this post was submitted on 23 Jan 2025
41 points (88.7% liked)

This post is not really about questions I have. I just feel like I need to write this somewhere to express my concern.

First of all, online stores have become a huge part of our society and I admit I heavily rely on that. That alone could be a privacy issue but I’d ignore that for the sake of not missing the point of this post.

The problem is rather in the way these online stores send out their receipts. You might already know that emails are by default not client side encrypted. That means your email server admin (Google if you use Gmail, Apple if you use iCloud mail, and Proton if you use Protonmail. Yes, Proton claims it stays encrypted as soon as the emails arrive at their server, but who can really vouch for this? It’s behind the curtain anyway.) has access to your receipts, including those of the past.

Now email has been around for a really long time. And the client side encryption part has been worked on in a lot of forms such as S/MIME. But none of the online services really implement it even though they contain critically personally identifiable info such as items I bought along with my name & address.

And the thing is, even though these online sellers acknowledge this privacy risk, they don’t have options to not email us receipts. For example, Amazon has a dedicated page on their site where I can see the list of everything I bought. That’s literally enough for me. They can stop sending me the receipts in the worst possible way! At least they could provide us with a better way (even WhatsApp will do) yet they don’t. This is a severe privacy issue.

I can’t help feeling, with all the sophisticated technology we have at hand, that we deserve better.

[–] theRealDonaldDuck@lemmy.ml 3 points 5 hours ago

Given that an E2EE solution requires all online stores switching technologies, it's unlikely to happen. The next best option is using a VPN-like solution for email. I use Privacy Portal email aliases with email encryption for this. There are multiple other alternatives but I like Privacy Portal because it has one of the strictest privacy policies and because I'm a little biased (I'm an engineer on the team).

Emails sent to you from online stores get sent to Privacy Portal's relay servers. These servers act like VPN servers meaning no logs, no writing to disk, zero storage, ... The emails get encrypted in memory with your public PGP key (or certificate) and get sent encrypted to your email provider. Only you will be able to decrypt them on device.

If you use Proton mail as your email provider, it supports PGP encryption by default. You can simply copy your public PGP key from Proton and submit it to Privacy Portal and you're done. Proton won't have access to your emails. Alternatively you can use any email provider with an email client that supports PGP (e.g. Thunderbird, K9). And if all else fails you can even use S/MIME with Apple Mail on iOS but that has some drawbacks.

With this solution you would be separating providers into 2 categories:

  • The first provider receives the unencrypted data but has no authorization to log or store anything.
  • The second provider is responsible for storing your encrypted emails but does not access the unencrypted version.

On top of that, you can also reply to emails without exposing the unencrypted versions to your email provider because encrypted emails sent by Privacy Portal contain public keys used for decrypting outbound mail before relaying it to its destination.

The cherry on top is that the online store won't have access to your personal email. So if they start spamming you, you can stop the email alias.
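
The relay step this comment describes, sketched as an added example (not Privacy Portal's code and not part of the comment): a receipt is encrypted in memory and re-wrapped as a PGP/MIME (RFC 3156) message, which shows what the storing provider can still read. The function names, the sample receipt, the use of the `gpg` CLI and the choice to replace the outer subject are assumptions of this example.

```python
import subprocess
from email import message_from_string, policy
from email.encoders import encode_7or8bit
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart

# Constructed sample receipt as a store might send it to an alias.
SAMPLE_RECEIPT = (
    "From: orders@shop.example\n"
    "To: alias123@relay.example\n"
    "Subject: Your order of 1x Widget\n"
    "Date: Thu, 23 Jan 2025 10:00:00 +0000\n"
    "Message-ID: <1@shop.example>\n"
    "\n"
    "Ship to: Jane Doe, 42 Example Street\n")

def gpg_encrypt(plaintext: bytes, key_file: str) -> bytes:
    """Encrypt via stdin/stdout of GnuPG so the plaintext is never written to disk.
    Assumes gpg >= 2.1.14 and key_file holding exactly one public key."""
    return subprocess.run(
        ["gpg", "--batch", "--armor", "--recipient-file", key_file, "--encrypt"],
        input=plaintext, capture_output=True, check=True).stdout

def wrap_pgp_mime(raw: str, deliver_to: str, encrypt) -> MIMEMultipart:
    """Return a multipart/encrypted message whose ciphertext is the whole original."""
    original = message_from_string(raw, policy=policy.default)
    armored = encrypt(original.as_bytes())  # original headers and body go inside
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    # These headers stay in cleartext: the storing provider still sees them.
    for name in ("From", "Date", "Message-ID"):
        if original[name]:
            outer[name] = str(original[name])
    outer["To"] = deliver_to   # the real mailbox, unknown to the store
    outer["Subject"] = "..."   # example's choice: real subject only in ciphertext
    outer.attach(MIMEApplication(b"Version: 1\n", "pgp-encrypted", encode_7or8bit))
    outer.attach(MIMEApplication(armored, "octet-stream", encode_7or8bit))
    return outer

if __name__ == "__main__":
    import sys  # usage: python wrap.py recipient-pubkey.asc you@mailbox.example
    enc = lambda data: gpg_encrypt(data, sys.argv[1])
    print(wrap_pgp_mime(SAMPLE_RECEIPT, sys.argv[2], enc).as_string())
```

Even with the body encrypted, the sender, the delivery time and the message size remain visible to the provider that stores the mail.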