Security was not a concern for the people who designed email. As a result, the system has flaws that persist to this day and make it an easy target for attackers and surveillance agencies alike (not to mention Google, which for years scanned the contents of Gmail messages to target advertising).
Posteo is one of many services that claim to offer a private and secure approach to email, so we are going to hold it up to the light and see whether those claims hold up.
What is Posteo?
Posteo is a German-based email provider built by husband-and-wife team Patrik and Sabrina Löhr. It is a subscription-based service that aims to offer a truly private email experience, and it is now in its tenth year of operation.
The Löhrs demonstrated their commitment to user privacy in a confrontation with the police. In summer 2013, Bavarian officials arrived with a warrant demanding that Posteo hand over information about an account holder who was allegedly using the service for illegal purposes.
Instead of giving in to police pressure, the Löhrs stood their ground and took the matter to court. (The warrant, it turned out, did not grant access to their entire office.)
It was a relatively high-profile case in Germany at the time, and such an active defense against law-enforcement overreach is commendable in terms of staying true to one's mission statement.
Dedicated though they may be, is their software any good? Our Posteo review now takes a closer look at how it all works and how it fares under scrutiny.
Posteo earns all its revenue from its subscription charge of €1.00 per month. This means it has no need for advertising, so there are no ads cluttering up your inbox.
Posteo allows attachments of up to 50 MB, and the standard mailbox is 2 GB. Additional storage can be added at €0.25 per GB per month, up to a total of 20 GB.
Unlike many smaller email providers, Posteo also offers calendar and address-book functions, and both can be encrypted at rest with the click of a button (using AES). In fact, your stored mail can be encrypted the same way if you wish. Bear in mind that this is encryption at rest on Posteo's servers: it protects stored data against seizure, but it is not the same thing as end-to-end encryption, and it is only as strong as the password that unlocks it.
Posteo supports IMAP, so you can synchronize your mail with the existing mail client on your phone or desktop. This compensates somewhat for the lack of a dedicated Posteo app for Android or iOS, although that remains a drawback in its own right.
Most importantly, Posteo supports end-to-end encryption (E2EE) of message bodies via the OpenPGP and S/MIME standards, which is the gold standard for email communications.
How does Posteo work?
Posteo's E2EE uses public-key cryptography rather than a shared password. Each contact publishes a public key; to send someone an encrypted message, you encrypt the body to their public key, and only the matching private key, which never leaves their device, can decrypt it. What does need to happen outside the email channel is verification: you confirm a contact's key fingerprint in person or over another channel, because otherwise a man-in-the-middle could substitute a key of their own.
The result is that Posteo's servers, every relay in between, and anyone eavesdropping on the wire see only ciphertext for the body. Note what is not protected: sender, recipient, subject line and the other headers travel in the clear, since OpenPGP and S/MIME encrypt only the message body and attachments.
The service is engineered to put privacy first. Unlike many other subscription services (even VPN providers), it does not tie your payment details to your account, and it does not log the IP addresses you use to reach the site, so there is little personally identifying data for a seizure to turn up.
Posteo also strips your IP address from the headers of mail you send. It has no control over what other providers record, however: a message from a non-Posteo sender still arrives carrying whatever Received: headers and originating IP address that provider's servers attached.
Is Posteo secure?
On paper at least, Posteo is very secure. E2EE is a tough nut to crack, and OpenPGP and S/MIME encrypt the message body itself with AES, the same cipher the US government approves for classified material (AES-256 is cleared for TOP SECRET data, though the key length a given setup uses may differ).
What's more, users can enable two-factor authentication for logging in, so a stolen or phished password alone is not enough to get into the account. Be clear about what 2FA does and does not cover, though: it guards the login, not a device that is already logged in, so a lost phone with an open mail client still exposes whatever that client has synchronized.
One limitation of the E2EE Posteo relies on is not a missing Diffie–Hellman exchange, as is sometimes claimed, but a lack of forward secrecy. Messaging apps negotiate fresh, short-lived keys for each session and delete them afterwards, so a key stolen later cannot unlock old traffic. OpenPGP and S/MIME instead encrypt every message to the recipient's long-term key, so anyone who obtains that private key later can decrypt the entire archive.
Managing keys yourself is also more work than letting an app handle it, but in terms of what email can offer, it's as good as it gets.
The only major quibble we noticed is jurisdiction: the company is registered in Germany, a 14 Eyes member state whose foreign intelligence service, the Bundesnachrichtendienst (BND), co-operates with the NSA and GCHQ. E2EE keeps message bodies out of reach of anyone who serves Posteo with an order, but metadata and any unencrypted mail are not, so this is a risk worth weighing rather than a deal-breaker.
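As an added example (not Posteo's code, nor code from the OpenPGP or S/MIME implementations it uses), the following Go program models the hybrid public-key scheme described under "How does Posteo work?" and the forward-secrecy limitation above: a sender encrypts a message body to the recipient's long-term X25519 public key using a one-time sender key and AES-256-GCM, the provider sees cleartext headers but an opaque body, and the recipient's static private key opens every archived message, which is exactly why a later compromise of that key is so costly. It goes beyond plain OpenPGP in one respect, binding the headers as authenticated data so a tampered header is detected. Key derivation is a single SHA-256 step standing in for a proper KDF, and the addresses and message text are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Envelope is what the mail provider stores and relays: cleartext headers
// plus an opaque body. Headers stay readable, exactly as with OpenPGP/S/MIME.
type Envelope struct {
	From, To, Subject  string
	SenderEphemeralPub []byte // one-time X25519 public key sent with the message
	Nonce, Ciphertext  []byte
}

// headerAAD binds the cleartext headers to the body as additional
// authenticated data so a relay cannot swap them silently (an improvement on
// plain OpenPGP, which leaves headers unauthenticated).
func headerAAD(from, to, subject string) []byte {
	return []byte(from + "\x00" + to + "\x00" + subject)
}

// deriveKey turns the X25519 shared secret into a 256-bit AES key, binding
// both public keys into the derivation (SHA-256 standing in for a real KDF).
func deriveKey(shared, ephPub, recipPub []byte) []byte {
	h := sha256.New()
	h.Write([]byte("demo-hybrid-mail-v1")) // hypothetical domain-separation label
	h.Write(shared)
	h.Write(ephPub)
	h.Write(recipPub)
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts body to the recipient's long-term public key with a fresh
// sender-side ephemeral key, the hybrid pattern OpenPGP's ECDH mode uses.
// Only the recipient's public key is needed; no secret is exchanged out of band.
func Seal(from, to, subject string, body []byte, recipPub *ecdh.PublicKey) (Envelope, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return Envelope{}, err
	}
	shared, err := eph.ECDH(recipPub)
	if err != nil {
		return Envelope{}, err
	}
	ephPub := eph.PublicKey().Bytes()
	gcm, err := newGCM(deriveKey(shared, ephPub, recipPub.Bytes()))
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, body, headerAAD(from, to, subject))
	return Envelope{From: from, To: to, Subject: subject, SenderEphemeralPub: ephPub, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts with the recipient's long-term private key. Because that key
// is static, whoever obtains it later can open every archived envelope: the
// missing piece is forward secrecy, not a Diffie–Hellman step.
func Open(env Envelope, recipPriv *ecdh.PrivateKey) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(env.SenderEphemeralPub)
	if err != nil {
		return nil, err
	}
	shared, err := recipPriv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(deriveKey(shared, env.SenderEphemeralPub, recipPriv.PublicKey().Bytes()))
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, headerAAD(env.From, env.To, env.Subject))
}

// ProviderView is everything the provider, or an order served on it, can read.
func ProviderView(env Envelope) string {
	return fmt.Sprintf("From: %s\nTo: %s\nSubject: %s\nBody: %d opaque bytes",
		env.From, env.To, env.Subject, len(env.Ciphertext))
}

func main() {
	recip, _ := ecdh.X25519().GenerateKey(rand.Reader) // recipient's long-term key
	env, _ := Seal("alice@example.org", "bob@example.net", "Q3 numbers", // constructed sample
		[]byte("The figures are attached."), recip.PublicKey())
	fmt.Println(ProviderView(env))
	body, err := Open(env, recip)
	fmt.Printf("recipient reads: %q (err=%v)\n", body, err)
	env.Subject = "Re: invoice" // a relay tampering with a header
	_, err = Open(env, recip)
	fmt.Println("after header tampering:", err)
}
```

Run it with `go run` on any Go 1.20 or later toolchain (crypto/ecdh is standard library). The provider view shows the headers verbatim and a byte count for the body, which is the whole of what a subpoena served on the provider can recover; to model a key compromise, hand `recip` to a third party and note that every envelope ever sealed to that key opens.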
Is Posteo anonymous?
At the start of this article, we mentioned the Löhrs' refusal to hand over Posteo data to the authorities. In the years since, Posteo has received dozens of further requests from German authorities, only some of which were granted.
Those that were granted provided little beyond account access times, which gives the authorities very little to work with.
Posteo's transparency report concedes that some mailboxes were placed under telecommunications surveillance, but also that these measures were reversed after the Löhrs took legal action against the authorities.
Indeed, Posteo's privacy features are impressive in general. With encrypted storage enabled, headers and subject lines are encrypted at rest alongside message bodies, so a seizure of stored data yields little of use. Remember that metadata is only protected while it sits on Posteo's servers; in transit it is still visible to the other mail provider and to anyone able to intercept the connection.
The fact that Posteo does not store your IP address also makes it much harder for the BND or any other authority to obtain personally identifiable information about you.
Possibly the best thing about Posteo's privacy credentials is that you can pay your subscription fee in cash, including by hand-delivering it to the Posteo office in Berlin.
This means you can pay without a paper trail, keeping your identity as anonymous as the rest of the service allows.
Throughout our Posteo review, we have been impressed by an email provider that, for just €1.00 per month, gives you genuinely strong encryption tools to work with.
We appreciate the developers' public stand against unlawful law-enforcement demands and their willingness to go to court, as well as smaller gestures such as inviting users into their office to pay anonymously.
As such, Posteo looks like a solid secure email provider that we are confident you can trust, with the usual caveats: E2EE protects message bodies but not metadata, and both you and your correspondent have to use it for it to help.