It is a bit overkill, but the closest you can get to owning your online identity is to "own" your own domain. sarcastiquotes used because you don't really own a domain you only rent it.<p>I run my own mail server because I am a sys-admin and running a mail-server is something I do for fun. but the amount of agency you gain once you have a domain is staggering. people without a domain are pretty much second class net citizens.<p>I wish municipality offered domains, for example: you move to St Louis you would get name.stlouis.mo.us this would give you the same agency online that a mail address gets you offline.
Another solution that the article doesn't mention: separate the email address from the email provider. It really is the domain name that is your legal identity. Make it as easy for people to register a personal domain name as it is for them to sign up for free email so they can switch from Gmail to Hotmail to Protonmail without changing their email address.<p>Edit: We then need a standard for discoverable DNS settings that providers can publish, together with an endpoint that the domain name provider calls to inform the email provider that it should accept email from person@personaldomain.person and forward it to person@emailprovider.com. Then your domain name provider can discover these, and switching email provider can be done with a click of a button without you having to have any knowledge of DNS. Of course email providers will have little interest in supporting something like this, so this is where regulation would be needed.
And this is why, back in 2007, I registered my own domain, and signed up for then-free Google Apps for Your Domain (then GSuite, Google Workspaces, whatever they're calling it now). Earlier this year I moved my email to Fastmail, and I can move it elsewhere if I want to, with zero disruption or downtime.<p>I <i>really</i> wish email providers would make custom domains either the default, or a very obvious option when signing up. Google is already a domain registrar, and other providers could partner with one. Granted, this option would not be free (though Google could probably swing making it free; they just wouldn't let you use the domain for anything else unless you start paying for the registration), so that would reduce its desirability for most people, unfortunately.<p>(On the downside, I wish I could convert my GSuite account to a regular Google Account, because GSuite accounts are occasionally crippled in random ways, and now I'm not even using the email part of it anymore. But that's a separate complaint.)
State-funded email with E2EE. Every citizen gets an email address. You don't have to use it (and it will probably suck compared to competitors), but you'll have it as a permanent fallback address. And presumably it will come with some legal protections and due process.
For me it's Fastmail with a side of Namecheap (or maybe vice versa). Thankfully I pay both companies, thus there's an incentive to keep me happy so I keep paying... In particular, Fastmail has real support staff, which provides at least a modicum of peace of mind.
> The only real solution is to rethink online identity and stop depending on email addresses.<p>I think that is true, but it would have to be a better solution. Some groups heavily push for this reformation of online identity but most of them have in common that they want to strongly bind online identity to your offline one. That simply isn't desirable in many cases.
<i>"You can take some control over your own identity in the current email-based online ecosystem by renting a domain name"</i><p>Originally, the idea was that you <i>owned</i> a domain name. Gradually, domain registrars have moved this to the concept that you're just renting it from them. Although you can still transfer domains to another registrar.<p>I'd like to find a domain registrar whose contractual terms stated that you own your domain name, and they are contractually prohibited from cancelling it or revoking it without a court order. Basically, a contract that forbids what lawyers call "self-help".
This is largely true for myself as well. 1Password helps me and my family from going full in, but if I lost my gmail i would have a lot of problems.<p>The recent discussion of CP flagging wreaking havoc[0] has caused us to start evaluating because we do have young children and we do take pictures for healthcare providers. Feels like a ticking time bomb for us.<p>[0] <a href="https://www.nytimes.com/2022/08/21/technology/google-surveillance-toddler-photo.html#commentsContainer" rel="nofollow">https://www.nytimes.com/2022/08/21/technology/google-surveil...</a>
I too run my own mail server, using a mixed approach of a dumb cloud server as a point of presence on the public internet and a private server at home as the actual email store. That gets the benefit on being a non-consumer presence as far as the internet is concerned, but with all personal data stored locally.<p>With a little practice and experience, it's not difficult for those with technical skills to host their own email on a cheap rented server (along with a personal website etc). Buy a suitable domain, host at a reputable supplier on a dedicated host (i.e. IP) and there should be few problems (test with free accounts from the bit tech outfits).<p>Even nicer is to use Dovecot for IMAP either locally or remote. I run it locally with fetchmail to periodically (or on demand) grab email from the public server, with a little utility that lists the remote headers first so I can decide which/whether any are worth even downloading and reading - quite often it's a single click to delete everything unread.
The problem with several of these email subscriptions is that they will reissue your email address to another if you leave them, with all the risks that entails. The answer is to buy and use your own domain or get someone else to do it.
Email should be considered legally equal to physical mail. It should be regulated by the USPS.<p>Just like a company can't yank your ability to send snail mail, they shouldn't be able to yank your ability to send electronic mail.
Before writing about your bulletproof technical solution to this problem, think about all of your older relatives on facebook. Is the solution something they'll be able to handle?
This the reason I use my own domain and a paid email service.
I used Gmail before but got super worried about all the stories of accounts getting blocked with no way of contacting a human.<p>Sure domain registrars and email providers are not infallible, but it's a huge step up from trusting Googles customer service to do the right thing
It's a technical board so everyone propose technical solutions. But I really hope that the solution will be a legal one. That the law will change to make it as hard to kick someone from an email service as to cut running water. And to forbid the companies to define anti litigation, private courts etc. in their TOS.
After the NYT article [0] I purchased (rented) my own domain, created a cloudflare account and started using their email routing to forward all the email to my gmail address. I also configured gmail to allow me to send emails from the new email address.<p>As I have a small child and use a lot the telemedicine services I do have a fear that I will be blocked soon.<p>A drawback to this is that cloudflare does not allow you to forward to multiple email addresses.<p>[0] <a href="https://www.nytimes.com/2022/08/21/technology/google-surveillance-toddler-photo.html" rel="nofollow">https://www.nytimes.com/2022/08/21/technology/google-surveil...</a>
Somewhat tangential, but I wonder where do people using their own domain draw the line.<p>I personally use a "stable" firstname@lastname.com for supposedly trusted, long-term services (e.g. bank, utilities, etc.) and for services that require my identity for obvious reasons (e.g. shipping/billing address).<p>For sites where I prefer not to reveal my identity (not even to the site operator), I use Fastmail’s Masked Email (akin to iCloud Hide My Email). This, however, means I don't own those addresses, and if I need to change email provider for whatever reason, it's a PITA to update the email address field on possibly hundreds of sites (assuming you <i>can</i>).<p>I could buy a domain like randomstring.com to use with catch-all, but then I would be more likely to be tracked across sites, especially in the case of data leaks (which do happen eventually).<p>Then there are those awkward in-person situations when somebody asks my email and I have to say firstname@lastname.com.<p>What's a good tradeoff?
Shameless plug here, but that is the purpose of [ImprovMX](<a href="https://improvmx.com" rel="nofollow">https://improvmx.com</a>).
We forward emails from a custom domain to a destination email that can be updated.<p>My personal email is contact@{custom domain} and currently points to Gmail because I never took the hassle to change it, but if someday I decide to move elsewhere (I'm contemplating Fastmail and Protonmail), all I will have to do is update my destination email at ImprovMX and that's all.<p>This is a liberty that only us, tech people, can grasp.
My parents, even my wife, doesn't see the importance of being locked to mail provider.
> people should stop and think carefully when choosing the @example.com part of their email address. It’s a decision you’re probably set to live with for life<p>Really? I’ve had dozens of email addresses over decades. I have a few favorites but even those have changed over time. I think your is hyperbole.
I have the feeling that we are gradually shifting from email-centric to phone-centric systems. With 2FA and recovery, ultimately, your unique phone number becomes more and more THE foundation of everything online, and switching phone number is harder than switching email.
Is there email counterpart of HTTP 301? This could be the solution. But it would have to be much more secure and would require human confirmations to make the "301" to take the effect.
I've spent the last year or so moving from a Gmail address to my own domain (hosted on Worksplace). I kept reading report after report of people having their Google accounts banned for any and no reason, and I realised how many services I have tied to me email. I'd be spending a lifetime trying to recover them all, and I don't think I'd be successful for half of them. Now, if my Workspace account is ever banned, I can immediately take my domain elsewhere and retain access to everything.
You can be your email provider, or own your own domain at least. Honestly owning a domain should be a minimum for anyone that is capable and their email is almost their identity
For those afraid of misconfiguring/running their own server, you can use a ready to use docker with everything in it and with nice security defaults (no relay, for instance):
<a href="https://github.com/docker-mailserver/docker-mailserver" rel="nofollow">https://github.com/docker-mailserver/docker-mailserver</a>
In order to have an email with my own domain I need to own (rent technically) a domain.<p>Registering a domain requires an existing email. Which is obviously going to be from a third party / consumer email provider whose domain I don’t have control over.<p>Kind if circular reference situation!
The solution I hope for:<p>A crypto based toplevel domain like the Ethereum Name Service. But with a twist:<p>If I lose my private key, the domain is not lost, but locked for 3 months and nobody, not even the registry can move it. After the 3 months, if I stay "silent" and not confirm my ownership via my private key, the registry can move the domain.<p>The registry should have this process: During these 3 months, I have to start an expensive process at the registry to validate my identity and ownership of the domain. When completed successfully, the registry will move the domain to my new public key.<p>So the worst thing that could ever happen to my domain (and my emails under that domain) is that I end up in a situation that is normal for domains today: That the registry has control over it.
web3 is correcting this with censorship resistance usernames via ethereum name service[0].<p>a lot of famous folks have already using them [1].<p>[0] <a href="https://ens.domains/" rel="nofollow">https://ens.domains/</a><p>[1] <a href="https://ethleaderboard.xyz/" rel="nofollow">https://ethleaderboard.xyz/</a>
It's a pretty accurate assessment. A large number of people depend on freemium email addresses provided by the likes of gmail and many others as well as some ISPs. Those are only valid for the duration of your relationship with the companies behind those and that relation may be terminated for reasons beyond your control. Then there are a lot of company email addresses that are only valid for the duration of people's employement. Only a small minority of people have their own domain. And saying that they own it would be a stretch. They merely own the right to pay to renew their lease every year.<p>Then there is the wide spread practice of tying identity to a single email address that may be used to reset passwords. There is no good technical reason to limit it just one email address or indeed just email addresses; that's just a historical quirk that gets mindlessly copied by world + dog when they spin up a new service because of the mistaken belief widely held by non technical product managers that that just is how things are done. Only a minority of websites provide 2FA, which enhances security but does not solve the root problem of people not owning their identity. Changing your email address is not a feature that is commonly supported either. Whatever email address you pick when you signup is what you are stuck with.<p>If your email provider shuts you down, you lose the ability to reset passwords, receive notifications, etc.<p>IMHO the way out of this mess is to start making multi modal signins more common. Some companies already do this but it is not a widespread practice. Simply encourage users the ability to add multiple ways of authenticating themselves. Phone number based authentication, device based authentication (using e.g. QR codes), public key based authentication (ssh or otherwise), social media account based verification, etc. are all viable strategies to authenticate. And why have just one? Combined with 2FA this makes for a much more durable account ownership. It can also remove a lot of onboarding friction as you don't actually need users to provide a lot of information about themselves.<p>A lot of the reasons for this not being so common has to do with a misguided notion of big trillion dollar companies wanting to "own" the relation with their users. So Google will not allow people to use their MS owned identities to sign in or vice versa. Even though both implement variations of OpenID 2.0 and generally have a large overlap in terms of how they implement security technically. It's a simple matter of ownership. They own you. They consider you their property. Your identity is theirs to control. This is the notion that needs to be challenged for this to ever be resolved.<p>Imagine that citizenship worked like that. It doesn't of course. But imagine. There would be a lot of stateless citizens no longer able to prove who they are because gmail shut them down or whatever. That would be unacceptable of course. Banks can't get away with that either. A passport is all you need to reclaim ownership of your bank accounts. And in case of your death, a death certificate and some paper work from a notary is good enough for your surviving relatives. Online identity should be just as strong. People confuse the means of authentication with the actual identity.
Interesting that nobody question the core concept of online identity. In real world it is useless. Same in the internet.<p>The axiom of online identity is useless and only exists for the sole purpose of control by capitalist cybernetics
There's a lot of hyperbole in this article.<p>> These extra trips through different email servers strip the emails of information about the sending server which is critical to protect against spam and email forgery.<p>Sure, a forwarder <i>can</i> strip information from a forwarded message; but that's a rogue SMTP server. And this would be your previous email provider; so you'll know whether they're rogue before you start forwarding messages through them.<p>> Email was designed in the 1960s<p>s/1960s/1970s/<p>You get your own domain; then host your email at a provider that offers bring-your-own-domain. Now you have a portable email. Your domain registrar <i>cannot</i> interfere with your messages, unless you choose to host your email with your domain registrar.<p>I agree that an email address is a poor identity token. As with SQL, an identity should be an opaque object with no embedded meaning. In addition to being an identity, an email address is a communications endpoint, and is parseable, so it's not opaque.