Frequently Asked Questions
ParanoidMail is the OpenPGP-compliant encrypted email service, aimed to make the whole process of encrypted communication much easier than it exists today at the same time minimizing the inevitable security trade-offs.
The very word 'paranoid' is producing some, well, negative feelings, why did we choose it? Unfortunately, modern Internet has created an absolutely false, negative perception of privacy and handful of Internet giants are actively undermining the legal base for that tiny piece of privacy we still posess. There is no conspiracy out there, just business. Their very business model is based on collecting as much as possible data about each and every of us. Our contacts, habits, lifestyle, finances, birthdays, places we visit, sleeping patterns, political views, tastes, weight, body types, nutrition details, health, diseases, passions, travel destinations and schedules... The list can be prolonged and will definitely go out of scope of this FAQ. The more they know all the details, the better can they select which ads to show/send us. Modern internet ads are no longer 'carpet bombing' like classic TV- or radio-ads in contrary, they're much more like good sniper riffle in professional hands. That's why they're so fiercely lobbying weakening of privacy laws in countries these laws are 'too tough', trying to obtain the rights to know even more about us.
So, once 3...4-letter agencies decided to spy on us, they didn't need to hack and break into each and every computer, mobile device or email account. Instead, they looked up and said “Wow, corporations are already spying on everybody. Let's get ourselves a copy!”. Of course, companies like Google do not like to name the things with real names, they prefer nice and vague terms like 'collecting aggregated information generated by users' instead of plain 'spy on everybody'.
Our mission is to return the feeling of privacy back to people. Current Internet landscape does not offer us plenty of opportunities, honestly saying quite few. To outbalance 'the sniffing Moloch', one have to become reasonably... well, paranoid. At least for the first period of time. If governments are allowed to be unreasonably paranoid, let's use the same tactic and become paranoid as well. Proactively, but reasonably paranoid, of course.
We are community project and we are doing this project for fun, not profit. If you want to support the @PARANOID, ask us on email@example.com how to donate.
Because without encryption every data packet in Internet, doesn't matter either email, web or VoIP is similar to a postcard without envelope. Anyone can read it. Encryption can make any dataflow between point A and point B unreadable for potential sniffer.
There was little to no doubt which encryption to choose for this project. It's OpenPGP (GnuPG or GPG). There are 4 major 'pros' for that and only one major 'contra'...
- OpenPGP is de-facto industry- and folks- standard. According to different analytical studies, about 95% of encrypted emails circulating in the Net are OpenPGP-encrypted (mostly with RSA cipher, much less with Elgamal or ECC ciphers).
- There is no need to re-invent the bicycle, codebase is mature and widespread, all necessary libraries are either the part of the operating systems or can be installed from public domain with a click of your mouse
- 'Nearly zero' knowledge about your data is already built-in in the standard
- Unlike already existing and emerging 'closed ecosystems' like Hushmail or ProtonMail, OpenPGP-compliant solution won't enforce any existing PGP/GPG-users to migrate to our service. If you already using OpenPGP with (pssst!) Gmail, no problem, you can send OpenPGP-encrypted message to the user in paranoid.email domain from Gmail account and only the recipient (not us) will be able to decrypt it.
- Without some basic skills, encryption makes no sense. One has to obtain some ground knowledge. But this isn't unique to OpenPGP standard. It's not a bug, but feature. And it's definitely not the rocket science. We are at your service to make your learning curve as short as possible.
- All the packages for PGP/GPG key management have been designed and implemented 'by the geeks and for geeks'. Even for users, who understands the principles of cryptography, working with keys is usually... well, a pain in the ass. Fixing this issue is in our Roadmap.
To avoid giving pledges and promises we won't be able to fulfill and be as honest as possible, we're telling our users the truth. And the truth is — there is no 100% bullet-proof solution out there, neither for emails, nor for any other networking service. Anyone who promises you unreachable 100% is either a con or they're using non-fair marketing tricks. Period.
The 'Nearly zero' term is based upon the fact, that the very core of existing global email system compels us to send so-called envelope (and some other metadata) in plain text, unencrypted. We could create 'closed service' for members only, but that would be just another closed ecosystem. That's definitely not our way.
Yes, NO WEBMAIL. Not at all. Encrypted webmail has always some drawbacks and two most important ones are:
- If user's private PGP-keys are stored at the email provider side, then the webmail host takes over the en- and decryption tasks. In other words — email provider is able to see all your messages in plain text, unencrypted.
If second security hole is obvious, first one doesn't look so dangerous at the first glance. If you take a deeper look, you'll see that in potential case of our servers being raided or seized by any law enforcement organization, or being cracked by hackers, we could no longer guarantee, that the code sent to your browser won't steal your passwords/passphrases/keys. None of the existing webmail providers can give you such a warranty.
Growing popularity of mobile devices (tablets and smartphones) makes webmail less and less popular, all modern devices do have dedicated email client Apps and they do their job much better than browsers. Having email client on your PC or Mac is no longer an option for encrypted email communication, but 'must have'.
We're small international team of security and networking experts based in Germany. Currently our coordination center is located in Munich and our servers run in Germany, Austria and Iceland.
At the current development stage we're fully funded by our own means, once the project matures and becomes ready for production, we're planning to use crowdfunding to back mobile Apps development and legal support.
Unlike our competitors, we do not have any illusion regarding existence of 100% safe jurisdiction... And we definitely won't put all eggs in one basket. Regardless of exact location of our future legal entity(ies), our servers will be redundant and located in multiple countries with different local laws, giving you extra data loss prevention and reducing potential service downtime.