Update: The owner of CTemplar has offered further clarification for the reason why CTemplar is shutting down. The explanation has been added to the bottom of this article.
CTemplar is a secure “armored email” service that launched in 2019. Now, just three years later, the CTemplar team has announced they will be shutting down the service in May 2022.
Why exactly is CTemplar shutting down?
This is the million-dollar question and nobody seems to have the exact answer. The official CTemplar Reddit account has not answered any questions as to why and has also not been active for the past seven days since the initial announcement. The blog post that announced the closure also does not list any reasons.
I have reached out to CTemplar for comment and have not heard anything back. If more information becomes available, I’ll update this blog post. Until that time, however, the only thing we can do is speculate.
Here are three potential reasons that may explain why CTemplar is shutting down (pure speculation):
- Funding – Many tech companies struggle to remain financially solvent. This is especially true for small startups entering a competitive space, as we saw with CTemplar launching in 2019. Additionally, they hosted everything in Iceland, which is a very expensive location for servers.
- Government intervention – CTemplar always promised to provide an “armored email” solution for its customers, keeping user data very secure and protected. However, if a government somewhere came and demanded access to everything, one response could be to abruptly shut down.
Note: This is exactly what we saw with Lavabit back in 2013. The US government demanded encryption keys and access to the servers, but the owner decided to just pull the plug instead.
- Life changes – Most people change career paths and directions in life. Many people working in the tech startup world get burnt out with trying to run a business on a shoestring budget with a small team. Who knows. This could also be a factor in the decision to shut down.
Ultimately, the reason for closing down does not really matter. Either way, we still need to go on with life and securely and privately communicate with others. So let’s look at some alternatives.
Alternatives to CTemplar (email)
To start with, you can check out our roundup of the top secure email services here. There you will find a list of the best alternatives to CTemplar that provide you with some level of privacy and security.
Here are also some other secure email services we have tested and reviewed over the years:
- ProtonMail Review
- Tutanota Review
- Mailfence Review
- Mailbox.org Review
- Hushmail Review
- Runbox Review
- Posteo Review
- Fastmail Review
Note: We are currently in the process of updating all of our old reviews, particularly older reviews of email services. This all takes time and we appreciate your patience.
Who can you trust? Anyone?
Over the past few years, my confidence in secure and private email has been eroded based on real-world events. Specifically, I am talking about court cases involving various “private” email providers.
The court cases below are disappointing because they set a bad legal precedent that will apply to many other services. Looking at Germany alone, we see three big players that are affected by bad legal decisions:
2019: German courts rule that government agencies can force email services to log IP addresses
In a major blow to email privacy, a court ruled in 2019 that the private email provider Posteo can be forced to log user IP addresses for government agencies. Of course, this paves the way to even more logging and the erosion of privacy. ZDNet covered the situation in this article a few years ago.
2020: German courts decide governments can force private email services to log email content in real-time
This specific court case involved Tutanota and it required them to log and record incoming and outgoing emails and provide this data directly to authorities. We discussed the situation in the Tutanota review, but it was also covered in various news reports:
“According to the ruling of the Cologne Regional Court, we were obliged to release unencrypted incoming and outgoing emails from one mailbox,” Pfau told The Register. “Emails that are encrypted end-to-end in Tutanota cannot be decrypted by us.”
It’s important to note that this is not a blanket ruling for all Tutanota users, and instead was only required for specific accounts named in court proceedings.
Nonetheless, it is a major blow to privacy and this marks a legal precedent that can be used against all other German email providers.
2021: ProtonMail forced to log IP addresses
Is Switzerland really a secure, safe, and private jurisdiction for email services?
Well, it’s a lot better than the US, UK, and Australia — but it’s not perfect.
As we noted in the ProtonMail review, every email provider must comply with government laws and regulations in the country in which it operates. ProtonMail sells itself as a private email service, but ProtonMail also logs users for various government entities.
In this specific case, French authorities simply went through Swiss courts to get ProtonMail to log the IP address on an account suspected of engaging in criminal activity. ProtonMail complied and the user was subsequently arrested by French police.
Unfortunately, when digging deeper, we found this is not an anomaly. To their credit, the people behind ProtonMail provide us with a Transparency Report detailing these types of cases. Unfortunately, we can see in the transparency report that there are thousands of such logging cases.
Now look at that number above in the right column: 3,017 “orders complied with” for 2020 alone!
What will the number be for 2021? What will it be for 2022? The trend is not looking good.
Returning to CTemplar, perhaps they were getting bombarded with government data requests, court orders, and/or demands for user data. Dealing with these data requests and navigating the legal complexities would certainly be daunting, especially when three-letter agencies come knocking…
Secure messaging services for more privacy and security
Secure, end-to-end encrypted messaging apps are probably your best option for private communications. While email is a necessity for day-to-day life and an online presence, you can still look to other alternatives when privacy is paramount.
We have a guide on good encrypted messaging apps here. And if you want to dive deeper on this topic, then check out these encrypted messenger reviews:
These messaging apps may be a good alternative to CTemplar if you want to avoid email for truly private conversations.
So should you just go back to a free Gmail account?
At least with the email provider examples above, your account is not getting monitored 24/7 by advertisers and other various third parties. A little bit of privacy is much, much better than zero privacy. And it’s worth paying for as well.
And using one of the big, mainstream email providers probably gives blanket access to any agency that wants it. A recent Bloomberg report highlighted just how much data on Americans the FBI requested:
The FBI searched emails, texts and other electronic communications of as many as 3.4 million U.S. residents without a warrant over a year, the nation’s top spy chief said in a report.
If you are using an overseas email provider that promises more privacy, there is a much larger barrier for access. In other words, it would be a lot harder for the FBI to go through German courts and get logging requests for a Tutanota user than it would be to call the folks at Gmail and get fast access.
Lastly, if you aren’t doing anything to attract bad attention, you likely don’t have much to worry about. Recall again that with all of the cases above, the different agencies involved were only targeting specific users, not every user of the email service.
Use a VPN and other privacy tools to secure your data
When you log into an email account, or any account online for that matter, you expose your IP address to the world. To solve this problem, you really need to be using a good VPN service. This will hide your real IP address and location and replace it with the VPN server’s IP address and location.
Furthermore, if you are using a good VPN and happen to be the target of an IP address logging situation, like the ProtonMail user we mentioned earlier, then IP address logging will not reveal anything. Instead, it will simply trace back to a data center somewhere and a VPN server that is being used by thousands of other VPN users. No big deal.
Of course, there are many other factors that you need to consider when selecting the right privacy tools for different adversaries and threat models, but a good VPN is particularly important for basic online privacy. This is especially true since your internet service provider is probably logging everything you do online and handing this information over to other various agencies.
Returning to CTemplar, it’s too bad to see the decision to pull the plug. Nonetheless, there will continue to be other good alternatives and solutions you can start using today to keep your data more secure.
UPDATE: CTemplar can no longer guarantee the security of user accounts
The owner of CTemplar recently sent out an explanatory email to CTemplar users that provides further clarification for why the service is shutting down. Here is the explanation (emphasis is mine):
Some of you have asked why we’re shutting down. There are several reasons, but I will suggest one of them to you. When we created this service, we made a promise to ourselves that we would shut down the email service if we couldn’t guarantee our security claims to our users. That day has come, and we would rather shut this service down than make security changes that would have been harmful to you.
Digging deeper, this may be a situation similar to Lavabit in 2013, where high-profile targets were using the service and government agencies demanded access to go after them. I know of two high-profile ransomware gangs that were using CTemplar email, but this is only speculation.
Here is a screenshot of the announcement:
Updated on May 20, 2022.