1. Rich webmail is an absolute must for me. I use too many different computers from too many different places for anything else to be remotely practical at this point.
2. No open source webmail servers that I've seen come close to Gmail's functionality, and I don't have time to write one that is.
3. Even if there was/I did, I couldn't get the spam filtering to anything like Google's level even in theory since I don't have nearly as much data to work on.
The business model isn't there. I have yet to see a large group of consumers willing to pay for secure email and the only other alternative, advertising, leads to the exact same problem that you face with GMail.
That seems to imply you don't already. There are lots of paid email services that don't monetize user's emails. And many that are hosted outside the United States.
For the extremely vigilant, there is always CounterMail
The threat of email interruption and snooping can't be completely avoided. Undersea cables get cut, governments change, servers crash, data centers get raided, and companies disappear. At some point the data gets decrypted and everything is retrievable unless you are any extremely hard core PGP user. Even HushMail has to bend to the feds when it's all said and done. Even savvy people realize paranoia only gets you so far with email.
> advertising, leads to the exact same problem
> that you face with GMail.
Not necessarily. For some people that largest factor is that Gmail brings all of your email under US jurisdiction. It may be enough to just do advertising-funded Gmail clone that is solely based out of another jurisdiction.
You may even be able to convince non-US businesses that this is a better alternative.
I actually host my own email. I developed an open source application for automatically encrypting all email with my public key as soon as it arrives, and I can't do this if somebody else hosts my email. You can read why and how here: https://grepular.com/Automatically_Encrypting_all_Incoming_E...
Brilliant! Thank you for sharing the post and code. I'd be interested in hearing thoughts on how to make it searchable. If you don't index, searching will take quite some time. I guess the best thing to do would be to index each e-mail (keywords?) before it is encrypted and then encrypt the index itself as well. There is a problem with the keyword approach though - if the index encrypts the words but the "link" between message id and encrypted keywords is not encrypted, then an attacker who is in posession of one or several other message bodies in plain text can see correlations between the content of known and unknown message bodies.
Ok that's 2 customers who are also HNers. I think you'd need to do better than that. We are hardly a representative of the general consumer.
There is another problem, US govt' need to get access all these messages. For example http://en.wikipedia.org/wiki/Hushmail, people seemed to have signed up, but Hushmail was forced to provide plaintext messages to US govt upon request. So they sort of compromised their main selling point.
That is probably the largest problem, you'd be stuck between a rock and a hard place. You either please your security conscious customers or please Uncle Sam. You can't please both.
It doesn't have to, but unless it is located in Iran, NK or other US-unfriendly place, US govt can always pressure the local govt to pressure the local business to turn things over. I wouldn't, for example, count on countries like Switzerland, US is already getting to its banks to turn over US accounts, and is supposed to be one of the most independent and un-influenced countries.
With the current legislation trend, eventually un-cooperative or "terrorist friendly" sites would just be filtered out and blocked, so you might have a hard time accessing your email. Some messages might never make it to you.
I was actually talking about writing a front-end that you could host on your own server, not a gmail clone. (I wish I could update my original comment.)
I think for most people, $10 IS too much. Although we all talk tough about privacy, most people (even here) don't have much to hide from anyone, and when the difference between definitely secure, and probably secure (in terms of privacy and ownership of data) is $10, it suddenly feels a lot more expensive.
I am just about to migrate from Gmail to NeoMailbox. I'm choosing the Swiss hosting option. I'd prefer something in Iceland but the closest service I could find was OrangeWebsite and for them mail was pretty much an afterthought.
We use Zimbra at work. I'd have a hard time recommending it unless you really, really want 80% of Exchange and 40% of the usability.
(Outlook Web Access is still the only webmail client I've found that is in GMail's ballpark. Since running an Exchange server is beyond my skillset, my interest, and my budget, and trusting a managed Exchange host feels odd--at that point I might as well just stick with GMail. So I do.
Google isn't going to find anything particularly interesting about me by my mail, anyway.)
"[Gmail/Facebook/USGov/etc] isn't going to find anything particularly interesting about me by my mail, anyway."
There are two problems here:
1. We look at our data from our point of view. Other people and orgs have their own points of view, and it's their actions driven by their points of view that we need to worry and think about. For example, you think your mail is uninteresting, yet Google enhances the value of their ads by correlating your interests with the interests in your communication network.
Government surveillance can also learn a lot just by recording and analyzing who you talk to. When a law enforcement agency cannot get a full wiretap warrant, they will sometimes settle for a pen register, which just records the telephone numbers of your calls. This allows them to find out who you know, and who you talk to the most. This lets them form more detailed opinions about you and your known associates, which may or may not be accurate. You know, like Google does for ads.
Oh, you're just not that interesting to the government?
2. Innocent behavior being observed by the government is enough to disrupt your life in minor and major ways. Consider the British couple that was recently denied entry to the United States, merely because their tweets contained boisterous comments about destroying the US (i.e. partying really hard), and digging up Marilyn Monroe's grave. Imagine if they had used the British slang term "crack."
It takes nothing more than mere notice to disrupt your life. If you innocently have communication with someone who in turn has communication with a "person of interest," you could find your car carrying a GPS. Just from noting communication networks, never mind the communication content.
I'm not trying to go all tinfoil hat, I'm just suggesting that your view of your data is completely different from corporate and government's view of your data. You could be served an ad (horror!), or you could be served a warrant (horror), based on accurate or mistaken interpretation of any facet of your communication.
Yeah, but it's also email. You could delete every email you've ever created and everyone who's ever saved their copy still has their copy.
Even if you were trying to be all sneaky about your email by having your own service set up somewhere, you're still making copies of everything you send by virtue of sending it. It's more vectors for the government/Evil Google/whoever to need to scan to get a picture of the data you're creating, but it's not impossible.
I know you're just making a point, but to the people who actually are all tinfoil hat, this whole conversation to shift to whether or not you should even use email as a method of communicating.
A mischaracterization (and, given your tone, probably intentionally so).
A useful mail system has value to me. It outweighs the (in my mind vastly overhyped) dangers of Google doing something nefarious with my data. If you disagree, you're welcome to run your own mail server. Nobody's stopping you.
> 1. Rich webmail is an absolute must for me. I use too many different computers from too many different places for anything else to be remotely practical at this point.
That's what IMAP is for. If these are computers you don't directly control, then I'd say any downsides of using gmail pale in comparison to the security implications inherent in your usage model.
[edit] Can't say I understand the negative downvotes. Maybe I inadvertently denigrated people's preference for webmail over mutt/mail.app/etc?
Regardless, the fact is that if you're utilizing webmail for remote e-mail access on shared computers, then there are much more significant risk scenarios at play than those of gmail.
Secure webmail access over HTTPS is in theory just as strong as IMAP access can be made to be.
Of course, by using untrusted hardware you are exposing yourself to various circumventions of the security protocols, but that's just as true of IMAP as it is of HTTPS.
In fact, IMAP is probably slightly worse since it does actually download messages to the local machine by default, where they must be explicitly cleaned up.
2. No open source webmail servers that I've seen come close to Gmail's functionality, and I don't have time to write one that is.
3. Even if there was/I did, I couldn't get the spam filtering to anything like Google's level even in theory since I don't have nearly as much data to work on.