Free Software Webmail Systems
Whether the server itself runs nonfree software is a different issue. Nonfree software running on the server infringes the freedom of the server operator, but not yours; therefore, it is a secondary issue. We note here that some server operators say they run exclusively free software; you might choose one of them to reward their support for the community.
We don't know of any surefire way to evaluate a mail service for privacy, since any such service could be handing mail data massively to some government, and there is no way to detect this from outside.
We do know that specific companies providing webmail services were named as part of the PRISM NSA spying revelations: Google, Yahoo, Microsoft, Apple, and AOL.
We also know that some smaller companies, like Lavabit, were pressured to turn over information.
Establishing good practices, such as using GNU Privacy Guard (GPG) to encrypt your messages, is essential to keeping your communications private and secure. It only takes 30 minutes to follow our Email Self-Defense guide for help in how to get started with GPG, and we recommend it to everyone concerned with their security online.
As the privacy and freedom of these webmail services are evaluated periodically based on community feedback, please email us at firstname.lastname@example.org with any suggestions or if you notice any issues that may have escaped our attention.
With these caveats, here are some recommendations:
- Pick a mail service located in a country that won't cooperate with governments that you're particularly concerned about privacy from.
- Avoid using LinkedIn, which fishes for people's email contact lists.
- If your mail service and your search engine are run by companies that don't cooperate, neither of them can correlate your searches with your mail contents. (A spy agency could still do so, if the two companies are in the same country or in countries that cooperate in massive surveillance.) Thus, don't use both Gmail and other Google services such as web search.
Some of these services are gratis, but that's a separate issue. Recall that "free software" refers to freedom, not price.
- Posteo: Aims to be fully compliant with LibreJS's standards, but some scripts cause warnings. Does not work without JS. Credit card payments do not work.
- Kolab Now: Swiss based paid service focused on ensuring your privacy. Highly resistant to PRISM and similar programs. Runs on free software. Currently becoming LibreJS compliant.
- Safe-mail.net. Signup and Login possible with LibreJS enabled. Select "Traditional" interface for webmail use. Mail server details also available for mail clients.
- VFEmail (uses google syndication, and captcha - both non-free). After registering, you can use mailserver configuration details and use a mail client.
To ask about a mail service not listed here, or request corrections and updates, please send a mail to: monoverde at riseup dot net : with "Webmail System" in the subject line.
Under ReviewThese are systems either currently under review, or undergoing a status change.
- Disroot: Sign up needs JS.
- Autistici/Inventati (A/I): Sign up needs JS. They are working on becoming LibreJS compliant, but no ETA on this yet.
- Hushmail: Site doesn't load without JS.
- mailbox.org JS needed to register or use system.
- Mailo.com: Formerly French only, now available in English. Site is no longer explicit about running on free software.
- ProtonMail JS needed to register or use system.
- Tutanota: Looks promising - they're working on becoming LibreJS Compliant.
- Unseen: Site doesn't load without JS.
Not RecommendedSystems we've investigated and found wanting.
- FastMail: Sign up, sign in, and webmail all work smoothly. This is a paid service with a 60-day free trial. - UPDATE: was notified that this is not the case.
- Mail.Ru: Sign up, sign in, and webmail all work smoothly. BEWARE though - it is almost certainly under governmental surveillance, and likely does not respect privacy.
- Yahoo! Mail: works without JS apparently, but you need JS enabled to create a yahoo account
- Yandex Mail: You can register and sign in with LibreJS enabled, but not send mail in the no-js interface. Also: looks to be Russian based, so almost certainly under surveillance.
- Apple iCloud (@icloud.com. Old emails: @me.com, @mac.com). Apple requires people to own an Apple device (either an iOS device or a Mac) to create an iCloud account.