There’s no doubt that Gmail has changed the way we consume email. It’s free, it gives most of us all the storage we’ll ever need, and it does a better job than most in weeding out spam and malware. But there’s a cost to all of this. Storing years' worth of messages in a corporate-owned place gives end users less control than many would like. They rightfully worry about Google either being hacked or legally compelled to turn over contents.

On Wednesday, a Seattle-based startup called Helm is launching a service designed to make it easy for people to securely take control of their email and other personal data. The company provides a small custom-built server that connects to a user's home or small-office network and sends, receives, and manages email, contacts, and calendars. Helm plans to offer photo storage and other services later.

With a 120GB solid-state drive, a three-minute setup, and the ability to store encrypted disk images that can only be decrypted by customers, Helm says its service provides the ease and reliability of Gmail and its tightly coupled contacts and calendar services. The startup is betting that people will be willing to pay $500 to purchase the box and use it for one year to host some of their most precious assets in their own home. The service will cost $100 per year after that. Included in the fee is the registration and automatic renewal of a unique domain selected by the customer and a corresponding TLS certificate from Let's Encrypt.

When free isn’t free

“I think more and more people are learning that what they get for free is not actually free,” Giri Sreenivas, cofounder and CEO of Helm, told Ars. “They’re learning that they give up their data, and companies like Google and companies like Facebook and others are figuring out anything and everything they can do under the sun to make money with that data and the corresponding online behaviors. This rising awareness is driving people to ask questions like 'How do I own my data? How do I own my online identity?'"

The service takes a best-of-both-worlds approach that bridges the gap between on-premises servers and cloud-based offerings. The server looks stylish and is small enough to be tucked into a drawer or sit unnoticed on a desk. It connects to a network over Ethernet or Wi-Fi and runs all the software required to serve email and calendar entries to authorized devices. An expansion slot allows an additional five terabytes of storage.

The server also provides a robust number of offerings designed to make the service extremely hard to hack, including:

A system-on-a-chip from NXP that stores keys for full-disk encryption and other crypto functions to ensure keys are never loaded into memory, where they might be leaked. The disk encryption is designed to prevent the contents from being read without the key, even if someone gets physical possession of the device.

Support for secure boot and keys that are hardwired during manufacture so the device can only run or install authorized firmware and firmware updates. The devices are manufactured in the US or Mexico to ease concerns about supply-chain weaknesses.

Firmware that only communicates over an encrypted VPN tunnel. This measure prevents employees of the user’s ISP, or anyone monitoring the home or office connection, from knowing who the user is communicating with. The firmware also automatically generates TLS certificates from the free Let’s Encrypt service.

Before being backed up in the cloud, messages are encrypted using a key that's stored on the personal server and is available only to the end user. That means if the cloud server is ever hacked or the provider is legally compelled to turn over the backed up data, it can't be decrypted without the key.

Two-factor authentication that’s based on what Helm calls “proximity based security.” The tokens that generate one-time passwords can only be installed on a smartphone that has come into close physical proximity with the Helm device during pairing by someone who knows the device password. Pairing new phones, adding email accounts, or making other changes not only requires a device password but also an OTP from an already-paired phone.

“We think this is a pretty huge advance forward in protecting people’s email accounts,” Sreenivas said of the proximity-based design. “It’s actually taking advantage of something distinct that we have that cloud service providers don’t have, which is the server has a physical presence in your home.”

While the on-premises device forms the guts of the service, Helm’s best-of-both-worlds approach does borrow a few things from the cloud. Anyone who has ever run their own home email server knows how maddeningly difficult it can be. In a bid to block spam, ISPs generally close port 25. ISPs can also make it hard to use static IP addresses and configure firewalls. To get around these shortcomings, Helm runs a security gateway that’s currently hosted on Amazon. The device communicates with this gateway over a VPN, meaning employees or hackers who get access to it can't read any of the messages passing through it. The gateway, in turn, is the server that sends and receives the email and backs up encrypted email.

“All the gateway does is forward packets back and forth,” Sreenivas said. "All TLS terminates on this device. All we’ve done is introduce an extra hop on the Internet. We’re funneling encrypted traffic.”

Breaking up is hard to do

The idea of eliminating Google as my email provider has great appeal to me. I mostly dislike knowing that Google scans my messages, but I’m also concerned that the unimaginably vast amount of data Google hosts makes it a juicy target to just about every advanced hacking outfit on the planet. In theory, being able to run my own server would allow me and me alone to decide who can scan or view my messages. And while my device and the apps that connect to it are still vulnerable to hacking, a single box hosting only my data has considerably less return-on-investment to would-be attackers than Google servers, which the company says host more than 1 billion accounts.

But as attractive as it would be to say goodbye to Gmail, I’m not yet ready to take the final plunge. Yes, my home Internet service is reliable, with almost no downtime I can measure. And I’m guessing Helm can be trusted to reliably back up my encrypted mail. Still, it’s a service that has yet to be tested in production the way Gmail has. If my home Internet service goes down, I won’t be able to send or receive new messages. While new messages will be spooled on senders' servers and sent as soon as Internet service is restored, that’s still a major disruption. It will also be enlightening to see how Helm's service fares once whitehat and blackhat hackers have a chance to pore over the hardware and software. The company plans to announce a bug bounty program by year's end. In the meantime, whitehats can contact Helm security people at security@thehelm.com.

Helm comes with even more uncertainty for power users who may use a variety of server-based filtering rules to block spam or funnel certain types of messages into different folders.

“It’s a great product right now for someone who has one email box and they don’t have tons of filtering rules or they do all their filtering on the client side,” said HD Moore, an enterprise security expert who has provided a seed-stage investment to Helm and has also advised it on technical and security matters. “It’s really different if your entire existence is based on your email flow and you want to have a little more visibility into what’s happening before you’re willing to trust it. One of the features I’m waiting on right now before migrating myself is more visibility into what emails are received and which ones are dropped.” (Moore is vice president of research and development at Atredis Partners.)

To put it mildly, it's a highly uncertain prospect that people will pay $500 for the first year and $100 per year thereafter and that Helm will deliver the same reliability and security Gmail has for more than a decade. But the company is betting there’s pent up demand for a service that allows people to take control of their email, contacts, and calendaring. The bet is by no means a sure thing, but, at the very least, it’s a noble experiment that I hope one day might allow me to sever my reliance on Gmail.

Post updated in the last paragraph to clarify the $500 fee is only in the first year. It was later updated in the first paragraph to make clear that Google no longer scans email to personalize ads.