Why do average people like me need to use private email providers like CounterMail?
Over the past few months, the world has watched as Edward Snowden – a now ex-employee of NSA contractor Booz Allen Hamilton – leaked information that confirmed what we all assumed; that the government is spying on us, in a very, very big way.
What is CounterMail?
Privacy and security have always been important to me, but far from being an expert, I decided to reach out to Simon Persson, the owner of secure email provider CounterMail, and ask him a few questions about PRISM, online privacy and security, and what he thinks about crypto-currencies like Bitcoin.
I’ve had a number of requests for a comparison between CounterMail vs ProtonMail, and the various other secure email services, and figured it was about time I reached out to the man himself and had a chat.
A Conversation with CounterMail founder Simon Persson
Let’s dive right in…
Simon, could you tell our readers a little bit about yourself, your background, and why you decided to start a secure email service?
My name is Simon Persson, and I am the founder of Countermail. I’m 40 years old, I live in Stockholm, Sweden.
I got my first computer in 1983, it was a Spectrum 48k, which had 48k in RAM and a 3.5Mhz CPU, pretty exotic in those days, but today’s mobile phones are around 1000 times more powerful! I was immediately hooked, especially with the programming aspect, most of my friends preferred playing games on their computers, but I always had programming as #1 interest, playing games was #2. I have been programming since then.
In the late eighties I became more and more interested in hacking and cryptography. I remember I always felt that IT-security is the future, because computerization will only increase, and when companies start sending their information through the cables, it must be protected well. But it wasn’t until 1999 I became seriously interested in cryptography, I got a present from my mother, it was The Codebook (by Simon Singh). At that time there was an active competition in the book, the cipher challenge, with a first prize of 10,000 pounds (GBP), so it made the book even more interesting. I still recommend it when people ask about books about cryptography. It’s one of the the best introduction books.
After reading that book I really realized how important cryptography is, and will be. During world War II, it was a matter of life and death, strong encryption may save lives, and weak encryption may kill people.
Since 1999 I started implementing cryptography in most programs I made, sometimes even though it was not necessary 🙂
I used Hushmail for many years, until 2007 when it became clear that they could disable the encryption for individual users. At that time, there was no other provider with web based OpenPGP end-to-end encryption. So I started planning to create my own service, with OpenPGP end-to-end security, no unencrypted emails or passwords should be stored on my server. I registered the domain name in 2008, but it was not until May 2010 the service was ready to open up.
In light of PRISM and all the recent NSA shenanigans, where do we go from here? I’m especially curious to hear your thoughts on people’s behavior in regards to security going forward.
More people will understand that they need to be cautious when the send stuff over internet, it’s not only NSA that could tap into your information, an advanced hacker or criminal organization could do similar things with your data.
I hope that companies start realizing that their trade secrets could be compromised when using weak or backdoored encryption. I think more people will try to learn the basics in IT-security.
How do you choose your passwords? Randomly generated, or do you have a system? Many people seem to have trouble striking a balance between security and memorability.
I use different levels, a less important site gets an easier password, and more sensitive places get longer & harder passwords. The most sensitive information, like server disk encryption, gets a randomized password. I also use SafeBox (a password manager in Countermail) to keep track of passwords.
I think it’s safe to assume that you’ve heard the “if you’ve got nothing to hide…” over the years. What are your thoughts on this in respect to personal privacy?
Yes, I heard it many times. I think it’s based on ignorance or naivety. A Swedish professor of criminology said that those “I got nothing to hide”-persons do no exist IRL, everyone have something that they want to keep private. Information can also be misinterpreted, a quote from a french politician: “If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang them”.
There are no government or police organization that can protect their data 100% against leakage, and the people working for the government are just like normal people, mostly good, but some evil. Some may abuse the information. The government must be allowed to use surveillance against targeted suspected individuals, but not against the whole population and innocent people, aka. mass surveillance.
Secure email services seem to be a dime a dozen these days; what sets CounterMail apart from say, HushMail?
There are many things, here are some of them:
- We are under Swedish jurisdiction and swedish laws, Sweden still have better privacy laws than many other countries
- We don’t log IP-addresses
- You can pay anonymously if you follow our instructions, or simply just use Bitcoin
- Incoming email will be encrypted to your public key, which means no emails will be stored as plaintext on our server, only in encrypted format
- Web based OpenPGP encryption with no possibility to disable the end-to-end encryption, passwords and decrypted texts is never sent to our server
- We have an USB-key option, which gives you two factor authentication, and increased protection
- Our webmail server do not have any hard drives, only CD-ROM, which means no “leakage” to any hard drive is possible
- Our customers never have any direct connection to our mailserver, regardless how they connect to their account, IMAP/SMTP/webmail always connects to a diskless server (tunnel)
- You can delete the private key from our server (but we recommend this only for advanced users, your private key is always encrypted on our server anyway)
- We have an additional encryption layer to protect against man-in-the-middle attacks
If anyone can find any other established provider that have all our privacy and security features, we will give that person $10k as a reward!
Aside from securing our email, what’s one other easy win for the average computer user in terms of securing their personal privacy?
Learn how to use FireFox + the NoScript add-on, and use that as your main web browser. With NoScript, the first time you visit a domain you have to manually allow a certain domain to run a scripts and plugins. If I had to choose between an Anti-virus software and a “NoScript”-plugin, I will choose the “NoScript” plugin. You should not allow global scripting/plugin execution in your web browser, only to domains you trust. Also set your browser to remove cookies when you close it, to prevent tracking and give you more privacy. A good antivirus program and a software Firewall is of course also good to have.
Bitcoin and other crypto-currencies have really started making waves this year. What are your thoughts on their viability? I’ve seen quite a bit of backlash along the lines of “they’ll only be used for money laundering!”.
I like the idea with crypto-currencies, they are decentralized and give much more privacy compared to normal payment methods. However, I would not put all my savings into Bitcoin, there are some theoretical attacks that could crash the currency, but it’s very hard to “kill” BitCoin permanently. The Banks and the governments do not like it, so they will probably try to use the “fear”-factor or “criminal”-factor on it.
Is there anything else you want to tell our readers about CounterMail or security in general?
HTTPS/SSL-encryption alone do not give enough security against an advanced attacker, I and many other in the IT-security field already knew that before it was confirmed in the NSA leaks by Snowden.
Start using PGP email encryption, or at least try to learn how it works. OpenPGP is not locked to a specific provider, it’s an open standard that could be installed on almost any computer platform, with many email providers. One benefit with Countermail is that most PGP-actions is done automatically, so it’s easier to get started, and of course the fact that incoming unencrypted email is automatically encrypted to your public key, this feature is something that many providers lack. When Edward Snowden started to communicate with the journalists, he wanted them to use PGP encryption, and he had to learn them how to use it. So far, everything indicates that PGP still holds up, even against NSA.
Chad’s Thoughts…
I’ve heard Snowden’s revelations described as “the least surprising, most unexpected” thing to happen, and I think that’s pretty accurate. Though governments have been spying on foreign bodies since time immemorial, advances in technology have made this easier than ever, both abroad and domestically.How could any spy agency resist that kind of temptation?
In a way, I actually find the whole situation kind of funny. Temptation aside, can we really be upset when we’ve been so complacent pushing back as a society? I would really love to hear your thoughts in the comments below.
And Simon, thank you very much for taking the time to answer my questions, and allowing me to share them with my readers. I greatly appreciate it.
We arnt hearing much about snowden in the UK. Bcc news rarely mentions GCHQ and the scale of its involvement. In fact when I talk to people about it they know or care very little.
You’ve gotta be kidding me. You’ve never heard of the Guardian? It’s a British paper.
Wasn’t it from Knight Rider, the comment that, “One Man Can Make A Difference.” Thank you Chad and definitely thank you Simon. I was on and crackin’ with Hush Mail and then I read something about it’s vulnerability.A guy who use to cut my hair in Hollywood went to Sweden, had nothing but good things to say about the visit.
Then I saw a drop dead gorgeous woman [and her daughter] whom live in Los Angeles from Sweden, It was the hardest thing to concentrate on anything else with either one of them in the room. Having worked with models you get somewhat numb to so-called beautiful women. Not these two.
I agree that the “if you have nothing to hide” crowd is naive. Why won’t you give me your name, address, telephone and social security number when I first meet you? If you won’t because I am a stranger, then why give it to anyone else? The video stores in L.A. have been said to ask for it. The phone company and cellular providers ask for it [they are private corporations, unless you are employed by them they are not going to be putting anything in your retirement account].
Oh and if you tell me they need it [I was writing a book called, “Social Security Numbers: the ignorance of the Law is causing your abuse.”] I personally had home phone service with SBC and Pacific Bell and cellular service with Sprint…WITHOUT GIVING THEM MY SOCIAL SECURITY NUMBER!
I had looked at CounterMail once before and now I really want to dig into it. When I first got my Commodore 64, I too started with an interest in programming…wish I hadn’t got away from it. Now I have an IT guy who loves programming I can turn to. At the suggestion in the above interview I intend to acquire the Codebook and PGP [which have a background in protective services is also long over due]. I am glad you did the interview and glad I discovered it.
First off, you’re welcome. I love interviewing interesting people, and Simon definitely fits the bill.
I completely agree with your last point. I like to think of myself as a fairly open person (it comes with the territory), but you’re right… I don’t simply hand someone my personal credentials the first time I meet them. At that point, it’s really none of their business.
Hi Chad. There is particular concern with regards to your government’s close cooperation with the US government, particularly in the aftermath of the Assange affair shenanigans. With the recent closure of secure mail provider Lavabit after attempting to get strong armed by the US government to give up user data and to allow them to monitor specific user accounts and SilentCircle quickly preempting any interference by also shutting down their services, there are hard questions now about where the physical location of off shore mail servers are hosted and how closely that government works with the US. What sort of reassurances can you give the many Americans seeking a secure mail solution about Swedish Laws and your role in protecting their privacy from their government? Would you comply to a subpoena from your government to turn over user data of Americans?
Do you support payment by Ripple? XRPs
I have found three mistypings in the text, and I hope the encryption is better than the writing:
“when the send stuff over internet”
“I and many other in”
“.How”
None of the above mistypings are due to the fact that the writer probably isn’t using his native language. It’s just mistakes by either the writer or the printer.
An error due to the language factor could be (as an example);
“There are many things, here are some of them:”
The latter doesn’t disturb me to see, which is due to the fact that grammar and editing is a different profession than say computer science.
Mistakes though, makes me wonder about the security of the service provided.
I apologize for any mistypings or other errors that I may have made in my commentaries. Writing nor editing is my profession.
There is always room for improvement, right?
Sincerely
Roger
Slightly ironic that the security add-on he recommends for FF doesn’t let his site Countermail load properly … 🙁
Darren,
You are not understanding his comments and his use of Noscript. no script is the most powerful single tool you should use browsing, hence why TOR uses it as a key ingredient in its large recipe of end to end browsing security aside from the last end node, etc complications.
What he pointed out was to always use Noscript while browsing, allowing trust only to websites that you trust communication from.
You can properly use NoScript and allow a single selection to allow Java to be recognized and used while accessing CM. also note the USB key two step verification. Through that channel you may access CM offline. Cheers!