Not a true FAQ, more of a disclosure. Some of this is specific to me, some of this is information about email in general.
I learned recently that most normal people don’t know this: email is basically insecure. There’s no support in the basic email protocol for end-to-end encryption. Don’t send PII or other sensitive information if disclosure of same would result in significant financial loss, liability, or safety/security issues.
If you receive email from me, even if it’s not end-to-end encrypted, please keep it to yourself and do not forward it to third parties or publish it.
If you are a client, and we have a business relationship, please treat it as confidential information per the terms of our services contract or any applicable nondisclosure agreements.
If you are an attorney and we have a business relationship, please treat it as privileged attorney-client information. (This is mentioned in the bottom of every email I send, as well.)
If you cold email me asking me a question, it’s probably better that you post it on the BBS instead. Three reasons: you’ll likely receive a reply faster, other people may weigh in on the question or the response (increasing the value to you), and both your question and my response will remain available on the BBS to others, potentially providing value to many other people over the years, increasing the ROI of the time you spent asking it and the time I spent answering it.
Don’t send me PGP email unless you really need to. If you send me PGP-encrypted mail, don’t be surprised if I don’t get an opportunity to decrypt (and read/reply) for 90+ days. Most likely you can send me whatever you were going to send me in a PGP message without the PGP encryption and it will be fine. (It’s been years since I’ve received a PGP-encrypted cold email from a stranger that seemed to need end-to-end encryption.)
If you really need to, you can get my key in the following ways:
gpg --keyserver pgp.mit.edu --recv-key 5539AD00DE4C42F3AFE11575052443F4DF2A55C2
curl -sf https://sneak.berlin/.well-known/pgpkey.txt | gpg --import
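The curl pipeline above imports whatever the server returns. As an added example (not the author's own code), this script imports the downloaded file only if it contains exactly one primary key whose fingerprint equals the one in the keyserver command; the function names are hypothetical and `--show-keys` assumes GnuPG 2.2 or later.

```shell
#!/bin/sh
# Added example: pin the downloaded key to the fingerprint published above.
EXPECTED_FPR=5539AD00DE4C42F3AFE11575052443F4DF2A55C2
KEY_URL=https://sneak.berlin/.well-known/pgpkey.txt

# Read `gpg --with-colons` output on stdin. Succeed only if it lists exactly
# one primary key and that key's fingerprint equals $1. Spaces and letter
# case in $1 are ignored. Subkey fingerprints are never accepted as a match.
fpr_matches() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -F: -v want="$want" '
        $1 == "pub" { npub++; primary = 1; next }   # start of a primary key
        $1 == "sub" { primary = 0 }                 # later fpr lines are subkeys
        $1 == "fpr" && primary { got = $10; primary = 0 }
        END { exit !(npub == 1 && length(want) == 40 && got == want) }'
}

# Download to a temp file, inspect it without touching the keyring,
# and import only when the fingerprint check passes.
fetch_verify_import() {
    tmp=$(mktemp) || return 1
    if curl -sf "$KEY_URL" -o "$tmp" &&
       gpg --show-keys --with-colons "$tmp" | fpr_matches "$EXPECTED_FPR"; then
        gpg --import "$tmp"
        rc=$?
    else
        echo "download failed or fingerprint mismatch; nothing imported" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Only touch the network and keyring when invoked as: sh script.sh run
if [ "${1:-}" = "run" ]; then
    fetch_verify_import
fi
```

The expected fingerprint here is the one printed on this page, so a sender who needs stronger assurance should confirm it through a second channel before relying on it.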
If you really need to send me something securely and it needs to be read/seen quickly, please send it via Signal:
I make efforts even beyond that which is generally commercially reasonable to maintain the data security of my email; however, all of my email servers are hosted by third parties and are subject to many types of remote attacks (legal and otherwise) outside of my control.
The email address displayed on this site is my personal email address. Please do not email me about my companies or investments at this address: use the appropriate address for the business. I cannot engage in discussion of revenue- or business-related topics via my personal email address.
If you want to subscribe to my blog posts, use an RSS reader (like Feedly) and add my RSS feed:
If you’d like to receive ~quarterly updates via email about my projects, appearances, and other time-sensitive announcements and stuff, please subscribe to my mailing list.
I operate a BBS which serves as a general discussion and questions forum as well as the official comments section for posts on this site. All are invited to join and participate, provided you are willing to voluntarily agree to the rules.
Jeffrey Paul is a hacker and security researcher living in Berlin and the founder of EEQJ, a consulting and research organization.