• 1 Post
  • 5 Comments
Joined 2 months ago
Cake day: January 23rd, 2025

  • We’ve noticed some misconceptions about email aliases and some recommendations that are bad for privacy in the comments. We’d like to share our thoughts on the matter in case anyone is interested in learning more about it.

    1. How do email aliases protect you online?

    Why not simply use an extra email account with plus-addressing (as one commenter recommended)?

    • If your goal is to protect your privacy online, you must reduce your digital footprint. You simply cannot achieve that by providing the same email address (even if it’s a secondary email) to different services online. The plus sign does not prevent you from being identified. Data brokers can easily link all your accounts in that case.
      • With privacy-kit, every service would have a completely unique and unlinkable email alias, making it impossible for data brokers to link your accounts by email addresses.
    • If your goal is to protect yourself from spam, using plus-addressing does not prevent your email address from being sold to third parties and spammers. Spam won’t necessarily go to your main email in that case, but you’d still be receiving it in your secondary email. Your inbox would quickly become cluttered and unsafe.
      • When using privacy-kit, every email alias is tied to the website it was generated for and only accepts emails from domains registered and verified by the website owner. This means privacy-kit email aliases cannot be shared with third parties and cannot receive unsolicited mail.
    • If your goal is to protect your privacy against email service providers and aliasing services, using a secondary email address with plus-addressing does not have any impact. Your email provider, responsible for storing all your emails, can simply access them at any point in time. If you’re using an encrypted email provider, they would have read access to your emails before encrypting and storing them.
      • When using Privacy-Kit, our Mail Relay service is designed to process emails in-memory and never store them to disk. This means upon reception of an email, Mail Relay can encrypt your email with zero access encryption and relay it in its encrypted form to your email provider. Your email provider, responsible for storing your emails, cannot access the contents of your emails in that case. This allows you to do a separation of concerns between providers responsible for storage and providers responsible for encryption with zero storage.
    2. Are we evil? 😈 providing a free service to steal and sell your data?
    • First of all we are not a free service. Our business model is very fair and transparent and allows us to fully fund the operation of our services and the development of new products for our users. That said, we do have a free plan aiming to help small creators and businesses provide privacy functionality under a certain usage threshold.
    • We have spent more than two years designing and building our existing products from the ground up to provide best-in-class privacy for our users. We opened Mail Relay to the public almost a year ago.
    • We’re also contributors to select Open-Source projects aiming to improve Free-Speech online. For instance, we are contributors to Lemmy: e.g. https://github.com/LemmyNet/lemmy/pull/4881
    3. Lots of unfounded accusations in the comments. Here are some answers:
    • No. We’re not hiding our Github repo. It’s actually the first link in our post. It’s also available in the linked blog post and available on our website.
    • No. We’re not hiding the fact that users need to sign up to use Hide-My-Email. It is technically impossible to provide the service otherwise. This requirement is mentioned in the first paragraph on privacy-kit’s Github README.
    • No. Privacy-Kit’s repo is not sketch because it only has 2 contributors. The repo is open source and verifiable by anyone. It uses a very permissive MIT License and it was just open-sourced yesterday. Contributions are more than welcome ❤️.
    • No. The privacy-kit repo is not just a website and it does not import unknown code as suggested in the deleted comment 😳. It actually contains the privacy-kit library code, which is a lightweight library with zero dependencies. It also includes two HTML pages for testing under a /test directory. These are not part of the library bundle.

    We just felt the need to clear these misconceptions.

    Thank you all for supporting us in our mission to improve privacy online ❤️
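
The linking argument in point 1 of the comment above, as an added example that is not part of the original comment or of the privacy-kit code: it groups signup records by the mailbox each address delivers to. The function names, services and addresses are all constructed for illustration.

```javascript
// Added illustration; every address below is constructed sample data.

// Reduce an address to the mailbox that receives it: lowercase it and
// drop a "+tag" suffix from the local part.
function canonicalMailbox(address) {
  const at = address.lastIndexOf("@");
  if (at < 1) throw new Error(`not an email address: ${address}`);
  const local = address.slice(0, at).toLowerCase();
  const domain = address.slice(at + 1).toLowerCase();
  const plus = local.indexOf("+");
  // A leading "+" is kept: there is no base mailbox in front of it.
  return `${plus > 0 ? local.slice(0, plus) : local}@${domain}`;
}

// Group signups by canonical mailbox and return only the groups that span
// more than one service, i.e. accounts that can be joined on the address.
function linkableGroups(signups) {
  const groups = new Map();
  for (const { service, email } of signups) {
    const key = canonicalMailbox(email);
    if (!groups.has(key)) groups.set(key, new Set());
    groups.get(key).add(service);
  }
  return [...groups]
    .filter(([, services]) => services.size > 1)
    .map(([mailbox, services]) => ({ mailbox, services: [...services].sort() }));
}

// Same person, plus-addressed secondary mailbox on three services.
const plusAddressed = [
  { service: "shop.example", email: "jane.doe+shop@mail.example" },
  { service: "forum.example", email: "Jane.Doe+forum@mail.example" },
  { service: "news.example", email: "jane.doe+news@mail.example" },
];

// Same person, one unrelated alias per service (hypothetical alias domain).
const perServiceAliases = [
  { service: "shop.example", email: "k3v9q2xa@alias.example" },
  { service: "forum.example", email: "t7m1zc4p@alias.example" },
  { service: "news.example", email: "b8w5ne0r@alias.example" },
];

console.log(linkableGroups(plusAddressed));     // one group, three services
console.log(linkableGroups(perServiceAliases)); // no groups
```

Auditing your own signup addresses this way shows which accounts share a joinable key; it covers the email address only, not other identifiers a service may hold.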


  • We like the skepticism. 😀 Hope the following clarifies things a bit:

    1. The repo contains the privacy-kit library code under the /src directory.
    2. The website files in the repo are test files used by contributors to test the library.
    3. The code from the repo is packaged into an npm library as mentioned in the README.md.
    4. The privacy-kit-*.js are the built library assets that you can build by running npm run build.

    Feel free to ask any questions for more clarification. Also, the library is tiny; it’s designed to have zero dependencies and no impact on website performance.


  • We usually don’t trust new services either but here are a few points that might address your concerns:

    • The privacy-kit library was just announced yesterday. There are no external contributors yet but it’s open source and anyone is welcome to help make it better.

    • “for the masses” means that it doesn’t require high technical skills and anyone can include it in their website. This is one of our goals: democratizing online privacy.

    • Our website is simple on purpose. We aim to keep it this way. We build everything from scratch to reduce external dependencies to the strict minimum.

    • We’re also contributors to Lemmy and other select FOSS projects: https://github.com/LemmyNet/lemmy/pull/4881




  • Given that an E2EE solution requires all online stores to switch technologies, it’s unlikely to happen. The next best option is using a VPN-like solution for email. I use Privacy Portal email aliases with email encryption for this. There are multiple other alternatives but I like Privacy Portal because it has one of the strictest privacy policies and because I’m a little biased (I’m an engineer on the team).

    Emails sent to you from online stores get sent to Privacy Portal’s relay servers. These servers act like VPN servers meaning no logs, no writing to disk, zero storage, … The emails get encrypted in memory with your public PGP key (or certificate) and get sent encrypted to your email provider. Only you will be able to decrypt them on device.

    If you use Proton Mail as your email provider, it supports PGP encryption by default. You can simply copy your public PGP key from Proton and submit it to Privacy Portal and you’re done. Proton won’t have access to your emails. Alternatively you can use any email provider with an email client that supports PGP (e.g. Thunderbird, K9). And if all else fails you can even use S/MIME with Apple Mail on iOS but that has some drawbacks.

    With this solution you would be separating providers into 2 categories:

    • The first provider receives the unencrypted data but has no authorization to log or store anything.
    • The second provider is responsible for storing your encrypted emails but does not access the unencrypted version.

    On top of that, you can also reply to emails without exposing the unencrypted versions to your email provider because encrypted emails sent by Privacy Portal contain public keys used for decrypting outbound mail before relaying it to its destination.

    The cherry on top is that the online store won’t have access to your personal email. So if they start spamming you, you can stop the email alias.