Ask HN: Should we own the free stuff we pay for?
I've blurred the sender because it might have been a hijacked account, and it's not like it's hard to get a new gmail account anyways. You can also see that I've blurred all the other people too. Yeah, the scammer cc all his targets.
I was in a good mood, so I replied and made fun of him and warned all the other recipients that, "hey, just in case you're distracted, yes this is a spam email". I didn't use any curse words, or strong language, but I was a bit edgy.
Two days later, my google account was suspended. Apparently, my account was being used to send unwanted e-mails. Ha! I just became a spammer.
And let me tell you, it was very frustrating to be blacklisted like this. A little context for you, I'm a DevOps engineer and I've been using gmail for the past 15 years. I'll skip the classic 'my files, my contacts, my email' because I had backups.
But I lost access to paid services that I had set up with social login, besides all Google's services ( GCP, firebase, youtube premium, google one, subscriptions paid through play store, google ads, etc, etc). And here's the kicker: my gmail used to be the contact I shared with potential clients, current clients, and job applications which, by the way, I was actively job seeking. Not because I don't like my job, but because I had pushback on my raise on a recent promotion, so I was trying to get offers to make a point.
But what if I was out of a job? What if I was expecting a contract to sign? What if I had an SLA with a client? What if my bank or the government, health plan, car insurance, or any of the hundreds of notifications that I've set up throughout the years was triggered and needed my attention?
I know about terms of services, that they're a company and they can do whatever they want. But what if your car maker could take away your car if you turned right without signing first? Or if you went over the speed limit? What if you were a salesman and samsung could take away your phone because you're using it to call people to do your job and they've reported you for unwanted calls? Or AT&T could take away your phone number because you said a curse word on the phone?
You could argue that gmail is not a product that I own, but I paid for it, so technically, don't I own it? Don't I get the right to use it while they figure out if I'm really a spammer or not?
That got me thinking, what is an identity? How can I prove that I am who I am? I thought I could just share my profile, or gmail, or phone number, or identity and prove that I was who I was. But all those things can be taken away because of some rule that can be judged and enforced by someone else.
The google stack is very convenient, and it's 2022, I'm not going to start hosting my email server, but I'm in need of a foolproof and long lasting solution to online identity. And I've started by purchasing a domain name for 10 years and having a 'catch all and forward to gmail' rule setup. So I can just forward it all to somewhere else in case I lose my gmail again. But what if I get reported on my domain name? What if that gets suspended or blacklisted too?
Should we own the free services that we've paid for with money and data? Do we own our identities? Do we own our phone numbers, emails, handles, PO boxes, addresses?
What do you use for identity? And what are your thoughts on this? Am I overreacting?
309 comments
[ 2.9 ms ] story [ 230 ms ] threadThis being said, since you got a scare, maybe it's a good time you buy a 2nd domain from another registar and handle accordingly.
PS: how does one find a good domain name?
brute force checking thousands of examples till you find one that isn't squatted.
domainr [1] is fast and has a cool autocomplete feature that mixes domain endings with your name
[1] https://domainr.com/?q=
The main advice would be to avoid Google as if it were the plague. There are other free and paid providers that don't have a persisting and renewing rumour of suddenly, without warning, pulling the plug on you and then making it impossible to get in touch with proper support to try clear things up.
A time machine might come in handy.
(I can just see the cartoon now: guy invents time machine, friend asks if he’s going to stop Hitler, he says no, but to register a good domain name. (Never mind the practicalities of the ten-years-at-a-time limit.))
Grace periods for everything (online and off) used to be 3+ months. Now they're days. These billing policies are quite literally inhumane, as they entirely ignore the logistics of being human.
In theory, you agreed to all the ways they can screw you over when signing up. In reality of course no one can be reasonably expected to understand the full ramifications of multi-page terms of service.
I'm happy that EU is pushing this ownership argument forward. GDPR seemed unreasonable just a few years ago, now it's the new standard. I also don't think it's the final destination. We're moving towards more regulation, but that's expected in any mature industry.
However, this specific topic to me isn't as much about ownership as it's about redundancy and diversification.
Of course it's not a good idea to build your whole identity on some corporate identifier (@gmail.com, @icloud.com...). Of course your business income shouldn't be based on a single platform (e.g. youtube demonetization, facebook news). These problems could've been forseen even without the benefit of hindsight.
There's no such thing as absolute ownership anyway. Even your money or real estate belongs to you within the framework of modern banks and governments. Doesn't mean this ownership isn't meaningful, just that there are always limits and gotchas.
The most meaningful thing you can do is own as much of your digital surface area as you can. Having everything under your own domains will get the most bang for your buck. I don't bother with self-hosting, but for someone else that would be a must. Your mileage may vary.
You weren't wrong to do so, but the convenience/risk bet hasn't worked out for you. For most people it works out fine -- i.e. car driving risks.
I use a different email host, and only use user/pass logins, no social. It's fiddly, and you'll need a good password manager (not chrome) but that's the cost of not being exposed to this risk. Only you can decide if its worth it, very few people have the skills for it to even be an option.
Did you actually pay for it? With money? Or was it free?
You can pay for Google Workspace with money, in which case you are the customer, and so you get customer service.
Or you can use the free version, in which case the advertiser is the customer and you are not.
I don’t think anything you listed a typical individual owns.
Even street addresses change.
Growing up, the houses on the street behind me got renumbered as well.
So it's not inherently wrong to say a user of a free service should have some rights. In some situations, it's not fair to pull the rug out under people.
I think that there will come a point where we need to have independent tribunals governing the behaviour of large web services. That point will probably be reached 5 years ago.
Now it is impossible to find unlimited rentals, every contract has yearly extensions! In some countries landlords even rotate tenants every two years, else they would get extra rights from long stay.
So essentially what OP stated?
If the owner could go to a small cases court and get a bad tenant kicked out with minimal cost, he wouldn't try so hard to defend against the rule.
Either way people will use the system to their advantage.
[1]: https://www.bfmtv.com/immobilier/un-proprietaire-dont-le-log....
[2]: https://www.ladepeche.fr/2021/11/12/temoignages-loyers-impay...
i believe similarly in the US you can't just take away someones car because without it they might not be able to get to work and probably would never be able to pay for their debt.
likewise having an email address is becoming a necessity in life and therefore closing an email account would make it difficult to function in todays society.
the same goes for having a bank account.
all these things should have legal protection.
Could I urge that posters follow the site convention of prefixing the title with with Ask HN, Tell HN, etc. for posts that don't link to an external source? There are currently two such posts in the top 30.
HN is primarily for discussing external articles, and I'd suggest that this post should have been submitted as such.
Good question. And my answer is probably that, as things stand, I'm not greatly inconvenienced by it.
My original post was motivated mainly by "that's not how it's done here". By internet standards, I think that HN does pretty well as a self-organising community. And part of that is a general, loose adherence to norms. To maintain that community, I think that sometimes it is necessary for its members to point-out those norms in a friendly way - without trying to police anyone's behaviour. Thats really all I was trying to do.
To me, an important part of HN's value is to direct me to external things. If the norms change so that a significant number of submissions are hosted directly on the site itself, then HN becomes a very different beast. Probably more inward looking, and maybe more like that other site that the guidelines tell us not to compare it to. I think that would be regrettable.
More practically, "Tell HN" and "Ask HN" are hints that the post is addressing the HN community rather than the entire net. That could be useful in deciding whether to read it. And, as a sibling comment mentions, those prefixes result in posts being added to certain lists.
It was fine when it was one post in a hundred that was a "Verb HN", but these days these are much more common, and the prefixes make the front page more noisy and less signal-y than I prefer. If you aren't in the habit of taking a quick glance at the domain name before opening a link, I'd encourage you to start doing that, for more reasons than this.
I know we’re getting super meta, but let dang police the site. Neither of us should be dealing with comments or submissions that “don’t fit HN”.
For the .contact gTLD you will find them at https://donuts.domains/about/policies/ or over at ICANN.
1. Is it easy to set up the redirect from Gmail to the new account?
2. When I send email from new account (custom domain), how are you completely sure it is not going to be on spam? I send unsolicited emails to people in big corps (journalist asking for interviews/comments, not spammy :-)
Yes super easy. You can do this using Gmail's filter service. However, many services will also let you log in to gmail via POP/IMAP (OAuth for auth) and fetch the email from your gmail for you that way.
> 2. When I send email from new account (custom domain), how are you completely sure it is not going to be on spam? I send unsolicited emails to people in big corps (journalist asking for interviews/comments, not spammy :-)
I guess it's hard to know for sure, but I've not noticed any problems with this when the underlying provider is a well-known sender such as Gmail or Fastmail.
On sending from a custom domain, your mail provider walks you through setting up a few additional DNS records (for DKIM, SPF) that allow you to send from your domain through their servers. They maintain the reputation of their IPs and so you get their good deliverability.
I am curious: What made you switch from Protonmail to Fastmail?
That said, I'm planning to migrate to either self hosted or a paid service which is not run by algorithms and where customer supports exist (in that regards big tech is terrible: facebook, google, paypal = worthless customer support).
I completely agree with your premise though: Ideally everyone should have their own server providing a personal site and mail and maybe even hosting a decentralised social network.
Is there any significant delay in receiving or sending?
I am currently a google apps user grandfathered in the free plan which is disappearing so I am looking for something new.
PGP is a good solution, and in general the crypto space has the right idea in my opinion. I like the idea of using cryptographic key pairs to sign messages and prove identity, but the learning curve makes it impractical for general use.
The best place to start is owning a domain you control, at least that way you can manage your own facade.
This would be an excellent topic for new curriculum for the schools. Some ideas need to be generally known to be beneficial.
My domain is completely detached from my online identities, even for private and professional development to a large degree.
Many domains are pretty cheap though, not much more expensive than some mail services. Of course they don't come with respective keys for which you might have to pay extra.
Currently i have about 10 different e-mail accounts:
There are some others, as well as each platform for automation has a separate account as well (e.g. GitLab, Zabbix, Nextcloud, ...), though most of those are on the same self-hosted mail server. Of course, deciding how to structure everything is one's own choice, in my case it's just historical cruft and loosely defined boundaries of how much i care about any particular item.That said, mail servers that are easy to set up are a godsend (for example: https://github.com/docker-mailserver/docker-mailserver), as long as you also have one of the larger walled garden alternatives for public communications, should there ever be delivery problems.
It's not like Google deciding to ban all of my accounts at once (though fingerprinting, or based on IP because i don't care to set up some sort of an advanced proxy to access all of them from different VPNs) wouldn't be problematic, but this way at least the impact would be minimized.
Plus, with software like Thunderbird and something like KeePass for strong randomly generated passwords, managing everything is really low effort. Of course, this also lends itself nicely to avoiding social logins and creating a separate e-mail based account wherever applicable, for a bit more control, rather than keeping all of your eggs in the same basket.
As for those who will inevitably say that this is too hard or complicated to be practical: i invite you to try setting up your own mail server with the help of the provided link on a 5$/month VPS, things have really improved in the last few years! Of course, creating new Google accounts (or for other platforms) might be a bit more cumbersome with modern verification steps etc., but it's not like it's impossible either.
Sometimes i wish we could do the same for personal identities, e.g. a list of aliases that could be issued through some government org. for particular purposes and revoked as necessary. For example, i wouldn't want a leak of some shopping site result in my personal data being compromised in regards to my online banking or my physical address, in any capacity whatsoever.
There is really nothing you could do with a car to prompt the car maker to take it from you. And the state will only take it if you break the law in particularly dangerous ways.
When it comes to other possessions it's even harder for anyone to take them away from you. If I take a kitchen knife and stab someone with it I will go to prison for sure, but I don't think they will take the knife away. They definitely won't ban me from buying knives.
But when it's a digital service, even something as crucial as a banking service, it's seen as normal that you can lose them for posting offensive things on twitter. Perhaps it's because we haven't had these digital services for long enough to consider them as really belonging to us, so we accept that they can be taken away at the slightest provocation.
Somehow I am not sure why, we as technical people, and I would even think that most of the people in these fields are also into fiction and sci-fi, we are taking only the worst things from novels and stories, instead of the good ones, VERY slowly transforming our society in an dystopian nightmare.
For cars I don't think this future is distant at all, ten years max.
Since this is Hacker News I'm sure there will be some who can say the two are compatible, but it will only appear that way to the wealthy and the elites -- the rest of us will gain none of the benefits and will be seen solely as "customers" or "partners" from which revenue must be extracted.
One only need look at the transformation of business from selling products to selling services, changing a sales relationship into a rental relationship. For businesses operating key or critical technical infrastructures this is equivalent to a corporate "universal basic income", such as will never occur for the common man.
Not quite. Few businesses have ever been focused on improving the human condition. The new thing is their ability to control our lives, and our acceptance of that, both in terms of laws and our quiet consent.
I have only one objection here: Doesn't feel all that slow to me.
Maybe one day your Tesla will simply drive off if you don't pay the bills, or worse work for the SEC
Just like your fridge may not dispense water if you buy the wrong filter. Or your random IOT enabled device will refuse to work if you don't let it phone home with surveillance data.
Although I was joking about the SEC thing, what happens if Elon get's a grudge? Some would say it's your fault for buying the car, but some guarantees for consumers are useful.
Interestingly the problem of people excluded from the banking system has been addressed by statutory regulation in the UK: https://www.gov.uk/government/collections/basic-bank-account... ; see also discussion at https://publications.parliament.uk/pa/ld201617/ldselect/ldfi... which covers the question of people with inadequate ID.
Getting your email account wrongly banned is an injustice, whether trivial or costly, and whether or not you have alternative arrangements. That's why people are (generally) rightly cross that it's happening. That feeds into wider questions of "why is justice so expensive" and "how does a local justice system address the bad behavior of a multinational". These questions tend to get resolved incredibly slowly.
Edit: see Which? who are always good on consumer issues: https://www.which.co.uk/news/2021/09/why-banks-are-freezing-... : alleged suspicious activity; https://www.theguardian.com/business/2020/oct/22/exclusive-h... inactivity
Traditional British solution: a QUANGO and an Ombudsman.
I wonder if the effort behind this is a Baptist and Bootleggers moment. Surely some maybe most want to solve something that they see as a societal problem, others see opportunity a la payday lenders, and others see an opportunity for social control. Maybe the people who see not-banking as a social problem also want to use the end result to "nudge" participants in the right direction.
Maybe not take it from you, but with new cars that are always connected (Tesla et. al). They can certainly make them quite terrible if they want to... access to superchargers has been removed when "owners" use unauthorized work shops for instance.
To put it more bluntly, my eyeballs are watched by AI to make sure I pay attention enough to deserve the full use of my vehicle.. it's beyond punitive, it requires my positive behavior.
ALSO bonus, if I did something with my vehicle that resulted in losing my account, I would also lose access to my home electricity system.
A normal car in 2022 will not constantly surveil you. No critical functionality is tied to an online account in any non-Tesla mass-produced car that I am aware of.
On the surveillance point, I worked for an auto software company that partnered with a big auto manufacturer on a feature. We were granted access to an API that could geolocate any vehicle made by this company in real-time given its VIN. I volunteered my car's VIN to test with (I drove the same make as the company we partnered with) and confirmed that the API returned real-time location data on my 2019 vehicle. If you own a car that was built in the last 10 years, you are more than likely emitting your location to an internal service maintained by the manufacturer.
https://www.toyota.com/privacyvts/
You do have the ability to opt-out, but it's not usually a simple process.
Alternatively, the government will just take over basic id services (think first.last@yourcountry).
This is true. Generally if you stab someone the police would seize the knife as evidence, but after your trial if the prosecution didn't file a forfeiture case against the knife, then it is still yours and you can get an order from the judge to return it :)
p.s. civil forfeiture cases give the best names, e.g. United States v. Article Consisting of 50,000 Cardboard Boxes More or Less, Each Containing One Pair of Clacker Balls, 413 F. Supp. 1281 (D. Wisc. 1976)
- Decentralized file hosting for all the emails using IPFS instead of Google's servers
- Decentralized login using ENS / Ethereum Name Service instead of Google's login
- a UI on top of your data, plus an outbound server for relaying to/from non-blockchain email accounts
Overall, you end up with portable data thanks to IPFS, and a login through ENS to whatever UI you want to use/pay for.
This seems like a win to me. Haven't seen anything yet that pulls this together but the pieces are there. Maybe someone here wants to prototype it.
The only part stored on the blockchain is the address itself. The files are not stored on the blockchain.
More here: https://docs.ipfs.io/concepts/what-is-ipfs/
Appreciate your question! That should get you started.
Beyond that, it depends on what you mean by "computations".
Our example is setting up decentralized email. What computation is needed to send and receive email?
1. You may mean the computation needed to encrypt and decrypt the emails. That would happen on your computer locally.
2. You may mean the computation to send and receive emails. I'm not sure how/where this would happen in this example. It might be on the blockchain somehow.
I'm curious about this as well so will be learning more about dapps (decentralized apps). Starting here
https://blog.chronobank.io/what-is-a-decentralised-applicati...
https://ethereum.org/en/developers/docs/dapps
For messaging dapps, check out the new Blockscan chat by the creators of Etherscan : https://decrypt.co/91226/etherscan-creators-launch-ethereum-... (note: NOT very decentralized yet)
This is past my level of expertise, but you could map out what those clock cycles of a mail server are going towards. For example, serving files, like we talked about, can happen on IPFS. No compute needed there beyond what IPFS already does.
Anything that you get from the internet is a service. Even connecting to the internet is a service. And providing a service is ongoing work.
What we need is recognizing services as essential and guaranteeing people has access to them. This is something for the government to do, and the guaranteeing access part is quite complicated when the service can be exploited like email.
Perhaps in the new era of tech we'll have better data portability and ownership. Sure, maybe Google can kick me off but they should still let me export all my data.
See my reply below about public blockchains.
That helps you ‘own’ who you are, but doesn’t stop someone like Google from refusing to work with you in case they think you’re a spammer (though your DID can provide enough evidence that you aren’t).
Do NOT send everything to gmail via forward. Every bit of spam you forward is going to count against your domain name. I had someone who did this on a community server and it wrecked our rating for a while.
Instead, have gmail pick up your email via pop3. This will avoid the "spam origin/relay" problem of forwarding.
The fetch approach has some significant caveats.
Firstly, it introduces something like 5–10 minutes of latency before you receive messages compared with forwarding, so it’s not suitable for every purpose. If you’re accessing via the webmail, forcing a refresh may trigger remote fetches too, if you know to expect something.
Secondly, if you leave messages on the server, there’s an undocumented limit at which point it will stop fetching mail, probably without notifying you. Back in early I think it was 2015, I went for a couple of weeks before I realised I wasn’t getting any email to what had been my primary address for six or so years (there were still just enough things going to my @gmail.com address that I didn’t notice), and on investigation, it told me that it refused to fetch from a mailbox containing more than 50,000 messages.
(Qualifier: I haven’t touched Gmail for five years (I now use Fastmail), so parts of this could be obsolete or altered.)
Ironically, you would not have this problem with POP3.
You can instruct IMAP fetches to delete too, and that’ll avoid this problem. Better would be to move emails into a new mailbox after fetching them, so that you don’t need to see them again but they’re still there, but I don’t know if anything supports that concept.
The best way to do this, in my opinion, is to tee the emails to another mailbox as they come in, not as they get pulled from the inbox.
I set this up a couple of weeks ago. I think Gmail only allows pop3 for email fetching, because I just couldn't get it to even try connecting to my IMAP. pop worked great though.
The settings even lists "POP Server", not "Server", even if you choose port 143 or 993
> I don’t think there’s a single legitimate reason to use POP3 any more
Well, pop was designed as a "download the messages" protocol, IMAP as a "keep messages on the server" protocol, right?
So while it doesn't prevent IMAP, pop is actually a better mapping in intent.
Pop is clear about what "the email" is. IMAP opens questions like "so… all email? Or just INBOX, or what?". And while it's not mandatory to delete the emails from the server with pop, it becomes even more of a complex question with IMAP.
The choice of pop3 very strongly implies answers to all of these questions, with no surprises.
Are there downsides to pop here that I'm not considering?
But y’know what, I’m going to retract my comment for the case where you don’t want to keep a copy of anything. For most places, POP3 is generally unsuitable, but for this specific type of destructive server-to-server fetching, it’s reasonable.
We should own our own stuff. Your email is your own data. No company should have the right to arbitrarily destroy or block your access to your data. Whether that service is free or paid for is irrelevant; offering a service for free isn't a license to rob and destroy.
I've argued this point multiple times (e.g [0]). Business who host your data should treat your data as your property and take responsibility for it. They don't have right to destroy it or put it through a virtual shredder any more than your landlord or car service should take your property to the junkyard.
I also consider it a security issue [1]; if you can't access your data (or worse: it's gone all of a sudden), security has failed. No, destroying data isn't the same as securing it. Google has poor security. Security should protect your data and your access to it.
[0] https://news.ycombinator.com/item?id=30242824
[1] https://news.ycombinator.com/item?id=30055397
Unfortunately law seemingly hasn't quite caught up with the idea of digital property.
Notice that Google's automatic suspensions may very well be illegal under GDPR. This was discussed here recently [2]. Having been rejected a credit card application (an example of a decision that should't be made automatically, under GDPR [3]) and lost access to a gmail account, I can say the latter was much worse.
[2] https://news.ycombinator.com/item?id=30138669
[3] https://news.ycombinator.com/item?id=30140312
I host my own email these days, and I am my own domain registrar. If someone wants to take away my domain, they have to take it up with my government.
There are some responsibilities that you get along with it (e.g. you're supposed to do risk assessment and document your approach to risks and security, etc.) but you don't actually have to deliver those documents unless they ask for it. They may also require you to respond to some questionnaires and such (I've received only one questionnaire over the years; they were conducting a study about how registrars verify the identity of their customers). Obviously these are primarily intended for commercial operators who have responsibility for customers' domains, and my risk assessment offering domains for myself is going to look pretty simple so I haven't actually written anything down. Will do if/when requested.
Excerpt from my whois records:
(It used to have my name along with other info in the registrar field, but this thankfully changed following GDPR)Free domain lock against NS changes and domain transfers with national TLD authority seems good enough.
Here is where I am heading (having given the matter much thought and some testing, trial and error)
Free Gmail/Cal account as I enjoy the software
My own custom domains with any registrar
Paid Fastmail account storing all my emails to all my domains/aliases at Fastmail
All Fastmail messages forwarded to Gmail
Mail from Gmail sent through Fastmail's smtp servers
This gives me the mail/cal app I like and the freedom to move. I don't have a problem with paid. Google are forcing Workspace on me when all I want is email with custom domains.
The configuration of the service is much easier than Google makes it. Filtering took some getting used to, but I have it working much better than I ever could on Google, so happy bunny there. And the Android client is OK too.
The only meh part (for me) is the web interface for email/calendar isn't as streamlined as Google, but being out of that eco-system more than makes up for it.
These days I pick a provider for each service that lives and dies by the quality of that service. Fastmail has 'mail' right on the tin.
For full porting, there's a long road ahead, starting with regulating domain names, which email addresses depend on. However, as long as the domain name _de facto_ remains in the possession of the original provider, this is technically possible, already.
Email address porting might even be possible without a persistent domain/DNS entry. After phone numbers get ported, the _sender_ (of sms, or a call) caches the new routing, and the original carrier doesn't know the ported phone number is getting a call in the new carrier's network. I'd be interested in discussing this sort of thing for well established internet services (such a central authority already exists, ICANN, but perhaps legislators can come up with a non-US authority for emails)
All people sending email will be required by law to first consult the porting server to determine where to send email. It could be as simple as an http endpoint. Total development costs and running costs could be pretty low - low enough that the government can argue it is more than paid for from increased tax revenue from mail providers.
In the event that an ISP or digital services provider wishes to cease providing email service, they could be required to provide minimal access to enable updated provision of either a forwarding email address (which the provider would forward mail to), or an MX to redirect the sender to use. This would avoid the need for a big central "porting server", and retain the simplicity of doing a DNS lookup for one or more current MX records.
Given spam challenges, the former is likely unattractive (who wants to use their own IP ranges to relay potential spam to former users?), but the latter could likely work, or be made to work.
I realise the MX approach doesn't quite work, and you'd likely need to relay the email, but this is more akin to how the phone number porting system works - you ask the number block owner on each call, and they can either accept the call, or point you towards the correct destination network.
This topic is of indirect relevance and interest to the UK telecoms regulator [1], since many households rely on an email address from their ISP, which could become a barrier to switching, or result in long-term extractive pricing from users who have no real choice other than to pay a former ISP over the odds for email service to retain an old address.
[1] https://www.ofcom.org.uk/about-ofcom/latest/features-and-new...
In your example, anyone who wants to legally run an email hosting business.
What could possibly go wrong?
In essence, in the regulated telecoms space, the number block owner retains responsibility for routing to the new network after a number port.
As for not allowing people to save their data before shutting down, I agreee. That's a consumer rights issue though, and not a technical one.
There's no reason for a complicated legal structure to ensure mail forwarding (which just begs for abuse). Users already have the power. Use it.
I agree though that there should be legal resort to not losing your email address.
If you think there's real demand for email portability, go into business! A service that lets you buy a domain and route to different email providers is well within the abilities of a single programmer. Make the UI idiot proof and charge a few bucks more than the registration fee.
There's a lot of scenarios where you wouldn't want purchase of service to transfer ownership. People providing services have rights too. You don't get to do whatever you want with their brand, trademark, copyright. And you don't get to expect more service than is promised, or that you won't have your service taken away if the service owner doesn't want to deal with you anymore.
So you ask, well how can I be protected as a user of services? And the answer is: competition, being an informed consumer, and the occasional regulation.
> Do we own our identities? Do we own our phone numbers, emails, handles, PO boxes, addresses?
Those are all great examples of why there is no simple answer.
You do not own your phone number, but you do have the right to transfer it between carriers, thanks to regulation. You don't own your own email address, but you can rent a domain name and do what you want with your email address while you're renting the domain. You don't own your handle unless it is your real name and you go to court to protect it. You don't own a PO box, but you can rent it while you pay for it.
Ownership is often just a matter of possession. Who possesses your email address? Who possesses your PO box? Hell, who possesses your house? The land it's on? The access people have to it? The impact it has on neighbors?
Identity and ownership are complex ideas that are involved in many different levels of our society. As much as people want it to be simple, it just isn't. And the world is not going to get less complicated.
I signed up to Quora with my Facebook account, back in the day. Deleted Facebook in 2013 and lost access to my Quora account, with no possible way to recover it.
I haven't used a social login since. In my case, it was fairly harmless, but it made me realise how dangerous social login is. Every time there's a signup, I look for "signup with email". It's the safer option. And if you can, use your own domain for email (Google's paid email offering supports this, as does Fastmail and countless other email providers). That way if your email provider decides to flip you off, you switch DNS records and you're up and running somewhere else, and everything keeps on running.
But: If you don't have a copy of emails then you lose all saved emails, so make sure you have a backup strategy in place.
I'd love to have webmail on my own domain, hosted by someone else, and with ads on the side. Those ads should generate ~$20 per user per year (after all, they can be targeted based on emails I'm sending and receiving, and I'll be looking at them many minutes every day - the perfect combination for high revenue ads).
With $20/user/year, there should be no difficulty paying the hosting costs of such a mail server and staff to look after it.
It looks like Zoho might have a free plan too but I've never tried it https://www.zoho.com/mail/zohomail-pricing.html
ImprovMX also does email routing for free along with webhooks and such
Been using Zoho for many years, switched from my free grandfathered Google Apps account to Zoho around 2014.
In GMail (and using Google Domains to host my DNS) I've configured this by inputting various settings as per the guide here:
https://support.google.com/mail/answer/22370?hl=en
The key relevant step is: "For school or work accounts, enter the SMTP server (for example, smtp.gmail.com or smtp.yourschool.edu) and the username and password on that account."
Is that kind of thing supported with Cloudflare?
I'll tell you why: because you are not worth that much to advertisers. If you are so cheap to the point of asking to get your data harvested, chances are you never going to be a high-value customer.
Though I think “high-value bit of cattle” or “high-value mark” are closer to how the stalking side of the advertising industry sees us!
But if you are so dumb as to not know your data us harvested, you are a great gullible idiot, er, I mean customer.
I don't think logic holds any water. There is no rational 'free market' reason you can't sell your data, it's just logistically too difficult to deal with millions of individual 'sellers' istead of paying $supplier to get all of it at once.
2) Even if the data is being harvested, doesn't mean that there is any morality in trying to get a share of the profits. That doesn't make you smart, it makes you a cheap accomplice.
3) "free market" would apply only if all exchanged data were offered by those that own the data, and if they could determine how and when the data could be used. GDPR has shown already that some sites would rather not serve their sites to European citizens than comply with data regulations. You can bet that the intersection of high-value prospects who would be interested in selling their data for some meager dollars/year is very, very small.
You can buy discounted TVs (and in some places they are the only TVs you can buy), which clearly have advertisements on them that others do not.
When more people wake up my bet is they will be accustomed to advertising, they will just want better advertising. And if one can get paid for receiving short-form entertainment with relevant product information, with appropriate branding I bet there is a market.
Brave's model has shown that you can have a ad distribution system that gives more power to the users, the ads are still relevant, fraud is much more easily detected and it can still reward the users for their attention.
With zero knowledge proofs, you can even have a system where the advertisers only get to show ads for those that match certain criteria, but no personal data needs to be given away.
If you are working on anything that depends on direct exploitation of user data, I urge to go back to the drawing board and seriously consider the morality of it.
No one is set up to explicitly monetize your data with consent. It doesn’t seem like a bad idea once society catches up with it.
Monetizing users' attention is enough.
Look at the Brave model. People get paid for the ads, no personal data is exchanged.
I'd like to self host data and webmail and pay somebody else manage the headache of delivering and receiving.
Get your custom domain, create a mail user with Fastmail: username@mydomain.com
Set things up nicely (do read the docs), particularly look at catchalls, wildcards and aliases
Give out separate email addresses to each and every service you use: service@username.mydomain.com
Bonus: You can easily send emails back from each address you give out and if you create a label called "service" for the example above, mail coming to that address will be automatically labelled without needing to create a rule.
I used to use spamgourmet and used to get some resistance from sites using misguided email validation considering it a spam service (oh the irony) - now with Fastmail, everything just works.
Except the domain renewal fees, it's free.
If Gmail blocks me, I can readdress the forwarding to hotmail or usa.net or whatever.
Unfortunately I doubt that would work. Any email solution hoping to get significant use will need to be able to send as well as receive and/or store & organise, because if someone is needing to run their own send route elsewhere they'll run their own receive route there too, and any free email solution that allows sending will be abused in any way possible by junk mailers and other scammy types.
It would be a constant fight to keep the service off black-lists and dealing with the backlash from:
* people blocked rightly because of service abuse
* people blocked because of a false positive in what-ever automated checks you do (the admin involved in doing all the checks manually will be excessive enough that it can't all be done manually)
* those who are inconvenienced by the service, even temporarily, being on a blacklist
And that mass of spammers such a service will attract will be worthless: they'll have everything quickly automated and won't even glance at a single one of the adverts.
> With $20/user/year, there should be no difficulty paying the hosting costs
I doubt $20/user/year would cover it unless you get a decent number of subscribers. And I doubt there would be enough people who would sign up for this, who are not already using gmail or similar big providers that already exist or mail provision included with their web hosting or domain registration service.
Of course my gut reaction could be quite wrong here: why don't you give it a go? If you are right then there is a market to corner that no one else is looking at yet so you could make it big.
If they cant make it work, why would anyone else have more success by offering even more features for free?
And if you're already buying a domain name then why not just pay for the email account too?
So, you can use social login (OpenID Connect in reailty), as an automated form filler and add your password, so your account will be effectively won't depend on that provider anymore.
I use a lot of services like that.
I think the whole point is not having to create yet another password.
One solution to all of this is to have some kind of durable identity verification that the user controls and can use everywhere. There are serious challenges with that of course, which is why we don't have it yet.
That's the fallacy. You're always creating a new password. Only its storage location is changing. You can store a password in a variety of ways and places. When you use a social login, you're using a time limited password stored in the OIDC provider. And if you lose your account there, you lose all your passwords.
Also, you can store your passwords in OS key chains (Linux, macOS), browser password managers (Mozilla Lockwise/Firefox), in myriad of other online/offline password managers, on a text file or paper.
Many sites allow you to "reset" your password for an account created with a social login. However, if you created an account with Google OIDC and lose access to your GMail account, that's another matter.
A secured password manager is the superior option, especially since you would not compromise every service in case your password is known by third parties.
However, I always sign-up with an e-mail directly if possible, and don't use OIDC login pathways. If I had to use or was lazy during registration, I change my password immediately, so I can use an e-mail/password/2FA path.
So they are always in my password manager, and that part of life is good.
I connect all my logins with my (custom-domain) E-mail and also do regular IMAP backups of my E-mails. I run Thunderbird once a week and sync all mails.
Ideally one goes in life forcing failures to be uncorrelated, but that's extra work. Anyway forcing them to be correlated is also extra work, so just don't.
Did the same but lost my Spotify account. Needless to say, but I haven’t used Spotify since then..
But you're far less likely to ever have any issues with your domain name provider, because you literally only have your domain with them, and don't interact with them outside of that.
I would say if you want to be extra safe, your domain provider would NOT be your hosting provider. Because you can lose your hosting, too, and we've seen stories like that here a few times.