ETHICmail is a secure email service that aims to resist mass and unlawful surveillance orders. ETHICmail secures your connection to its servers with SSL Perfect Forward Secrecy and 4096-bit digital certificates, and stores your data with its proprietary SecureStorage AES 192-bit encryption engine. Bear in mind that forward secrecy comes from the ephemeral key exchange (ECDHE or DHE), not from the certificate's key size: a 4096-bit certificate used with a plain RSA key exchange gives no forward secrecy at all.
One ETHICmail feature I have not seen elsewhere is an emergency remote full wipe of your email messages, triggered by sending an SMS code from your mobile phone to your account. ETHICmail also has a specialist legal team that reviews and challenges unfounded surveillance orders; Gmail claims to have that too, so I would not call it unique, but ETHICmail does notify the individual when a warrant is served against them whenever it is legally possible.
The ETHICmail login page has a banner at the top listing a help phone number in Switzerland and showing how many surveillance warrants have been served on them to date, broken down into interception and data seizure warrants.
Their email interface is clearly a customised cPanel UI, offering Horde, RoundCube, SquirrelMail and ETHICmail logins, each with a different layout; if you have used cPanel before you will feel at home. If you wish, you can use your own domain name, which is easy to add, as the ETHICmail customer panel is based on WHM, the standard web host manager deployed by most hosting companies.
Your emails are kept encrypted at rest with ETHICmail SecureStorage, but you have to encrypt messages yourself before sending them; unlike Hushmail or Countermail, ETHICmail does not do this for you, so you need to be familiar with PGP and manage the whole process, key management included, on your own.
ETHICmail headquarters are in the Seychelles, a very privacy-friendly jurisdiction, but I found out that part of their staff is based in Gibraltar, a territory under British law. Britain being the NSA's closest partner and a country where mass surveillance is routinely carried out with full government support, I wasn't exactly thrilled. I am not sure how having the distribution offices under UK jurisdiction affects legal subpoenas.
A disturbing problem with ETHICmail is that the company says it only accepts 10 types of surveillance orders, but these range from terrorism to copyright infringement. Taken together, the accepted interception orders cover every kind of crime, from the most severe to the most minor.
I don't believe that any email service should help break the law, but when you start accepting surveillance orders for crimes that do not even carry a prison sentence, what is the point of paying extra for a self-proclaimed "legally resistant email service"? Not surprisingly, law enforcement has been known to lie, and there is no way ETHICmail can know whether the copyright infringement really occurred or whether it was made up by a spy agency to get hold of the data.
Positive ETHICmail points: emails are stored encrypted with your own private key, to which the company has no access (they claim to be unable to recover encrypted data); you can wipe your account remotely with an SMS message; and there is an IP address restriction that lets you whitelist which computers can access the account.
Negative ETHICmail points: part of their business is on British soil, they do not provide automatic OpenPGP encryption when you send email as some of their competitors do, and prices are very high. The ETHICmail legal assistance add-on, worth thousands of dollars, is only affordable to big corporations.
If you are an individual, you can find better prices and features at Countermail, Hushmail or AnonymousSpeech. If you are a corporation with a huge budget you may want to consider ETHICmail, but having to manage OpenPGP keys yourself would bother me, because the average employee does not have a clue about PGP, and without it you are open to illegal in-transit email wiretapping (TLS only protects the hop to ETHICmail's servers; once a message leaves for another provider it is as exposed as any other email). Another big blunder is that the interface is not mobile friendly.
Ricardo Fernandez
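The review above takes the "SSL Perfect Forward Secrecy" claim at face value. The following is an added example, not code from the review or from ETHICmail, showing how a practitioner would check the claim for any provider: it classifies OpenSSL cipher descriptions by their Kx (key exchange) field, splits the local default cipher list by forward secrecy, builds a client context that refuses non-ephemeral suites, and optionally connects to a host to report what was actually negotiated. The sample cipher descriptions are constructed for the offline demonstration; the host and port passed on the command line are placeholders you supply.

```python
import re
import socket
import ssl
import sys

# Constructed sample cipher descriptions in the format produced by
# `openssl ciphers -v` and by ssl.SSLContext.get_ciphers()[i]["description"],
# so the classifier can be exercised without a network connection.
SAMPLE_DESCRIPTIONS = [
    "TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD",
    "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD",
    "DHE-RSA-AES128-SHA TLSv1 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1",
    "AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1",
    "ECDH-RSA-AES128-SHA TLSv1 Kx=ECDH/RSA Au=RSA Enc=AES(128) Mac=SHA1",
]

_KX_RE = re.compile(r"\bKx=(\S+)")
_AU_RE = re.compile(r"\bAu=(\S+)")

# Kx values that denote an ephemeral key exchange. OpenSSL prints ECDHE as
# "Kx=ECDH" and DHE as "Kx=DH"; the static (non forward-secret) variants print
# as "Kx=ECDH/RSA" or "Kx=DH/RSA". TLS 1.3 suites print "Kx=any" because every
# TLS 1.3 key exchange is ephemeral.
_EPHEMERAL_KX = {"ECDH", "DH", "any"}


def forward_secret(description: str) -> bool:
    """True if the cipher uses an ephemeral key exchange.

    With Kx=RSA the session key is encrypted to the certificate's RSA key, so a
    recording of the session can be decrypted if that key is ever exposed; the
    certificate size (4096 bits or otherwise) does not change that.
    """
    m = _KX_RE.search(description)
    if m is None:
        raise ValueError(f"no Kx field in cipher description: {description!r}")
    return m.group(1) in _EPHEMERAL_KX


def authenticated(description: str) -> bool:
    """False for anonymous suites (Au=None): forward secret, but trivially MITM-able."""
    m = _AU_RE.search(description)
    return m is not None and m.group(1) != "None"


def classify_samples() -> dict:
    """Map each constructed sample's cipher name to its forward-secrecy verdict."""
    return {d.split()[0]: forward_secret(d) for d in SAMPLE_DESCRIPTIONS}


def split_default_ciphers():
    """Partition this Python build's default client cipher list by forward secrecy."""
    ctx = ssl.create_default_context()
    fs, non_fs = [], []
    for c in ctx.get_ciphers():
        (fs if forward_secret(c["description"]) else non_fs).append(c["name"])
    return fs, non_fs


def forward_secret_context() -> ssl.SSLContext:
    """Client context that refuses to negotiate any non-ephemeral TLS 1.2 suite."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL:!eNULL")
    return ctx


def check_host(host: str, port: int = 993, timeout: float = 5.0):
    """Connect (network access required) and report the negotiated cipher.

    Uses the permissive default context on purpose, so a server that prefers
    RSA key exchange is reported as such rather than hidden by client policy.
    Returns (cipher_name, protocol, is_forward_secret).
    """
    ctx = ssl.create_default_context()
    by_name = {c["name"]: c["description"] for c in ctx.get_ciphers()}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, proto, _bits = tls.cipher()
    return name, proto, forward_secret(by_name[name])


if __name__ == "__main__":
    for name, fs in classify_samples().items():
        print(f"{name:32} forward secret: {fs}")
    if len(sys.argv) > 1:  # e.g. python check_pfs.py imap.example.com 993 (placeholder host)
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 993
        print(check_host(host, port))
```

Run it against the provider's IMAPS (993) and POPS (995) endpoints as well as the webmail port; a forward-secret webmail login says nothing about the mail ports. Note also that this only covers the hop between your client and the provider: once a message is relayed to another provider, its protection depends on that next hop, which is exactly why the review asks for end-to-end OpenPGP.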
Dear Hacker10,
We want to thank you for your honest review, any constructive criticism can only help us offer a better service. ETHICmail is a complex product given its legal and technical dimensions, and we are grateful you offer us the opportunity to clarify some points:
– Absent mobile UI: It is a temporary design choice because mobile devices are prone to leak information. We are currently discussing the development of an Android and iPhone app which would integrate strong security and ephemeral storage. In the meantime, mobile users who trust their smartphone can use ETHICmail's IMAPS and POPS services with any common email client.
– ETHICmail is better suited for companies than individual users: Correct. We designed the services over a customized cPanel platform to maintain a familiar interface for administrators, and to ease the migration of large volumes of existing emails stored in maildir format.
– Gibraltar: ETHICmail's overall structure is the result of a careful analysis of the demise of Lavabit, Silent Circle, PrivateSky and other secure email services. Massive Logics Ltd in Gibraltar only handles distribution, while Massive Logics Corp in the Seychelles owns ETHICmail and operates datacenters which are each located under a further, separate jurisdiction. This distributed organization improves the resilience and continuity of the service in case of hostile actions.
– Concern about mass surveillance: INTEL and SIGINT agencies don’t care about legislation. ETHICmail cannot oppose entities which do not respect the law, enjoy unlimited human and financial resources, and operate under the protection of a government. Every web service operates under this threat, including all other email providers.
– Client-to-client encryption: We can only guarantee full confidentiality within the infrastructure we know and control, therefore only when the messaging takes place entirely within ETHICmail accounts. In this context, we believe that users performing client-side encryption in addition to the automatic SecureStorage encryption prefer to implement their own independent confidentiality scheme. This independence would obviously suffer if the client-side encryption capability depended on an ETHICmail component, which is why we let users handle this aspect with their own tools.
– Intellectual Property infringements: ETHICmail is not exactly a platform suited to the exchange of illegally obtained entertainment material; there are plenty of other places for that. Every undue transmission of reserved information might constitute an infringement of Intellectual Property. IP infringements can be committed in the context of industrial espionage, trade secret revelations, insider information disclosures and other similar offenses which can cause great damage. It would have been misleading not to include IP infringements in our interception warrants list.
– Motivations of Interception warrants: It is true that ETHICmail cannot control whether a lawful interception warrant is based on false information. However, our attorneys can help a customer who has been the object of an interception to discover the allegations which were presented to obtain the warrant. Therefore, at the victim's discretion, the possible misuse of an interception warrant does not remain without consequences.
– Cost of Legal Information Assistance: The Legal Information Assistance, which allows the details of an Interception Warrant to be investigated, can be included as an add-on and is priced according to the size of the corresponding ETHICmail package. The yearly coverage can run as low as $57.60 for our smallest Bridge package, or $144 for the Entry package. It is incorrect to state that the Legal Information Assistance costs thousands of dollars and is only affordable by big corporations.
– Concern about email wiretapping during transit: When used as intended (messaging entirely contained within ETHICmail), our service is not vulnerable to transit wiretapping because all our SSL connections enforce Perfect Forward Secrecy and 4096-bit certificates. The decryption of replayed saved traffic is not possible even if our certificates were later exposed.
– What information is confidential, and for whom? Usually, for an encrypted communication to take place, the participants must agree on the method and act accordingly. Additionally, the perceived sensitivity of a given piece of information is not necessarily the same for all participants. SecureStorage solves these issues by allowing each user to define which communications are sensitive independently of the criteria of the other participants, which allows encrypted versions of received messages that were not originally encrypted by their sender to be saved automatically, or encrypted versions of sent messages to be saved automatically without requiring the recipient to agree on a common encryption scheme.
– Compelled key disclosure: Is it worth performing client-side encryption and storing emails locally if you can be coerced into revealing your encryption keys? In several countries, the law includes provisions punishing refusal to reveal encryption keys with jail. In the USA, compelled key disclosure depends case by case on the judge's opinion. ETHICmail advises users to perform client-side encryption and locally store encrypted material only in privacy-friendly jurisdictions, and otherwise to leave the encrypted material on ETHICmail servers.
The ETHICmail Team