
Email providers should be regulated

Hi, I’m jameshfisher@gmail.com. That’s not just my address; it’s my identity. An identity that Google can take away with no notice. In this essay, I argue that email providers, like other utility providers, should be required to give 30 days’ notice before closing an account.

My email account is not just my emails. It’s my life’s work in a Bitbucket account backed by that email address. It’s all my legal contracts on DocuSign. It’s my domains on Cloudflare. It’s every friend and message on Facebook. To those companies, I am not James Fisher; I am jameshfisher@gmail.com. If Google cancels my account, they cancel me.

In functioning states, citizens have rights to essential utilities. If your bank wishes to close your account, they must give you two months’ notice. If your landlord wishes to evict you, they must give you two months’ notice. If your energy supplier wishes to cut you off, they must obtain a warrant and give you 7 days’ notice.

Identity is perhaps the most essential utility; the one that I use to access every other utility. Governments recognize the essential nature of identity, by demanding I have an email address to access their services, and by supplying outdated forms of identity, such as passports.

And yet our modern digital identity goes entirely unregulated! Google can remove you at any time, for any reason, with no notice. This terrifies me.

I believe regulation is required. Here’s the proposal: If a provider intends to close the email account of an EU resident, the provider must give 30 days’ notice by email. During this time, the account owner must be able to receive, read and reply to their emails.

This proposal is deliberately conservative. But now let’s anticipate objections, and show how weak they are.

“C’mon, you really think Google will close your account?” Let’s have a look. Most recently, Google disabled an account that was falsely flagged for child porn. A bit before that, Google disabled an account for a falsely flagged Python script. And sometimes it’s just for no reason! Every story is the same. An automated scanner finds a false positive and disables the account. The human submits a Kafkaesque ‘appeal’. The appeal is swiftly, automatically, permanently denied. The cancelled human then screams into the wind about their lost life.

“Well then, you should have used ProtonMail.” Perhaps ProtonMail is not as faceless as Google, but they have just as much right to terminate you without notice. Besides, your email address is for life, and companies change.

“Even if they close your account, you can just update your email address!” Not in general, no. For example, to log in to my Cloudflare account, they send a challenge code to my email address. Ditto any other ‘magic link’. And if you use Google’s password manager, Google can also lock you out of every account secured by a password.

“Well if you want a secure digital identity, don’t use email! Look at Estonia!” Yes, public-key crypto is a better system. But unfortunately, you don’t get to choose how society identifies you. And society has decided to use email.

“Fiiine, you need email, but email is decentralized! Just run your own!” Okay, try asking Grandpa to run Postfix. Even if he succeeds, his mail server will never be trusted to send email. Around 80% of people use Gmail.

“Won’t somebody think of the providers! The expense!” The providers are an oligopoly. This is a tiny price to pay for the right to profit off the world’s digital identities.

“Providers need to close spam accounts quickly! I hate spam!” Note that my proposal does not include the right to send emails to new addresses. This means email providers can still immediately restrict accounts that are suspected of sending spam.

“But, but you can’t regulate this!” Sure we can. We’ve regulated email since 2003. The EU forced every website to have an annoying cookie banner. Even cryptocurrency, the poster child of decentralized libertarianism, is now regulated. Compared to these, it would be a small act to force identity providers to operate with a little civility.

Do you have other objections? Let me know and I’ll tackle them here. Otherwise, let’s start fighting for the right to our identities!
