Avoid Surveillance With Helm, a Home Server Anyone Can Use to Keep Emails Truly Private

Helm is a well-thought-out product that’s as easy to set up as a smartphone. It costs $500, plus $100 per year.

Helm, a triangle-shaped personal server that can host email, contacts, calendar, and a file server. Photo: Helm

During a group dinner in a small town in Norway in 2015, at an international conference for investigative journalists, a Ukrainian reporter told me that he used both Gmail and Mail.ru, Russia’s most popular email provider. “Every time I write an email,” he said, “I have to decide if I want Obama to read it, or if I want Putin to read it.”

It may be hyperbolic to suggest that world leaders personally comb through individual email accounts, but the reporter’s point stands: When you use services like Gmail, Mail.ru, Facebook, Dropbox, Slack, or any other site that stores your data, they will hand your private information to governments when compelled to do so and in some cases, merely when asked. Last year, the Supreme Court ruled that the government usually needs a warrant to access private data held by third-party companies. But even with new legal protection, email remains all too easy for governments to quietly obtain. Many companies, like Facebook, have shared personal information even more widely, with private entities. When your personal data is stored on a company’s servers, as with the email in your Gmail account, there are no technical barriers to the host company sharing it when it sees fit.

Google provided private information to government agencies around the world more than 60,000 times in 2017, often turning over data from multiple Google accounts at once, according to its transparency report. And that doesn’t include over 100,000 Google accounts from which the company gave data in response to secret orders from the Foreign Intelligence Surveillance Court, a U.S. national security tribunal whose meetings and decisions are kept from the public. Mail.ru doesn’t provide a transparency report, but the situation is no doubt much worse in Russia: All Russian internet companies are required to retain data they collect about their users and to hand it to FSB, a Russian spy agency, if asked.

If you want an email account that’s actually private, one solution is to run your own email server from your house. This way, if governments want to secretly ask your email provider for a copy of your inbox, they’ll have to ask you.

Until now, this hasn’t been a viable option for most people: Not only would you need an extra computer to act as a home email server, but you’d also need enough system administration skills to install, configure, and secure this server. In addition, you’d need to deal with headaches related to your broadband internet provider; such providers typically try to block email servers by interfering with connections to a particular networking channel, port 25, associated with mail delivery. After you solved that problem, you’d need to configure your router to forward inbound email deliveries to your server. Then you’d need to register a domain name where your email address will live, and then point that domain to your email server using a system known as DNS. This is complicated by the fact that most residential internet addresses change on a regular basis. And as much work as it is to initially set up this home email server, it’s even more work to maintain it over time — to promptly install security updates, set up monitoring so you’ll be notified when something breaks, block spam, and avoid getting your server added to spam block lists.

With the release of Helm, that has changed. Helm is a triangle-shaped personal server that can host email (on your own custom domain name), contacts, calendar, and a file server, and is about as easy to set up as a new smartphone. For being basically a sophisticated product for hosting your most private data — where there are many opportunities to screw up — Helm’s technical choices and business model are surprisingly well-thought-out. All you need is internet access at your home and an iPhone or Android phone to configure it.

The biggest hurdle prospective users will face, I suspect, is the price: You have to drop $500 to buy Helm to get started, and then pay a $100 per year subscription to continue using its cloud gateway and encrypted backup components.

I’ve been hosting my personal email, micah@micahflee.com, on a Helm device plugged into my router in my living room for several months now. Here are some of the things I’ve learned, starting with what it’s like to switch to Helm, then an assessment of Helm security, a comparison to Gmail, a nitty-gritty examination of how Helm works technically, a look to the future of Helm, and some important caveats about the product and the policies and realities around it.

My Helm device, with the power cable, ethernet cable, recovery key, sticker, and my cat Nova (not included).

Photo: Micah Lee/The Intercept

Switching to Helm

The first step to switching to Helm is picking out the domain name you want to use for your new personal email address — in my case, micahflee.com. After ordering my Helm, I received simple instructions on how to proceed.

Properly configuring a domain name for an email server is complicated, and misconfigurations can cause other email servers to suspect that you’re running a spam operation. To avoid this, and to make it simpler for users, Helm handles the DNS for your domain name for you. If you ever need to update your domain name’s DNS records, you can do it from the Helm mobile app.

If you don’t already own a domain name, you can get one while buying your Helm; all the fees associated with buying and renewing the domain name are included in the price. If you do already own a domain, you’ll need to log in to your registrar’s website and update your domain to point to DNS servers that Helm controls; Helm will handle the rest. If you host a website on your domain name — like I do with micahflee.com — you’ll also need to let Helm know about it first. (Helm supports multiple domain names, but this feature was added after I tried the product.)

The next step is waiting for the Helm device to ship to your house. Once mine arrived, I had it up and running in about 10 minutes, with an additional hour and a half to migrate all of my email from my old provider into my Helm.

Following the instructions, I plugged the Helm device into a power outlet in my living room, next to my Wi-Fi router. I connected the Helm to the router using the ethernet cable (you can also connect your Helm to your router over Wi-Fi, but ethernet is more reliable, faster, and more secure). And I installed the Helm mobile app on my Android phone, turned on Bluetooth, and paired with the Helm.

A quick note about the Android app: When I first opened the Helm app, it asked for permission to use my location. “This is an unfortunate requirement from Android since our app uses Bluetooth to pair with the Helm,” Helm CEO Giri Sreenivas told me. Apparently, Android apps can’t have Bluetooth permission without also requesting location services permission. “We do not note or store any location information.” The iOS app does not have this issue.

Screenshot from Helm’s Android app after pairing over Bluetooth with my Helm device.

Screenshot: The Intercept

The next page asks for your activation code, which I already had in an email from Helm. After typing it in, the Helm app walked me through creating an administrator username and password for my domain, micahflee.com.

Setting up the administrator account.

Screenshot: The Intercept

After creating an account, the app prompts you to insert the “recovery key” into the Helm device. This is part of Helm’s strategy to make sure you can access your data in case of disaster — like if you spill soda all over your Helm or your house burns down. If you ever need to restore your encrypted backups to a new Helm device, you’ll either need your logged-in phone or this recovery key. And if you get a new phone, you’ll need this recovery key to log in to the Helm app as your administrator user again.

Saving the recovery key.

Screenshot: The Intercept

Saving the recovery key.

Photo: Micah Lee/The Intercept

After getting your recovery key squared away, put it in a safe location where you won’t lose it. I suggest a safe, if you have one, or a locked drawer.

The next step is to configure email on your devices, like your phone and laptop. Each device gets its own unique, unguessable password to log in to your email. Unlike many email services, Helm doesn’t support web mail — you must use a standard email client, like the one built into your phone or laptop’s operating system, or like Mozilla Thunderbird.

Adding a new device to my Helm account.

Screenshot: The Intercept

After I set up Thunderbird to connect to my new home email server, I was presented with an empty inbox. About one minute later, I received my first email to my home email server. As soon as I activated my Helm device, incoming email for micahflee.com stopped getting delivered to my old provider and started getting delivered to my Helm.

The next step is importing your old email. Before going into how I did that, here is a quick aside: I used Gmail a decade ago. But as a privacy advocate, I was keenly aware that Google had access to all my email and couldn’t be relied on to protect it from government requests. This anxiety was heightened in 2013, around the time that National Security Agency contractor Edward Snowden blew the whistle on the NSA’s overreach, revealing, among other things, that the agency had “direct access” to the servers of major U.S. companies, including Google, through a mass surveillance program known as PRISM.

So I went searching for an email provider I felt I could trust more. Since then, I’ve hosted my email with a handful of small entities that, while lacking Google’s massive engineering, security, and usability resources, I judged were much more likely to protect my email from government requests based on their privacy policies and, in some cases, conversations with staff at these providers. These included Riseup, a tech collective that hosts communication tools for activists; Electric Embers, a tiny Bay Area worker-owned cooperative; ProtonMail, a Swiss-based encrypted email provider; and Soverin, a tiny privacy-focused email provider based out of Amsterdam. (Unlike most email providers, Riseup and ProtonMail store your email encrypted to your password, but there’s still a lot of information they could provide to a government if compelled, including all your email metadata.)

Back in the Helm app, I started the process of importing my email from Soverin. I chose to import from Soverin’s IMAP server, so I had to supply an IMAP hostname, as well as my Soverin username and password. The process is even simpler if you’re switching from Gmail or Yahoo Mail.

Importing email from my old provider to my Helm.

Screenshot: The Intercept

It took about an hour and a half to download all of the emails from my old provider. When it was done, I logged into my Soverin account and deleted all of my email from its server. At this point, I was successfully self-hosting my email from my house! (If you’re changing email addresses while switching to Helm, like if you’re switching from a gmail.com address to a custom domain name, you’ll also want to configure your old email account to forward emails to your new address and set up an auto-responder message that tells people who email you that you’re using a new email address.)

Importing email from your old provider into Helm is simple and straightforward. But contacts and calendar, on the other hand, are quite a bit more complicated (after much troubleshooting, I ended up adding both my new and old contacts and calendar accounts to Evolution, a Linux-only email app, then exported data from my old accounts and imported it into my new accounts). I’d love to see future versions of Helm make migrating your contacts and calendar just as simple as it is to migrate your email.

How Secure Is Helm Against Hackers?

When you talk about the security of an email server, you’re really talking about two separate things: The security of individual user accounts and the security of the technical infrastructure itself, which includes server software choices, system hardening, monitoring, intrusion detection, incident response, and the operational and endpoint security of system administrators.

I believe that Helm’s technical infrastructure is well-engineered from a security perspective. It uses best practices (I go into greater detail in the “under the hood” section below), I don’t see any obvious flaws, and, though I haven’t made a thorough comparison, it appears to offer security similar to that of most small, well-run email providers. Basically, the only attackers who can get in are those armed with expensive zero-day exploits — exploits that rely on bugs that the software-makers themselves don’t even know exist and thus have not been able to release security updates for. An attacker would need to find a zero day for software Helm is known to run, like Dovecot, the open-source email server. The vast majority of attackers will remain locked out.

That said, there are some security tradeoffs involved with using Helm and some areas in which the system’s security could be improved.

If someone does manage to hack your Helm, you probably won’t notice, unfortunately. Sreenivas told me that Helm doesn’t have an intrusion detection system at this time. “We plan to summarize failed attempts in a weekly digest email,” he told me, “but alerting on actual intrusion is something we haven’t defined yet.”

Additionally, running a home server increases the risk to your home network. If someone successfully hacks your Helm, they could pivot from it, probing laptops, smartphones, and other devices in your house for weaknesses. But I don’t think this is much riskier than connecting your laptop or smartphone to a public Wi-Fi network, where anyone else on the network could try attacking your device.

Also, while Helm’s infrastructure is pretty good, you will get more robust security protections from a major enterprise like Google, which has a team dedicated to hunting, and fixing, zero-day exploits and warns you when state-sponsored hackers try to compromise your account.

Unlike Google, however, Helm will never share your emails with anyone or scan them to target advertisements at you, because it can’t. By design, the Helm company simply doesn’t have access to your email. So while Helm is probably not as secure as Gmail, it’s vastly more private.

What’s more, individual Helm email accounts are more secure than individual Gmail accounts, I would argue. Unlike with Google, and most other web-based services, hackers can’t use spearphishing to compromise your Helm account. It’s possible to lock down your Google account to defend against spearphishing, but accounts aren’t locked down by default, and adding security measures like 2-Step Verification, which I recommend every Google user enable, makes it more annoying to use on a daily basis.

Before I go into how Helm account security works, first let me describe how spearphishing works. One of the most consequential email hacks in recent history happened against a Gmail account in March 2016. Officers working for GRU, Russia’s military intelligence agency, sent the following email to Hillary Clinton’s 2016 presidential campaign chair John Podesta.

A reconstruction of the spearphishing email that GRU officers used to compromise John Podesta’s Gmail account.

Image: Courtesy of Matt Tait

While it looked legitimate, it was far from it. When Podesta clicked the “change password” button, it actually linked to the URL shortener service Bitly, which redirected to a fake Gmail login page hosted at the domain myaccount.googlecom-securitysettingspage.tk. This fake address was the only visual indication that this was a spearphishing attack.

A reconstruction of what the spearphishing website that was used to steal Podesta’s Gmail password looked like.

Image: Courtesy of Matt Tait

Like most people would, Podesta typed his password into the hackers’ convincing fake page. After GRU officers successfully gained access to his Gmail account, federal officials have said, they used their fake Guccifer 2.0 persona to send a copy of his inbox to WikiLeaks, which began publishing the messages at key points during the 2016 election.
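The only visual tell in that attack was the hostname, which is also the one thing a mail gateway or browser-side check can compare mechanically against the domains allowed to ask for a given password. The following is an added example, not code from the original article; the trusted-domain list, the function names and the URL paths are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the only domain allowed to ask for the Google password.
TRUSTED_LOGIN_DOMAINS = {"google.com"}


def hostname_of(url):
    """Return the lowercase hostname the browser would actually connect to."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def is_trusted(host, trusted=TRUSTED_LOGIN_DOMAINS):
    # Exact match or a true subdomain. A substring test would accept
    # "googlecom-securitysettingspage.tk" style hosts.
    return any(host == d or host.endswith("." + d) for d in trusted)


def brand_tokens(trusted=TRUSTED_LOGIN_DOMAINS):
    """Strings a lookalike host tends to embed, e.g. 'google' and 'googlecom'."""
    tokens = set()
    for domain in trusted:
        labels = domain.split(".")
        tokens.add(labels[-2])
        tokens.add("".join(labels))
    return tokens


def classify_login_url(url, trusted=TRUSTED_LOGIN_DOMAINS):
    """Return 'trusted', 'lookalike', 'untrusted' or 'invalid' for a login URL."""
    host = hostname_of(url)
    if not host:
        return "invalid"
    if is_trusted(host, trusted):
        return "trusted"
    if any(token in host for token in brand_tokens(trusted)):
        return "lookalike"  # borrows the brand name but is a different domain
    return "untrusted"


def classify_redirect_chain(urls, trusted=TRUSTED_LOGIN_DOMAINS):
    """A URL shortener hides the destination, so judge the last URL in the chain."""
    return classify_login_url(urls[-1], trusted)


# Constructed samples. Only the phishing hostname comes from the article.
PHISH = "http://myaccount.googlecom-securitysettingspage.tk/constructed-path"
SAMPLES = [
    PHISH,
    "https://myaccount.google.com/security",
    "https://google.com.example.net/",
    "https://accounts.google.com@login.example.net/",  # userinfo, not the host
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify_login_url(sample):10} {hostname_of(sample)}")
    print(classify_redirect_chain(["https://bit.ly/constructed", PHISH]))
```

The check is only meaningful on the final landing URL, so a gateway has to resolve shortener redirects before classifying.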

In contrast, here’s how Helm security works. Managing your Helm account and devices is done exclusively through the mobile app and initially requires what the company calls “proximity-based” authentication: To associate your smartphone with the Helm, you need your username and password, and you also need to physically be in the same room as the Helm so you can pair with it over Bluetooth, which will create a shared authentication token between the Helm and the smartphone. So even if you use a weak password, or reuse the same password for Helm that has appeared in a data breach, attackers can’t log in to your account without getting physically close enough to your Helm to pair with it. Once you log in to the app, you stay logged in and generally won’t need to log in again unless you get a new phone. This means you do not need to be in the same room as the Helm merely to access your email, calendar, or other services.

(Proximity-based authentication has its downsides: If you want to give a friend who lives in another part of the world a user account hosted on your Helm, they’ll need to come visit you in person to log in to their account for the first time, and again every time they switch phones.)

After logging into your account, you can add and delete devices that you’ll use to access your email. Each of these devices has a secure, unique device password such as “3mdxmh23kzjkv6hs.” For example, the password I use on my phone is different than the one I use on my laptop. If I get a new phone, I’ll delete the device name associated with it (“trackingdevice”), revoking access from my old phone, and I’ll add a device for my new phone, which will have its own unique name and password.

Managing my email account in the Helm mobile app.

Screenshot: The Intercept

There is no way to check your Helm email from a web browser — you have to use native email clients installed on your computer or phone.

All of this together means that Helm is immune from spearphishing. If GRU hackers went after a Helm user with the same technique they used against Podesta, it wouldn’t work. They could send a spearphishing email, perhaps disguised as official communication from the Helm company, with a link they trick the user into clicking. But there’s no login page on Helm’s website for them to imitate — you host your email from the Helm device in your house, not from Helm’s website, after all. And that device also lacks a login page. If an attacker made up a login page anyway, and even if the Helm user typed their username and password into it (even though Helm users never do this, unlike with Google where users log in all the time), the Helm account is still protected by proximity-based authentication.
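A simplified model of the account design described above, added here as an illustration and not Helm's code or protocol: the Bluetooth pairing step is reduced to a boolean, and the class, method names, KDF parameters and sample credentials are assumptions. It shows that a phished account password alone neither pairs a phone nor reads mail, and that revoking one device password leaves the others working.

```python
import hashlib
import hmac
import math
import secrets

# Alphabet and length inferred from the look of the sample password in the article.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
LENGTH = 16


def entropy_bits(length=LENGTH, alphabet=ALPHABET):
    """Bits of entropy in a uniformly random device password."""
    return length * math.log2(len(alphabet))


def _kdf(secret, salt):
    # Only a salted, slow hash of any password is kept.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def sign(token, nonce):
    """Phone side: prove possession of the pairing token for one challenge."""
    return hmac.new(token, nonce, hashlib.sha256).digest()


class HomeMailServer:
    def __init__(self, username, password):
        self._user = username
        self._salt = secrets.token_bytes(16)
        self._pw = _kdf(password, self._salt)
        self._phones = {}    # phone id -> pairing token
        self._devices = {}   # device name -> (salt, password hash)
        self._nonce = None

    def pair_phone(self, phone_id, username, password, in_bluetooth_range):
        """Pairing needs the account password AND physical proximity."""
        ok = username == self._user and hmac.compare_digest(
            _kdf(password, self._salt), self._pw)
        if not (ok and in_bluetooth_range):
            return None
        self._phones[phone_id] = secrets.token_bytes(32)
        return self._phones[phone_id]

    def challenge(self):
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def _authorized(self, phone_id, proof):
        token = self._phones.get(phone_id)
        nonce, self._nonce = self._nonce, None   # each challenge is single use
        if token is None or nonce is None:
            return False
        return hmac.compare_digest(sign(token, nonce), proof)

    def add_device(self, phone_id, proof, name):
        """Issue a fresh random password for one mail client."""
        if not self._authorized(phone_id, proof):
            return None
        password = "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))
        salt = secrets.token_bytes(16)
        self._devices[name] = (salt, _kdf(password, salt))
        return password   # shown once, never stored in the clear

    def revoke_device(self, phone_id, proof, name):
        if not self._authorized(phone_id, proof):
            return False
        return self._devices.pop(name, None) is not None

    def mail_login(self, name, device_password):
        """What an IMAP/SMTP login checks: the device password only."""
        entry = self._devices.get(name)
        if entry is None:
            return False
        salt, digest = entry
        return hmac.compare_digest(_kdf(device_password, salt), digest)


if __name__ == "__main__":
    srv = HomeMailServer("admin", "constructed-account-password")
    # A remote attacker who phished the account password cannot pair.
    print(srv.pair_phone("far-away", "admin", "constructed-account-password", False))
    token = srv.pair_phone("my-phone", "admin", "constructed-account-password", True)
    pw = srv.add_device("my-phone", sign(token, srv.challenge()), "laptop")
    print(srv.mail_login("laptop", pw), round(entropy_bits(), 1))
```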

If resourced hackers, like GRU officers, really wanted access to your email, their best bet is to either compromise the Helm device itself, or compromise one of your devices that you’ve authorized to check your email. This is definitely possible, but it’s a much higher bar than compromising a single account, especially if you keep your devices updated (you don’t need to worry about the Helm device, which automatically updates itself).

Your User Experience Could Change

If you’re accustomed to Gmail, switching to Helm might take some getting used to. Here are a few differences to expect.

Helm does not have any web mail interface. This is undoubtedly a good thing for security — it protects you from spearphishing attacks, it allows you to strictly control which devices have access to your email, and it makes it simpler to encrypt your email with PGP, if you’re that type of nerd. It also means that you’ll have to use an email client with a user interface totally different from Gmail’s; Thunderbird isn’t as pretty or easy to use, for example. And finally, you can’t check your email on someone else’s computer — you can only log in on devices that you’ve added to your Helm account using the mobile app. This might be inconvenient, but it, too, is good for your email security. You don’t know what spyware is running on other people’s computers, and you don’t have to worry about forgetting to log out.

I get a lot of email, including all sorts of email notifications, and I’m subscribed to several mailing lists. To keep things organized, I automatically filter incoming emails into their own folders. At the moment, Helm doesn’t support server-side filters, so if you want to filter your email, you need to do it from one of your email clients. For example, as a software developer, I get a lot of GitHub email notifications that I want filtered into my “github” folder, so I set up an email filter in Thunderbird that does this, and it works great. But because it’s a Thunderbird filter, when I check my email on my phone, new GitHub emails appear in my inbox and don’t get moved to my “github” folder until the next time I open Thunderbird. It’s not a big deal, but it would be nice for Helm to support server-side filters in the future.

Finally, there is the fight against spam. Gmail is excellent at recognizing and blocking spam because they use the private emails of their 1.5 billion users to create an incredibly accurate model of what spam looks like. Helm’s spam filtering isn’t bad, but chances are more spam will get through than you’re used to, at least to begin with. Every time you mark email as spam in your email client, Helm’s spam filtering will learn from this and get better at recognizing it, all while not sharing the contents of your email with any third parties.

How Helm Works Under the Hood

Helm includes different components: the mobile app, the recovery key, the gateway server in the cloud, and, most importantly, the Helm device itself, which stores all of your data on its 128GB solid-state hard disk. Since I’m trusting Helm with hosting my own email, I put effort into learning exactly how it works. This section dives pretty deep into the weeds and uses tech jargon without always explaining what it means. Feel free to skip ahead if this isn’t your thing.

The Helm Device

The Helm device is a computer running Linux, the popular open-source operating system. It doesn’t have a microphone, and it’s completely silent; instead of cooling with a loud fan, it dissipates heat through its aluminum base. And compared to a typical home Linux server, it’s quite a bit harder to hack thanks to hardware and software hardening tricks.

First, Helm uses a system called full-disk encryption to protect data stored on its local drive, ensuring that people with physical access to the device, like a burglar, can’t extract any private information from it, since everything on the drive would be indecipherable to the attacker. As with iPhone hardware, Helm has a “Secure Enclave” built into its processor — basically, a tiny, separate computer designed to be impenetrable and that manages encryption keys, tightly restricting in what circumstances, and by what software, the keys may be used to unlock stored data. And secure boot is enabled, meaning that an attacker cannot create malware to intercept encryption keys by impersonating the operating system as Helm starts up (a tactic classified as a type of “evil maid attack”). (If you want to run unauthorized bootloader code on your own Helm, check out the reverse engineering section below.)

Once the Helm device is booted, the next security trick is that it stores files used to boot the system on what is known as a read-only root filesystem, where data cannot be changed. If your Helm gets compromised, this makes it more difficult for malware to modify any core operating system files or to survive a reboot. The server is also packed with proven open-source software for running email, contacts, calendar, file hosting, and user management services — these include Postfix, Dovecot, OpenDMARC, Apple’s Darwin Calendar and Contact Server, Nextcloud, OpenLDAP, and more — and each service is isolated in its own Docker container (a sort of virtual jail enforced by software). In another security win, Helm automatically keeps this wide array of software updated in order to eliminate vulnerabilities as they are discovered.

Finally, when you configure your Helm for the first time, it automatically enables a type of encryption known as TLS. TLS is often used to encrypt web traffic, but it is also used to allow email clients to connect securely and privately over the internet to your email server, which in my case, has the hostname of helm.micahflee.com. Helm gets a trusted TLS certificate using a popular nonprofit service known as Let’s Encrypt.

But, wait, how do connections to your hostname end up making it to your Helm device in your living room?

Gateway in the Cloud

Each Helm device makes a persistent, encrypted network connection to a dedicated gateway server hosted on Amazon’s platform for making cheap, virtual internet servers, known as Elastic Compute Cloud, or EC2. Unlike most residential internet connections, which are periodically assigned new IP addresses, EC2 provides gateways with static IP addresses and none of the headaches — blocked mail delivery ports, router reconfiguration — that make it hard to host an email server at home. Your Helm server, connected to your home network, connects to the gateway using the same technology you might use to access your employer’s office network from home: a virtual private network, or VPN. The gateway’s purpose is to forward encrypted traffic, including email delivery connections, through the VPN tunnel to the Helm device in your house. This architecture explains why, if you look up the IP address of my public email server, helm.micahflee.com, it resolves to the location of my gateway in an Amazon data center, not of my home.

For example, I configured the email app on my phone to connect to helm.micahflee.com, encrypted with TLS. Each time my email app checks for new messages, it connects over the internet to the gateway, which then forwards this encrypted traffic over the VPN tunnel to the Helm device in my house. In other words, the connection between my phone and my Helm device is end-to-end encrypted. Similarly, when there’s an incoming email, the connection between the remote email server and the Helm device is also end-to-end encrypted, but forwarded over the gateway.

So, while both Amazon and Helm (the company) have the technical ability to spy on this server, this spying can’t reveal my emails or my email metadata — all they can see is encrypted traffic. The exception to this is if I’m emailing with someone using a grossly insecure email server that doesn’t support TLS encryption. In this case, Amazon and Helm, and every router that forwards emails to and from that server across the internet, can spy on them. “Over 92% of email traffic is over TLS globally,” Sreenivas wrote in a blog post explaining how Helm’s networking works, “and we will have an option for Helm customers to require all email be transmitted over TLS with the consequence that insecure transmission of emails will be rejected.”
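One way to see which hops of a delivered message were not protected by TLS is to read the protocol keyword in each `Received` header, where `ESMTPS` and `ESMTPSA` (RFC 3848) mean STARTTLS was used. This is an added example, not part of the original article and not Helm's code; the sample message, hostnames and function names are constructed.

```python
import re
from email import message_from_string

# "with" protocol keywords recorded in Received headers (RFC 3848).
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA"}
PLAINTEXT_KEYWORDS = {"SMTP", "ESMTP", "ESMTPA"}

# Constructed sample in the style Postfix writes; newest hop first.
SAMPLE_MESSAGE = """\
Received: from mx.sender.example (mx.sender.example [203.0.113.10])
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
    by helm.example.org (Postfix) with ESMTPS id 4F1A2B3C
    for <me@example.org>; Tue, 23 Apr 2019 10:00:02 +0000 (UTC)
Received: from legacy-app.sender.example (unknown [198.51.100.7])
    by mx.sender.example (Postfix) with ESMTP id 9D8E7F6A
    for <me@example.org>; Tue, 23 Apr 2019 10:00:01 +0000 (UTC)
From: sender@sender.example
To: me@example.org
Subject: constructed sample

body
"""


def strip_comments(value):
    """Remove (possibly nested) parenthesised comments from a header value."""
    previous = None
    while previous != value:
        previous = value
        value = re.sub(r"\([^()]*\)", " ", value)
    return value


def _field(keyword, text):
    match = re.search(r"\b%s\s+(\S+)" % keyword, text)
    return match.group(1) if match else None


def verdict_for(protocol):
    protocol = (protocol or "").upper()
    if protocol in TLS_KEYWORDS:
        return "tls"
    if protocol in PLAINTEXT_KEYWORDS:
        return "plaintext"
    return "unknown"


def audit_received(raw_message):
    """Return (from_host, by_host, protocol, verdict) per hop, newest first."""
    hops = []
    for value in message_from_string(raw_message).get_all("Received", []):
        # Comments must go first: "(using TLSv1.2 with cipher ...)" also
        # contains the word "with".
        text = strip_comments(value)
        protocol = _field("with", text)
        hops.append((_field("from", text), _field("by", text),
                     protocol, verdict_for(protocol)))
    return hops


def plaintext_hops(raw_message):
    return [hop for hop in audit_received(raw_message) if hop[3] == "plaintext"]


if __name__ == "__main__":
    for hop in audit_received(SAMPLE_MESSAGE):
        print(hop)
```

Only the hop recorded by your own server is trustworthy; earlier `Received` headers are claims made by other parties and can be forged or omitted.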

Encrypted Backups and Recovering From Disaster

As discussed previously, Helm protects all its files using full-disk encryption with a key stored in the Secure Enclave. In addition, it encrypts all private data, including emails, contacts, calendar events, and files, a second time using a separate key called the “recovery key.” When you authenticate as a Helm administrator using the mobile app, a copy of this recovery key gets copied to your phone. (Once on your phone, to provide additional security, it is stored in a private area that is not included in phone backups.) And during the Helm setup process, you also copy this key onto the physical key-shaped USB device (this USB device is designed only to store the recovery key; it doesn’t work like a normal USB drive). Having multiple backups of the recovery key, on your phone and on the key-shaped USB device, prevents a “single point of failure,” Sreenivas told me. Also, you’ll need to use the USB recovery key when you log in as the administrator user on the mobile app — for example, the next time you get a new phone.

On the Helm device, the private data is stored in its own filesystem, encrypted using dm-crypt, an encryption system provided by Linux. The Helm then uses an open-source system known as duplicity to regularly upload incremental, encrypted backups to Helm’s servers. (This backup service, along with DNS hosting and your Helm’s gateway server, is what the $100 per year subscription goes toward.) While the Helm company has access to your backups, they don’t have access to the recovery key needed to access any of the data locked inside. Only you do, on your Helm device, your phone, and your key-shaped USB device.

If your Helm breaks, is stolen, or is otherwise destroyed in a disaster, you can get a new Helm device and restore the backup. But to do this, you’ll need either your phone (logged in as the administrator user) or your key-shaped USB device. If you don’t have either of these, you’re out of luck, and there’s nothing the Helm company can do to help you. Such is the price of using encryption and having control over your own keys.

The Mobile App

The final component is the mobile app, available for Android and iOS. As discussed above, this is the sole interface for configuring your Helm. Every user who has an account on the Helm uses the mobile app to log in using their username and password, as well as Bluetooth pairing for proximity-based authentication. Once logged in, users can add new devices, which create unique device passwords, as well as delete devices to revoke access. As an administrator, you can also use the mobile app to manage the DNS on your domain name and add new accounts.

Email Is Only the Beginning

One of the things I’m most excited about as a Helm user is that, over time, Helm plans to add new services to their plug-and-play home server beyond email, contacts, calendar, and files.

In fact, support for a home file server that allows you to sync files between your devices, share files with other users, and privately back up photos from your phone — powered by the open-source Nextcloud project — is a new feature I haven’t fully explored yet.

“We are working on a VPN service that runs off your Helm, which we plan to connect with an ad-blocker,” Sreenivas told me. This would allow you to securely connect into your home network from anywhere, making it more secure to use public Wi-Fi networks and allowing you to access services like Netflix, which normally block VPNs.

Helm also plans on building a password manager that syncs your password database to the device, as well as a private “family chat and messaging” service. New services will appear in updates and won’t cost anything extra, Sreenivas said. Instead they will all be covered in the $100 per year subscription fee.

How Helm Restricts Your Use of Your Server

While Helm is powered by open-source software, and the company has shown a commitment to transparency about the inner workings of its product, it’s important to remember that Helm is an investor-funded startup, and the Helm product is proprietary. Unlike a home Linux server, you can’t log in to it with software like SSH, install software packages (like, say, a web server), or tweak configuration files. You can’t inspect its source code or install Helm’s custom operating system on a computer of your choice, like you could with an open-source operating system such as Ubuntu. With this in mind, here’s what I learned from reviewing the legalese I had to agree to in order to become a Helm user.

The first thing that stood out in the privacy policy is that, like Google, Mail.ru, and all other companies everywhere in the world, Helm must comply with lawful government requests for data. “We may disclose your information if required to do so by law, in response to a court order, judicial or other government subpoena or warrant,” the privacy policy reads.

So if Helm received a data request, what information would they hand over? Sreenivas said the company will return customer information, including the customer’s name, billing address, shipping address, email address, domain name, and their DNS records; device information, including the serial number, software version, which services are enabled, and some diagnostic information like the operating temperature of the customer’s Helm device; and any emails or chats with customer support. They will not, however, be able to return any data that’s stored on the Helm, such as your private email, contact list, calendar events, or files. Sreenivas also told me that Helm will publish a transparency report about how many data requests the company receives and will alert its customers if it receives a request for user data, so long as the company is not prohibited from doing so with a gag order.

Next, Helm can’t guarantee your security. “Please be aware that no security measures are perfect or impenetrable,” the privacy policy states. “We cannot and do not guarantee that your information will not be accessed, viewed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards.” This is true of Gmail too — just ask John Podesta. This is also true of everything else that relies on computer security. Perfect computer security is a myth, and companies that claim their products are “hacker-proof” are lying to you.

But the thing that stood out to me in Helm’s terms and conditions as most worrisome is this passage, forbidding users to reverse engineer their Helm devices: “Buyer acknowledges that the Product sold by Seller hereunder contains and embodies trade secrets belonging to Seller and Buyer shall not reverse engineer any products purchased hereunder.”

This is a ban on reverse engineering, preventing a type of close examination of computer hardware and code that can help uncover defects and add new functionality. Such bans are deeply problematic. Sreenivas outlined some plans to mitigate the ban, but at the moment, these are merely promises.

Reverse engineering bans have historically been abused by companies wanting to prevent security researchers from publicizing security flaws in their products. “We want to encourage security researchers to engage with us, so they will be granted an exception,” Sreenivas told me. In addition, Helm offers a bug bounty program in which security researchers can report vulnerabilities they discover and receive a bounty of up to $20,000.

The other way bans on reverse engineering have been abused is by going after “jailbreak” communities. You spent $500 on your Helm device, so what if you want to hack it yourself to run custom software? Sreenivas said that the company plans to make it easy for users to do this by including “effectively an unlock for a developer mode.” This seems like a reasonable compromise to me and is similar to how developer mode in Google’s Chromebooks works, allowing users who want complete control over their Helms to have it, but at the expense of security.

Even Though Helm Can’t Access Your Data, You Still Need to Trust It

If it were malicious, there are a few ways that the Helm company itself could launch an attack against your Helm device. Helm controls the DNS of your custom domain name and your gateway server, which means, if it were so inclined, it has the power it needs to conduct a man-in-the-middle attack against your email service, in which the company would spy on all of your email traffic by impersonating your Helm. The company also controls the updates that your Helm device receives, so it’s within its power to slip into one of the updates a backdoor — a way to surreptitiously log into your Helm device while it’s running, access your data, and install other software.

However, I don’t find this very likely to occur. Not only would it be against Helm’s own interests — the company’s entire business model is based around designing a product in which it does not have access to your emails — an attack like this would ultimately knock your email privacy down to the level of Gmail and Mail.ru, which already have all of this access. They wouldn’t be able to read any emails encrypted with PGP, for example. And additionally, Helm is far from the only company you need to trust not to be malicious. If your domain name registrar were malicious, they could also perform a similar man-in-the-middle attack against your mail server. And the makers of any software — from Microsoft Word to “Fortnite” — could slip a backdoor into an update without you knowing. So, while it’s something to consider, I’m not nearly as worried about this threat when compared to the threats posed by hackers and lawyers.

Helm will do a better job at securing your home email server than any lone individual could — myself included — with the possible exception of a talented DevOps engineer who does this work professionally. And by design, Helm protects your data from the much more serious threats of your email provider pilfering through your inbox, using it to target ads against you, and sending copies of your email to cops or spies who ask for it without your knowledge or consent.

Update, May 3: My explanation of proximity-based authentication has been changed to clarify that you need to be physically near the Helm to create a user account. It is technically possible to give a distant person an email address on your Helm, but you will have full access to their account, which most people would not want.
