by iliketosleep 1776 days ago
I am being monitored for using a privacy focused email address when signing up for services operated by a government entity. Yep, it happens. Their AI determined that people using particular email providers need to be watched. Not only that, I have had payments mysteriously fail with big online merchants, and after following it up through multiple layers of support I was told that particular email services are automatically flagged. You can guess which ones.

Now what do I do? Avoid privacy-focused email addresses for anything in daily life. It seems to be a battle that cannot be won.

10 comments

These sound like common blacklist-style defenses. As examples, mail services use RBLs to prevent spam, Cloudflare services often require captchas from Tor exit node IP addresses, many websites decline signups from throwaway email addresses like Mailinator. Credit card companies use various indicators to prevent fraud.

I'm not saying these measures are perfect or fair, but they are not related to government (though government may also use them); they are just obvious ways to prevent unwanted activity such as spam, fraud, hacking attacks, etc.

> Their AI determined that people using particular email providers need to be watched

How do you know that government has concluded 'particular providers need to be watched', and that the decision was performed by an AI?

> for using a privacy focused email address when signing up for services operated by a government entity

How do you know the cause?

The type of monitoring used was disclosed as was the "likely cause" of me being flagged. This wasn't a secretive kind of thing. Of course one can't "know" anything as it's a black-box. But it's not a stretch to see how such systems may conclude, from automated profiling, that users of privacy-centric services are more likely to be associated with fraud and hence flagged. This also represents a more general issue with the application of machine learning.
You're basically saying that you've been caught up in some surveillance dragnet/watch list, and that you have no proof but think it is for using ProtonMail on a government website.

When your payment was declined, the company 1) had access to this watch list that you're on, 2) was able to share with you that you were on a watch list, and 3) you were able to figure out why this is. This sounds very unbelievable to me. The data that comes from programs like this isn't generally being passed around to businesses, and if it is, the support folks are not going to be in the know.

It still sounds more like you're being hit by algorithmic blacklisting than that you're on some secret not-secret blacklist. That, or you got added to a public sector blacklist, by some security company because you use ProtonMail which has issues with abuse by fraudsters.

No, you've misconstrued what I've said. I am not implying that the payment being declined by a merchant is anything related to the government. Nor am I implying that the government shared my information with any company. Nor am I on any kind of blacklist (at least that I'm aware of). Read my original post, they are two separate issues.
> The type of monitoring used was disclosed as was the "likely cause" of me being flagged

You're correct, I misremembered how you wrote that. Unfortunately, that makes it even less believable. How did you find out that you were being monitored, and why was that disclosed to you? Who disclosed this monitoring to you? Did you run some sort of FOIA request (whatever your nation's version is)? You're making a very big claim with very little to substantiate. Keep in mind ProtonMail has over 50 million users. It beggars belief that using PM is sufficient to get yourself monitored in any serious capacity.

all this nonsense would go away if we had some sort of universal identification system on the internet.

people act like anonymity is some kind of right, but it really wasn't in the past. You needed to prove who you are to get a loan, drivers license, etc.

Anonymity is the default, we don’t walk around with our names and all our interests and thoughts attached to a label to be read by anyone. If anything, internet made it go away. Eg. even if you knew a person’s name you wouldn’t be able to look up other information about them before, now you can. Previously, you’d be able to go to a store and buy a thing without giving any information, now you have to give the “email” that collects most information about you. Your examples of loan, licence etc are not like 99% of interactions, and those can be handled as special cases like before.
> Previously, you’d be able to go to a store and buy a thing without giving any information

We can still do that, it's called paying with cash. Paper money is the people's money.

> Your examples of loan, licence etc are not like 99% of interactions, and those can be handled as special cases like before

With regards to loans, it is possible for state governments to establish regional public land loan offices to issue equity loans in reference to the production and replacement cost of existent tangible personal property fixed or held on site without monitoring all of the purchases of movable personal property by the borrower to determine credit-worthiness. The borrower just has to prove there is some tangible artifact of personal property which exists, which the loan office can auction if the debt goes bad or write off if the artifact is destroyed.

We just have to mandate the loan offices don't do something stupid, like issue loans against the excess value of real estate attributable to land scarcity and resell mortgages to private investors which will resell derivatives, to avoid generating a real estate bubble and the accumulation of $100+ trillion in derivatives. Additionally we'd probably need to replace many regressive taxes with distributive land taxes to ensure that households and cooperatives had cheaper access to land in order to obtain a deed or long term lease granting the security for spatially fixed personal property necessary to qualify for such loans.

for most of human history, people knew the names and interests of people around them

anonymity is a recent thing

I don't know where you live, but at least in North America the requirements for a loan are laughably low. I once was interested in getting a vehicle loan on a new vehicle purchase. I gave the financial guy all my information and he showed me the terms. I agreed to them and bought the vehicle.

I have no idea how, but he issued me a loan on that vehicle using incorrect information for basically everything except my address. Name, birthday, etc. did not match. Somehow the system had a completely different set of records. When I called the lender about it, they didn't even seem surprised. Just took a phone call to get everything corrected and a new set of paperwork mailed out to me.

It is and should be a right for a lot of things.

I imagine few people doubt the practicality of trust in a transaction or application as you mention.

But we should be able to sit in a cafe and discuss our plans for cultural subversion and last night's sports event without the *till* shopping us out to the thought police.

Can you see downsides to that? How do you address it?

I think it's not that anonymity is a right, it's that other rights are strongly impacted by the lack of anonymity.

Just make it zero-knowledge. You use the ID server to prove that you're not a sock puppet of someone already registered, but that's all the site needs to know.
> people act like anonymity is some kind of right, but it really wasn't in the past

it was for tens of thousands of years in the past

> it was for tens of thousands of years in the past

I wonder: Few people traveled and communities were smaller, so generally everyone knew you.

what's your name then?
User called fnord posts bait ideas, yeah I'm not biting.
What about whistleblowers?
> Not only that, I have had payments mysteriously fail with big online merchants, and after following it up through multiple layers of support I was told that particular email services are automatically flagged. You can guess which ones.

You don't need nefarious motives to explain that particular behavior. Operate a store or payment system without rejecting easy-to-sign-up-for-anonymously email addresses, especially ones with a free tier, and you'll find out very quickly why they downrank the trustworthiness of, or simply block, such services. Automated credit card fraud is huge and no fun at all to deal with.

And that is why some people really like crypto currency. You get what is essentially ssh for money with all the pro and con implications.
Note BTC and others are pseudo-anonymous, because the whole world knows the source and destination wallet of every transaction. If someone is ever serious about finding you, they can follow the chain to wherever you cashed out and a subpoena will do the rest.

There are fully anonymous coins like Monero, ZCash, etc.

Right, but you also don't have to deal with fraudulent claw backs like with credit cards. It's not secret but it makes the integration/code easier. This is why a lot of obscure/experimental services tend to have bitcoin payment support early on and struggle with paypal/credit cards.
Right: a vendor's not forced to care whether any bitcoin they accept was stolen, but they are forced to care whether a credit card they accept was stolen. Doing a sufficiently shitty job of keeping out purchases with stolen cards can literally end a business, in a hurry. Meanwhile nothing's going to happen about stolen bitcoin you accept—probably you'll never even know—unless there's an actual police investigation you get wrapped up in. In that respect, it's more cash-like.
I would strongly recommend running your own email. I've done it since I was 17 and it's a lot easier than you would think.
It got a lot easier, but mail server hosting should be done with care if you don't want it used as a relay and be put on blacklists. Still takes a while to set up.
Any tutorials/software you can recommend for this?
>Any tutorials/software you can recommend for this?

Not GP, but the process is pretty simple:

You'll need to be able to send, receive, store and forward emails. A variety of resources are required to do this. Note that pretty much all of the software suggestions are available through the default software trees of just about every Linux/BSD distribution.

1. You'll need a domain;

2. You'll need DNS services to publish your MX records with DMARC/DKIM/SPF[17] and/or DANE[18] support. If you can/want to host your own (not difficult), lots of folks like Unbound[0][1]. And while some folks hate on BIND[2][3], it's always a good choice. There are many others[4] as well;

3. You'll need a Mail Transfer Agent[5] (MTA) to send and receive emails. Postfix[6][7] is very popular. Some folks use Exim[8][9]. And others use the venerable sendmail[10][11];

4. You'll also need a Mail Delivery Agent[12] to store your mailboxes and serve them via a web interface and/or your mail client. Lots of folks like Dovecot[13][14]. Others use Cyrus[15][16].

[0] https://www.nlnetlabs.nl/projects/unbound/about/

[1] https://www.redhat.com/sysadmin/bound-dns

[2] https://www.isc.org/bind/

[3] https://www.firewall.cx/linux-knowledgebase-tutorials/system...

[4] https://en.wikipedia.org/wiki/Comparison_of_DNS_server_softw...

[5] https://en.wikipedia.org/wiki/Message_transfer_agent

[6] http://www.postfix.org/

[7] http://www.postfix.org/documentation.html

[8] https://www.exim.org/

[9] https://www.exim.org/exim-html-current/doc/html/spec_html/ch...

[10] ftp://ftp.sendmail.org/

[11] https://www.sendmail.org/~ca/email/doc8.12/op.html

[12] https://en.wikipedia.org/wiki/Message_delivery_agent

[13] https://www.dovecot.org/

[14] https://doc.dovecot.org/

[15] https://www.cyrusimap.org/

[16] https://www.cyrusimap.org/quickstart.html

[17] https://trendlineinteractive.com/resources/article/what-are-...

[18] https://en.wikipedia.org/wiki/DNS-based_Authentication_of_Na...

Edit: Added link for DMARC/DKIM/SPF and reference/link for DANE.
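As an added illustration of the SPF and DMARC records mentioned in step 2 above (not part of the original comment; `example.org` and every record string are constructed sample data), a small offline lint that flags settings which weaken a self-hosted domain's sender authentication:

```python
import re

# Terms that cost a DNS lookup; RFC 7208 allows at most 10 per SPF evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def lint_spf(record):
    """Return a list of findings for one SPF TXT record string."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record must start with v=spf1"]
    findings = []
    names = [t.lower().lstrip("+-~?") for t in terms[1:]]
    lookups = sum(1 for n in names if re.split(r"[:/=]", n)[0] in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms, limit is 10 (permerror)")
    # The first 'all' term decides the result for every unlisted sender.
    alls = [t.lower() for t, n in zip(terms[1:], names) if n == "all"]
    if alls and alls[0] in ("all", "+all"):
        findings.append("SPF: +all authorizes any host to send as this domain")
    elif alls and alls[0] == "?all":
        findings.append("SPF: ?all gives receivers no usable verdict")
    elif not alls and not any(n.startswith("redirect=") for n in names):
        findings.append("SPF: no 'all' term, unlisted senders evaluate to neutral")
    return findings

def lint_dmarc(record):
    """Return a list of findings for one DMARC TXT record (_dmarc.<domain>)."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    if tags.get("v") != "DMARC1":
        return ["DMARC: record must start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= policy")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors, receivers take no action")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, no aggregate reports will arrive")
    return findings

def audit(records):
    """records: {'spf': str, 'dmarc': str}; returns all findings combined."""
    return lint_spf(records.get("spf", "")) + lint_dmarc(records.get("dmarc", ""))

# Constructed sample records for a hypothetical domain, example.org.
WEAK = {"spf": "v=spf1 mx include:_spf.example.net +all", "dmarc": "v=DMARC1; p=none"}
HARDENED = {"spf": "v=spf1 mx ip4:192.0.2.10 -all",
            "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.org"}
```

`audit(WEAK)` reports the permissive `+all`, the monitor-only policy and the missing report address, while `audit(HARDENED)` returns an empty list.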

Great reply, I would say this is the way to go to learn and then if you get lazy, mailinabox https://mailinabox.email/ it combines everything above into a few hours to deploy.

But you still need to know everything above.

Then once you've done this a few times, you have your own niche in tech - email is old and going nowhere and job security is ensured, it's funny, tech really is a circle.

>Great reply, I would say this is the way to go to learn and then if you get lazy, mailinabox https://mailinabox.email/ it combines everything above into a few hours to deploy.

Thanks!

A fair point. Although the bulk of that deployment time is, regardless of platform, going to be the configuration.

And since pretty much all the tools needed can be installed via 'apt-get'/'dnf install', etc. through default software repositories, is there any real advantage for more technical folks (as we generally see here) to use mailinabox over someone's preferred *nix configuration?

I'm not being snarky here, I'm not familiar with mailinabox and genuinely curious.

The people that run mailinabox and the subscription list/slack/chat are nice. If you know exactly what you're doing, and can put it all together in a bash script, then it's no different. Especially the later configuration part.

But having a place where to exchange (haha get it) info and see what's targeting/affecting most self hosted email users is really a time savings vs having to scope through your own logs and wonder what broke, or what's wrong.

+1 on this, I'd be very interested too. I own a domain I'd like to use, and the entity I bought it from offers prepackaged email services I can attach to it. But it's not really running my own thing.
> I am being monitored for using a privacy focused email address

How exactly did you find this out? I don't think you generally get letter mail saying "Hey, we're monitoring you now". How do you differentiate monitoring behavior from something like an individual service flagging an individual transaction because of your email and killing it?

I'm always deeply skeptical of claims like this since they're almost always unverifiable by any party (including the commenter).

By the way, your email address provider is only one metric by which you are being monitored. Everything happening online is now being monitored, stored and AI analysed, and will be for a long time in the future as technology is evolving and new meaning can emerge from everything that is recorded.

Therefore, encryption is their enemy. For now. Until they break it all. Or until we break away.

It's a cruel fate of any privacy-focused service, as they are more likely to be used by criminals. Be it mailinator or TOR or monero.

This is ultimately a question of freedom vs security. Said government entity is prioritizing security over freedom.

Now you know what it is like to be a black person walking down the street. Instead of a chosen email provider it is an inherited skin color.
".....in certain countries".
>Now you know what it is like to be a black person

What makes you think this person isn't black?

Maybe the first step we can take to ensuring all people are treated with dignity and respect is to not assume Group X is that group over there, an other. Maybe we can instead assume Group X is everywhere.

You sure are making a lot of assumptions while lecturing others about how they should not make assumptions.
Very true.
That makes sense. That's why I'm using two regular service addresses redirected to my privacy focused email address, and assign different tasks to each one of them. It even helps me filter out more unwanted messages and subscriptions.
That sounds extremely frustrating. Maybe a good workaround is a custom domain?
Be aware that custom domains come with their own problems. Not being blacklisted is one of them.
I've never had this issue with a personal custom domain. Basically all businesses have custom domains so blacklisting all of them can't make sense, surely?
Using a custom domain doesn't necessarily mean using a custom mail server, they can point to a really common mail server such as gmail for instance. This is how a lot of business emails are set up.
True, but then I would assume that serious monitoring apparatus would include mail server monitoring, therefore defeating the need for a custom domain, which may contribute to identify you and/or stigmatise you further. Especially if one is accounting for other traffic carried by the said custom domain.
Oh I see. Yeah we use google mail for our business and I use fast mail, both with custom domains.
> particular email services are automatically flagged. You can guess which ones.

I can’t - is there a reason you can’t name the service?

It’s protonmail. Using a protonmail address will automatically cause a failure flag in the MaxMind checker which a ton of merchants use for fraud screening.
How about Tutanota?