It is a bit overkill, but the closest you can get to owning your online identity is to "own" your own domain. sarcastiquotes used because you don't really own a domain you only rent it.
I run my own mail server because I am a sys-admin and running a mail-server is something I do for fun. but the amount of agency you gain once you have a domain is staggering. people without a domain are pretty much second class net citizens.
I wish municipality offered domains, for example: you move to St Louis you would get name.stlouis.mo.us this would give you the same agency online that a mail address gets you offline.
I run my own mail server as well, on my own domain, own server, physically present in my home.
It's increasingly becoming a hassle.. Especially sending mail from a "consumer" line is tricky, they block outgoing port 25 and no longer really provide a relay host for you to go through either..
I basically had to infiltrate my current ISP to get access to people in netops and gaslight them into configuring reverse-dns and leak enough info to me to get access to use their relay..
Back when I got my first ADSL, the ISP apologized for blocking port 25 and explained how to use their relay.. Things sure have turned sour in that regard.
To this end, I've become convinced that the only fair thing to do is make email a human right. Nation states absolutely should provide and host, e-mail accounts for their citizens. (it can be up to the citizens how they want to use these accounts, if they want to use them only for receiving mail from the state, or if they want to use them for everything else too).
> Nation states absolutely should provide and host, e-mail accounts for their citizens
Because nation states are well known for producing usable software at a reasonable cost to tax payers? IRL this would cost billions and everyone under 60 would forward their gov’t mail to gmail.
>Because nation states are well known for producing usable software at a reasonable cost to tax payers?
The largest transfer of public property into the hands of private enterprise in human history was the Internet. At that time it was wild and limitless and full of promise. It’s pretty much stagnated from there.
Just like scientific and medical research, tech research is the most effective and has the largest societal benefit when done at public universities on the taxpayer’s dime.
Inventing and turning into usable product are not the same skill sets, nor is maintaining. If, today, you survey which websites are the most robust, the most user friendly, the most performant, the most functional, or most economical, you are very unlikely to settle on one produced and maintained by the government, or even a university. I've noticed in recent years that some government websites have actually become fairly usable, but I would not say I've ever been impressed by one.
Also, maybe I'm missing your point, but it seems very strange to say they internet was transferred to private enterprise. Private enterprise built on a government foundation, but almost everything that people use the internet for now was built by private enterprise, and the standards which constitute the most important contribution of the government were not, and are not now, under corporate ownership.
The public internet backbone (NSFNET 41) was officially decommissioned on 30 April 1995. This essentially marks the birth of today’s commercial internet.
The ground was set by the Scientific and Advanced-Technology Act on October 2, 1992. This passed Congress with almost no debate. However, there were innovative politicians who attempted to allocate a certain amount of bandwidth for a public right-of-way.
The United States has very little publicly-owned internet infrastructure and few advanced digital public services. The USA also happens to lag behind other nations in simple metrics like the speed that ISPs deliver. Maybe it's a coincidence that many of these nations have more robust public services.
> Just like scientific and medical research, tech research is the most effective and has the largest societal benefit when done at public universities on the taxpayer’s dime.
Was that entirely private? I thought Bell Labs was getting operating budget from Western Electric, which while also private, as I recall, was getting massive investment from the US government to develop infrastructure across the USA? And then wasn't there also DARPA funding? Also, they seemed unaggressive with their patents, licensing tons of them quite freely.
Also, is it good that Bell labs was the way it was? Americans seem to have quite a hard go with telecom, maybe not as bad as some countries, but from what I can see the country is riddled with regional functional monopolies, gaps in service, high prices for rural areas, and bad behavior regarding net neutrality on the part of ISPs. Perhaps the situation wouldn't be so bad if the USA had nationalized, or at least partially nationalized, its phone and internet systems?
Actually in Brazil the government has been providing tax-filling software for the last 20 years, and for its purposes it is quite good. If you just get a wage and don’t do anything too complex in your financial life like flipping houses, owning multiple companies, filling your yearly tax returns is a 10 to 20 minutes affair.
Also, the instant payments network that you can use to send money from any bank to any bank in seconds from your cell phone, the PIX, is government software.
Also, I am a small company owner and I can access a lot of government web applications online using a SSO with my optional digital certificate, or I can login into them by using my banks identity services as an oauth provider. No SMS funky business.
If anything, it is the private banks, that while in my experience have far better software than American banks, that is behind. I, for one can use the same digital certificate that I use for fiscal purposes to access my vaccination certificates, but I can’t use yet on most banks.
Of course there is a lot of government software that is basically enterprise software, bad software, but a lot of it, and usually the ones that I need to use more frequently are pretty good. They may not follow the latest flat design fashions, but they are accessible, ease to use, responsive, safe and fit for their purposes. And mind you, we are talking about Brasil, not exactly a model of good governance.
> Because nation states are well known for producing usable software at a reasonable cost to tax payers?
Well, actually - yes? My country has lots of problems, but government-issued software is surprisingly good. I would have trust issues however after it came up, that they used Pegasus very liberally.
They might be forwarding their mail to Gmail but at least they can easily switch from Gmail to an alternative and theie identity isn't locked to using Google services this way.
Much of the world already relies on nation-states for message delivery through the post office.
Because everyone utilises such systems, everyone has a vested interest in the privacy of such systems. Under liberal democratic governments, protections for privacy, security, and integrity are typically quite strong. Not inviolable, and you'll likewise find a significant set of criminal laws for crimes transacted utilising postal systems (mail and wire fraud, etc.), but specified and typically balanced.
Mind: that emerged over time, and a significant early interest of governements in operating messaging services was of course message intercepts.
That said, the early history of telegraphic and telephonic communications (both often privately owned and operated) is hardly much better. See the case of AT&T and the Republican Party swinging presidential elections, as told in Tim Wu's The Master Switch.
> Because nation states are well known for producing usable software at a reasonable cost to tax payers?
Yes, they are. The software, hardware, and automated systems underlying transit systems in Japan, Taiwan, some of the UK, and a couple other countries, continues to make trains not crash into eachother for just about a hundred years now depending on the system. I don't know too much about it, but it seems the same to be true for whatever runs the stoplights around town.
It's not always nationalized, but the software used to plan trash pickups and routes, bus routes, bus signage, sewer planning and control, shipyard signaling, and numerous other public works is at least tangentially taxpayer funded and government organized. Those seem to work pretty swell considering their level of complexity (at least in the countries I've lived in).
Here in Taiwan the government websites can be notoriously terrible, but some are really fantastic, for example https://data.gov.tw . There's also strict requirements for accessibility that are rigidly enforced, which is a nice thing you don't often get from private software (you have to depend on a disabled person suing a site before it'll be made accessible in the USA - abled people don't have "standing" it seems).
Honestly, it sounds like you're making a very generalized libertarian argument, and I don't want to risk a politics flamewar, but I'm really not sure what alternative you're offering for governments building software, that doesn't involve total dissolution of the government. The department of motor vehicles needs a website one way or the other, they're either going to build it in house or pay contractors to do it, either way, taxpayers are paying for the website, and any additional app-like online services.
Was there some specific examples you had of unusable software or unreasonably priced software that would justify such an extreme solution? Cause the dichotomy to me seems false: surely there are ways to improve the quality or reduce the cost of taxpayer funded software, if necessary? Surely that's easier than... whatever it is you're suggesting?
edit: Some other good examples of nation-state provided software in Taiwan, there was some fantastic contact tracing apps and backends implemented by the government. The UI was admittedly quite.. sparse, but it was undeniably functional and accessible. And, it came with strong guarantees about data anonymity, which you can never trust from a private company.
Mostly static websites that just serve out data are fairly easy to produce and maintain, especially when they are relatively low traffic. I won't attempt to evaluate Taiwan's websites (although your own qualifications tend to support OPs claims) but those US websites are mostly just publishing information. They don't demonstrate the government is capable of providing quality email to all citizens because they don't demonstrate the ability to operate at high scale with high reliability and adequate performance while delivering highly personalized pages.
The only example I can think of for the US government attempting to offer something like that at scale was the notorious healthcare marketplace created for the ACA. It catastrophically failed at launch, took months to fix, and the people who fixed it were people who left private industry to do so for philanthropic reasons. If you read the story of how it came to be in that state, it's pretty much what you'd expect. Lots of different departments arguing, contractors coming and going, tons of coordinating meetings, budget overruns, finger pointing. This despite this being a crucial piece of infrastructure for the biggest health care reform in years. That pretty much set my expectations for how good at software the federal government is, but I'm open to hearing proper counterexamples if you can supply one.
Sadly the vast majority won't realize they not only deserve it, but need it, until it's too late.
The best time to use a custom domain name under your control for personal email was when you first started corresponding via email. The second best time is now.
And a phone number, and a bank account/CC number (so that you won't get escalatingly locked out of stuff because your direct debits fail. Don't ever use N26, kids.)
But N26 is (allegedly) the only bank you can use without your government paperwork proving you live at an address which you have to rent using your bank account.
The point is that since so many services require email it's getting to the point that not having an email is a major hurdle, and therefore government must recognize it as being part of critical infrastructure and provide this service, just as they do with USPS. IRS (US govt tax authority) requires email account to register and pay taxes. So that the state government, and the county where I live as well. My kids school requires email to register kids for school and for their many educational systems; so does their pediatrician office. Bank accounts require email. The list goes on. All of these cannot and should not be anonymous and I do not have any problems with using government-provided email provider to use these.
I do want to have an option to use other emails for my streaming accounts, shopping, and all the other stuff, so that I'm not required to use the same email address everywhere. I can rent my own domain name and use the email service tied top that.
And I _too_ run my own email server on my own domain. Though it resides on a dedicated server that I own in a data center somewhere in the Mid-West. The web mail cient it has is kind of crap though. I run a secondary "mail server" in my home, with a better webmail client, and is also configured with better spam protection and syncs with my android phone and outlook on my laptop, and that local email server that is configured to retrieve email from the data center server, along with retrieving email from gmail and a few other old email systems that I still have access too. Controlling my own email server, and my online identity that goes with it, is far better than entrusting it to someone like Google (who got about one step away from cancelling my Google account when they lost a phone I returned for repair, but that's a different story).
Interestingly, running my own server in a data center lets me run a permanent, private VPN from my home network to the data center, effectively hiding me away from any monitoring from my cable provider, using the DNS I want to make use of, blocking traffic I don't want leaking out or coming in. I have a smaller, less capable server in the UK also running a permanent, private VPN. Depending on which WiFi SSID I connect to within my home, determines if I appear as being in the US or the UK, which gives me access to different streaming services, different streaming content, different website experiences, etc.
You could always use a service like Mailgun to work around problems like that. It could help with IP/network reputation problems, too. I think that’s a reasonable option if it enables running a mail server at home.
In my experience (from a few years ago) Mailgun had terrible deliverability to Microsoft and Yahoo. There would be long periods where those providers would return nothing but anti-spam errors, based on Mailgun's own logs.
This kind of exists in Norway in the sense that we have at least two systems for communicating with government offices and, to some degree other organizations and people (haven't quite figured that out). This isn't an email solution as such though.
The thing is, all of these solutions are much maligned - despite being a lot better than what we had before (send/receive paper). If the state were to offer email accounts, people would complain about how bad they were (whether true or not) and argue that we should "let the market sort it out".
Which brings us to where we are now. With the market "sorting it out".
Personally, I'm fully capable of doing that, but even then, it's all entirely dependent on the graces of random VPS providers, it's another route I'd rather not go, I already find it repugnant that the Internet service itself is in the hands of private entities which are under no obligation to provide any specific quality of service (not an enforceable one anyway, as I cannot really chose whose running the actual network fabric, even if I can chose which "company" I pay the bill to). Geez, if water and power delivery was as unregulated as Internet delivery, we'd be like "well, it's mostly AC, maybe DC offset a few thousand volts, on sundays it's 10 hz slower, and it's somewhere in the range of 100 and 500 volts"
"Yeah, this is what we call water.. No, we don't support Hydrogen molecules, they're dangerous you see."
On top of that, most people don't care (don't know why they should) and don't have the ability to host this infrastructure themselves, and frankly, they shouldn't have to either..
I find RackNerd suits me just well. They are a great provider. I found them on Low End Boxes. I pay $25 a year. The only thing I ran into was the IP that was assigned was in one blacklist. It was one of the notoriously overzealous blacklists that hate everyone, though it was simple enough to request removal. No problems since.
Of-course even with end to end encryption, the amount of meta data available to the government in this configuration would be a systematic risk to democracy.
While less private if you have a domain instead of hosting youself you can delegate the handling to a mail provider.
This way you retain the ability to seamlessly change mail provider. And you gain other benefits like infinit number of alias while requiring a low level of technical knowledge and maintenance.
That's what I do as well. In addition, all my emails are backed up in my local email client (which I back up locally to another location once in a few days) so if things go south I have a way to restore my accounts.
Yeah I found them a few months ago when looking for providers, and it's insane how cheap they are. $1/mo gets you a custom domain email, and a bunch of online office/productivity apps.
Only issue I see is that their mobile apps seem to be a joke when it comes to privacy. I wouldn't trust them not to read/scan my emails either, but that's not always a deal breaker.
A domain is an address. If you have a home address you are a citizen, if not you are homeless. That's is.
However there are few issues we have anyway even being Netizens:
- some DNS hierarchies are NOT domestic to our country so in case of political issues between countries or in case of legal issues we do not have much domestic legal protection, witch in Democracy is the protection of our people between us;
- there are too many intermediaries who only resell, they are a danger. Registars MUST BE national and international public bodies ONLY, not private companies and domains must be NOT allowed for sale, people can register them, de-register them but no commerce on them;
- a minor, but no so minor, email issue, is that with modern anti-spam or to be more precise modern bully-sheriff companies hosting their own mailserver is hard. It works of course, but some giants often simply drop your mails.
Personally while I'm a fierce against PRIVATELY controlled digital IDs I favor public ones, not mandatory of course, BUT if you are a Citizen than choose a domain name, it will be on your ID card who happen to be a smart-card PCSC/Java/something OPEN in both middlewire and hw design itself. That's yours and you can use from your homeserver as you wish. Then you are perfectly free to use anything else not much tied to your identity.
I run my own email server too, many will not because of fear of missconfiguring it- and in some respect they are correct, first thing I have done wrong 11-ish years ago was to make my server an open relay which was cought in 5 minutes from setting up and luckily I figured it out 5 minutes later. No big deal, I love postfix and dovecot :)
This is my fear. It's not really the running or configuring that scares me, it's the unceremonious bouncing/filtering at the other end.
I have run some mailers (postfix) for some clients who didn't want to spring for a MAAS provider, I would to my knowledge, set up everything correctly with SPF, DMARC, DKIM, stuff would still land in the spam folder half the time.
Maybe still my mistake, maybe over eager receivers, maybe my hosts were just in a bad net block.
And this was just for low volume transactional stuff, they would add manual "not spam" rules which is OK for them receiving sub-LOB notices but really put me off trying to run my life out of a self hosted machine.
I saw someone post the Helm the other day, which is an interesting idea of having on-prem storage with an off-site dns/sig layer. Still kind of beholden to another service though - and I personally don't want to host my mail in my house but on a VPS. Did make me wonder about how viable a low cost "we just provide the DNS stuff" mailer service would be or if that exists.
> Maybe still my mistake, maybe over eager receivers, maybe my hosts were just in a bad net block.
A common problem with new mail setups is the receiving end marking your messages down because the domain is newly registered, as this is seen (correctly in some cases) as a potential spam flag. Nothing you can do about that one except double-check you SPF & DKIM config and wait.
One of many gotchas with hosting your own mail. I still consider it to have been with doing so all these years.
There is also a half-way solution which is to run your own mail server for inbound traffic and use a mail delivery company to relay the outbound mail.
This gives you full control of receiving emails (for the online identity part) and gmail can't lock you out of your life with no recourse. But you don't need to deal with outbound email handling which is a bit more work.
Bouncing on the other end has nothing to do with running your own mail domain. In e-mail, sending and receiving are decoupled. Some people use the same local mail server to do both: to relay outgoing mail and to receive. But these are independent functions, and you don't have to send mail through your server. You can configure your mail client(s) with the SMTP credentials from you mail provider (such as your ISP). That's used for sending. For receiving, you connect to your own server via IMAP4.
Basically your sending side (if you choose to) can be essentially unrelated to your self-hosted mail receiving infrastructure except in the small fact of using your sending identity in the From: headers of your e-mails: you@yourdomain.com.
Doesn't that depend on my ISP running basically an open relay, if I'm trying to mail from me@hn.com and they only provide me@isp.net? Always figured they'd just dump the request with a "i don't know you".
No because relays can be closed, and usually are. Your ISP's SMTP server requires authentication, using the credentials they gave you, and almost certainly uses TLS also.
Your me@isp.net address (or perhaps the me part of it) is used for authenticating, along with the password. It will likely be used as your envelope address when sending; the SMTP command will be MAIL from: me@isp.net, though there could be flexibility there to accept other sending envelope identities.
In any case, your mail's From: header will have the me@hn.com.
If the ISP were to filter on the From: addresses after receiving the content of the e-mail, you'd have to negotiate something with them.
arkhramud@maprikhoychich.stlouis.mo.us? How hard is to trace a person from one location to another?
To fix this email problem abandon the email as an account identifier. Use a 'username', or as I do a random set of characters and digits. There is no reason my account (login) has to be indexed as "john.smith@example.com". It can be "SDf23wfwef". And, at an other site, it can be "hdf3gf0s", and so on.
I believe this would also reduce spam.
An alternative is to use what freenet used with your idea. Just issue sequentially lettered & numbered emails with aaaaaaaa.stlouis.mo.us. a through z and 0 through 9 would give 2.8 billion addresses just for stlouis.mo.us. Moved away? forward the email for a period, bounce (?) for a period with new address, then re-issue.
Could just extend the logic and tie it all the way down to your house address. john.124mainst@stlouis.mo.us and finally commit to a real-world identity to match the cyber one. Why not have a mail server in every house and then it's private and everybody can understand your email address. When you move house, the mail server spits out a thumb drive with your emails and deletes the local storage. You move email address to the new house. You could eventually replace the abc@xyz.com format and just autofill the email for John at 124 Main St in St Louis.
For some reason (probably a good reason) the internet can never be grounded, we always are going to stick to obscure formats that don't necessarily line up with real life and then get surprised when gov agencies collect that data and corps make money selling that exact data, out from under us.
That gets unwieldy in a hurry for apartments and other multi-unit addresses. Not to mention 124 East Main St vs 124 West Main St.
Then what happens when John (who is actually John Jr., but never uses the Junior unless legally required) has a son John III? Then John Sr. moves in rather than to a nursing home.
Same as whatever people do with their physical mail. Someone goes by a middle initial or you add a title to one and not the other.
Your physical home address used to get printed under your photo in the 1940s newspapers. They stopped when people started to get murdered. I think there's good reasons we don't publicly ID off home addresses anymore. It sure would make life somewhat simpler if we could though.
Probably the photo and adress published together would make it much easier to trigger murdering psychopaths whereas phonebooks had no pictures. Just my assumption as I am not familiar with this practice, though I do believe it is quite a bad idea
For most services, the email address is also mandatory for verification, marketing materials and other stuff. So, from user experience point of view, it makes sense to use the email as the unique identifier for the account, as it avoids remembering another id for login.
Using 8 characters from a-z and 0-9 would be begging for trouble, starting with 0/O and 1/l confusion. Most humans are really bad with arbitrary alphanumeric strings.
> I wish municipality offered domains, for example: you move to St Louis you would get name.stlouis.mo.us this would give you the same agency online that a mail address gets you offline.
Australia kinda does this with their `.id.au` second level domains for 'Individuals (by real name or common alias)'
It costs more wholesale than a regular .com, requires handing over PII to a small company and isn't subject to the same price increase limits.
Obviously won't work for everyone but I bought <firstname><lastname>.com instead and its 50% cheaper per year than the equivalent .id.au which should have maybe a few dozen other people in Australia vying for it with first/last name and I assume no one else with my middle names included.
Registrars are not infallible, but are a big step above in term of stability.
There is the ideal view that you should be able to have your own virtual island where absolutely nothing can deprive you of ownership (including existing govs. depending on your beliefs), and I kinda root for the people who try to push it as far as possible. But pragmatically, registering your domain goes a very long way and is IMO the best trade-off you can get without going crazy.
I agree and it's what I do. But I think there is one valid counter argument. If you have to pay for something, then there is always additional potential for loss of access that doesn't exist with free services.
That potential is perhaps even greater with domain registrars and all the other service providers involved in email services (registrar, domain host, email provider). Any issue with any of these services could mean you're not getting notified of problems and you may no longer be able to get into the admin account.
And if you try to avoid that by storing a different notification/recovery email with them (if at all possible), it opens another can of worms. My main domain almost expired on one occasion because I didn't get the renewal reminders at the alternative address I had stored there years ago. I had simply forgotten about it.
And after I had canceled my legacy G Suite account recently, I received a message from Google at one of my old recovery addresses telling me that this G Suite (Workspace) account was going to be automatically upgraded unless I log in to check some box. Only I could no longer log in as the account didn't exist any more, nor could I contact support as that requires logging in as well.
Every single account I pay for requires some sort of constant monitoring and maintainance. Otherwise, things just degrade and access is eventually lost. That's why I'm not sure whether I would really recommend everyone rent their own domain.
Some people straight keep renewal schedules in their calendar like they do for anniversaries and tax filing deadlines. Funnily enough, registering domains at specific occasions makes it easier to remember to check the status (credit card registration etc)
At the core of it, I’m not sure it’s that different from anything you actually “own”. Someone “owning” a house would still probably get it seized if they disappeared for years without ever paying property and local taxes. Losing a house is pretty extreme, but to your point a domain name is also becoming a pretty big deal nowadays.
>Some people straight keep renewal schedules in their calendar
I do too, but will I still be using that same calendar in 6 or 7 years when the renewal comes up? The calendar is linked to some of the same subscriptions.
> If you rely on a registrar, it just move the identity owner from an email provider to a registrar.
OP put own in quotes because of this.
Still, while horror stories with registrars certainly exist, they are vastly outnumbered by horror stories of gmail/et.al. locking people out for no reason and no recourse.
You can't transfer to a different registry (since there is only one registry for each TLD) but where have you had problems transferring to a different registrar? Is this a case of the registry also being the (only) registrar? I don't think that's common.
Having the gov't control you email isn't a good solution for various reasons. We've all seen the privacy abuses as well as abusive enforcement/gov't seizures from police and prosecutors. This is better in some countries and dystopianly worse in others.
What we need is a system where we can efficiently route messages to/from public keys like the tor url system.
This way you always own your address and no one can ever take it away without the private key.
Public keys as addresses would be great for the perfect user but for real people they can come with their own failure modes that are much more real concern than abusive governments for most users (especially since your government will always have ways to get to you):
- How do you deal with a private key being lost? You can't treat this as a "almost never happens" scenario so you need a way to find people's (new) public keys which will be subject to all the same threat models as current domains or any other addressing scheme: there will be some kind of central authority.
- How do you deal with private keys being leaked? Again, you will need a way to revoke keys without having access to the private key which again is only doable with an external source of trust.
I own my domain name, however I opted to go through google apps for hosting my email. Most of the time it's fine, however the part that breaks down (and many have already commented about this) is that I can't make use of any of the google services via that email (nest, voice, etc). So I ended up creating another gmail account that is only used for those services.
All that said: can someone point me in the direction of a hosted email service that is reliable (this is a must, I don't want emails to bounce and I don't want spam), has native mobile apps w/push notifications, has a good web ui, and generally just works? And can anyone confirm that once I pull my email from google apps that I could then use it for those google services?
> All that said: can someone point me in the direction of a hosted email service that is reliable (this is a must, I don't want emails to bounce and I don't want spam), has native mobile apps w/push notifications, has a good web ui, and generally just works? And can anyone confirm that once I pull my email from google apps that I could then use it for those google services?
I've set up my custom domain with iCloud mail and it's been 100% painless. The web client is pretty basic but also snappy and reliable. YMMV if you're not in the Apple ecosystem; but if you are, it's all super smooth.
I have no idea how it works with the Google stuff, as I'm actively trying to avoid it; but last time I checked, you could create a Google account with any email you like, and things just work.
My concern is that once I switch off of Google for hosting, their internal systems might not forget about the prior account status and still disallow me from using said services. But yes I agree, everything google has touched in terms of services I use has made them worse. I used to have a reliable set of cameras :/
I wish more people did this. Self-hosting email is quite advanced, but most domain registrars offer a very reasonable mail package that is very. Since so few people do this, it's becoming increasingly harder to use such email adresses with important services - eg I set up something like this for a relative, and I remember it wasn't straightforward to set up an Apple ID with this custom email for them (I think I might even have had to call their support).
> I wish municipality offered domains, for example: you move to St Louis you would get name.stlouis.mo.us this would give you the same agency online that a mail address gets you offline.
While a US municipality may or may not operate their locality-based domain (here, the university does), ordinary persons are able to get subdomains under them. The only reason I haven't is because the university here doesn't bother to respond when I follow the process. But you may have better luck where you are.
You have to trust a third party company either way, so I don't think you're closer by having the domain, from a trust / vulnerability standpoint. In fact I think that email is best hosted by specialists with experience - and I'm saying this after hosting email for quite some time.
Domains are much less of a wild west than accounts at a mail provider. Whil you do need to go through a private registrar, that registrar has to follow certain rules including letting you transfer the domain to another registrar.
This is a good reason for not using any of the new vanity gTLDs though as they can make their own rules unlike old gTLD (which are regulated much more closely by ICANN) and ccTLDs (which are regulated by the corresponding country).
The domain situation is something that I don't have a good understanding on, and part of the reason why I outsource the responsibility to a third party email provider - namely that they will do a better job protecting their own domain, than I'd do protecting mine.
I understand that some domains carry some legal attachment. That the new vanity domains are not as trustworthy as others, some are even filtered, as email validators reject it for not being a "valid" address even. Some TLDs need to have a business registered on a location, etc. And I understand that the oldest ones (com, org, net) are among the most universally accepted. But I don't know what carries greater risk: 1. me losing control over my domain, or 2. me losing access to my email account (Posteo in particular - I wouldn't just trust any email provider).
but if you stop renting from the registrar then whoever rents the domain next gets access to your email. seems like a horrible solution to this problem. at least i can be reasonably confident that google will never recycle my email address and send all incoming mail to a rando.
> at least i can be reasonably confident that google will never recycle my email address and send all incoming mail to a rando.
What do you base that confidence on? Short, meaningful names are valuable and there is no reason to believe that somewhere down the line they won't be recycling ones that aren't used anyway as premium accounts.
just like mail you would have to get a new address. under my imaginary scheme if you wanted better you would pay for a domain. but everyone would always have a local address to use if you wanted to participate(not just consume) online.
As the article says... "This is considerably more difficult with email because of the huge number of companies and services we want to have our updated email address. It takes a lot of time and effort to change your email address and it involves the risk of losing access to some critical service. There are so many of these services in our lives that we don’t even remember who they all are anymore!"
Including a city in the domain seems like it unnecessarily complicates things. If the goal is to provide free access to a more permanent online "identity", people shouldn't be forced to change it when they move.
what is the safest registrar? If for instance you own a domain with a TLD managed by a shady jurisdiction, it may not be so secure, right? What's the safest TLD? Other than .com
If you’re living in a country with reasonably low levels of corruption and a somewhat functional judiciary, why not use your country’s TLD? It also helps when verbally relaying your mail address.
Also, you're familiar with whatever laws govern that TLD already, and your local registrars will be by most familiar with them when any issues come up and likely have the quickest turnaround for solving issues. I'd probably avoid using one of the huge registrars (because big companies invariably have poor and slow support that's unable to account for exceptional cases), and of course avoid resellers.
This all seems too vague. Is there no registrar making more specifc availability and stability guarantees backed by law or at least believable rationale? Or is there some technical solution that bypasses the entire registrar system altogether?
Whilst not entirely without controversy[1], they do allow any man or his dog to become a member[2], you only need to have "an interest in the operation of the .UK domain".
Nominet membership gives you the ability to maintain your names directly and bypass the middlemen.
The alternative (as others have already pointed out) is to write out a (very big) cheque to ICANN and setup your own TLD where you are the registrar.
Gandi.net gives you two mailboxes with unlimited aliases in France for every domain you rent. This is a very easy alternative for most people who cannot run a mail server.
I used Gandi for exactly this purpose years ago. Then emails from certain popular domains suddenly stopped getting through to me. When I complained, they told me in somewhat vague language to use a proper email service instead of a free add-on to a cheap domain plan.
Did you have difficulty receiving or sending mail? I haven't noticed such problems with my Gandi inboxes, but I know the big email providers like Google and MS do a lot of gatekeeping. If the host in France is the problem, you can use your domain at another host such as Proton.me which I do for my main account.
Yes, receiving. I just got the impression that email wasn't really something Gandi actually wanted to do rather than a box they needed to tick. And I think that may well be the case with a lot of domain registrars and their basic plans.
once you have a domain you now have the ability to own stuff online. that is, independent of any corporation. The main benefit this gives your average person is the ability to move email around between server providers. but you can now have a web presence that is not (facebook, twitter, hackernews). nothing against sites, they are fine, but it is nice to have an online existance that is independent of them.
Unfortunately the bar is a bit high for most to realize most of this. I miss the days when your isp would offer web, ftp and email hosting.
It's good for having your own website. That's super easy to host and use.
It's quite another thing for email. While it might not be that difficult to set up a basic email server, but to actually get it set up all correctly, and secure, and whitelisted, and get anything else on the 'net to actually interact with it is a little less trivial. And an email server that can't effectively send email (that won't be ditched along the way by some anti-spam measure somewhere) would be pretty limited.
Maybe useful for receive-only stuff like password reset links or one-time authentication links though?
You can host your email with your own domain with one of several services that take care of all the details (mailgun, fastmail, protonmail, etc), If you have problems with the provider you change your domain configuration to a different provider. Does ot solve all the issues but it is more flexible.
You don't have to self-host it, you can point it to an email provider (Gmail, Fastmail, Zoho...) and let them do the hosting for you. If they ban you (like Google likes to do), just point to another service and keep your email address (and therefore access to other services).
I work as a sysadmin and I don't want to bother with self-hosting my own email. I happily pay someone else to do that for me.
You can give unique throwaway addresses to people you don't fully trust (e.g. newsletters, recruiters) and apply the rules you want. It would be very naive to think that Big Tech won't abuse their market positions.
I’m very rigorous about including the full domain name in my email address (consistency helps me remember what I used. I made the mistake early on of using myname-paypal@mydomain.com instead of myname-paypal.com@… and it drove me insane until I changed it), but every once in a while there’s a site (or occasionally a customer service rep) that refuses to accept that, in which case I just make up some unique three letter suffix to use instead and make a note of it in my password manager. My email for my kids’ school whose name starts with a W, for example, just ended up being mynane-w@mydomain.com. Luckily these exceptions are rarely necessary and I’ve only had to do half a dozen of them in about 17 years of doing this.
I've had a few occasions that employees thought I worked for the company based on my email.
On one occasion, I was checking into a Hilton hotel and the employee thought I worked for corporate due to my email, hilton@domain.tld.
In the past, I used to explain to them how I control the domain and I have separate emails for every company due to spam reasons. However, this usually caused confusion so now I sometimes go along with what they think or hint that I'm some 'mystery shopper'.
Another solution that the article doesn't mention: separate the email address from the email provider. It really is the domain name that is your legal identity. Make it as easy for people to register a personal domain name as it is for them to sign up for free email so they can switch from Gmail to Hotmail to Protonmail without changing their email address.
Edit: We then need a standard for discoverable DNS settings that providers can publish, together with an endpoint that the domain name provider calls to inform the email provider that it should accept email from person@personaldomain.person and forward it to person@emailprovider.com. Then your domain name provider can discover these, and switching email provider can be done with a click of a button without you having to have any knowledge of DNS. Of course email providers will have little interest in supporting something like this, so this is where regulation would be needed.
But what credentials do you use to log into the personal domain name provider, to manage it? Another email?
Unless there is state-guaranteed ownership of a domain name, this will remain to be chicken-and-egg problem: to manage a domain one needs an account with an email, and to have an independent email one needs a domain. Even then, moving between countries is normal now which poses a huge challenge to the concept of "online identity", because what one state guarantees is not necessarily what another recognizes.
A physical address to receive recovery codes? In Denmark, every person has a digital identity and they can authenticate themselves using either a smartphone or a dedicated TOTP key fob, and that could also work. Heck, we even have digital mail boxes for every person.
The reason that email is popular as an online identity is that it is an easy and cheap method for the service provider and user to establish an identity. It would be acceptable for a domain name provider to use a more expensive way of establishing identity since you only have to go through this process for this single provider. A physical office could work if you don't live in a country where people have government-issued digital identities.
Edit: Actually, why would we need all that? We don't need anything but a username, password and maybe a phone number to sign up for GMail, so why should it be different for a domain name provider? Sure, you need some recovery mechanism if you lose your credentials, but that problem is already solved by current email providers by using phone numbers, recovery codes, TOTP, Yubikeys, etc.
This is the most important comment in this entire post/thread. This is what needs to be addressed to truly solve the problem. I don't know how to solve it other than perhaps using a token on a blockchain to indicate ownership of a domain.
More than that, your spare email to control your main domain needs to be on a different domain, else you risk to be unable to solve any problems with your domain, because your email won't be accessible.
Ideally your domain registrar would allow to use a username, multiple emails, a phone number, and a 2FA not connected to any of them, like TOTP.
Managing this all is a tall order. This is why gmail and hotmail are so popular.
And this is why, back in 2007, I registered my own domain, and signed up for then-free Google Apps for Your Domain (then GSuite, Google Workspaces, whatever they're calling it now). Earlier this year I moved my email to Fastmail, and I can move it elsewhere if I want to, with zero disruption or downtime.
I really wish email providers would make custom domains either the default, or a very obvious option when signing up. Google is already a domain registrar, and other providers could partner with one. Granted, this option would not be free (though Google could probably swing making it free; they just wouldn't let you use the domain for anything else unless you start paying for the registration), so that would reduce its desirability for most people, unfortunately.
(On the downside, I wish I could convert my GSuite account to a regular Google Account, because GSuite accounts are occasionally crippled in random ways, and now I'm not even using the email part of it anymore. But that's a separate complaint.)
> though Google could probably swing making it free
Even if it was cost-effective for Google (which I doubt), it's not going to happen because it would mean that, to be effective, Google would have to allow you to transfer it out of their hands (to change your provider) and thus, it would also mean that you could basically use Gmail to hold domains for free.
I was in the same boat as you, got a free GSuite account with custom domain, then moved my email to FastMail. I’m considering just removing my GSuite account, and registering a new one, although still evaluating the implications that might have.
State-funded email with E2EE. Every citizen gets an email address. You don't have to use it (and it will probably suck compared to competitors), but you'll have it as a permanent fallback address. And presumably it will come with some legal protections and due process.
India has come close to this. At one point they proposed one IPv6 /64 per citizen as an absolute right. It doesn't fit current address allocation models, or even routing models, but I can see what took them there. As an overlay network? It might be interesting.
One assumes that the /64 may change if they change providers, or else there's a big central routing point for these and you can only host them in India.
I think, but cannot verify right now, they intended it to be a static assignment, tied to you. Initially a geographic prefix model. Yes, over time, it would decay as people move. But for rural poor, dalit, it would become a de facto routable identity. Analogous to voter ID maybe (I am told that there was a big push on voting rights for the agrarian poor)
Alternatively, give everyone an assymmetric encryption key associated with you identity. To prove your identity, you sign a challenge with your private key, and the other party verifies it using your public key (which could itself be signed your government).
Although, for that to fully work,you would need international cooperation on a standard for that protocol.
Nah. Just have people generate their own keys. Then distribute a token to everyone, like registering to vote or NYC ID. Finally, have an official mixer like tornado cash that only works with these tokens. Ring signatures baby !
Now you distribute UBI, allow voting etc. And it is all pseudonymous.
That’s what we are building out at Intercoin.org/applications btw :)
But out of curiosity, what exactly do you imagine happens in vote selling? Someone pays off each individual in half the population to vote a certain way? How do they do this at scale and how do you know it isn’t more cost—effective to just influence them?
Most people who voted for Biden instead of Bernie ahead of Super Tuesday made up their minds on the way to the polls. Biden wouldn’t have even won if nearly all the other participants wouldn’t have dropped out and endorsed him. He was losing badly to Bernie (and Pete) but as soon as he managed to prove electability in one state, all the other candidates fell on their sword. It’s like in a poker tournament where the chip leader loses to some guy who isn’t even 2nd or 3rd because everyone else stands up and gives him their chips.
And also, there are trade offs the other way. There are tons of failure modes in voting non electronically. I write about them here:
What good is the paper trail? Does it prove to the voter that the electronic machine recorded the vote as intended? If so, how?
A sister comment just asked what we would do about selling votes. Well, if you can use the piece of paper to prove how you voted, I guess you “can sell your votes”
Many countries have something close to that, actually. I've seen this used for various eGovernmnet-type services, although the UX isn't really different from any 2FA-authenticated service. But it allows you to perform some official legal acts online (filing taxes,...).
Given that many countries already use national id systems for age verification if you say want to buy booze online i always wanted a vault for every citizen, with healthcare, education, banking services, an email, maybe even a personal domain thrown in. Have one api for it that every company can hook into for verification.
The amount of physical disparate papwerwork you have to still do for these things is incredibly annoying.
Wer have something similar for companies in Portugal. The state pays the former state-owned mail service to host a "inbox" of sorts (not a full fledged email) that every company has to have. I am not sure if it covers individuals, though.
It is mostly used to notify the companies of tax dates and such.
Also if you want good E2EE, it's not going to be email (at least not with current protocols).
Especially if you want interoperability with the existing web.
Also would be cool to have a distinguished (via UI) inbox for government only communications that can't be phished. This way people can access more government services online. And if there are any security problems they can be resolved by the DMV.
Then conservatives win, sell off state assets to reduce government/patch a deficit and suddenly a private company is data mining anonymized emails for money again :(
This wasn't an excuse to expand scope to a team bitching session. Conservatives, even in my country (which isn't America), are famous for privatising public assets. The key point is that I can't see how a service like this that operates at a net-loss, that provides what people who aren't into computers would consider an 'optional service', can survive a cost cutting exercise when you'll have a line of businesses out the door who promise they can make it profitable at the expense of users (who are poorly protected outside of Europe).
For me it's Fastmail with a side of Namecheap (or maybe vice versa). Thankfully I pay both companies, thus there's an incentive to keep me happy so I keep paying... In particular, Fastmail has real support staff, which provides at least a modicum of peace of mind.
I've been using the same setup for several years now. I purchased my own domain, and have Fastmail do all the email hosting for me. Super simple. I also forward my gmail to my custom domain email, because I was only able to transition about 95% of my various services to my new email.
I use the same setup, had to contact Fastmail support once during the initial week of transferring from gmail. Support response was quick and professional.
Thanks! And what about using a Fastmail calendar?
For example, can I receive a calendar invite from someone, accept the invitation in my email, and have it automatically show up in my calendar app of choice (e.g. iOS calendar)?
That's another thing where Proton makes me use their app, which can be annoying.
> The only real solution is to rethink online identity and stop depending on email addresses.
I think that is true, but it would have to be a better solution. Some groups heavily push for this reformation of online identity but most of them have in common that they want to strongly bind online identity to your offline one. That simply isn't desirable in many cases.
iirc online identity used to be tied to your public key signature ? Might be too technical for most population to use, but the ideal solution is already there I think ?
"You can take some control over your own identity in the current email-based online ecosystem by renting a domain name"
Originally, the idea was that you owned a domain name. Gradually, domain registrars have moved this to the concept that you're just renting it from them. Although you can still transfer domains to another registrar.
I'd like to find a domain registrar whose contractual terms stated that you own your domain name, and they are contractually prohibited from cancelling it or revoking it without a court order. Basically, a contract that forbids what lawyers call "self-help".
For ICANN accredited registrars, aren't there rules about when and how a registrar can delete or revoke a domain? You can submit complaints to ICANN here: https://www.icann.org/compliance/complaint
If you didn't have to keep paying for domain names, big businesses would have registered all the interesting ones two decades ago. Same for physical property.
The Costa Rican NIC has the concept of personal domains for costa-rican citizens, but it isn't free [0]:
> Personal .cr domain names may only be registered by Costa Rican citizens over the age of 12 having an identity card and included in the Citizens' Registry of the Supreme Electoral Court of Costa Rica. In order to certify that they are citizens of the Republic of Costa Rica, the identity card must be valid at the time of submitting the application to register the personal domain name.
> NIC Costa Rica shall only approve a personal domain name once it verifies that its holder meets the requirements set forth in Section 9 of this document for the registration of personal domain names. The applicant must also send a copy of both sides of the identity card to the email info@nic.cr.
> Requests for personal domain names under .cr shall be reviewed by NIC Costa Rica using the tools provided by the National Registry and the Supreme Electoral Court of Costa Rica, as well as any other means NIC Costa Rica considers necessary.
This is largely true for myself as well. 1Password helps me and my family from going full in, but if I lost my gmail i would have a lot of problems.
The recent discussion of CP flagging wreaking havoc[0] has caused us to start evaluating because we do have young children and we do take pictures for healthcare providers. Feels like a ticking time bomb for us.
Google stood by their decision even when the police cleared the man. Wow, that's hostile. Google's motto: Guilty until never.
The software Dad probably should have known better than to assign Google the task of handling that type of image. But still, that he lost his account when valid explanation provided is unforgivable.
I don't understand how people can ignore the big "eye" of Google and other tech giants, watching everything we do, treating everyone like a low-life suspect. Scanning our shit and forcing our content through a kind of twisted police line-up. I stopped using Google for anything personal years ago, but feel sorry for people caught up in their clumsy joke of a service.
The bastards even refused to restore access after the individuals involved were cleared by police. That part alone has made me start considering other options. No company should be allowed to wield that much power over a person.
I think they refused to right the case as there are many others and they don’t want to set the precedence of people getting anything out of challenging them.
Absolutely, this part frustrated me the most. People were saying well Google likely did that because they didn't want to admit they were wrong.
From my point of view they didn't really do anything wrong. They flagged something that was suspicious, which is fine. Then relied on the authorities to clear any wrongdoing due to the nature of what they flagged. At that point they should have reinstated the account.
I too run my own mail server, using a mixed approach of a dumb cloud server as a point of presence on the public internet and a private server at home as the actual email store. That gets the benefit on being a non-consumer presence as far as the internet is concerned, but with all personal data stored locally.
With a little practice and experience, it's not difficult for those with technical skills to host their own email on a cheap rented server (along with a personal website etc). Buy a suitable domain, host at a reputable supplier on a dedicated host (i.e. IP) and there should be few problems (test with free accounts from the bit tech outfits).
Even nicer is to use Dovecot for IMAP either locally or remote. I run it locally with fetchmail to periodically (or on demand) grab email from the public server, with a little utility that lists the remote headers first so I can decide which/whether any are worth even downloading and reading - quite often it's a single click to delete everything unread.
The problem with several of these email subscriptions is that they will reissue your email address to another if you leave them, with all the risks that entails. The answer is to buy and use your own domain or get someone else to do it.
This is a good idea but in practice it just shifts the problem onto the domain registrar. Maybe/hopefully they are friendlier than email provider but if you do Gmail vs Google Domains, what's the difference?
> if you do Gmail vs Google Domains, what's the difference?
Google Domains has (at least in theory) the option to transfer the domain to another registrar. Gmail does not let you transfer the email to annother mail provider (because that would be impossible).
That only states that you currently can't get past names using the normal signup pocess. It makes no promises about the future and does not guarantee that there is no separate VIP signup process that has fewer restrictions.
I definitely would not want my mail to be regulated by Deutsche Post AG so this only works for countries that are not already prone to privatizing their essential services.
Before writing about your bulletproof technical solution to this problem, think about all of your older relatives on facebook. Is the solution something they'll be able to handle?
This the reason I use my own domain and a paid email service.
I used Gmail before but got super worried about all the stories of accounts getting blocked with no way of contacting a human.
Sure domain registrars and email providers are not infallible, but it's a huge step up from trusting Googles customer service to do the right thing
It's a technical board so everyone propose technical solutions. But I really hope that the solution will be a legal one. That the law will change to make it as hard to kick someone from an email service as to cut running water. And to forbid the companies to define anti litigation, private courts etc. in their TOS.
After the NYT article [0] I purchased (rented) my own domain, created a cloudflare account and started using their email routing to forward all the email to my gmail address. I also configured gmail to allow me to send emails from the new email address.
As I have a small child and use a lot the telemedicine services I do have a fear that I will be blocked soon.
A drawback to this is that cloudflare does not allow you to forward to multiple email addresses.
Somewhat tangential, but I wonder where do people using their own domain draw the line.
I personally use a "stable" firstname@lastname.com for supposedly trusted, long-term services (e.g. bank, utilities, etc.) and for services that require my identity for obvious reasons (e.g. shipping/billing address).
For sites where I prefer not to reveal my identity (not even to the site operator), I use Fastmail’s Masked Email (akin to iCloud Hide My Email). This, however, means I don't own those addresses, and if I need to change email provider for whatever reason, it's a PITA to update the email address field on possibly hundreds of sites (assuming you can).
I could buy a domain like randomstring.com to use with catch-all, but then I would be more likely to be tracked across sites, especially in the case of data leaks (which do happen eventually).
Then there are those awkward in-person situations when somebody asks my email and I have to say firstname@lastname.com.
I also use firstbame@lastname.com for personal and professional communication. But for signing up for services, I have a custom domain name with a catchall email address. Then I register with something along the lines of servicename@mycustomdomain.com. All of those emails go to the same place. The only downside is sometimes a person I work with or whatever will go ahead and sign me up for some third-party service using my main first name last name email address, which is kind of annoying.
I think the intersection of [service where I prefer not to reveal my identity] and [matters if I lose access to the service and therefore control of the email address at 1000-1 odds] is very small.
It is going to be mostly for things like a spare "fun" Reddit account, or some one off crappy give your email to download the PDF sort a thing.
Shameless plug here, but that is the purpose of [ImprovMX](https://improvmx.com).
We forward emails from a custom domain to a destination email that can be updated.
My personal email is contact@{custom domain} and currently points to Gmail because I never took the hassle to change it, but if someday I decide to move elsewhere (I'm contemplating Fastmail and Protonmail), all I will have to do is update my destination email at ImprovMX and that's all.
This is a liberty that only us, tech people, can grasp.
My parents, even my wife, doesn't see the importance of being locked to mail provider.
> people should stop and think carefully when choosing the @example.com part of their email address. It’s a decision you’re probably set to live with for life
Really? I’ve had dozens of email addresses over decades. I have a few favorites but even those have changed over time. I think your is hyperbole.
Jobs exepted for pretty clear reasons. And yes Gmail has been dominant for quite a bit of time - especially since the period where it was possible to have your email be your digital identity.
I have the feeling that we are gradually shifting from email-centric to phone-centric systems. With 2FA and recovery, ultimately, your unique phone number becomes more and more THE foundation of everything online, and switching phone number is harder than switching email.
I agree. Our online identities are ultimately based on our phone numbers, and email provider can only serve as identity provider since they require your phone number.
Is there email counterpart of HTTP 301? This could be the solution. But it would have to be much more secure and would require human confirmations to make the "301" to take the effect.
I've spent the last year or so moving from a Gmail address to my own domain (hosted on Worksplace). I kept reading report after report of people having their Google accounts banned for any and no reason, and I realised how many services I have tied to me email. I'd be spending a lifetime trying to recover them all, and I don't think I'd be successful for half of them. Now, if my Workspace account is ever banned, I can immediately take my domain elsewhere and retain access to everything.
You can be your email provider, or own your own domain at least. Honestly owning a domain should be a minimum for anyone that is capable and their email is almost their identity
For those afraid of misconfiguring/running their own server, you can use a ready to use docker with everything in it and with nice security defaults (no relay, for instance):
https://github.com/docker-mailserver/docker-mailserver
In order to have an email with my own domain I need to own (rent technically) a domain.
Registering a domain requires an existing email. Which is obviously going to be from a third party / consumer email provider whose domain I don’t have control over.
A crypto based toplevel domain like the Ethereum Name Service. But with a twist:
If I lose my private key, the domain is not lost, but locked for 3 months and nobody, not even the registry can move it. After the 3 months, if I stay "silent" and not confirm my ownership via my private key, the registry can move the domain.
The registry should have this process: During these 3 months, I have to start an expensive process at the registry to validate my identity and ownership of the domain. When completed successfully, the registry will move the domain to my new public key.
So the worst thing that could ever happen to my domain (and my emails under that domain) is that I end up in a situation that is normal for domains today: That the registry has control over it.
You mention losing your private key, what about somebody else getting it (data leak, hack...) and controlling your identity before the end of the 3 months?
Blockchain-based "solutions" are not actual solutions because they don't account for this fairly common case. Once they do, they rely on a 3rd-party, and you're back to square one.
Could you explain how the tracking via the cell provider works with 2fa? Do you mean they have an idea of the services you use based on the phone number of the sender and perhaps the format of the message? Or do you mean they actually tie the 2fa code to your identity through agreements with third party services?
would i rather have an entity that i have no power against (google) or only my own error? the outcome is the same, i had x, now i don't. personally, i'd prefer being responsible, but it is a by a thin margin.
that being said, key management has and will continue to get easier. so over time, the risk of key loss should diminish.
> Personally, I'd prefer being responsible, but it is a by a thin margin.
I'd wager that's not the case for 90% of users choosing the email provider they trust the most, both in terms of what they expect the risks are, and what they actually risk in practice.
> key management has and will continue to get easier
You're talking about the blockchain space where it was not even the state of the art when it started. Key management remains a problem in all spaces, but it has even more dramatic consequences when you have no recourse.
It's a pretty accurate assessment. A large number of people depend on freemium email addresses provided by the likes of gmail and many others as well as some ISPs. Those are only valid for the duration of your relationship with the companies behind those and that relation may be terminated for reasons beyond your control. Then there are a lot of company email addresses that are only valid for the duration of people's employement. Only a small minority of people have their own domain. And saying that they own it would be a stretch. They merely own the right to pay to renew their lease every year.
Then there is the wide spread practice of tying identity to a single email address that may be used to reset passwords. There is no good technical reason to limit it just one email address or indeed just email addresses; that's just a historical quirk that gets mindlessly copied by world + dog when they spin up a new service because of the mistaken belief widely held by non technical product managers that that just is how things are done. Only a minority of websites provide 2FA, which enhances security but does not solve the root problem of people not owning their identity. Changing your email address is not a feature that is commonly supported either. Whatever email address you pick when you signup is what you are stuck with.
If your email provider shuts you down, you lose the ability to reset passwords, receive notifications, etc.
IMHO the way out of this mess is to start making multi modal signins more common. Some companies already do this but it is not a widespread practice. Simply encourage users the ability to add multiple ways of authenticating themselves. Phone number based authentication, device based authentication (using e.g. QR codes), public key based authentication (ssh or otherwise), social media account based verification, etc. are all viable strategies to authenticate. And why have just one? Combined with 2FA this makes for a much more durable account ownership. It can also remove a lot of onboarding friction as you don't actually need users to provide a lot of information about themselves.
A lot of the reasons for this not being so common has to do with a misguided notion of big trillion dollar companies wanting to "own" the relation with their users. So Google will not allow people to use their MS owned identities to sign in or vice versa. Even though both implement variations of OpenID 2.0 and generally have a large overlap in terms of how they implement security technically. It's a simple matter of ownership. They own you. They consider you their property. Your identity is theirs to control. This is the notion that needs to be challenged for this to ever be resolved.
Imagine that citizenship worked like that. It doesn't of course. But imagine. There would be a lot of stateless citizens no longer able to prove who they are because gmail shut them down or whatever. That would be unacceptable of course. Banks can't get away with that either. A passport is all you need to reclaim ownership of your bank accounts. And in case of your death, a death certificate and some paper work from a notary is good enough for your surviving relatives. Online identity should be just as strong. People confuse the means of authentication with the actual identity.
> These extra trips through different email servers strip the emails of information about the sending server which is critical to protect against spam and email forgery.
Sure, a forwarder can strip information from a forwarded message; but that's a rogue SMTP server. And this would be your previous email provider; so you'll know whether they're rogue before you start forwarding messages through them.
> Email was designed in the 1960s
s/1960s/1970s/
You get your own domain; then host your email at a provider that offers bring-your-own-domain. Now you have a portable email. Your domain registrar cannot interfere with your messages, unless you choose to host your email with your domain registrar.
I agree that an email address is a poor identity token. As with SQL, an identity should be an opaque object with no embedded meaning. In addition to being an identity, an email address is a communications endpoint, and is parseable, so it's not opaque.
I run my own mail server because I am a sys-admin and running a mail-server is something I do for fun. but the amount of agency you gain once you have a domain is staggering. people without a domain are pretty much second class net citizens.
I wish municipality offered domains, for example: you move to St Louis you would get name.stlouis.mo.us this would give you the same agency online that a mail address gets you offline.