Great list, I'm glad the crew in the comment threads put it together. 2 observations:
* These lists are often made but are never kept up to date as recommendations change. Will this list be any different?
* Use Gmail? We can't pick some other web based, 2FA capable non-US hosted service that doesn't specifically use machines to scan your content for ad serves? This recommendation was the only one that furrowed my brow.
A weakness in the way these guidelines are worded is that it's not clear enough how much security experts discourage people from using email. Email is the single largest risk most at-risk people have, and not just because only 2 email providers have a team capable of securing their infrastructure or because the protocol is weak, but also because of existing collection capabilities and because of its "archive-by-default" design.
Yes: if you are using email at all, you should use Google's email service. Virtually every concern you'll state about using Google Mail is better articulated as a concern about using email at all (especially because 90% of the people lawyers and activists communicate with also use Google Mail).
If you want, instead, to militate against using email at all, I'll agree and also tell you that I expect this guide will get clearer about that.
Why g-mail instead of a more security focused provider like proton-mail? It seems to me like the only downside of proton-mail is that it is less well-known, but I'd compare it to signal vs whatsapp. And you can get journalists to use signal.
Only other thing I can think of is google being more secure by virtue of being bigger.
Given Google's standing policy of requiring a search warrant for access to user confidential data, as detailed in their Transparency Report[0], my reading is that law enforcement needs to go to the same legal effort to access your data-at-rest stored with Google as they would if it were stored offline in your own house. (And results in the same level of notification to you, modulo NSLs, which are a practical worry for some groups but not others.)
Google can change or ignore its policy at any time, without telling you. Depending on your level of risk, you might not want your security to depend on someone else's goodwill, especially someone who has very many, much larger concerns than you.
Will Google forgo massive government contracts to protect you? Risk expensive lawsuits? What if you are politically unpopular; will Google risk its reputation for you?
My guess is it's because Google's security team is top notch and happy to share their threat intel with their users and that's much more relevant to journalists than using a non-US based service or one that avoids content based ad serving.
Except support is nonexistent, so if anything happens to your gmail access you're screwed; there's nobody to contact. I would think any non profit who relies on emails for fundraising/networking would want a paid service like FastMail or other paid service with 2FA.
Only in the alternate timeline where customer support and nerd optics are more important than platform security, which nobody other than Google does better.
Until you get locked out of your account of course, for a number of reasons such as heavy use that triggers an arbitrary lockout, and there's nobody to contact. Somebody might also wish to purposely DoS your account with incorrect logins for a number of reasons too, like hiding a money transfer notification or just to screw with you.