More Reasons To Shun Webmail and Use XMPP
This is a follow-up to an earlier entry about webmail and why I was ditching it. Also recommended: Thunderbird and GPG.
I had set up a computer for someone I know in real life. I hid Internet Explorer, installed Firefox and Opera, and set things up to generally block things from domains other than the one the person had gone to. You know, just the basics that everyone’s computer should be set up to do.
I get called over because “Gmail doesn’t work.” They did a site redesign, but I never see the site because I don’t use webmail. It turned out that part of the problem was that Google added more domains, and downloading an attachment caused it to be sent from a different domain, which was blocked. The rest of the problem was that the new layout is not friendly to those users who have both high volumes of current messages and large backlogs of stored messages.
This sparked thought about the problems that webmail causes, which those of us who use clients do not see.
Not My Problem: I Do Not Use Webmail
I did discover that I still had some Yahoo Mail accounts from as far back as 1997. Since Yahoo does not support client access (except for paid accounts, I believe), I have no reason to ever use them, so I’ve closed 75% of them and have started clearing out all connections to the last one.
Best of all, I can use GPG signing on the one account for which I still remember my passphrase.
If you read yesterday’s entry and followed the link to Thistleweb’s original post, you’re starting to understand that encryption is foundational to the establishment and preservation of computer and online freedoms. I do not have any inside information, but I assume that there is some government agency which can, with reasonable effort, crack any encryption you and I might use. Encrypting your communications may dissuade most agencies from “fishing expeditions,” but once you’ve gotten priority attention, they’ll know in an hour or two what you’ve been saying.
One reason we should be encrypting our communications is that the corporations who act as hubs for our data typically offer to handle that data for zero-price, in exchange for advertising. Advertisers, in turn, want more and more of your personal information, sometimes including the content of your communications, in order to target their ads at people who are going to be interested. Personally, I do not believe it works very well. An ultra-targeted advertisement is spooky, and tends to chase people away. Be that as it may, once all the sporting goods chains have a copy of your plan to go skiing next December, you have no clue what they will do with that information. As privacy policies may be changed at any time without notice, they are not worth the paper they are written on.
Now imagine if you and your friends use PGP or GPG in your client, so that your mail service cannot read your messages. That means that the mail service cannot sell or rent that information to their advertising partners, and that sporting goods stores and home security alarm companies won’t be calling you with their offers. It means that the mail service’s director’s nephew won’t show up and ask your boss to “temporarily” assume your job during a trip that your boss does not yet know about. It means that the Keep Snow Pretty Coalition will not show up at your door (and your workplace) to protest your plan to fill some snow with ski tracks.
Now, that is all exaggerated, but the fact is, any information an organization collects will eventually be stored; any information an organization stores will eventually be misused. Encryption is your tool to help prevent the misuse or abuse of your information, and webmail is not designed for end-to-end encryption, but instead to allow the service provider to access, utilize, and present your data as they see fit.
I should add that most proprietary instant messaging services have similar issues. First of all, many of them are presented inside the service provider’s webmail service. That means that everything you send may be subject to monitoring (even after-the-fact monitoring, depending on how long the service stores messages), just like your e-mail. Their client applications are likewise advertising tools, although I’ve never seen any indication that IM contents are being fed to advertisers for targeting purposes.
Instead, I’ve found that I prefer to use Jabber / XMPP. XMPP does not have a central service provider, although Gmail / Google Talk instant messaging and Facebook’s IM are both said to be powered by XMPP. There are plenty of public providers, such as Jabber.org, Tigase.im and comm.unicate.me. One of the most important things you should do is ensure the client software you use supports both encrypted connections to the server and especially OTR. With OTR, you have some assurance that your messages are going to the correct person, with no one else reading them.
Special thanks to DuckDuckGo. When writing these posts, working the duck really helps my research.