Three Things to Consider When Offshoring Your Email

Three Things to Consider When Offshoring Your Email

Some in the alternative media have long advocated for the internationalizing of investments, capital, finances, and digital footprints. On the surface, this appears to be reasonably prudent advice. History has proven time and again that internationalization and diversification are prudent precautionary practices to protect against government encroachment, capital controls, wealth confiscation, inflation, and government surveillance.

But the world is changing. What was true in the 1990s may no longer be true today.

Unprecedented globalization, international organizations and treaties, and global challenges are changing the game. Nowhere is this more pronounced today than on the Internet. Years ago, for example, an offshore email service was considered the gold standard of privacy. Today, it’s a different story.

In 2013, top-secret documents published by the Guardian exposed the NSA’s email and telephone surveillance programs. These surveillance programs are not new. Well over a decade earlier, the Five Eyes used Project Echelon to capture the satellite and electronic communications of the world.

Prism, Fairview, Bullhorn, Xkeyscore, and other top-secret government documents suggest that virtually all electronic data are insecure, regardless of location, and regardless of the service provider.

Consequently, when analyzed in light of the global surveillance state, internationalizing email services appear to make little sense.

If all email communications are captured, for example, and probably stored forever, an offshore email service is of little use to protect the content and metadata of email communications against a global adversary.

When properly executed, an international email service can be a reasonable bulwark against those that would invade your privacy. It all depends on proper implementation and execution, however. Internationalizing your email alone is a very weak defense today.

In addition, since international email services are outside of the United States, they are afforded less legal protection from NSA surveillance than US-based services.

However, this doesn’t mean that international email services are useless.

The first thing to bear in mind when considering an international email service is the top-level domain, or TLD for short. A TLD ending in .com, .org, or .net, for example, is usually owned by a corporation, individual, or organization in the United States and consequently is under US jurisdiction.

TLD is important because a TLD under US jurisdiction gives the US government legal authority to seize any domain, regardless of who owns the service, and regardless of the location of its servers. A seized domain is not the worst of scenarios, however, as it’s fairly easy for an email service to transfer content to another domain outside of US jurisdiction. Seizure of an email service’s domain is very unlikely, but to avoid a potential loss of service, it may be advised to use email services with domains outside of US jurisdiction. Iceland, for example, is a good alternative.

The next thing to consider is the location of servers. This is important, but just as important as server location is the legal structure of the organization of the email service provider. Some have erroneously assumed, for example, that if a server is located outside of the United States, it is not under US jurisdiction. This can be true, but depending on the legal structure of an organization or business, it may not be true.

For instance, a US district court recently ruled that Microsoft must comply with a US warrant to give investigators access to information on a Microsoft server hosted in Ireland.

This is not at all surprising, as Microsoft is a US corporation and must comply with US law. Thus, when considering an international email service, it is important that both the server and the legal structure of the email service provider be outside of US jurisdiction.

A third thing to consider is the independence of the international location. States which are signatories of global organizations, regional or global bodies, certain international treaties, or are wholly or mostly dependent legally, economically, or militarily on another state are generally not ideal locations for offshore protection. Countries with no legally defined privacy rights, data retention laws, and/or have a history of censorship should also be avoided.

Regardless of whether a TLD, the email service owner, and an email service’s servers are outside of US jurisdiction, it’s still not safe to assume that an international email service is absolutely secure.

There is no such thing as absolute security.

However, a service operated in a privacy-friendly international jurisdiction can help protect your privacy, but only within limits. Don’t assume that offshore status alone can legally protect someone from another jurisdiction’s law enforcement. Depending on the circumstances and the allegations of the crime, it’s very likely that an offshore location will comply with international warrants or subpoenas.

The most important thing to understand is to never trust any email service. Offshore and international email services alone are no longer a fortification against surveillance, as they once were. They ideally should be used in combination with encryption and other methods.

The most secure and private email communications always involve encrypting email communications locally with OpenPGP, using email services operated by privacy activists, using a combination of multihop proxy services, and using an open source email client.

The Invisible Internet Project, or I2P, is highly recommended for secure email communications. I2P email communications, however, are only secure if they are used exclusively inside the network. The I2P email app “I2P-Bote” (German for “messenger”) is the most secure email protocol available, in my opinion, as it uses very strong encryption and is currently limited to communications inside the network.

In sum, it’s important to remember that internationalizing your email is by itself a very weak defense. It needs to be used in combination with other measures—like encryption and proxies like Tor—to obtain maximum privacy.

Editor’s note: For more on internationalizing your digital presence, see here.

James Black is the author of The Privacy Book, and more recently The Privacy Book: Second Edition. Both books are available at

Tags: digital diversification,