Anonymous (Paid) E-Mail Account


A brief writeup describing how to open a (paid) e-mail account without having any personal information (e.g. credit card) directly attached to it.

Alright, it’s time to dust off your tinfoil hats again and dive into the paranoid world of online privacy with me! Today we’ll be looking at e-mail services and walking through the steps of opening a paid e-mail account without having any personal information directly attached to it.

Why would we want to do this in the first place? First and foremost, because we cannot trust any online service to safeguard our data anymore. According to NordLayer, 2024 has been one of the worst years yet on the cybersecurity front:

2024 has been another banner year for data breaches, with cybercriminals accelerating their efforts to steal and monetize confidential information. The stats below show that data theft is commonplace, and organizations face a challenging data security environment:

  • National Public Data (NPD) will probably be 2024’s biggest data breach. The mammoth breach potentially impacts 2.9 billion records, close to the most significant data leak ever.
  • Change Healthcare suffered the largest health-related data breach of the year, affecting over 100 million customer records. This could make it the largest healthcare breach in history.
  • The average cost of a data breach reached $4.88 million in 2024.
  • The cost of a data breach in cloud environments was even higher, averaging $5.17 million.
  • 40% of breaches involved data stored across multiple environments.
  • 68% of 2024 data breaches involved human errors, such as falling for phishing scams.
  • 14% of attacks involved security exploits, three times the 2023 total.
  • On average, organizations took 194 days to identify data breaches.
  • The average attack took 64 days to contain.
  • Meta (Ireland) was fined 91 million euros for exposing customer data, the largest GDPR penalty in 2024.

Having even just your credit card with your full name attached to that my-ashley-madison-account@hotmail.com e-mail address of yours could put you in an uncomfortable situation if either the e-mail provider, or any of the services that account is used on ever gets hacked and the data is leaked online. It is safe to say that these days you cannot trust any service with your real information anymore. While online accounts that don’t require payment can usually be created using fake data, those accounts typically monetize their service by selling the data they generate, even when they say they don’t.

With a paid e-mail service, there is at least a slight chance that they will remain true to their mission and not sell any data generated by their paid accounts, as they already make money from those accounts and would risk losing them if they were to misbehave.

This is not the case for paid services like Google Workspace, Microsoft Office 365 and similar big tech offerings. Even though you pay them money, they will still make you the product and use your data to spy on you, train AI and potentially sell it to third parties.

The paid e-mail services referred to in here are small businesses that truly depend on the income generated through their paid services.

So what is the best way to create an e-mail account with a paid service provider without giving them any PII?

Step 1: Payment method

Ideally you could simply mail a letter with the yearly fee in cash or precious metals to an address, but unfortunately that’s not always possible. However, decentralized currencies allow us to do just that, but digitally.

If you are only concerned about having your PII directly attached to the e-mail account, you can use any regulated DEX to buy Bitcoin that you can afterwards pay the service provider with. Even though your PII is not available to the mail service provider, the transaction will be traceable and your DEX will have your PII.

If you’re concerned about the possibility that the DEX might get hacked and leak account data (and through that your PII), which would in turn make it possible to trace your payment to the mail service provider, and at the very least reveal what e-mail provider you are using, then it definitely makes sense to find a DEX that allows you to purchase untraceable cryptocurrency like Monero.

If your paranoia level is above that, your best bet is to purchase cryptocurrency on a peer-to-peer marketplace with cash-offers, or to find cryptocurrency ATMs around you that do not require KYC and accept cash. At that point it doesn’t really matter which cryptocurrency you purchase, as you can use platforms like fixedfloat and changenow later on to convert the currency into one accepted by the mail service provider (most likely Bitcoin). Ideally, however, you would want to have at least one conversion-hop in XMR to break the transaction chain and make it harder to trace the full transaction. While you could use a tumbler, I would not recommend it, as such transactions are immediate red flags that might raise eyebrows and, in the worst case, put your wallet(s) on a list.

Most services these days accept payments in cryptocurrency, regardless of what their public landing-pages might be saying. Once you have identified a trustworthy service that you would like to use, it’s worth contacting their support via e-mail to ask about the options for paying with cryptocurrency.

At this point we’re encountering a chicken-and-egg problem, where you need an e-mail account to write to support in order to open an e-mail account. However, for this short interaction a (free) throwaway account that won’t require PII can be used.

Remember that every interaction with a cryptocurrency wallet, a DEX or any e-mail provider should ideally be done from an IP address that is not linked to your PII. A coffee shop with WiFi is the easiest and cheapest way. Tor is another possibility; however, you might encounter obstacles creating accounts via the Onion network. Another alternative is a VPN for which you are able to purchase scratch cards.

When contacting support, be brief but state why you would like to open an account using cryptocurrency instead of conventional payment methods. Explain that you don’t feel comfortable having your PII attached to online accounts. The more reasonable your request is, the more likely it is for the service to agree. While working on this post I have tested this approach with a handful of different services and was able to ultimately open e-mail accounts with all of them.

Mail services these days suffer a lot from malicious use (fraudsters, spammers, etc.) and might hence be cautious about opening e-mail accounts paid for with cryptocurrency. This is especially true for the ones that don’t openly advertise that they accept crypto payments. Hence, don’t be irritated by follow-up questions from support.

Step 3: Pay and use

In most cases the support will send a wallet address for you to transfer the fee to. Keep in mind that if crypto payments are being offered, it’s usually only for yearly plans and in many cases refunds won’t be possible. Make sure to investigate the desired mail provider thoroughly beforehand, including its privacy policy and terms of service. Ideally you can make use of a trial phase under a different account, unless a payment option is required for that.

If you’re e.g. a political activist who’s looking to open an e-mail account this way, make sure the provider in question is as far away from your own jurisdiction as possible. Ideally you’d want the e-mail service to be operated under a jurisdiction that is cumbersome to deal with, especially for the one you’re located in. Example: If you are a French climate activist, do not use a service based right at your doorstep (e.g. Switzerland). Find the jurisdiction that is likely to be the least cooperative towards your own jurisdiction and use a service that is based there and ideally runs its servers there as well.

It is important to remember that the yearly fee won’t be charged automatically and that failure to pay in time will result in the account getting shut down. Set up a payment reminder so that you can contact the support and communicate future payments when due. If you are likely to stick with the services for longer, ask for multi-year payment options.

Stuff you should know/do/don’t

  • If you are going to have Amazon send you delivery confirmations that contain PII like delivery addresses to this account, you basically did all this voodoo dance for nothing. In fact, if you use this e-mail address on any platform that has your PII, you’ve just stabbed yourself in the back, regardless of whether you use VPNs, GPG, and whatnot.
  • Use individual per-service addresses when signing up for things. Either through the widely available plus-alias (myaccount+theservice@example.org) or, better, through a custom e-mail alias address, which many services these days offer. If yours doesn’t, there are third-party services that do.
  • Do not leave e-mails longer than needed on the mail server. Depending on what e-mail client you use, you can usually have a local mailbox account. In Mozilla Thunderbird this can be found under Settings, Account Settings, usually at the very end of the sidebar. If you’re using a more advanced setup (e.g. neomutt), make sure to have whatever tool you use to download your mails (getmail, offlineimap, mbsync, …) delete them afterwards.
  • Configure your e-mail client to either not store e-mail drafts on the server or only store them GPG encrypted. Also make sure to enable encryption of the e-mail subject.
  • Always consider the metadata: When you write an e-mail to someone, you’re creating a relation from your account to that other person’s account. If you’re using this account to write e-mails within a group of relatives/friends/co-workers, it is relatively easy (for the e-mail provider or anyone with access to server logs and/or e-mails on either end) to find out who’s in charge of the e-mail account.
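
The per-service addresses from the list above, as an added example (not part of the original article): each service gets a plus-alias carrying a keyed tag, so incoming mail can be traced to the service the address was given to. The mailbox, domain, secret and tag scheme are assumptions of this sketch. `base_address` shows why the article calls custom aliases the better option.

```python
import hashlib
import hmac

# Constructed placeholder values; the tag scheme is an assumption of this
# example, not a feature of any particular mail provider.
MAILBOX, DOMAIN = "myaccount", "example.org"
SECRET = b"constructed-demo-secret"  # keep the real one offline


def _tag(service: str, secret: bytes) -> str:
    """Keyed 8-hex-digit tag, so a valid alias cannot be guessed."""
    mac = hmac.new(secret, service.encode(), hashlib.sha256)
    return mac.hexdigest()[:8]


def alias_for(service: str, secret: bytes = SECRET) -> str:
    """Address to hand to exactly one service."""
    service = service.lower()
    return f"{MAILBOX}+{service}.{_tag(service, secret)}@{DOMAIN}"


def source_of(recipient: str, secret: bytes = SECRET):
    """Service an incoming recipient address was issued to, else None."""
    local, _, domain = recipient.lower().rpartition("@")
    mailbox, plus, suffix = local.partition("+")
    service, _, tag = suffix.rpartition(".")
    if domain != DOMAIN or mailbox != MAILBOX or not plus or not service:
        return None
    expected = _tag(service, secret)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None  # untagged or forged alias
    return service


def base_address(recipient: str) -> str:
    """What a leaked plus-alias reveals: strip '+...' to get the mailbox."""
    local, _, domain = recipient.rpartition("@")
    return f"{local.partition('+')[0]}@{domain}"
```

Mail arriving at a tagged alias from anyone other than the service it was issued to indicates that the address was leaked or passed on by that service.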

Happy mailing!

You are now likely the owner of an e-mail account that has no PII attached to it. Keep in mind that just because you paid for it, it doesn’t mean that the service won’t boot you off the platform, especially if you’re planning to do dumb things with it. Don’t be a d!ck and enjoy the little privacy we have left responsibly.

FAQ

I thought most services don’t store payment information?

Correct, most services let the payment processor (e.g. Stripe) handle the PII involved with payments, to a certain degree. Services are usually still obliged by law to store invoicing data (name, address) on their end, usually for multiple years even after you might have already closed your account with them.

Even if no PII is stored in the provider’s database, your account is usually still linked to it through a common identifier used by the provider and their payment processor.

Is it more expensive to pay subscription fees in cryptocurrency?

Usually it isn’t, although conversion/transfer fees might accumulate, depending on how elaborate the flow gets. However, some services might even offer a discount when paying via cryptocurrency.

Some services use crypto processors to handle crypto payments. Oftentimes the processor will require you to create an account, which in turn might be subject to KYC procedures.

If you can’t pay without creating an account, ask the e-mail provider to send you a simple wallet address. If they refuse, find another e-mail service provider.

Does it make sense to use an “encrypted” e-mail provider?

If you’re referring to encryption at rest, sure, it won’t hurt. If, however, you’re talking about end-to-end (or “zero-knowledge”) encryption of the mailbox, no. Services that offer this feature usually require you to use non-standard ways to access your e-mails (with some exceptions), introducing additional software (telemetry) and hence potential security-issues into an otherwise battle-tested setup.

If you encrypt your mails using GPG, and the people you’re communicating with do the same, your e-mail content is effectively E2EE. Any service promising you “zero-knowledge” is trying to sell you smoke, as the real issue with e-mail isn’t necessarily the content, but the metadata. (see below)

So I can simply use GPG and be completely private/anonymous?

No. GPG encrypts the content of your messages and maybe the subject line (depending on your client), but there’s more to anonymity than e-mail content. E-mail will unfortunately never be fully anonymous because it leaks metadata on so many different levels, regardless of what the marketing departments of paid services try to sell you. If you’re curious about PGP/GPG and its issues, refer to this excellent write-up. Even though I don’t agree with the author’s verdict to not encrypt e-mails at all, he is nevertheless right with his criticisms of PGP/GPG as a whole, and the suggested alternatives for various scenarios.
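
What stays readable on a GPG-encrypted message, as an added example (not part of the original article): the sample message, its addresses and the client name are constructed, and the two functions are this example's own. It lists the headers the provider can still read and counts the sender-to-recipient relations they reveal.

```python
from collections import Counter
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: a PGP/MIME message as stored on the provider's server.
RAW = """\
Received: from [203.0.113.7] by mail.example.org; Tue, 04 Mar 2025 09:12:44 +0000
From: myaccount@example.org
To: alice@example.net, bob@example.com
Date: Tue, 04 Mar 2025 09:12:40 +0000
User-Agent: ExampleMailClient/1.0
Subject: ...
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b"

--b
Content-Type: application/pgp-encrypted

Version: 1
--b
Content-Type: application/octet-stream

(ciphertext omitted)
--b--
"""


def visible_metadata(raw: str) -> dict:
    """Everything readable without the private key."""
    msg = message_from_string(raw)
    rcpts = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {
        "body_encrypted": msg.get_content_type() == "multipart/encrypted",
        "from": [addr for _, addr in getaddresses(msg.get_all("From", []))],
        "to": [addr for _, addr in getaddresses(rcpts)],
        "subject": msg["Subject"],
        "date": msg["Date"],
        "client": msg["User-Agent"],
        "received": msg.get_all("Received", []),
    }


def contact_edges(raw_messages) -> Counter:
    """Sender -> recipient pairs an observer can count from headers alone."""
    edges = Counter()
    for raw in raw_messages:
        meta = visible_metadata(raw)
        edges.update((s, r) for s in meta["from"] for r in meta["to"])
    return edges
```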

If I can’t be 100% private/anonymous, why bother?

Because not everyone wants to LARP as a secret agent, and because the main goal of this exercise is to limit your own exposure to data breaches. As most online services these days require an e-mail address to create an account, it makes sense to have an e-mail account that has no PII linked to it.

What if I do want to LARP as a secret agent?

Find a state actor that is willing to sponsor you a passport that lists your name as Christopher Condent, Edward Teach, Charles Johnson, Alaric Arabel, or similar, and use e-mail like everyone else.