Recently, I started to search for a mail client for my iPad. The requirements were simple: it needed to be able to receive and send e-mail without much of a hassle. And it needed to do so in a manner that respects my freedom and privacy.
What ultimately started as a search for a mail client that met my needs and wishes ended in an unfortunate surprise: I discovered that a lot of clients share either the credentials or messages, or a combination of those two, with a third party – in most cases the developer of the client.
Why is this important?
Because you should be able to trust your mail client. Harvesting your private information on the sole basis of implied consent (e.g., with a clause hidden in a privacy disclaimer) is not only unethical, it poses both a threat and a risk to multiple aspects like confidentiality, privacy, security, trust and more.
It might be arguable that the credentials are required for some functionality, like delayed sending – where the message gets sent to the recipient with a delay you set and without the requirement to leave your machine running.
However, this should be done on a strict opt-in basis and with clear information on the impact of this functionality. Blindly storing the credentials “because a user might just use that functionality” is bullshit.
While clients are able to perform anti-SPAM measures locally, it could be argued that routing messages through different servers might allow for more efficiency – this too should be done strictly on an opt-in basis. And again, with a clear warning, rather than implied consent.
Last but not least: do you trust the developer of your mail client to store your login on their servers? Do you trust them not to take a peek at your messages, whether automatically or manually? Do you trust them blindly to handle your private data while they can drastically grow their revenue streams by harvesting that exact same data?
What perhaps shook me the most is the scale on which this happens. To illustrate this, I dove into the privacy policies of the most popular mail clients for mobile devices.
The aforementioned applications are in no way an exhaustive list; there are a lot more clients that are just as bad and perhaps worse. If anything, this shows an unwanted business practice, and users should demand that the apps they use respect their personal rights, freedom and security.
I might update this post soon-ish to include more clients and popular desktop clients for a more complete overview of this ongoing breach.
Feel free to respond through the comments section down below.