VFEmail.net - FAQ - Privacy and Security

VFEmail has been asked many question recently regarding Privacy and Security. This FAQ will be updated as new questions are asked and answered.

View The VFEmail User Agreement / Terms of Service / Privacy Policy

What does VFEmail do to maintain our privacy?
VFEmail does not require any sort of identity verification for our accounts. You can even pay by Money Order (for Bronze accounts).
We also provide accounts that will mask your sending IP Address. PGP is another feature provided by VFEmail to encrypt your communication. Our interface is easy to use, and is intended as a stop-gap measure.
We've also introduced the Metadata Mitigator™! This feature creates a new 'envelope sender' for every email you send - mitigating the metadata capturing that has become so prevalent. The 'envelope sender' is not your regular From address, but is primarily used during delivery, and is the data that get's logged on each server your email passes through.

What's an 'envelope sender'? How is that different from one-time use addresses?
Think of email in the same fashion as sending a package via UPS. The message you compose is a 'Proper' letter, formatted like a busines letter with the Sender and Recipient at the top, and the body of the letter below. That letter is then enclosed in a box, or envelope, where the Sender and Recipient are also written on the outside. When you box is sent, each sorting facility see's who the box is from and to, and processes it along it's way - One can look up a UPS tracking number, and see every facility where the box was processed.
Email works the same way. Instead of sorting facilities, you have servers. Each server records the processing of the email. The 'envelope sender' and 'envelope recipeint', the names on the outside of the box, are the pieces of data that are recorded. By automatically creating a unique 'envelope sender' for every email, the privacy invading recording of that information is mitigated. It's still recorded, but is now meaningless for cataloging and 'degree of separation' processing.
VFEmail's implementation is different from one-time use email addresses in that your From address on the letter itself is not changed. When the recipeint reads their email, everything appears normally. Only the processing servers see a different 'sender'. If there is a delivery error, VFEmail is designed to still be able to route that message back to you. If you want a one-time use address, see 'Aliases' in the FAQ.

What do you mean by using PGP as a 'stop-gap' measure?
PGP is a good solution, but using the Webmail interface for PGP stores your private key on the server, and requires you to send your key password to VFEmail. That subjects your encryption key to interception by a third party.

But doesn't SSL protect from that?
It protects from interception during transmission, but not from capture at either end.

Are you referring to NSA information gathering?
Not specifically, though VFEmail supports US government data request efforts when in compliance with Federal Law. Based on previous experience, unless you're the target of the investigation, your information is specifically NOT WANTED by the government. VFEmail strives to maintain a secure infrastructure, but it's always possible an interested 3rd party were to illegally gain access to our servers. In that case, you don't want your encryption methods stored on the server. This is also what makes server-based mailbox encryption useless.

So VFEmail can access anyone's mailbox?
Any service that claims to not have acccess to the data you are storing on it is either lying or incompetent. It may not be as easy as opening a folder or doing an 'ls', but it can be done.
'Company Policy' does not apply here. If you're given a legal request, you must comply unless the request is illegal, or you are physically unable to. Read on to find out why the latter will likely never apply.

VFEmail will, on occasion, run a process to remove known phising emails from user's INBOXes in order to protect our users. That process doesn't scan every single mailbox, it uses specific log data to determine who received those emails, then scans those mailboxes to remove the dangerous content- much like specific virus removal software.

But other services say our data is unreadable.
It's not. The minute you send your password (your key), they can intercept it and use it themselves.

Look at it this way - You buy a safe deposit box at the bank. How do you access it? You walk into the vault with your key and a bank authority who has a key. They unlock the outside, you unlock your specific box. That's secure. What those online services do is equivalent to giving your key to the teller, and waiting in the lobby for them to bring your stuff out. Lavabit and Mega have solutions which are equivalent to forcing the teller to complete an obstable course between the vault and you, but the end result is the same.
The best solutions do not unencrypt your data until it's in your hands. PGP is one way to accomplish this, but is not as secure via WebMail as it is when run on your local client.

VFEmail offers PGP, Why offer it if it's not secure?
It's not the BEST solution, but it does require a password even after the mailbox has been opened. In addition, due to the extra complexity of how PGP works, I would rather users become familiar with it via Webmail, than download an external PGP program, get confused/frustrated and give up entirely. Once users are comfortable with the Webmail interface, hopefully they'll download their keys and use it locally.

Will VFEmail move their servers overseas to protect privacy?
No - but we are now offering mailbox storage on a server in the Netherlands. VFEmail has been operating for over 12 years, and has received subpoenas over that time. NONE of them have ever requested full system access. The most 'invasive' was equivalent to a phone wiretap. Even in that case, VFEmail had to provide assurances that no data other than the target of the investigation would be included. In addition, there is a time limit assigned to the request, and it must be renewed - and approved by a judge. The government doesn't WANT your data - it's illegal and can destroy an entire case. Imagine you're a painter and after a year or more of working on your masterpiece, your told it has to be thrown away because you had too many tools and resources available to you, even though they weren't used. That's what defense lawyers do when US citizens' data is captured illegally or without a proper paper trail.

But Lavabit shutdown..
Most of the below information is not consolidated anywhere else.

Lavabit billed itself on 'Privacy' and received a information request. Link
Lavabit ran custom code, built in-house. Link
Everyone knows Edward Snowden was a user of Lavabit Link
Despite having 'new' hardware Link, Lavabit was having uptime issues Link
Lavabit had not been accepting new users since May Link
Here we see Lavabit was actually sent a regular old request for log data Link, but never provided the data.
And here we see Lavabit refused to hand over metadata for one account, forced an escalation, then offered to comply for $2000. Link Link
Worst of all - the supposed 'Privacy' service, which claimed to not have access to your data, decrypted it regularly "He would log the target.s communications, unscramble them with the encryption keys and upload them to a government server once a day. " Any InfoSec person would expect this to be the case. Company Policy (not normally logging the password) is not a form of security.

VFEmail won't sell you snake-oil, then force you to lose your main method of communicating just to try and make more money.
In fact, How can anyone trust a company to follow their own TOS and Privacy Policy when they don't follow the law? Lavabit has ignored a legal court order (not a questionableFISA order), had their only officer found in contempt of court resulting in the request for SSL keys, and ultimately putting all their customer's email at risk. Violating the law is not the action of a company that should be trusted.

If it's just a wiretap, then why the gag order?
Standard procedure. You don't want your target knowing your monitoring their communications. Besides, Snowden may not be the only one under investigation.
Remember back in school when you told your friend you like that girl/guy? Even if they didn't find out, everyone else knew.

Didn't VFEmail have a similar outage and recover? Why would Lavabit be different?
Unfortunately, yes. While VFEmail had, and still has, a backup plan, the backup server was being rebuilt when the primary began to fail. Even though we were able to 'hack' the backup server back into service, some data was unfortunately unrecoverable.
This may be where Lavabit may have been a little shortsighted - VFEmail migrated to a ZFS based filesystem many years ago, which allows for easy data replication. Many services still use plain old ext3/ext4 filesystem, and running a 'plain' backup is not efficient or effective for hundreds of thousands of mailboxes. We've actually upgraded mailstore servers at least 3 times, with less than a minute of downtime each time. Backup is not only running, but now runs offsite in case of a disaster.
I know of a recent reboot of a hosted Zimbra system, those users had no access for around 8 hours simply because the ext3/4 filesystem ran an fsck on boot because it hadn't done so for a year. Sometimes even great systems have subpar foundations, or implementations.

In your opinion, what's the most secure and private method of handling email?
There are a few things that can be done to minimize your personal exposure. SMTP is over 20 years old, nothing below is groundbreaking.

Due to how SMTP works, you can't eliminate the 'MetaData' logs, so this is where you want to start. These logs will contain a 'From' account, a 'To' address, time/date, and the IP of the machine the email was received from.
-Note- The 'From' account is NOT the From address displayed when you read an email - see our new Metadata Mitigator
A service like VFEmail will mask your IP address, but it can still be recovered through legal means. Using the 'Tor' network is the best bet there.
Use your own email client. Preferrably use one that can separate the From: from the Mail From: - Logs will contain the latter. It's like a postal envelope - You could put 'Santa Claus' on the outside of your envelope as the 'Mail From', but in your letter use your real From address. Your 'From' should be a different account. Then if your recipient's log data is stolen, they will appear to be communicating with two different people. This may not actually be very effective, but wouldn't hurt. Places like RackSpace drop any bounced messages because they don't know the difference between a bounce message and backscatter. Because of this undermining of SMTP standards, the 'Mail From' has become less relevant. Again, see our new Metadata Mitigator.
Use POP, and two email accounts. One to send From, and one to receive mail To:. If you use separate providers, only half of the information will be easily available. Who you're sending 'to' will be harder to track down. The Metadata Mitigator helps here to - each envelope Sender becomes unique - making it more difficult to track.
There's nothing you can do about the To: address, the mail needs to get to that user. Unless your recipient is rotating aliases as well as you. That would make metadata logs less relevant, but a pain in the butt to keep track of.
Most importantly - Use PGP with your own email client. You should store your key on your device(s), under your control. Again, illegal access by a 3rd party could compromise your key, so be very careful of what you open and where you surf.