A talk about Cyber security - gmail
First installment of how to improve your safety online. Break your reliance on Gmail. It is less scary than you might think.

Note: all that I say here applies to Yahoo and Hotmail as well, but Google is particularly egregious with mining your patterns and data.
I really don't want to be a scold, but I do fear it is time for the talk.
This comes after I migrated from Substack to this self-hosted Ghost install, and from the data I can now see in the Mailgun logs. I currently have 2,058 subscribers (thank you for volunteering to sign up!) and of that 1,211 of you are using a Google Gmail account. That is the "free" email offer by Google.
Now, in and of itself that isn't terrible, because I don't do any commerce, I don't store any data about any of you wonderful people besides your email addresses, and since I don't commercialize at all, and never plan to, I will not send you anything but newsletters like this into your inbox.
No, the concern is that if you are using gmail for all of your online life, I am worried about you. No, I don't think Google will get hacked. Or if they do, it won't likely affect you too much besides the inconvenience.
What I do know is that Google reads everything you send or receive. It is how their spam filters are eerily good, and how in their web interface, they are pretty good at bulk segregating inbox, promotions and others.
But, Google doesn't do this out of the goodness of their hearts. Google runs the largest, vertically integrated advertising tech stack on the planet.
This means they own the marketplace where advertisers bid for your eyeballs, the placement engines that media and other websites use to "sell" website real estate for said ads, and also two of the largest properties for ads that have ever existed: Google Search and YouTube.
It is this dominance that has led to the antitrust case and subsequent loss for Google (if you want to read about it, search Matt Stoller's Big substack, it is a fascinating read. Also the original DoJ complaint is here).
Needless to say, this monopoly over advertising requires metric fuck-tons of data about ordinary consumers to maintain. And a large fraction of this data that drives the targeted advertising that you see on your devices comes from your gmail accounts.
59% of you are using gmail to access here.
And Google makes it so convenient to log in to a service using your gmail credentials. Have you noticed lately that when you sign up for a new service there is the option to use your Google account? That uses a passkey, a unique cryptographic (meaning encrypted and non-public) key to seamlessly and frictionlessly sign in.

Again, I like convenience. But with convenience comes trade-offs. And that makes me wonder who is getting the better part of the deal. Google isn't doing this to be altruistic. No, they are money-grubbing capitalist fuckwads. The benefit to them is they now know that you are using your Google credentials to log into all these sites, and from that they can infer your behaviors, and thus better target ads.
In short, you become more valuable to Google, the more you use Google's conveniences.
What should I do?
As I mentioned in an earlier post, a good first step is to get an email account somewhere that you pay for. If you actually pay for the service, and it isn't subsidized by this surveillance juggernaut that uses the info they glean on you to dominate the internet, that is a good start.
Personally, I use two services. Proton Mail is my main account. It is European based (in Switzerland) and they have pretty solid privacy features, buttressed by Switzerland's strong secrecy laws (there's a reason why the uber-wealthy bank there). They offer email, a VPN, and even a completely encrypted cloud storage service. It isn't cheap, but I feel good that the spy agencies aren't going to get their eyes on my messaging. And no, I don't do any hinky shit, still, I want to be safe and secure in my papers.
The other one is for our family domain (tralfaz.org) that I have had since the 1990s. For that, I use Fastmail. It was easy to set up, and it was trivial to move my wife's poor-hygiene inbox to it so I could delete the old Google Apps account I used to pay for. Fastmail also has the ability to connect with our password manager, 1Password, to create masked emails if you are going to sign up for random accounts. It is so easy and transparent, even my wife who is hopeless around technology does it. And masked emails for the odd sites are good because say Petco gets hacked, and the baddies get your email and some other token about you. They can't do anything because you use that email address in only one place.
Both these services have migration assistants that will guide you through moving to their system, and both of them support custom domains if that is your thing.
There are others, but these are two I have personal experiences with, and positive results.
But Sweaty, I have 20 years of gmail under my belt...
Ok, I get that. It can seem like an impossible ask to do this.
That said, prioritize it like this:
Top Priority: Banking, financial sites, and anything that accesses your money. This is your bank, stock brokerages, Paypal/Venmo/CashApp. Here, I would use your new email address and change your email on these accounts. These are the holy grail for the scammers.
As an example, I get 4-5 urgent Paypal emails for invoices sent to my Tralfaz account a week, an email address I never used with PayPal. That is people using my hacked email address to try to scare me into sending them money. I have stopped reporting them as fraudulent to PP. (and PP is quick to identify and shut these down - kudos where kudos are due)
Tier two: Major shopping sites. Amazon is front and center, but if there is some site you order from more than a couple times a year, change your email address there. Again, they are not too likely to be hacked, but if you use the same address across a lot of sites, this is an attack vector and can make your life uncomfortable.
The Rest: Here, it is probably OK to leave it with Gmail. Again, if it is something that might be embarrassing (like your PornHub account), I would change it. But be vigilant in monitoring communications. Pretty low risk.
Doing this ought to help you rest easier.
Why to keep your gmail account...
Ok, this is for the most sophisticated of people. If you have custom domains that you use for your website (like this one; I pay for sweatyspice.com, tralfaz.org, tralfaz.com, greytbros.com, thepmdude.com, and prodbistro.com - don't ask), it is a good idea to use a big public mail provider like gmail, yahoo, or hotmail as your contact with the domain registrar (again, if this is you, that will make sense).
There is an attack vector where a baddie can get your domain registration changed, set up a mail relay, impersonate you, and take control.
For that, I do have a gmail account, and it is the perfect use, because nobody is going to get Google's domains to redirect for them. (ok, the NSA can probably do it)
Last point(s):
I had some people ask about Apple's iCloud mail. That is actually pretty safe. If you have multifactor authentication (and Apple is good at encouraging you to do so) turned on, it is pretty safe from prying eyes. Apple may be slipping a bit on their commitment to privacy, but they are the best of the majors. Additionally, they offer the masked email capability too. If you use Safari (and most people on Macs and i-devices do) it is solid. They also have by default a password manager integrated. As with all things Apple, it just "works".
I will say that I get about 120 email bounces from each post, and a lot of them are for iCloud accounts that have full inboxes. People, do some clean up of your email!
Summary
Do get a paid email account from a trustworthy service. There are plenty of them beyond the two I mention.
Begin to move the most important (i.e. money) accounts to this new identity.
A future post will be on why you should use a password manager, but if you do, use it with masked email, which will give you one more layer of security.
You don't need to be a fortress, but a few easy steps will greatly reduce the risk. The baddies will go elsewhere, and you can breathe easier.
The next installment will be on web browsers...