In the modern world, privacy is becoming increasingly rare. Conglomerates like Google, Microsoft and Meta are watching your every move to profit off your daily activities. One of the best changes you can make to improve your day-to-day privacy is to move your email to an encrypted mail service. Services like ProtonMail and Tutanota are among the most popular services out there, but here comes a new challenger: PrivateMail!
PrivateMail is an "encrypted" private email service brought to you by the people at TorGuard. TorGuard is sketchy and very hypocritical (check out one of my previous VPN articles to find out why), but that story is for another day. This article focuses on the incompetence of PrivateMail's developers and how blatantly they mislead their customers.
Plaintext Password Transmission
PrivateMail claims to be a secure, "hacker-proof" and end-to-end encrypted email provider on its various pages:
Private Mail is secure and protects you from all forms of web attacks such as data leaks, Man in the Middle Attacks and other online exploits. Your data and contents can never be altered maliciously due to powerful end to end encryption. Our team constantly audits Private Mail's systems to provide our clients the most secure experience possible.
Source: PrivateMail Homepage
This encryption protects your data so well that not even anyone at PrivateMail will know a thing. We're just as locked out of your email as the rest of the world.
File content is transmitted to the server in encrypted form only, and encryption keys are never transmitted to the Private-Mail server at all. Thus, it would be impossible for us to view, or decipher any of your encrypted files since only you hold the key.
However, their API calls on their login and "registration" pages say otherwise.
Before we dive into why PrivateMail's encryption is bogus, let's go over some of the basics of user data storage.
When storing user data on unencrypted services, users' passwords are transmitted to the server in plaintext and then hashed before being stored in the database. Hashing the password produces a representation that cannot be reversed but can still be compared against a plaintext candidate. For example, let's say my password is "123". The server receives this in plaintext and then computes a long string, like "202cb962ac59075b964b07152d234b70". The hashing step cannot be reversed, provided the server discards the plaintext password and stores only the hashed version. The user has no way to verify this; it requires trusting the server. Users must trust that the server is not actually storing their plaintext passwords.
This process is a little different in end-to-end encrypted contexts, where the user's password is the key to all of their encrypted data. Instead of hashing being done server-side, it is done on the client side (the user's device). Services like ProtonMail and Tutanota compute a hash client-side from your password and other data, like encryption metadata. The server only ever receives a derived value for authentication. The server cannot intercept and grab the user's password in transit, and it cannot process or store the plaintext password, because it never receives it in the first place.
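To make the difference concrete, here is an added example (not PrivateMail's, ProtonMail's or Tutanota's code) that puts the two models side by side: a login request that carries the raw password and is hashed by the server, and a login request where the client stretches the password itself, keeps half of the result as its mailbox encryption key, and sends only the other half. The PBKDF2 parameters, the 32/32 split of the derived material, and the salt values are assumptions made for this illustration, not any provider's real settings.

```python
"""Added example: server-side hashing vs client-side key derivation.
Everything below is illustrative; no real provider's parameters are used."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 200_000  # assumed work factor for the example


# ---- Model 1: the plaintext-password model the article describes ----

def plaintext_login_request(username: str, password: str) -> dict:
    """What crosses the wire when the client sends the raw password.
    TLS hides it from third parties, but the server still receives it."""
    return {"username": username, "password": password}


def server_hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Server-side hashing. The server had the plaintext in hand at this point;
    whether it actually discarded it is something the user cannot verify."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def server_verify_password(record: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


# ---- Model 2: derivation on the client; only a derived token leaves ----

def client_derive_keys(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """The client stretches the password into 64 bytes and splits them:
    the first half encrypts the mailbox and never leaves the device,
    the second half is the only thing ever sent for authentication."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=64)
    return material[:32], material[32:]


def derived_login_request(username: str, password: str, salt: bytes) -> dict:
    _enc_key, auth_token = client_derive_keys(password, salt)
    return {"username": username, "auth_token": auth_token.hex()}


def server_store_auth_token(auth_token_hex: str, salt: Optional[bytes] = None) -> dict:
    """The server hashes the received token once more before storing it, so a
    leaked database does not hand out values that log in directly."""
    salt = salt or os.urandom(16)
    digest = hashlib.sha256(salt + bytes.fromhex(auth_token_hex)).digest()
    return {"salt": salt, "hash": digest}


def server_verify_auth_token(record: dict, auth_token_hex: str) -> bool:
    digest = hashlib.sha256(record["salt"] + bytes.fromhex(auth_token_hex)).digest()
    return hmac.compare_digest(digest, record["hash"])


def password_visible_to_server(request: dict, password: str) -> bool:
    """The check the article makes from the browser's network tab:
    does the login request body carry the password itself?"""
    return any(value == password for value in request.values())


if __name__ == "__main__":
    salt = b"constructed-salt"  # constructed; a real client gets a per-user salt
    print(plaintext_login_request("alice", "123"))
    print(derived_login_request("alice", "123", salt))
```

In the second model the server can confirm a login and nothing more: it holds neither the password nor the first 32 bytes of the derived material, so a mailbox encrypted under that key stays opaque to it.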
Now that we know how servers handle user authentication in both unencrypted and encrypted contexts, let's look at how PrivateMail handles this process.
When logging into PrivateMail from the webmail page, the user's credentials are sent in plaintext to the server! As mentioned previously, this means that PrivateMail can theoretically store the password in plaintext. Why is this so critical? It means that PrivateMail may be able to read your emails if they want to. Unlike their actually competent competitors, PrivateMail does not compute the hash client-side, and they can intercept your plaintext password.
Their claims about being "as locked out of your email as the rest of the world" are complete and utter bullshit. How are they "locked out" if they can process your plaintext password?
In addition to sending your plaintext password during login, the same thing happens on registration.
Their registration page uses an off-the-shelf product called WHMCS, a web dashboard meant for server hosting companies. They were so lazy that they couldn't even make their own registration system.
Plaintext Email Storage
When receiving emails, PrivateMail does not zero-knowledge encrypt them at rest with your keys. This means that PrivateMail can read every email that was not encrypted client-side.
In the screenshot above, the webmail app fetches the data of the selected email. Unfortunately, the data received is the plaintext version of the email. This can mean two things. Either:
- PrivateMail is server-side encrypting emails (which means it's not zero-knowledge, and they can technically read your emails)
- PrivateMail is simply just lying
The second option is the most likely, as they already make false claims to their users on their homepage, support pages, and blog articles.
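The observable difference between the two options above is what the fetch API hands back. As an added example (not PrivateMail's code), the block below models a mailbox encrypted at rest with a key the provider holds next to one where the client encrypts with its own key and the server only stores and returns ciphertext. It covers the storage and fetch path only; inbound SMTP delivery, where the server necessarily sees a message on arrival, is out of scope. Because the standard library has no AES, the cipher is a stand-in for an AEAD such as AES-GCM: an HMAC-SHA256 keystream with an HMAC tag (encrypt-then-MAC), which is an assumption of this example rather than anything the article describes.

```python
"""Added example: server-side encryption at rest vs client-side (zero-knowledge).
The cipher is a stdlib-only stand-in for AES-GCM; use a vetted AEAD in practice."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Separate subkeys for keystream and tag so one key is never reused for both."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = nonce or os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def is_authentic(key: bytes, blob: bytes) -> bool:
    """True only if the tag verifies under this key (wrong key or tampering fails)."""
    _, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    return hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag)


def decrypt(key: bytes, blob: bytes) -> bytes:
    if not is_authentic(key, blob):
        raise ValueError("authentication tag mismatch")
    enc_key, _ = _subkeys(key)
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN]
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class ServerSideEncryptedMailbox:
    """Provider encrypts at rest with a key it holds. That defends a stolen disk,
    not the provider itself, and the fetch API returns readable plaintext."""

    def __init__(self) -> None:
        self._server_key = os.urandom(32)  # held by the provider
        self._store = {}

    def receive(self, msg_id: str, body: bytes) -> None:
        self._store[msg_id] = encrypt(self._server_key, body)

    def fetch(self, msg_id: str) -> bytes:
        return decrypt(self._server_key, self._store[msg_id])  # plaintext over the wire


class ZeroKnowledgeMailbox:
    """The server stores what the client uploads and returns it unchanged;
    the mailbox key exists only on the client."""

    def __init__(self) -> None:
        self._store = {}

    def store(self, msg_id: str, ciphertext: bytes) -> None:
        self._store[msg_id] = ciphertext

    def fetch(self, msg_id: str) -> bytes:
        return self._store[msg_id]  # ciphertext over the wire


def zk_client_upload(mailbox: ZeroKnowledgeMailbox, client_key: bytes, msg_id: str, body: bytes) -> None:
    mailbox.store(msg_id, encrypt(client_key, body))


def zk_client_read(mailbox: ZeroKnowledgeMailbox, client_key: bytes, msg_id: str) -> bytes:
    return decrypt(client_key, mailbox.fetch(msg_id))


def response_is_plaintext(response: bytes, body: bytes) -> bool:
    """The check from the article's screenshot: is the message readable in the response?"""
    return body in response
```

With the zero-knowledge layout, anyone holding only the server's storage, including the provider, gets bytes that fail `is_authentic` under every key they possess; with the server-side layout, the provider's own key opens every message.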
In the following quote, TorGuard claims to keep all users anonymous during registration by collecting no personal data:
We don't even collect information about you when you make your account. You could be anyone from anywhere, and that's the entire point. You're completely anonymous every step of the way.
Nonetheless, their registration page literally says that they're collecting your IP address for "fraud prevention."
How are these people blatantly lying to their users like this? They're not even making an attempt to hide what they're doing...
- Google may store a cookie for collecting anonymized analytics data (you may opt-out here);
Apache web server logs
- Apache Webserver logs (see apache.org; no usernames or passwords are ever logged by the webserver and the logs are regularly purged);
Apache webserver logs contain IP addresses by default.
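The "no usernames or passwords" wording glosses over the fact that Apache's default `common` and `combined` log formats begin with `%h`, the client's remote host, which is the IP address unless hostname lookups are enabled. The added example below (not PrivateMail's or Apache's code) parses constructed combined-format lines, pulls out that field, and shows the kind of truncation a provider would apply if it actually wanted logs without identifying addresses; the sample lines and the /24 and /48 truncation widths are assumptions made for this example.

```python
"""Added example: where the client IP sits in a default Apache access log
line, and one way to strip it before the log is kept. Log lines are constructed."""
import ipaddress
import re

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Constructed sample lines (documentation-range addresses, not real visitors).
SAMPLE_LINES = [
    '203.0.113.42 - - [10/Oct/2023:13:55:36 +0000] "GET /webmail/ HTTP/1.1" 200 2326 '
    '"https://example.invalid/" "Mozilla/5.0"',
    '2001:db8:abcd:1234::1 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 302 - '
    '"-" "Mozilla/5.0"',
]


def parse_line(line: str) -> dict:
    """Split one combined-format line into its named fields."""
    match = COMBINED_RE.match(line)
    if not match:
        raise ValueError("not a combined-format access log line")
    return match.groupdict()


def anonymize_ip(addr_str: str) -> str:
    """Keep only a coarse prefix: /24 for IPv4, /48 for IPv6 (assumed widths)."""
    addr = ipaddress.ip_address(addr_str)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def anonymize_line(line: str) -> str:
    """Rewrite the %h field in place and leave the rest of the line untouched."""
    host = parse_line(line)["host"]
    return anonymize_ip(host) + line[len(host):]


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        print(parse_line(raw)["host"], "->", anonymize_line(raw))
```

A provider that really wanted address-free logs could also change the `LogFormat` itself, but the point of the example is the check: whatever the policy says, the first field of a default access log line is the visitor's address.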
Sharing data with advertisers
Quoting PrivateMail's homepage:
By encrypting your email and important files with Private-Mail you can prevent marketing and advertisers from using, selling and storing your data.
Private-Mail may store and use your personally identifiable information for [...] (iii) voluntary marketing, promotional, and advertising purposes, such as to inform you of promotional offers from Private-Mail;
They also share your internet activity with "trusted third-party service providers":
- internet or other electronic network activity (e.g., browsing history, search history, and information regarding a consumer's interaction with an online site or application, or similar information);
PrivateMail is blatantly misleading its users by making false claims on its homepage and other marketing pages. Most non-tech-savvy users will never notice, mainly because verifying these claims takes a bit of digging, such as watching for the transmission of plaintext passwords. Most users don't even read the privacy policies of their favorite services. They instead blindly trust the claims to "protect user privacy," even when those claims may not be valid.
A developer of Windscribe once said:
Protect their privacy … but sneaky
Sadly, PrivateMail is not a private product nor an excellent one, but a misleading mess. If you're looking for a high-quality and trustworthy private email service, I suggest looking elsewhere. My preferred one at the moment is Tutanota.