When the FOSTA-SESTA bill was passed into law there was a rush of sex workers and clients moving from Gmail to the enhanced security of Protonmail. Since then I’ve noticed a backlash to Protonmail, with complaints about its reliability resulting in some people moving back to Gmail. At the same time I’ve also observed some confusion about the security issues involved, with comments like “Gmail uses encryption anyway” or “I’m on a VPN, so why does it matter?” Obviously, everyone can make their own judgement call about utility vs security, but I’d like that decision to be an informed one. Hence, this post to dig into the issues.
When it comes to encryption, Gmail does use an encrypted connection between you and their servers. That’s nothing unusual. So does pretty much every internet service that carries personal data (banking, shopping, email, etc). That’s necessary to stop people in your building, coffee shop or IT department sneaking a look at what you’re sending and receiving. Obviously this is a good thing, but pretty much irrelevant when it comes to law enforcement. Even if they could do it (which they can’t), they’re not going to try and hack your internet connection and reconstruct your emails from the data you send.
Similarly, while a VPN (virtual private network) is generally a good thing for privacy, it’s irrelevant when it comes to law enforcement and email. Normally, even with encrypted connections, it’s still possible to see what sites someone is visiting. With a VPN, a remote computer (typically in another country) makes all those connections for you, and you just have a single encrypted connection to the VPN. That’s great if you don’t want someone to be able to trace your interactions with sites like eros or slixa, but kind of pointless when it comes to Gmail. If you’ve got a public web presence tied to a known email account, there’s absolutely no value trying to hide the fact you’re connecting to that email service. The fact you’ve got the email address on your website proves that you must be using the service.
The key difference between Protonmail and Gmail is how the data is stored on the email servers. In Protonmail the data is encrypted so that even the people running Protonmail can’t read it. That is absolutely not true for Gmail. Google’s entire business model is based on mining user data. In some cases it’s even possible for third parties to access the data. As Google describes here, they will produce the content of your Gmail account in response to a search warrant. And, as they document here, they produced user data for around 80% of the legal requests they receive each month. So if a prosecutor has your Gmail address and a search warrant, he can read your emails. The bar for obtaining a search warrant is simply showing probable cause. That is not a high bar. In contrast, even if US law enforcement managed to get hold of Protonmail data, it would be a jumble of meaningless numbers. They’d need the account password to make sense of it.
One could argue that there are easier and more likely ways for law enforcement to hassle sex workers than trying to access their email accounts. Or that if an investigation has reached the point of getting search warrants, it’s unlikely to be stopped simply by a lack of email data. However, in the current climate, I tend to take the view that safer is always better. Would you want to bet against the possibility of a prosecutor going on a fishing expedition after scraping the web for pro-domme and escort email addresses? Or getting hold of the data from sites like eros or slixa and then using some bullshit sex trafficking story to get a load of warrants signed off? No tech company is going to want to be perceived to facilitate sex trafficking, even if the trafficking story is a fiction with zero relationship to reality.
As I said at the beginning of the post, the utility vs security trade-off is a matter for individual judgement. But nobody should assume that there isn’t a trade-off involved here. Gmail and Protonmail offer very different levels of privacy. Personally, even though pro-domination is legal and I only engage in non-sexual BDSM activities, I’ve switched to Protonmail for my personal account.
If anyone has questions about any of this feel free to leave a comment. I’m absolutely not a legal expert, but I do know a bit about computers and networks. I also added some follow-up thoughts in a subsequent post.
This domme certainly takes security seriously. She doesn’t ever turn her computer on. That’s hardcore security.
As far as I can tell the website originally associated with this image has ceased to exist.