At first glance it makes no sense for a privacy-respecting service to ask for a piece of personal information as sensitive as an email address. Notesnook is not indifferent to this critique, but it continues to require an email address for a couple of reasons.
Why not email?
Before we get to why email still makes sense, we first need to look at how an email address can be abused, to put things in perspective.
1. User identification
If you only ever signed up for a single account in your entire digital lifetime, you'd be safe. That's not the case for most users. As soon as you use a single email address to sign up for multiple services (no matter how unrelated they are), the address becomes a linking identifier across all of them.
This is the primary danger to your privacy.
That identification can be used to build a profile on you, which can then be sold or used for ad targeting.
2. Spam & phishing
Every year a lot of people fall for email spam, which mostly stems from data leaked by services, whether intentionally or accidentally. If you never give anyone your email address, nobody can reach you, and hence you remain safe.
Many spammers now mine leaked user data across several identifiers, including email address and phone number, to build a profile. That profile is then used to compose a very convincing phishing email that anyone could fall for.
A few months ago we received a phishing email purporting to come from Apple, requesting more information to process our monthly payments. It listed everything, including our company name, phone number and full name, and hence looked extremely authentic. Even the sender address used the apple.com domain; the From header is trivial to forge unless the receiving mail server enforces SPF, DKIM and DMARC, so a familiar domain is not proof of origin.
So why email then?
The above 2 points should be enough for anyone to stop signing up with their email. However, it is important to get a clear picture of why most services, Notesnook included, still depend on it.
1. Preventing account spam & bot accounts
As a service provider, blocking bot accounts and preventing abuse is necessary to keep everything running smoothly. Requiring an email address offers one way to do that without worsening the UX too much.
Email signups require an additional verification step during account creation, which discourages bulk account creation.
This is in no way bulletproof (disposable addresses and catch-all domains exist), but requiring a verified email can significantly slow an attacker down, as opposed to a username, which can trivially be randomized and automated.
2. Memorable & accessible
Email has become like a phone number. (In fact, phone numbers and email addresses pose very similar risks to privacy because both are so widely used as identifiers.) Practically everyone with Internet access has an email account, which makes it tremendously accessible.
People still forget their email address, but generally speaking it is much harder to remember a different username for each service. This is exactly why a lot of users stick to a single username everywhere. However, a username is just a string that anyone can register on another service.
Since each email address is globally unique, it's not a trivial task to hijack it without first taking over the whole email account. This makes email addresses hard to replace and easy to use.
3. Account recovery
The first thing users forget after signing up is their password. At this moment no private notes app except Notesnook offers account recovery, which is very frustrating for a lot of users. The fault obviously lies on the user's side: they should use a password manager or remember the password well, but this is already a losing argument. As a service, it is our job to provide rescue when things go wrong, not the user's.
The fact that privacy always comes at some cost to convenience is the very reason most people hesitate when it comes to protecting their privacy. In short, account recovery is mandatory regardless of whether a service is E2EE or not.
Notesnook offers 3 ways to recover access to your account:
- Using a recovery key
- Using a backup
- Resetting everything & starting from scratch
The primary way account recovery works is:
- You enter your email address
- The service provider sends you an email with a link or a code
- You click on the link in the email to start the account recovery process
Without an email address (or some other out-of-band channel) there is no way to verify that the person requesting recovery actually owns the account. Note what the emailed link proves and what it does not: it proves ownership of the account, but in an end-to-end encrypted app it cannot by itself restore the encryption key. That is what the recovery key or a backup supplies.
Server breaches are real. Data gets compromised, or some other critical issue happens. Having a reliable way to reach our users is vital to their safety, and email is how we communicate with them.
Aside from email, Notesnook also has an in-app announcement system for notifying users about critical issues & ways to avoid them. However, not everyone always has Notesnook open in which case they can miss an important announcement.
In addition, some services, including Notesnook, use email to send regular updates about the product's progress. All such non-critical emails are optional, of course, but they are a great way to keep users in the loop with minimal effort on their side.
Sharing your email safely
The first instinct after reading this might be to ditch email entirely. It's an old technology full of holes patched over & over again. Try as we might, however, we have to live with email.
Since almost all services offer email signup, you need to know how to anonymize yourself without depending on any single service. It's inevitable that at least one service out there will be careless with your personal data. Trusting the vendor to do all the heavy lifting will leave your security full of holes.
1. Anonymize your email
It's cool to have a recognizable email address (e.g. <lastname>.<firstname>@<domain>), but it's also the first thing connecting the address to you. The first step should always be to randomize your email address so that nobody can tell who is behind it just by reading it.
Instead of using your full name or initials in your email, you can adopt a fake persona and use that.
Doing this can be quite inconvenient if your email is already connected everywhere. For this I recommend a gradual migration.
2. Email aliases
An email alias cloaks your real address: a sender writes to the alias, but the message arrives in your real inbox. Simple and convenient.
An email alias acts as a proxy. Keep in mind that the anonymity is towards the service you sign up with, not towards the alias provider, which necessarily knows your real address and sees every message it forwards.
Since you can create an unlimited number of aliases for a single address, this is an easy way to dissociate one account from another.
You can use any of these services to set up email aliasing:
Email aliasing can also help you narrow down the culprit when you start receiving spam. This obviously requires a unique alias per service (or per group of services), which might not always be convenient.
3. Disposable emails
I generally don't recommend using disposable emails (unless you are creating a disposable account as well) for a variety of reasons. However, they can be a good way to sign up without exposing your real email address.
Do note that disposable emails are transitory, i.e. you can lose access to the address at the worst possible moment, with no way to get it back, and with it any account recovery that depends on it. This makes disposable email a risky way to ensure anonymity.
The Future of Notesnook & Email
At this point in time (July 30, 2022 PKT UTC+5), if Notesnook's database is compromised the only data at risk is users' email addresses. While we recommend that each user take the necessary steps to anonymize their email (as listed above), it is also our obligation, as a private note-taking app, to improve our own security.
These are some of the practical steps Notesnook is going to take to prevent potential leakage of users' email addresses.
1. Ephemeral email address storage by default
Most uses of email listed above (account recovery, spam prevention etc.) do not require storing the address at all. However, it is essential to verify that the entered email address is the right one. For this we can store a one-way hash of the address (instead of plaintext) purely for verification. One caveat: email addresses have very little entropy, so a plain unsalted SHA-256 of an address can be reversed by hashing a dictionary of leaked addresses. The hash has to be keyed with a secret (a pepper or HMAC key) that is kept outside the database, so that a database dump alone is not enough to recover addresses.
Whenever the user starts a process that requires email verification, the client app can ask the user for their email. This is already done for some processes (e.g. account recovery, account creation, login).
All this, however, still requires trust: TLS protects the address in transit, but the server receives it in readable form, and it is up to us whether to store it or not.
2. Opt-in email address persistence
Storing emails ephemerally offers greater security, but it prevents us from reaching out to the user in case of a critical issue. Currently this is not a problem, because all email addresses are stored in the database as plain text and can easily be retrieved.
To solve this, we will give the user the choice of whether they want their email stored for external communication or not. This would allow users who have already anonymized their email address to continue to benefit.
We can further increase security by encrypting the stored emails with an asymmetric key: the public half lives on the server, while the private half is isolated on a different machine. The server can then encrypt an address at signup but can never decrypt it, so neither a database dump nor a compromised web server yields the addresses.
I haven't thought too much about this, but it's possible to do this in a safe way.
Once all these measures are in place, a breach of Notesnook's database would yield no useful data to the attacker at all:
- All user-generated data will be encrypted (notes, notebooks etc.)
- Users' personal information (the email address) will either not exist on the server or will also be encrypted
Email is a necessary part of our digital lives, and learning to share it safely is essential to our online privacy. Employing techniques such as email aliasing, we can easily anonymize our online presence, because we cannot always depend on the service provider to protect our privacy.