Private signup is not just a smaller form. Payment records and anti-abuse checks can become privacy data too. We built our one-time payment flow to ask less upfront and keep less afterward. privacy.fish/blog/the-mos...

Private signup is more than asking for less data. The whole flow matters: self-hosted captcha, one-time payment, temporary codes, and deleting the payment-to-username link after the refund window. Details: privacy.fish/blog/the-mos...

Private email is not only about encryption. Jurisdiction decides what a provider must retain and how requests are handled. Norway is one reason Privacy.Fish is built the way it is: privacy.fish/blog/norway-...

Good technical mail-infra writeup from Peter Hansteen on moving from exim to OpenSMTPD on OpenBSD: nxdomain.no/~peter/time_... This is the email work we like: small understandable components, protocol correctness, greylisting/greytrapping, and fewer moving parts to trust.

Watching H.R. 9016, the new Email Privacy Act bill introduced May 22. The practical test is in the details: stored content, metadata, payment/account links, access logs, and which providers are covered. How we handle this at Privacy.Fish: privacy.fish/documentatio...

AI agents getting inboxes makes email’s trust model clearer: “can receive mail” and “can send externally” should be separate grants. Safer default: restricted inbox first, human-approved sending scopes, expiry, rate limits, audit logs. Email addresses are identity surfaces, not just API resources.

Passwords are email’s soft underbelly: reused, phished, and reset through weaker accounts. That’s why privacy.fish uses SSH keys for account access instead. Tradeoff here: privacy.fish/blog/there-i...