Update: The owner of CTemplar has offered further clarification for the reason why CTemplar is shutting down. The explanation has been added to the bottom of this article.
CTemplar is a secure “armored email” service that launched in 2019. Now, just three years later, the CTemplar team has announced they will be shutting down the service in May 2022.
The announcement was made on CTemplar's blog here and also shared on their Reddit channel here.
Why exactly is CTemplar shutting down?
This is the million-dollar question and nobody seems to have the exact answer. The official CTemplar Reddit account has not answered any questions as to why and has also not been active for the past seven days since the initial announcement. The blog post that announced the closure also does not list any reasons.
I have reached out to CTemplar for comment and have not heard anything back. If more information becomes available, I'll update this blog post. Until that time, however, the only thing we can do is speculate.
Here are three potential reasons that may explain why CTemplar is shutting down (pure speculation):
- Funding – Many tech companies struggle to remain financially solvent. This is especially true for small startups entering a competitive space, as we saw with CTemplar launching in 2019. Additionally, they hosted everything in Iceland, which is a very expensive location for servers.
- Government intervention – CTemplar always promised to provide an “armored email” solution for its customers, keeping user data very secure and protected. However, if a government somewhere came and demanded access to everything, one response could be to abruptly shut down.
Note: This is exactly what we saw with Lavabit back in 2013. The US government demanded encryption keys and access to the servers, but the owner decided to just pull the plug instead. - Life changes – Most people change career paths and directions in life. Many people working in the tech startup world get burnt out with trying to run a business on a shoestring budget with a small team. Who knows. This could also be a factor in the decision to shut down.
Ultimately, the reason for closing down does not really matter. Either way, we still need to go on with life and securely and privately communicate with others. So let's look at some alternatives.
Alternatives to CTemplar (email)
To start with, you can check out our roundup of the top secure email services here. There you will find a list of the best alternatives to CTemplar that provide you with some level of privacy and security.
Here are also some other secure email services we have tested and reviewed over the years:
- ProtonMail Review
- Tutanota Review
- Mailfence Review
- Mailbox.org Review
- Hushmail Review
- Runbox Review
- Posteo Review
- Fastmail Review
Note: We are currently in the process of updating all of our old reviews, particularly older reviews of email services. This all takes time and we appreciate your patience.
Who can you trust? Anyone?
Over the past few years, my confidence in secure and private email has been eroded based on real-world events. Specifically, I am talking about court cases involving various “private” email providers.
The court cases below are disappointing because they set a bad legal precedent that will apply to many other services. Looking at Germany alone, we see three big players that are affected by bad legal decisions:
- Tutanota
- Posteo.de
- Mailbox.org
2019: German courts rule that government agencies can force email services to log IP addresses
In a major blow to email privacy, a court ruled in 2019 that the private email provider Posteo can be forced to log user IP addresses for government agencies. Of course, this paves the way to even more logging and the erosion of privacy. ZDNet covered the situation in this article a few years ago.
2020: German courts decide governments can force private email services to log email content in real-time
This specific court case involved Tutanota and it required them to log and record incoming and outgoing emails and provide this data directly to authorities. We discussed the situation in the Tutanota review, but it was also covered in various news reports:
“According to the ruling of the Cologne Regional Court, we were obliged to release unencrypted incoming and outgoing emails from one mailbox,” Pfau told The Register. “Emails that are encrypted end-to-end in Tutanota cannot be decrypted by us.”
It's important to note that this is not a blanket ruling for all Tutanota users, and instead was only required for specific accounts named in court proceedings.
Nonetheless, it is a major blow to privacy and this marks a legal precedent that can be used against all other German email providers.
2021: ProtonMail forced to log IP addresses
Is Switzerland really a secure, safe, and private jurisdiction for email services?
Well, it's a lot better than the US, UK, and Australia — but it's not perfect.
As we noted in the ProtonMail review, every email provider must comply with government laws and regulations in the country in which it operates. ProtonMail sells itself as a private email service, but ProtonMail also logs users for various government entities.
In this specific case, French authorities simply went through Swiss courts to get ProtonMail to log the IP address on an account suspected of engaging in criminal activity. ProtonMail complied and the user was subsequently arrested by French police.
Unfortunately, when digging deeper, we found this is not an anomaly. To their credit, the people behind ProtonMail provide us with a Transparency Report detailing these types of cases. Unfortunately, we can see in the transparency report that there are thousands of such logging cases.
Now look at that number above in the right column: 3,017 “orders complied with” for 2020 alone!
What will the number be for 2021? What will it be for 2022? The trend is not looking good.
Returning to CTemplar, perhaps they were getting bombarded with government data requests, court orders, and/or demands for user data. Dealing with these data requests and navigating the legal complexities would certainly be daunting, especially when three-letter-agencies come knocking…
Secure messaging services for more privacy and security
Secure, end-to-end encrypted messaging apps are probably your best option for private communications. While email is a necessity for day-to-day life and an online presence, you can still look to other alternatives when privacy is paramount.
We have a guide on good encrypted messaging apps here. And if you want to dive deeper on this topic, then check out these encrypted messenger reviews:
These messaging apps may be a good alternative to CTemplar if you want to avoid email for truly private conversations.
So should you just go back to a free Gmail account?
Answer: no.
At least with the email provider examples above, your account is not getting monitored 24/7 by advertisers and other various third parties. A little bit of privacy is much, much better than zero privacy. And it's worth paying for as well.
And using one of the big, mainstream email providers probably gives blanket access to any agency that wants it. A recent Bloomberg report highlighted just how much the FBI requested data on Americans:
The FBI searched emails, texts and other electronic communications of as many as 3.4 million U.S. residents without a warrant over a year, the nation’s top spy chief said in a report.
If you are using an overseas email provider that promises more privacy, there is a much larger barrier for access. In other words, it would be a lot harder for the FBI to go through German courts and get logging requests for a Tutanota user than it would be to call the folks at Gmail and get fast access.
Lastly, if you aren't doing anything to attract bad attention, you likely don\'t have much to worry about. Recall again that with all of the cases above, the different agencies involved were only targeting specific users, not every user of the email service.
Use a VPN and other privacy tools to secure your data
When you log into an email account, or any account online for that matter, you expose your IP address to the world. To solve this problem, you really need to be using a good VPN service. This will hide your real IP address and location and replace it with the VPN server's IP address and location.
Furthermore, if you are using a good VPN and happen to be the target of an IP address logging situation, like the ProtonMail user we mentioned earlier, then IP address logging will not reveal anything. Instead, it will simply trace back to a data center somewhere and a VPN server that is being used by thousands of other VPN users. No big deal.
Of course, there are many other factors that you need to consider when selecting the right privacy tools for different adversaries and threat models, but a good VPN is particularly important for basic online privacy. This is especially true since your internet service provider is probably logging everything you do online and handing this information over to other various agencies.
Returning to CTemplar, it's too bad to see the decision to pull the plug. Nonetheless, there will continue to be other good alternatives and solutions you can start using today to keep your data more secure.
UPDATE: CTemplar can no longer guarantee the security of user accounts
The owner of CTemplar, recently sent out an explanatory email to CTemplar users that provides further clarification for why the service is shutting down. Here is the explanation (emphasis is mine):
Some of you have asked why we’re shutting down. There are several reasons, but I will suggest one of them to you. When we created this service, we made a promise to ourselves that we would shut down the email service if we couldn’t guarantee our security claims to our users. That day has come, and we would rather shut this service down than make security changes that would have been harmful to you.
Digging deeper, this may be a situation similar to Lavabit in 2013, where high-profile targets were using the service and government agencies demanded access to go after them. I know of two high-profile ransomware gangs that were using CTemplar email, but this is only speculation.
Here is a screenshot of the announcement:
Updated on May 20, 2022.
T-Mobile Users Affected by 2021 Data Breach at Risk of Identity Theft and Fraud
I was sad to see ctemplar go. It held a lot of promise.
One thing I’m in the process of doing is setting up an e-mail address that I will only use for communications with banks and credit cards and for notifications from them. The address would never be used anywhere else.
Also, the PGP key for the address would be entered on the key server https://keys.openpgp.org since they do not let someone perform a blanket search for addresses. Someone could use it to retrieve my PGP key for the address if and only if they already have the address.
The idea is that once I get the e-mail addresses switched over for the banks and credit card companies, when I get an e-mail from the bank or credit card about an issue, if it is not to that address, I will immediately know that it is bogus and a scam.
It would help more if the banks and credit card companies would digitally sign their messages so that with the public key on my computer, any bogus message would really stand out.
Currently, I have a separate account on my workstation that is only used for checking banks and credit cards on-line. In the very near future, I intend to migrate that to another computer that will be almost entirely used for the one purpose.
By the way, I have recently seen that Vivaldi has e-mail hosted out of Iceland. I got a vivaldi.net account and it seems to handle PGP pretty well. Is this something new or has it been around a while? If it is new, I wonder if they might have acquired and repurposed ctemplar.com for this.
I still have the Ctemplar iOS app installed; I can not login (500 error), however, I’ll still get push notifications every time an email is sent to the mailbox.. this would indicate they have NOT shutdown and “deleted” everything.
Thoughts?
hi, my sister and i signed up for proton mail at least two years ago, but had a bad feeling bout it. then one time was checking my account to see if my forwarded emails had arrived, and right in front of my EYES i saw someone was deleting my emails one by one in front of me. One by one that vanished while I was looking at the screen!! lol
so tried ctemplar, and went in to my account one day to find 30 of my emails had been stolen! they wernt there any more!! just wow….lo
Great website!! all the best!
Southern Hemisphere xo
That would lead me to believe you have a virus/keylogger on your system or your passwords are very weak and have been leaked rather than someone from Proton or CTemplar was doing it.
Non-Swiss ownership (undisclosed) was an issue with the vpn & I’m sure, the same would be a factor with the iOS app. Browser logins not as bad- but as you’ve pointed out visibly the bugs are there. Keystroke type gestures seemed to also be a problem in-app.
Glowie great try
I recently opened a Tutanota account, I mainly use email for subscription in other online services, i hardly even message anyone, but still i was affraid google was logging everything I was doing around the net in Gmail, since I use it to receive all my online accounts verification/notification messages, it essentially became a window to my online life, that`s why i decided to go for Tutanota, but now I`m concerned it may someday shutdown as well, and make me lose all my accounts registered using it, I`m thinking about whether should I stick with Gmail despite the privacy flaws or trust Tutanota will stay forever operating , I cant afford paying any email so I`m stuck . Google`s privacy policy states it does not scan Gmail for advertising, and i have smart features disabled , plus my messages aren`t sensitive, like i said only use Email for online subscription.
You can check out these free and ad-free email alternatives like Proton, Mailfence, Zoho, Infomaniak and Vivaldi. Also, you may consider using email forwarding / alias service like SimpleLogin along with your email of choice.
Mailbox has released its transparency report for 2021:
https://mailbox.org/en/post/transparency-report-2021
Quite a lot of requests, and many were correct (–> complied with).
For secure messaging services for more privacy and security, I suggest considering https://jami.net
It is a Libre Software (Open Source). And a drop-in replacement for Skype. Jami focus on privacy and security.
I was using the Ctemplar app on iPhone (it wasn’t good btw) and purely by chance saw an article about the closure on the web. No info from the company. So now I have to migrate all contacts and download emails by 26/5. If I hadn’t seen the article by chance I’d have lost all my email. Pretty inconsiderate of the company I think.
I’m not surprised they are shutting down if the quality of the iOS app is a general reflection of their service.
I had Protonmail for 5 years, Tutanota for 2 years, Runbox for 1,5 years and Ctemplar for 2 years.
I lost my trust in Protonmail as they act as a US honeypot. The whole lie about the mail regarding the plane to Belarus was the last straw.
The 3 others had so many problems and bugs that I gave up the last one 2 weeks ago.
Now I have my 2 custom domains at iCloud+. At least I get my mails every time now. I have simply giving private emails up. There is not such a thing btw.
I am still with Tutanota. Though I agree with you, mail should be used only when it’s absolutely necessary. But that’s the case with internet in general. The less time you spend online, the better for your data and privacy.
Is disroot, like privacy email in general?
I don’t know where to post this, so I’ll put it here…
I think it is important to include the behavior of the installed VPN apps in the reviews (like for any other privacy app, if people are serious about online privacy, tracker blocking, fight against data harvesting etc.). For example, two most popular VPN apps here are constantly “sending” trackers to Google and Facebook. You can test this pretty simply, by installing a good open source DNS firewall, like AdGuard or Lockdown.
This must trigger question about credibility of these services, what they promise and what they do behind the scenes. For me, this is thumb down really. You can find better audited (tested) apps in that regard.
Thank you for keeping this place open for different opinions.
Hi Bronco,
I am a Windows user and don’t know much about Apple devises.
I note your comment about RP being an open place and agree with you.
In your testing, what makes you sure that it is the VPN app sending info rather than other apps on your devise? Do the tools establish the offending app?
I had a look at what who is is making connections from my devise and it is 90% MS. I saw nothing that would point me to my VPN provider.
With Respect,
BoBeX
Hi Bobex
I have tried to make some points and draw a conclusion. You can’t fill your apps and your website with trackers if you are a privacy company, full stop. No excuses and no reliable explanation if you are constantly track your user, like Surfshark and Nord does (in mobile apps). I know it’s about their profit, but if I want to be a price I wouldn’t use VPN. So it is very important matter to me, the trust in the company. For example, Mullvad and IVPN are much more straightforward, no trackers, and their privacy policies are clear. So the bigger guy is not always the better in privacy space. It’s often opposite, as we can see…
Most vpns now have WebRTC leaks, including mullvad (if you can ever get it to work) and IVPN. Only thing one can do is get yet ANOTHER app that tests, prevents or limits/minimizes leaks.
–or–
as another here suggests, limit your use of the web; acknowledge beforehand you’re being followed, and act accordingly; or use deliberate subterfuge.
signed, (not my real name nor email address)
BoBeX & Sven
It’s known:
“When we created this service, we made a promise to ourselves that we would shut down the email service if we couldn’t guarantee our security claims to our users.
Sven maybe it was a scenario like lavabit or maybe it lays within something rooted in their claimed – 4 Wall Protection. Since changed?
[https://web.archive.org/web/20200103135929/https://blog.ctemplar.com/ctemplar-4-wall-protection/]
BoBeX here’s their 4 wall breakdown.
Has anything of these noted below…changed within these places or with the revelant facts that Ctemplar pointed out in giving them their armor?
Wall 1: #2
Icelandic law protects us deleting all logs of your metadata.
Wall 2: #2
End to End Encryption” using javascript has flaws. The CTemplar team was the first to solve the flaws making our End to End Encyprtion the very first “Zero Access”.
Wall 3: #1,#2,#3
#1 Iceland has no data retention laws that apply to webmail. When you press “delete” it’s instantly deleted.
#2 Iceland legally allows us to offer total anonymity.
#3 Iceland is outside the “14 Eyes” and has no US MLAT Treaties.
Wall 4: #1, #2
#1 We formed the company in Seychelles because it gives the maximum protection for company records in the world.
#2 We do not record or list any of our users data for corporate reasons and our Seychelles corporation legally allows this.
Now that I recall, wasn’t Ctemplar early to boast that it maintained a legal department to keep watch on privacy laws world-wide for changes that affected their business and service wise to their users?
I think it’s a combo of a few tough realities that surfaced and their dream didn’t meet their lifestyle anymore.
Hey let’s let the criminals take over. If you don’t stand for something, you’ll fall for anything – – like internet privacy.
Good summary Lelow. I read somewhere that the founder and/or key team members were residing in the US (not Iceland). Maybe they got the heat?
Hi RP Community,
More info on the degrading of privacy in Australia…
(And elsewhere so it appears)
https://www.abc.net.au/news/science/2022-05-06/workers-returning-to-offices-covid-surveillance-software/101019128
Hi RP Community,
I hadn’t used CTemplar and I don’t know what is meant by “armored email.”
Is “armored email” an industry term or a CTemplar specific term?
Regards,
BoBeX
Hi BoBeX, I think it’s just a marketing term, kind of like “military grade encryption” that we see being used with VPNs.
Well. You’ll need to create and use a static VPN address or you’ll run into account access issues. To combat ads you should use an adblocker.
I don’t think you made a solid or good case to pay for any email service. I’ll be watching should you’re able to convince me.
Another reasons:
1. Loosing all data, means client emails last year, 2021.
2. Bad customer service.
3. A lot of bugs, so many that I couldn’t work with it……as you can see the comments at your Templar review I’m not alone.
4. High price.
Wonderful, it seemed like the only decent email provider without any history of bending the knee.
For me Protonmail is a no go considering the history listed here and not; Tutanota is much the same.
Not really certain which to go to since a I need a free account, any suggestions?
I went to Disroot, locked everything down with PGP, and then routed all my emails through Anonaddy (I had already done the Anonaddy thing for CTemplar, so I just needed to enter the new Disroot email address and give them the public key).
I’m not sure what app you’ll need to access them on Android, but you can set up the Canary app to work with it on iOS (just be sure to use Fetch notifications – Push notifications require your login credentials to be kept on Canary’s servers, while Fetch notifications keep them on your device).
Good luck!
Not sure how far your “locked everything down with PGP” will really go. In a TV program about fighting the Moroccan mafia in The Netherlands it was stated that investigators were able to decrypt PGP.
https://en.wikipedia.org/wiki/Moroccan_mafia#Communication_through_PGP
While it is good that crimes could be prevented, however it is still sobering that PGP was decrypted, even if it is not said how they did/do it.