There’s a small up-and-comer in the private/secure email community that you may have heard of: CTemplar. CTemplar is a lot like ProtonMail in that it works off PGP, allows you to send password-protected secure emails to non-PGP users, allows payment in Bitcoin, and some other similar features, but it also has a few perks that make it a potential serious competitor to ProtonMail, like being based in Iceland (Swiss privacy laws are great, but they’re not as foolproof as everyone makes them out to be), allowing Monero payments, a no-IP-logging policy, and a few other things. Overall, CTemplar has some real potential.
Then this week, disaster struck. CTemplar doesn’t keep backups – or at least, didn’t prior to this – as part of their security strategy. This came back to bite them when they suffered a “catastrophic data loss.” This affected different customers to differing degrees, and it seems to have nothing to do with your status as a paid or free user. From what one reader told me, CTemplar claims they had recently moved their infrastructure to a “Replicated Dispersed Cluster with GlusterFS.” That is way over my head, but from what a quick web search told me this was a sort of decentralized infrastructure which explains why only certain users were affected and to varying degrees.
CTemplar has responded by helping users restore accounts and in many cases (possibly all) given them a free period of the next paid tier up (for example, as a free user I was given at least 6 months of Prime, existing Prime users should’ve gotten Knight, etc). They have also vowed to review their “no backups” policy to find a solution that ensures this won’t happen again.
Here’s what I want to talk about this week: what can we learn? I have a CTemplar account, mostly so I can experiment with it and see what they have to offer. I’m pretty happy with them, and I’ve kept that account and even considered a few times making it my primary account. They claim to have been audited, they are open source, and minus a few features they seem pretty on-par with ProtonMail, my current default. So here are the lessons I took away.
1: Trust Is More Than Security
Often, when we talk about “trusting a service,” we talk about trusting them with our data. We trust VPNs not to keep logs, we trust our mail providers to be telling the truth that they can’t read our mail, and I personally trust privacy.com to fight against a non-court order for data, etc. But rarely do we say “do I trust this company not to go under?” Back in 2013, Lavabit – who was Edward Snowden’s email provider of choice – was served a warrant for all user encryption keys and data along with a gag order. In other words, they couldn’t disclose this request. Infamously, many users were surprised when they woke up and found that their email accounts no longer existed. Lavabit had chosen to pull the plug and scrub everything rather than hand it over. To this day, many in the privacy community laud them as heroes for refusing to give in, but it’s also worth considering how many unsuspecting, unrelated people woke up one day and found that they’d lost everything. Imagine if you woke up tomorrow and your email account that you’d been using for a decade (usually Google, for most people) was locked out through no action or fault of your own. No more access to your inbox, no new emails, etc. For some CTemplar users, like myself, this wasn’t a big deal as we weren’t heavy users. For some, they had made CTemplar their primary email address and now they had lost everything – past correspondence, access to new emails, everything. When picking a service and asking yourself “do I trust them?” make sure that also includes “do I trust them to stand the test of time?” Startups are risky. They often sell and/or get absorbed once they get big enough. Do you trust this company to last?
Something I didn’t even realize until this incident happened: CTemplar has no way to export and save emails. Proton has a bulk email export tool as well as IMAP for paying members, Tutanota lets you export emails one-by-one, but CTemplar has nothing (except copy/paste, I suppose). Putting aside whether or not CTemplar was at fault for not keeping backups, I find it troubling that there’s no way for me to take it upon myself to do backups. I personally try to fire up Thunderbird at least once a month if not once a week to download all my Proton emails. I export all my Tutanota emails as soon as I receive them (note: all my drives are full-disk encrypted with VeraCrypt AES-256 or LUKS, 6-word randomly generated passphrase, your correspondence is safe with me and never shared). But the fact that I have no way of backing up my CTemplar emails is troubling. On my site, I preach the importance of backups because we’ve all probably been there at least once or twice, but this is equally important when it comes to online data. Just because something is in the cloud doesn’t make it immune to failure. Remember the 3-2-1 rule: 3 copies of your data (including your live, in-use copy), 2 formats (such as hard drive and CD), at least 1 of them offsite (such as in the cloud or at a friend's house).
This is a topic I covered earlier this year when Signal crashed for a weekend, but it bears repeating, and this incident demonstrates how truly vital it is: it’s human nature to make one thing your primary method of doing that thing. I don’t take multiple routes to work each day (though in a security sense I should) because I know the fastest route and it’s easy. I don’t use multiple email accounts for things – though again, I should – because I have one that has all the features I want, including privacy and security. However, it’s still important that I have access to those things. Popular life coach Jordan Harbinger has a very powerful saying: “dig your well before you’re thirsty.” If you’re an introvert like me, you may have found yourself in a position where you wanted a favor from a specific friend only to realize you haven’t talked to them in months and now you’d feel like a jerk contacting them out of the blue to ask for help. The same applies with communications redundancy. As someone with multiple custom domains, I can assure you that it’s not a quick process. Once your email provider of choice goes down, that’s not the time to sign up for a custom domain and change your email addresses. Likewise, once Signal goes down is not the time to start asking your friends and family to download Matrix or Session as a backup. You need to have these systems in place ahead of time. Fortunately, as I said, I didn’t use CTemplar as my primary so in terms of any lost communication I probably didn’t miss anything, but don’t wait until this does happen to your primary services. Sign up for both Proton and Tutanota. Sign up for Signal and Session (if your threat model fits it). Let people know where they can reach you in such an emergency. When Signal crashed earlier this year, my partner already knew I had Matrix and had tried it. I sent an email to my less-frequently-messaged contacts about what was going on and that they could reach me at Matrix if they needed, and we rode out the storm. While I have been lucky enough to be unaffected (for the most part) by this CTemplar incident, it is forcing me to rethink my own redundancies in regard to The New Oil, as well as my own life. Whether that means using a custom domain you can redirect or having multiple accounts and letting people know where to find you, dig your well before you’re thirsty.
Before I go, I guess I should weigh in on what I think of this incident. First off, I am unhappy that at the time of this writing – over a week later – CTemplar STILL has not issued any official comment on this incident. There has been one Reddit post, but otherwise no tweets, no Facebook posts (that I’m aware of), no blog post, no emails sent out to recovery email addresses, nothing. I completely understand that this is an embarrassing incident and it’s painful to admit your mistakes, but the lack of transparency and the amount of unethical-corporation style “keep it on the down-low” PR I’m seeing is unsettling to put it nicely. Having said that – and second – it is worth noting that this could’ve been much worse. Data lost, while still tragic and frustrating, is in my opinion better than data exposed. I’d rather them lose my data than leak it onto the dark web. But third, having said THAT, I find it hard to believe that keeping backups would compromise their security. In my non-technical opinion, if a friend gave me an encrypted file and said “hey hold this for me,” I don’t see how it would be a security risk for me to make a copy of that file and put it on my backup drive. It’s not like I’m able to decrypt it or like I’m keeping the password/keys in the same place. I dunno, maybe someone who’s more tech-savvy than me can explain that. I get why it seemed like a good idea at first, I don’t blame anyone for throwing the idea out there, but I feel like it should’ve been pretty obvious that the risks outweigh the rewards. I digress. The important thing is, again, the data itself wasn’t compromised. So do I still recommend CTemplar? Personally, yes*. The asterisk is to remember that CTemplar is still a small, unproven company and mistakes like this are not only possible but likely. Until CTemplar has an email backup feature or strategy of some kind (such as IMAP or export), I would strongly advise against making them your primary email, but given that this incident has given us no indication whatsoever of data leakage, privacy invasion, or any other unethical behavior, at this point in time I have no reason to question them in terms of their privacy or security. I will be interested to see what steps they take to ensure this doesn’t happen again, and again I look forward to their external backup features.
With all that in mind, remember that no company is born a monolith. ProtonMail, Mullvad VPN, DuckDuckGo, none of these companies were perfect out of the box and they all had their growing pains. Once upon a time there were people like you or me who took a chance on them and said “I think there’s potential here, I’m gonna support these guys.” Don’t be afraid to support the little guys, but just remember that they are little and we’re placing a lot of trust in them in more ways than one. Dig your well before you’re thirsty.