from the don't-do-this dept
For years, I’ve been trying to convince people that there is value in having an email server in your closet. But few seemed to really get it, so I often found myself wishing for a high-profile example to illustrate why it is a good idea. That wish has, in a way, come true: The casual news consumer has had the pleasure of hearing about a “private email server” quite a lot over the past year.Except, beyond that, he's basically wrong. Yes, if you're really technologically savvy and want to do it, you can absolutely run your own email server. Though, honestly, it's probably going to be kind of a pain, because you'll need to constantly be patching it and protecting it, and even then it will probably be significantly less secure than if you use an online provider. Meysenberg is right on only one point, barely, and it's that if you run your own email server, and the government wants to get access to it, at least you'll know about it:
When your emails reside on a cloud provider’s server, the owners of that server are ultimately who decide when to let the government, or any other party, access those emails. In the case of your work’s server, those choices are made by your employer. In the case of Gmail (or any other cloud provider), this choice is typically made by the company’s legal team, based on its evaluation of the government’s demands. Most of the big companies, including Google, do have a policy of notifying users about demands before they hand over the requested data, which would give you an opportunity to assert your rights in court. However, there are many cases in which the government’s demand will be accompanied by a gag order forbidding the company from providing that notice.And, thus, he notes:
Having a private server in your home side steps these uncertainties. At home you as a private individual have the ability determine who has access to your email inbox—just like you have a right to determine who has access to that box of old love letters from high school. By owning the server, all requests for data have to go through you (and/or your lawyers), and any confiscation of the physical hard drives on which your emails are stored requires a search warrant for your home. And unlike with email stored in the cloud, it will always be obvious if and when the police seize your email server.But, of course, none of that stops the government from getting your server if they want it... it's just that in this one case you'll know about it.
And for what tradeoff? Well, there are some pretty big ones. If you're not particularly skilled and experienced with online security issues, your personal email server is almost certainly significantly less secure than the big companies that have strong security teams and are constantly making it stronger and on the lookout for attacks. If you're that good, you're not learning about the issue of hosting your own email server for the first time in... Slate.
The article insists that it's a myth that running your own server is a security nightmare, but I've yet to see an online security expert who agrees with that even remotely. Even the comments to the Slate piece are filled with IT folks screaming about what a bad idea this is.
In the end, this seems to be an issue of tradeoffs and skills. If you're quite skilled with online security and you think the government might want secret access to your email, then maybe in some limited cases, it might make more sense for you to run your own server -- though, even then you're exposing yourself to being hacked by the government too, because, you know, they do that kind of thing also in some cases. Otherwise, you're almost certainly opening yourself up to a home IT nightmare and a lot more trouble than it's worth for significantly less security.
In short, even if you're not Hillary Clinton, running your own email server is a bad idea. And if you're just now getting the idea from Slate... then it's a really bad idea.