I recall when Gmail first started rolling out, getting into the beta was pure elite status. Hotmail at the time was the major alternative to an ISP email address (which was a terrible idea as well; what would happen if you had to change providers?), and an ISP email address was like wearing knock-off Starter jackets.

Now, I may be dating myself here between pre-Gmail and 90’s fashion, but when the internet transitioned from screaming devil noise into a POTS line to the first cable modems, who you had for email mattered. It was the email address you used to sign up for World of Warcraft, it was how you kept in contact with your guilds and sometimes school and work messages. Gmail was offering a free 1Gb of storage [1], which was about as much storage as I had on my old Frankenstein desktop; it was too good to be true. Hotmail was slow, it only had a few megs of storage, and you couldn’t do much with that space. With Gmail, I didn’t have to delete every email after I read it like some spy novel.
I traded in-game gear from World of Warcraft to get an invite to Gmail. I felt so cyberpunk doing it. I still couldn’t get an original email address without digits in the name, but it was so much closer to adult addresses than the Hotmail address I scoped when I was 17.
This is all to say I’ve had my Gmail account for a while, since 2004. 21 years later, with all of the changes and shiny ads and new utilities Google introduced, I recognized something. I knew from day one they were using the data they could scrape to sell me stuff; at the time I thought “I’m not important enough to really be worthwhile, let them scrape it!” I’m realizing how foolish that truly is. In today’s era of mass surveillance, with social media posts being used for legal proceedings and deportations and Border Patrol reviewing the contents of phones as folks come and go in an airport, I’m not unimportant. My ability to vote, to choose and reshape what I already see as a dystopian cyberpunk world of haves and have-nots, and to resist pervasive invasion of my thoughts makes me much more important than those in power want me to believe.
Metadata
Metadata, or the data about the data, is not a fully new concept in information security. However, it’s not entirely understood. Imagine you are watching someone in an office. You can see they have bright lights on, that they have a big chair and a bigger wooden desk. Every once in a while they stand up and pace while talking on a cell phone. Someone else comes in with a small white mug a few times in the day. What could we tell from all of this, even if we can never hear their calls or read their messages? We could determine they are important, an officer of the company of some sort, for the company to spend money on chairs and desks. They must have to read a lot with those lights so bright. They are a decision maker, given how many times they talk on the phone. And their routine is established if someone is bringing them a beverage like coffee or tea at several times in the day. The metadata is our observations, but the inferences can be just as important as us listening to this person’s call. And you leak this much data, and more, every day.
Google, Gmail, and Android
Google didn’t stop at reading the metadata in your email. Gathering which messages you read the most, open every time they come in, or themes of emails you focus on tells them how to market to you. But it’s not enough. Your phone generates more information than anyone in tech ever believed they would have access to. Now they can see almost everything about you. [2] They can guess when you take bathroom breaks at work based on how quickly you unlock and lock your phone! There’s so much data they can get [3] that I intend to write a later article on how I decoupled Android from Google.
Gmail accounts are used to activate Android phones now. No longer is an email address a communication medium; it’s now an identity. And it is a big one. We’ve seen a rise in account takeover attempts targeting Gmail providers. Originally it would have been used to propagate spam. Now, gaining someone’s Gmail account would give the attacker access to Google Drive and your files, your YouTube profile, and/or your Google Wallet, which stores more than just credit cards now. How could I break this connection and blend into the background without fully losing out on the modern internet (even though the Dead Internet theory is gaining more and more ground)?
PROTON
Proton has been around for a while. It started 11 years ago, and my initial impressions were “looks great for journalists and hackers. I don’t want to be associated with that”. Irony of ironies, I started my education as a journalist, and my career has led me to becoming a hacker. Life steers us that way sometimes. I couldn’t imagine a scenario where I would need encrypted email; who was emailing me anyway? That’s not what Proton Mail is actually about, though. Encrypting email between sender and receiver is great, and with today’s issues it should be the default on all email providers. PGP (Pretty Good Privacy) is a standard for email and supported by almost all, but it’s rare that it’s enabled by default. Gmail offers it, and ensures that your web client uses TLS (Transport Layer Security) to encrypt traffic to and from the web site. But as we look at it, these aren’t quite enough. TLS makes sure your laptop’s traffic isn’t intercepted as it’s reading and responding to Gmail, and PGP would prevent someone else from reading your emails unless they were either on your laptop or your recipient’s laptop. But Google doesn’t consider itself part of this issue. Once the email is decrypted on your side, it’s free for Google to read. This data sits on their servers, and you’re not downloading the message and removing it from their servers. You are actually just reading it from their system. And Google is good at determining everything about how you read your email.
Proton offers a completely encrypted mail service, encrypted even from themselves. Mailboxes are encrypted with a second password, one I created separately from my account password. No matter the device I log into, I still have to provide the mailbox password to be able to read the messages. If CBP steals my phone, manages to unlock the screen, and opens my email, they’d still have to decrypt my mailbox to read my messages. The Fourth Amendment details that they need a warrant to search my devices; providing my passwords is covered by the Fifth [4]. Finally, freedom to message.
Migrating
The migration actually was incredibly easy. Proton offers a migration tool [5] that doesn’t just copy your email over, but sets up a forwarding rule to help you find out who and where you may need to update for your email change. I had this up and running within about 5 minutes, including migrating a ton of calendar invites and the like. But this wasn’t enough for me; I’ve wanted to run my own email domain of esquiretheduke.com for quite some time. I’ve been sitting on the domain for years in AWS Route53, though it hasn’t been doing much. I self-host a lot of my personal tooling now, but email is difficult to host on a residential ISP and I don’t want to run the risk of VPS outages [6][7] or move what should be a very personal choice to a corpo-cloud.
Following Proton’s instructions [8] led to some…frustration. I prepared my DNS hosted zones with the TXT validation string provided in the console. No matter how I created the TXT record, though, Proton couldn’t pull and see the string. For four days the validation failed, never once referencing the DNS hosts and getting the full records. I tried to get it from my laptop using nslookup and saw almost nothing. I was really ready to just drop it, assuming I wouldn’t get my vanity domain…until I wondered “is this still just relying on a corpo-cloud?”
Here comes Cloudflare, my savior. [9] I performed the DNS hosting transfer within around 15 minutes, including a $10 fee to renew the host name for an additional year. I went back to Proton’s documentation and added the first TXT entry on a blank domain. Green checkmark showed up immediately…I was stunned. I created my first mailbox, MX records, and all of the mail security functions such as SPF, DKIM, and DMARC entries via copy & paste. Holy shit, I had it running almost immediately, securely, and completely under my control. I created paul at @esquiretheduke.com and set it as my new default email address in Proton. This is a domain that will follow me, linked to an encrypted email service, and completely outside the monitoring from any of the major tech corporations. A new identity, no limits.
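An offline check of the record set described above (verification TXT, MX, SPF, DKIM, DMARC), added here as an example; it is not code from this post's author, Proton or Cloudflare. The domain, hostnames, verification prefix and every record value are constructed placeholders, so substitute the strings your provider's console gives you.

```python
# Added example: sanity check of mail DNS records after copy & paste (offline).

def parse_tags(txt):
    """Split a 'k=v; k=v' TXT value (DMARC style) into a dict."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_mail_dns(domain, records, verify_prefix):
    """records: list of (name, rtype, value) tuples. Returns a list of findings."""
    norm = [(n.rstrip(".").lower(), t, v) for n, t, v in records]
    def values(name, rtype):
        return [v for n, t, v in norm if n == name and t == rtype]
    findings = []
    if not any(v.startswith(verify_prefix) for v in values(domain, "TXT")):
        findings.append("verification TXT missing at zone apex")
    if not values(domain, "MX"):
        findings.append("no MX record")
    # RFC 7208: more than one SPF record is a permanent error for receivers.
    spf = [v for v in values(domain, "TXT") if v.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"expected exactly 1 SPF record, found {len(spf)}")
    elif spf[0].split()[-1] not in ("-all", "~all"):
        findings.append("SPF does not end in -all or ~all")
    # DKIM keys sit under <selector>._domainkey.<domain> (TXT, or CNAME to host).
    if not any(n.endswith("._domainkey." + domain) and t in ("TXT", "CNAME")
               for n, t, _ in norm):
        findings.append("no DKIM selector record")
    dmarc = [v for v in values("_dmarc." + domain, "TXT") if v.startswith("v=DMARC1")]
    if len(dmarc) != 1:
        findings.append(f"expected exactly 1 DMARC record, found {len(dmarc)}")
    elif parse_tags(dmarc[0]).get("p") not in ("quarantine", "reject"):
        findings.append("DMARC policy is not quarantine or reject")
    return findings

PREFIX = "mailhost-verification="  # hypothetical prefix; all values constructed
GOOD = [
    ("example.com", "TXT", PREFIX + "PLACEHOLDER"),
    ("example.com", "MX", "10 mail.mailhost.example."),
    ("example.com", "TXT", "v=spf1 include:_spf.mailhost.example ~all"),
    ("sel1._domainkey.example.com", "CNAME", "sel1.dkim.mailhost.example."),
    ("_dmarc.example.com", "TXT", "v=DMARC1; p=quarantine"),
]
# Constructed failure: zone name appended twice, stale SPF, no DKIM, p=none.
BAD = [
    ("example.com.example.com", "TXT", PREFIX + "PLACEHOLDER"),
    ("example.com", "MX", "10 mail.mailhost.example."),
    ("example.com", "TXT", "v=spf1 include:_spf.mailhost.example ~all"),
    ("example.com", "TXT", "v=spf1 include:_spf.oldhost.example ~all"),
    ("_dmarc.example.com", "TXT", "v=DMARC1; p=none"),
]
```

Calling `audit_mail_dns("example.com", GOOD, PREFIX)` returns an empty list, while the `BAD` set yields four findings; feed it the answers you get from the zone's authoritative name servers rather than from a caching resolver.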
1. https://en.wikipedia.org/wiki/History_of_Gmail
2. https://www.wired.com/story/google-app-gmail-chrome-data/
3. https://www.androidpolice.com/google-is-stockpiling-data-about-you-heres-everything-you-need-to-know/
4. https://bannisterandwyatt.com/do-you-have-to-tell-a-police-officer-your-mobile-phone-password/
5. https://proton.me/support/switch-from-gmail-to-proton
6. https://www.cnn.com/2025/10/20/business/video/amazon-aws-outage-lance-ulanoff-digvid
7. https://www.digit.in/features/general/microsoft-azure-aws-outage-experts-warn-internet-outages-are-unavoidable.html
8. https://proton.me/support/custom-domain
9. https://developers.cloudflare.com/registrar/get-started/transfer-domain-to-cloudflare/