Mailpile is a relatively rare thing: a software project that looks certain to achieve its crowdfunding goal. The Mailpile Indiegogo campaign is less than $5,000 away from its $100,000 target, still with 22 days left to run, so it’s clearly struck a chord with its close to 2,000 backers. Still, it’s not hugely surprising — given how timely this pro-privacy project is.
So what is Mailpile? It’s an open source webmail client designed to be run on the user’s own computer so they can retain control of their email data. Encryption is also built in, says its privacy-focused creators who are based in Iceland, with support for OpenPGP and S/MIME encryption and signatures. And there’s no ads. Its business model is to start with crowdfunding, and then aim to build a community of users around the software — with those who contribute $23+ per year getting a say in the long term direction of Mailpile. Which seems like a small price to pay for your privacy.
Free consumer webmail was a revelation when it blazed onto the scene, way back in the 1990s — you know, when Hotmail was actually cool. Now, around a decade or so on from that, the dream has arguably gone sour. Google’s lawyers were recently caught arguing that Gmail users have “no reasonable expectation of privacy“. Free of course means you’re paying in other ways — at the most basic level, with your privacy. Your correspondence will be data-mined to determine which ads to push at you so Google can monetise your use of its service.
Add to that, Google — and other webmail providers (Google is of course not the only privacy-infringer here) — are increasingly unifying privacy policies across multiple products so they can build up an even more nuanced view of your digital activity to try and flog you more stuff (or flog data on you to other companies). The tech adage ‘if it’s free, you’re the product’ applies in spades here.
And then there’s the issue of geographical location. Gmail, Yahoo Mail, Outlook et al are all U.S.-based webmail providers, making them vulnerable to the NSA’s mass surveillance program (not that the U.S. is the only nation with heavy-handed security agencies right now, either). Recently two US-based encrypted email services, Lavabit and Silent Circle, shuttered their email services to avoid having to hand users emails over to the NSA. It was a very public admission that hosted ‘secure webmail’ had effectively become an oxymoron.
“Soon we will be back to pen and paper,” wrote The Guardian‘s Editor Alan Rusbridger yesterday, in a story describing how the newspaper’s offices had been visited by U.K. security agency officials who went on to destroy hard drives containing data leaked by Edward Snowden. Sure, you can argue that journalists investigating government surveillance programs should expect even less privacy than the average citizen. But the extent to which privacy in general is being eroded — through systematic surveillance of digital communications, as governments co-opt consumer technology companies as their data-harvesting outposts — should be of serious concern to anyone who cares about the individual’s right to privacy. And the risks posed by a surveillance-obsessed state.
So what’s Mailpile doing about all this? Firstly its creators are aiming to offer an alternative to the webmail behemoths to give users more control over their email data, remove ads from the equation and build in security features. Plus, if the platform gains traction, they hope to put pressure on the usual webmail suspects — to convince them there might be a reason to care about user privacy.
Consumer webmail’s main differentiator — aside from plentiful storage — has been the ability to access email from anywhere with an Internet connection. And that’s not something Mailpile users will have to give up. Its creators note that a user’s local Mailpile can be made accessible over the Internet “by using port forwarding or a tunneling service like PageKite“, albeit you’ll need to be running it on a machine that’s normally switched on to ensure access (a Raspberry Pi could work nicely for this).
They also note it is also possible to host Mailpile on a VPS — albeit, that means there is a risk of your data being access by others (e.g. hackers, VPS provider technicians, or via law enforcement subpoena of your VPS’ hard drive). ”For these reasons, most security professionals would strongly advise against storing your encryption keys or processing sensitive data on a VPS. But it really depends on your “risk model”, as the cryptogeeks like to say,” they note.
That said, they argue Mailpile hosted on VPS would still require an attacker to make a “dedicated effort” to get at to your data vs the “wholesale mass surveillance enabled by centralized proprietary web-mail”.
Current designs of the Mailpile interface offer a refreshingly clean-looking interface vs all the usual proprietary webmail clutter (see below). Plus they have some neat feature ideas in the pipeline, including the ability to browse photos that have been emailed to you like a photo album; a delay sending email feature; and inbound email sender verification.
The initial Mailpile client is being developed for Linux and Mac, but they are also planning to get it running on Windows once the project gets funded. Their goal is to get a stable first release of the software ready to go next summer. Donations to the project can start at $1, but $23 or more makes you an official member of the Mailpile community with a say in its development.