Basically create an alias for every combination to prevent privacy cross contamination.

For instance, not only should you make an email alias for an Eventbrite account, but for every organization you sign up for events with. You are required to enter an email (any email) for the event, which can be seen by both Eventbrite and the organization. If you enter in the email of your Eventbrite account then the org could give that away, resulting in email spam and you can’t be sure if it was either Eventbrite itself or the org that sold you out. If that happens then you would probably want to delete email address but then you have to change it in other places you need to send/receive emails from.

Another example is Discourse forum sites. While Discourse is open source and self-hostable, you may not always be sure if a Discourse site is self-hosted or using paid hosting. A lot online places have both their own website and a separate discourse site. Bitwarden’s forum site doesn’t have a sign-in option using your Bitwarden.com account, and Raindrop.io uses canny.io to track app feedback which has also uses its own login. (I’m actually glad I made an alias for every single Discourse forum site before realizing all of this).

  • rhymepurple@lemmy.ml
    link
    fedilink
    English
    arrow-up
    9
    arrow-down
    3
    ·
    8 days ago

    There is no one-size-fits-all solution and there likely isn’t a solution that works for everyone even in specific situations due to different threat models. Purchasing and using a custom domain is often listed as a good practice for maintaining a person’s privacy. However, it can be even more detrimental to a person’s privacy than just using a trusted email masking/forwarding service and trusted email provider. For example:

    • The domain is purchased without WHOIS protection (or without using non-personal information) or the WHOIS protection is not renewed
    • The email server is hosted on hardware that can be linked to other services that identify the individual (eg: the email is self hosted using a home IP address)
    • A self hosted email server is configured in a way that leaks information or is configured insecurely
    • The email domain is used by only one person, which enables agencies to link each individual, unique email address back to that individual and create an aggregated profile across various accounts/services
    • If the domain/DNS is not configured properly (or if the domain is not renewed), then the domain (and thus the email accounts) can be hijacked, which could lead to any additional accounts/services that are still using the domain vulnerable to a take over attack
    • The email server is hosted by a privacy invasive company/service
    • The person assumes that all emails are private since they use a custom domain on a trusted email provider (or self hosted email server), but continue to send emails containing sensitive information to email accounts running privacy invasive email services (eg: Gmail)

    Please note that I am not saying that this is not a good option, but I just wanted to note some of the things that should be considered if a person decides to use a custom email domain to improve their digital privacy.