Moving to another email service: some reflections
Before we start
- Opinions are my own and not the views of my employer.
- This write-up does not endorse any email provider, nor am I being compensated for creating it.
- Thank you, B. M. and K. for reviewing this text!
Introduction
Email is sometimes considered an old-fashioned communication medium. Many of its uses have been gobbled up by social media, messaging and (video)calling. Even so, it remains surprisingly prominent in day-to-day life. Think of:
- official communication with authorities, financial institutions or local businesses.
- ordering your latest gadget or booking a flight.
- registering for an online service or resetting a forgotten password.
- setting up a new smartphone.
Scenarios like these suggest that we should not discard email as a relic of the past just yet.
Email services are commoditised, so that one might think they are as interchangeable as utility companies. Even with lower switching barriers than for centralised services like social media, you may still find yourself locked in when you:
- are using features that are proprietary or bundled with the email service.
- need to identify and notify people with whom you want to keep in touch.
- have to provide your new address to services you have subscribed to in the past.
This write-up summarises reflections about my own email switch. Even though many of them are also relevant in a corporate context, the focus here is on private email use.
Objectives
Throughout this exercise we will be pursuing the following objectives:
- Decrease vendor lock-in and switch seamlessly in the future.
- Improve user experience, interoperability and ease of maintenance.
- Increase privacy and decrease related trust in the email service and in 3rd parties.
- Increase security and decrease related trust in the email service and in 3rd parties.
Measures
The measures in this section help us achieve the previous objectives. Individual needs differ, so you may care about all or some measures, in varying degrees of importance.
No Non-Standardised Features
Dependence on simple features like a snooze function or a to-do list can cause friction when you switch between email providers. It is a good idea to find alternatives that are not tied to the service itself.
No Service Concentration
Some providers offer a great many services alongside email. Think of storage space, (video)calling, an office suite or even a broadband connection. To switch more easily, consider:
- decoupling your mailbox from everything else. This enables you to switch, but it does not get rid of the service concentration. Similar work will be needed next time you move a service to another provider.
- spreading the services you use across multiple providers, as a general rule.
Service concentration also means a lot of your data is in the same basket:
- The provider has the technological capability (not necessarily the practice or policy) to track, profile and surveil you.
- More of your data could be exposed if the provider were to be breached.
Both data breaches and online surveillance are common.
Use a Custom Domain
A custom domain provides the flexibility to move to another email service without the need to notify your contacts or to update accounts that depend on that email domain.
Use Authoritative Data Sources
Ensure you can give trusted mobile and PC apps access to a single source of contacts and calendars. This prevents data silos and duplication.
Also be aware that some provider-specific email apps do not give other apps access to their content, making it difficult to:
- switch to another calendar or contacts app.
- read contacts and calendars for a rich user experience. For example: your navigation app may want to access the address of a friend to save you the effort of entering it yourself.
Use Standardised Protocols
IMAP, CalDAV and CardDAV are examples of (de facto) standards for email, calendars and contacts. Even though they are a bit old, they provide a convenient way to:
- manage and synchronise contacts, calendars and emails consistently across devices.
- import and export data. Some providers also have proprietary import-export functionality.
Maintain a Work-Life Boundary
Work and private communications are treated and regulated differently in many countries. So why not use separate mailboxes, calendars and address books for each? Not doing so might:
- blur the line between work and private life.
- result in the loss of personal info when switching employers.
- leak confidential employer info when using a private mailbox.
- violate privacy expectations when using a work mailbox.
Create a Privacy and Security Threat Model
Before implementing any security or privacy measure, you should decide what "security" and "privacy" mean to you. What is your threat model? Methodologies for threat modelling are beyond the scope of this article, but here are 5 basic questions you should ask yourself:
- What do I have that needs protecting? In our email scenario this includes:
  - your mailbox and the accounts associated with your email address.
  - your custom domain name, if you have one.
  - the devices you use to check your email.
  - backups: these are often overlooked.
- Who or what do I want to protect it from?
- How likely is it that I will need to protect it?
- How bad are the consequences if I fail?
- How much trouble am I willing to go through to prevent these consequences?
The answers to questions 2-5 depend on your personal requirements and context.
Analyse Security Basics
Read up on the security practices of the email service. Lack of support for basics like multi-factor authentication is a red flag: you might end up with a semi-dormant or abandoned email service.
Use Trusted Devices
Only check your email on personal devices you control and trust. Keep them secure, regardless of platform or form factor.
Practice Email Security Hygiene
Stay up to speed on how threats evolve and what you can do as an end user. Sometimes awareness and good reflexes can make all the difference.
Use a Password Manager
Passwords are a drag on user experience: there is a limit to the number and complexity of passwords we can remember. Password managers can help in several ways. They come with a learning curve and a time investment, but the reward outweighs the effort.
At some point you will also need to replace your old address with your new one in associated accounts. Identifying each affected account can be challenging: in 2015 the average US mailbox had 130 online accounts associated with it. A password manager contains precisely this list of accounts: if you have been using it rigorously, you have a head start over people who have not.
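As an added illustration of that head start (this is example code written for this write-up, not a feature of any password manager), the script below reads a password-manager CSV export, lists every account still registered under the old address, and orders them so that the accounts with the highest impact of a takeover come first. The export layout (name, url, username), the sample rows and the risk tiers keyed on hostname keywords are all assumptions; adapt them to your own export and threat model. Plus-addressed aliases such as user+shop@domain are folded back to the base address, so registrations made with per-site aliases are found as well.

```python
"""Added example: audit a password-manager export for accounts that still use
the old email address and rank them by assumed risk. Column names, sample rows
and the risk keywords are assumptions, not the article's or any vendor's."""
import csv
import io
from urllib.parse import urlparse

# Constructed export (sample values, not real accounts). The password column is
# deliberately absent: this audit needs only the login name and the site.
SAMPLE_EXPORT = """name,url,username
Bank,https://login.bank.example,old.address@oldmail.example
Tax portal,https://tax.gov.example,Old.Address@oldmail.example
Online shop,https://shop.example,old.address+shop@oldmail.example
Forum,https://forum.example,othernick
Social,https://social.example,old.address@oldmail.example
"""

# Assumed tiers. Whoever controls a recycled or compromised old address can
# trigger password resets, so financial and identity-related accounts go first.
HIGH_RISK_HINTS = ("bank", "gov", "tax", "insurance", "pay")
MEDIUM_RISK_HINTS = ("shop", "store", "social", "mail")


def normalise(address):
    """Map 'User+tag@Domain' to 'user@domain' so plus-addressed aliases match."""
    addr = address.strip().lower()
    if "@" not in addr:
        return addr
    local, _, domain = addr.partition("@")
    return local.split("+", 1)[0] + "@" + domain


def risk_tier(host):
    """0 = update first, 2 = update last; purely keyword based (assumption)."""
    h = host.lower()
    if any(hint in h for hint in HIGH_RISK_HINTS):
        return 0
    if any(hint in h for hint in MEDIUM_RISK_HINTS):
        return 1
    return 2


def accounts_using(export_csv, old_address):
    """Return (tier, host, name) for each account registered with old_address,
    sorted so the riskiest accounts come first."""
    target = normalise(old_address)
    hits = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        if normalise(row.get("username") or "") != target:
            continue
        host = urlparse(row.get("url") or "").hostname or row.get("name", "")
        hits.append((risk_tier(host), host, row["name"]))
    hits.sort()
    return hits


def update_order(export_csv, old_address):
    """Just the account names, in the order you would work through them."""
    return [name for _, _, name in accounts_using(export_csv, old_address)]
```

Run `update_order(SAMPLE_EXPORT, "old.address@oldmail.example")` against the constructed export and the bank and tax portal come out ahead of the shop and the social network; the forum, registered under a different login, is not listed at all.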
Information Management and Data Protection
Retention rules and periodic clean-up: do you really still need that shopping confirmation from 5 years ago? What about all those automated social media mails? Doing a regular clean-up can be useful. A lot of it can be automated if the rules are well-defined. In the EU for example, there is little reason to keep an invoice beyond the legal warranty period of 2 years.
Using the right tool for the right task. Email is often "abused" for purposes it was not designed for, like persistent file storage, project management and document management.
Prefer an email service with encryption of data at rest. Be aware, however, that there are implementation-specific tradeoffs:
- you may not be able to perform a full-text search on your emails.
- you and your recipients may have to deal with the complexity of key management.
Just like any other data you care about: take backups! Given a convenient tool and time schedule, backups do not have to be cumbersome.
The benefits you can expect are:
- In case of a data breach: less data exposure and the capacity to bounce back quickly.
- Higher productivity and a better user experience.
- Fewer opportunities for the email service to track, profile and surveil you.
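The three points above about standard protocols (import and export over IMAP), well-defined retention rules and backups can be combined in one small script. The following is an added example written for this write-up, not a tool the article recommends: it downloads a folder over IMAP into a local mbox file (the standard, tool-independent format), then deletes from that archive only the messages that match an explicit rule and have passed its age limit. The host, credentials, folder name, sender patterns and age limits are assumptions; the offline walk-through at the end uses four constructed messages instead of a live mailbox.

```python
"""Added example, not from the article: back up a mailbox over standard IMAP
into a local mbox file, then apply well-defined retention rules to it.
Host, credentials, folder and the rule set are assumptions for illustration."""
import email.message
import email.utils
import imaplib
import mailbox
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone


def fetch_all_messages(host, user, password, folder="INBOX"):
    """Download every message in a folder as raw RFC 822 bytes over IMAP/TLS.
    Needs network access, so the offline demo below does not call it."""
    raw = []
    with imaplib.IMAP4_SSL(host) as conn:
        conn.login(user, password)
        conn.select(folder, readonly=True)  # read-only: a backup never changes the server copy
        status, data = conn.search(None, "ALL")
        if status != "OK":
            return raw
        for num in data[0].split():
            status, parts = conn.fetch(num, "(RFC822)")
            if status == "OK":
                raw.append(parts[0][1])
    return raw


def archive_to_mbox(raw_messages, path):
    """Append raw messages to an mbox file; returns the number stored."""
    box = mailbox.mbox(path)
    try:
        for raw in raw_messages:
            box.add(raw)
        box.flush()
    finally:
        box.close()
    return len(raw_messages)


# Assumed rules: (description, regex on the From header, maximum age in days).
# Anything that matches no rule is kept; undated mail is also kept.
RETENTION_RULES = [
    ("social media notifications", r"@(notifications\.)?(facebook|twitter|linkedin)\.example$", 30),
    ("order confirmations", r"@shop\.example$", 730),  # 2-year warranty period
]


def expired_messages(path, now):
    """Return (key, rule description, subject) for every message whose rule's age limit has passed."""
    box, expired = mailbox.mbox(path), []
    try:
        for key, msg in box.items():
            sender = (msg.get("From") or "").lower()
            date_header = msg.get("Date")
            if not date_header:
                continue
            try:
                sent = email.utils.parsedate_to_datetime(date_header)
            except (TypeError, ValueError):
                continue
            if sent.tzinfo is None:
                sent = sent.replace(tzinfo=timezone.utc)
            age_days = (now - sent).days
            for description, pattern, max_days in RETENTION_RULES:
                if re.search(pattern, sender) and age_days > max_days:
                    expired.append((key, description, msg.get("Subject")))
                    break
    finally:
        box.close()
    return expired


def purge(path, keys):
    """Delete the given messages from the archive; returns how many remain."""
    box = mailbox.mbox(path)
    try:
        for key in keys:
            box.remove(key)
        box.flush()
        return len(box)
    finally:
        box.close()


def _constructed_message(sender, subject, sent):
    """Build a sample message (constructed data, not real mail)."""
    m = email.message.EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "me@example.org", subject
    m["Date"] = email.utils.format_datetime(sent)
    m.set_content("constructed body")
    return m.as_bytes()


def run_demo():
    """Offline walk-through: archive four constructed messages, then apply the rules."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    path = os.path.join(tempfile.mkdtemp(), "backup.mbox")
    stored = archive_to_mbox([
        _constructed_message("noreply@notifications.facebook.example", "You have 3 new notifications", now - timedelta(days=45)),
        _constructed_message("orders@shop.example", "Order #1234 confirmed", now - timedelta(days=900)),
        _constructed_message("orders@shop.example", "Order #5678 confirmed", now - timedelta(days=100)),
        _constructed_message("friend@example.net", "Dinner next week?", now - timedelta(days=400)),
    ], path)
    expired = expired_messages(path, now)
    remaining = purge(path, [key for key, _, _ in expired])
    return {"stored": stored, "expired": expired, "remaining": remaining}
```

In the walk-through, `run_demo()` archives four messages and removes exactly two: the 45-day-old social media notification and the order confirmation older than two years. The recent order and the personal mail from a friend match no rule and stay. For a real mailbox, replace the constructed messages with `fetch_all_messages(...)`, keep the IMAP selection read-only as shown, and review the output of `expired_messages` before calling `purge`.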
Check the Legal and Business Context of the Email Service
There is no such thing as a free lunch: understand the business model and financial incentives behind the email service. Also read up on its privacy jurisdiction(s), policy and reputation. This will prevent false assumptions and misplaced trust.
Scrutinise Mobile App Permissions
Be critical and selective when giving mobile apps access to contacts, calendars and emails. Some uses are legitimate, but the privacy practices of many apps are problematic. They range from data exfiltration and tracking to full-blown surveillance.
Anti-Spam and Anti-Spoofing
To prevent spam, spoofing, phishing and malware attempts, use measures like:
- a spam filter that can be trained, complemented by well-chosen email rules.
- a disposable email address or email alias for each online registration.
- SPF, DKIM and DMARC, if you own or manage a domain.
- blocking remote content from loading automatically.
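For the custom-domain case, the weak spots are usually in the records themselves rather than in whether they exist. The linter below is an added example written for this write-up (not a published tool, and not endorsed by any provider): it takes the SPF, DKIM and DMARC TXT records you have looked up for your domain (for instance with `dig TXT example.com`, `dig TXT <selector>._domainkey.example.com` and `dig TXT _dmarc.example.com`) and reports settings that leave spoofing unpunished, such as a neutral or permissive `all` in SPF, an empty or test-mode DKIM key, or a DMARC policy of `none` with no reporting address. The two record sets at the bottom are constructed: one shows the weak configuration and one the corrected form.

```python
"""Added example, not part of the article: lint SPF, DKIM and DMARC TXT records
for weak settings. Record values below are constructed samples; the DKIM key is
a labelled placeholder, not a real public key."""
import re


def parse_tags(record):
    """Split a 'k=v; k2=v2' style record (DKIM, DMARC) into a dict of lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("SPF: '+all' authorises any host to send as your domain")
    elif last == "?all":
        findings.append("SPF: '?all' is neutral; receivers will not reject spoofed mail")
    elif last not in ("-all", "~all"):
        findings.append("SPF: no terminal 'all' mechanism; end the record with '-all' or '~all'")
    if any(t.lower().lstrip("+-~?") == "ptr" for t in terms):
        findings.append("SPF: 'ptr' mechanism is deprecated by RFC 7208")
    # Mechanisms and modifiers that cost a DNS lookup; RFC 7208 allows at most 10.
    lookups = sum(1 for t in terms
                  if re.match(r"^[+\-~?]?(include:|a$|a[:/]|mx|exists:|redirect=)", t.lower()))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10")
    return findings


def check_dkim(record):
    tags = parse_tags(record)
    findings = []
    if tags.get("v", "DKIM1").upper() != "DKIM1":  # 'v' is optional but must be DKIM1 if present
        findings.append("DKIM: unexpected version tag")
    if not tags.get("p"):
        findings.append("DKIM: empty 'p=' means the key is revoked; nothing signed with this selector verifies")
    if "y" in tags.get("t", "").split(":"):
        findings.append("DKIM: 't=y' testing flag is set; receivers may ignore failures")
    return findings


def check_dmarc(record):
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record must start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: missing or invalid 'p=' tag")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no 'rua=' address, so you receive no aggregate reports")
    return findings


def lint_domain(spf, dkim, dmarc):
    """All findings for one domain; an empty list means nothing weak was spotted."""
    return check_spf(spf) + check_dkim(dkim) + check_dmarc(dmarc)


# Constructed record sets (example.org is a reserved documentation domain).
WEAK_RECORDS = {
    "spf": "v=spf1 include:mail.example ?all",
    "dkim": "v=DKIM1; k=rsa; t=y; p=",
    "dmarc": "v=DMARC1; p=none; pct=50",
}
CORRECTED_RECORDS = {
    "spf": "v=spf1 include:mail.example -all",
    "dkim": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.org",
}
```

`lint_domain(**WEAK_RECORDS)` returns six findings (neutral SPF, revoked and test-mode DKIM key, monitor-only DMARC at half coverage with no reports), while `lint_domain(**CORRECTED_RECORDS)` returns none. The checks are deliberately syntactic: they do not resolve `include:` targets, so the lookup count is a lower bound, and a clean result says the records are not obviously weak, not that they are right for your mail flow.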
Preserve Your Old Email Address
Maintain your old email address and keep it secure for a couple of years:
- There is a risk of identity theft if the old email service has a policy of recycling inactive addresses.
- An old account may be compromised if its security is neglected.
Additional remarks
- Expect the switch to be a gradual transition, not a big bang. After an intensive first week, you will come up with many things to do over the next couple of months. Most likely you will be using your old and new mailbox alongside each other for a while.
- Before diving into it: decide on the order and importance of actions. Do first things first: scope creep is always around the corner.
- Rather than updating your address at all associated online accounts at once, it is worth prioritising the accounts with the highest risk.
- The real-life scope of the switch may turn out more limited than first thought: many communications have already moved to social media, messaging and (video)calling apps.
- Switching calendars is relatively easy, compared to email. There is no need to notify any contacts. Aside from web interfaces, feature sets are also quite similar across providers.
Lead Expert at BWI GmbH
4 years Interesting and comprehensive view from a person concerned. With this massive amount of e-mails sent, we need to have additional perspectives and views on one of the oldest services on the internet. Thank you Faysal.
Cybersecurity, crypto & certification
4 years Nice work! Comprehensive and lucid explanation.