data is instantly deleted (although Dutch, Swiss, German laws require at least 6 months before emails can be permanently deleted.)
CTemplar does not record, monitor, store, log, or share anything you submit (including IPs).
All outgoing emails are untraceable to you. CTemplar does not know your IP, and use its own IP for all emails.
Encryption is end to end, and made using the OpenPGP.js library, maintained by Proton Technologies AG which is open source and audited.
Paid services can be paid in Crypto currency. Not personal info is required.
Free accounts include 1 GB of storage.
Read our article about the July 09, 2021 catastrophic incident of CTemplar mistakenly deleting all of its customers’ accounts and emails. CTemplar was unable to restore the emails, which were all lost.
More info: https://ctemplar.com (privacy policy)
ProtonMail (Switzerland)
ProtonMail is hosted in Switzerland. User data is protected by Swiss privacy laws, which is not part of the EU, but which it is part of the MLAT treaty to exchange information.
IP logs may be kept temporarily to combat abuse and fraud, and your IP address may be retained permanently if you are engaged in activities that breach our terms and conditions (spamming, DDoS attacks against our infrastructure, brute force attacks, etc).
Deleted data are retained for 30 days prior being permanently deleted.
OpenPGP.js library is open source.
Free accounts include 500M GB of storage
No personal information is required to create your secure email account. However, in the event that you wish to subscribe paid services, only credit card payment is offered (which is not anonymous).
More info: https://protonmail.com (privacy policy)
Mailfence (Belgium)
Belgium is located in EU and part of the 14 eyes alliance.
IPs are collected. External email address it requested to register.
Code is not open source.
Free accounts include 500 MB of storage.
Cryptocurrency payment options are possible.
More info: https://mailfence.com (privacy policy)
Tutanota (Germany)
Germany is located in EU and part of the 14 eyes alliance.
Email addresses of users as well as senders and recipients of emails are not encrypted.
Mail server logs are stored for 7 days. IPs are stored.
Code is open source.
Free accounts include 1 GB of storage
Cryptocurrency payment options are possible.
More info: https://tutanota.com (privacy policy)
Our opinion
The only provider to provide full anonymity with true 0 log and immediate deletion of emails is CTemplar. It is not in a country part of the LAT treaty, and accept payment is bitcoin. It is the only one that match all criteria. However CTemplar suffered a catastrophic incident on July 8, 2021 and lost all the emails of all its customers, which raises serious questions about its reliability.