During a group dinner in a small town in Norway in 2015, at an international conference for investigative journalists, a Ukrainian reporter told me that he used both Gmail and Mail.ru, Russia’s most popular email provider. “Every time I write an email,” he said, “I have to decide if I want Obama to read it, or if I want Putin to read it.”
It may be hyperbolic to suggest that world leaders personally comb through individual email accounts, but the reporter’s point stands: When you use services like Gmail, Mail.ru, Facebook, Dropbox, Slack, or any other site that stores your data, they will hand your private information to governments when compelled to do so and in some cases, merely when asked. Last year, the Supreme Court ruled that the government usually needs a warrant to access private data held by third-party companies. But even with new legal protection, email remains all too easy for governments to quietly obtain. Many companies, like Facebook, have shared personal information even more widely, with private entities. When your personal data is stored on a company’s servers, as with the email in your Gmail account, there are no technical barriers to the host company sharing it when it sees fit.
Google provided private information to government agencies around the world more than 60,000 times in 2017, often turning over data from multiple Google accounts at once, according to its transparency report. And that doesn’t include over 100,000 Google accounts from which the company gave data in response to secret orders from the Foreign Intelligence Surveillance Court, a U.S. national security tribunal whose meetings and decisions are kept from the public. Mail.ru doesn’t provide a transparency report, but the situation is no doubt much worse in Russia: All Russian internet companies are required to retain data they collect about their users and to hand it to FSB, a Russian spy agency, if asked.
Google gave data from over 100,000 accounts in response to secret national security orders — in one year.
If you want an email account that’s actually private, one solution is to run your own email server from your house. This way, if governments want to secretly ask your email provider for a copy of your inbox, they’ll have to ask you.
Until now, this hasn’t been a viable option for most people: Not only would you need an extra computer to act as a home email server, but you’d also need enough system administration skills to install, configure, and secure this server. In addition, you’d need to deal with headaches related to your broadband internet provider; such providers typically try to block email servers by interfering with connections to a particular networking channel, port 25, associated with mail delivery. After you solved that problem, you’d need to configure your router to forward inbound email deliveries to your server. Then you’d need to register a domain name where your email address will live, and then point that domain to your email server using a system known as DNS. This is complicated by the fact that most residential internet addresses change on a regular basis. And as much work as it is to initially set up this home email server, it’s even more work to maintain it over time — to promptly install security updates, set up monitoring so you’ll be notified when something breaks, block spam, and avoid getting your server added to spam block lists.
With the release of Helm, that has changed. Helm is a triangle-shaped personal server that can host email (on your own custom domain name), contacts, calendar, and a file server, and is about as easy to set up as a new smartphone. For being basically a sophisticated product for hosting your most private data — where there are many opportunities to screw up — Helm’s technical choices and business model are surprisingly well-thought-out. All you need is internet access at your home and an iPhone or Android phone to configure it.
The biggest hurdle prospective users will face, I suspect, is the price: You have to drop $500 to buy Helm to get started, and then pay a $100 per year subscription to continue using its cloud gateway and encrypted backup components.
I’ve been hosting my personal email, micah@micahflee.com, on a Helm device plugged into my router in my living room for several months now. Here are some of the things I’ve learned, starting with what it’s like to switch to Helm, then an assessment of Helm security, a comparison to Gmail, a nitty-gritty examination of how Helm works technically, a look to the future of Helm, and some important caveats about the product and the policies and realities around it.
My Helm device, with the power cable, ethernet cable, recovery key, sticker, and my cat Nova (not included).
Photo: Micah Lee/The Intercept
The first step to switching to Helm is picking out the domain name you want to use for your new personal email address — in my case, micahflee.com. After ordering my Helm, I received simple instructions on how to proceed.
Properly configuring a domain name for an email server is complicated, and misconfigurations can cause other email servers to suspect that you’re running a spam operation. To avoid this, and to make it simpler for users, Helm handles the DNS for your domain name for you. If you ever need update your domain name’s DNS records, you can do it from the Helm mobile app.
If you don’t already own a domain name, you can get one while buying your Helm; all the fees associated with buying and renewing the domain name are included in the price. If you do already own a domain, you’ll need to log in to your registrar’s website and update your domain to point to DNS servers that Helm controls; Helm will handle the rest. If you host a website on your domain name — like I do with micahflee.com — you’ll also need to let Helm know about it first. (Helm supports multiple domain names, but this feature was added after I tried the product.)
The next step is waiting for the Helm device to ship to your house. Once mine arrived, I had it up and running in about 10 minutes, with an additional hour and a half to migrate all of my email from my old provider into my Helm.
Following the instructions, I plugged the Helm device into a power outlet in my living room, next to my Wi-Fi router. I connected the Helm to the router using the ethernet cable (you can also connect your Helm to your router over Wi-Fi, but ethernet is more reliable, faster, and more secure). And I installed the Helm mobile app on my Android phone, turned on Bluetooth, and paired with the Helm.
A quick note about the Android app: When I first opened the Helm app, it asked for permission to use my location. “This is an unfortunate requirement from Android since our app uses Bluetooth to pair with the Helm,” Helm CEO Giri Sreenivas told me. Apparently, Android apps can’t have Bluetooth permission without also requesting location services permission. “We do not note or store any location information.” The iOS app does not have this issue.