I’m trying to get rid of my Google dependency and one of those steps was moving over to Protonmail. Now in the past few days I have been picking up signals that even Protonmail is not as clean as it might be.

Does this really impact the privacy of how I use email, and so is moving to Protonmail a step forward from Google, or is Protonmail just as bad?

If so, what could be alternatives?


edit:

Some of the alternatives being mentioned in the comments are:

Email:

VPN:

edit 2 (2023):

There seems to be some new activity around this post. At the time of writing the post (2 years ago) there were some stories going around, as user @UnfortunateShort described in their comment. This made me question the best options available at that moment. Currently I am still a Proton user, using their Mail and Calendar service, and Mullvad for VPN.

  • WhosMansIsThis@lemmy.world · 30 up, 1 down · 1 year ago

    I’ve been using protonmail/vpn for a few years now. I’ve had nothing but positive experiences. That said, I think it’s healthy to question any business, especially those that claim to care about your privacy. I’m curious to hear what signals you’ve picked up on.

    • UnfortunateShort@lemmy.world · 21 up · edited · 1 year ago

      There was this thing where a court forced them to log the IP and recipient mail addresses of a Protonmail user, which was used as evidence against them in a legal process.

      They released a statement that they do not collect this data unless a court orders them to, that they can’t and won’t collect the content of mails, which is within the law apparently, and that the law cannot force them to collect data from their VPN. They also removed the promise to never collect any data from their sites and documents, because they felt it was not appropriate under the legal circumstances.

      If you want to hear my opinion about it: I give them credit for handling this transparently, explaining exactly what happened and removing a false claim from their marketing voluntarily. I do also agree that they should never have misled people into thinking Protonmail is an anonymous way of communication.

      As the data collection is very limited and has to be ordered by a Swiss court, I do not feel threatened and continue to use their services.

      Frankly, I think if you actually fear being persecuted for something and don’t want people to figure out who you talked to, you shouldn’t use email to begin with. And if you do, at least use a VPN or Tor. That’s how they got the user: because they didn’t, and law enforcement figured out they used Protonmail, plus their IP, with the help of the ISP.

    • R...@lemmy.ml (OP) · 1 up · 1 year ago

      It was two years ago, and it had to do with what @UnfortunateShort explains in his comment. 2 years later and I am still a happy Proton user.

  • Stowaway@lemmy.world · 16 up · 1 year ago

    Is this post two years old? If so I think we can wait a long time for a reply from OP. I too would like to know what signals they picked up on.

    • R...@lemmy.ml (OP) · 3 up · 1 year ago

      Has it been two years already?! Well that’s quite some time!

      In short, with the steps Proton has taken in the past two years to improve their products, I am a very happy customer! Currently I am using Proton Mail and Proton Calendar. For a VPN I use Mullvad at the moment and I can really recommend them for a VPN service.

      Regarding the VPN, I had been using Mullvad before Proton started offering theirs. Currently I am weighing whether I should use Proton for my VPN services as well, or keep some things separated between different companies, just in case.

      • Stowaway@lemmy.world · 2 up · 1 year ago

        Hah, well, two years later here you still are. Amazing!

        Love to hear it! I’m also on proton, if only for mail. I’m looking forward to a storage service with support for sync, so far I’m not so happy with the product I’m using.

        • R...@lemmy.ml (OP) · 1 up · 10 months ago

          I check in here now and then. ;)

          So 5 months later, I still use Proton Mail, still loving it. I use it in combination with Proton Calendar, which also works really nicely, and I just started really using Proton Drive as (in the future) an alternative for Google Drive now that they have added encrypted photo sync. That feature (for Android) is still very early and I have been in touch with the helpdesk for some of the issues I am running into. But they really do feel like issues that come from it being a very first version.

          So for now I would say that their Drive option is quite robust, works very nicely and can really serve as an alternative for one of the other big parties (yes, I still do a lot with Google Drive and Dropbox, so fully migrating will take ‘some’ time).

  • Cyyris@lemmy.fmhy.ml · 6 up · edited · 1 year ago

    I’ve been using Mullvad VPN for about 5 or so years now and it’s been really great.

    Very privacy centric - your account holds no personal information, it’s just a randomly generated number that you keep saved somewhere, and it’s really only used for payment.

    It’s very reasonably priced as well - I just keep it on autopay, and every year it charges the €60 to my PayPal - but you have a lot of options for payment - including crypto and even cash!

  • DoctorWhookah@lemmy.world · 5 up · 1 year ago

    I literally purchased 12 months of Proton VPN last night and this is one of the first posts I see today. Glad this is an old post and happy to see new positive responses.

    • R...@lemmy.ml (OP) · 2 up · 1 year ago

      My experiences in these two years have been nothing but positive, so (as far as I know) it’s a good choice to go with their VPN service! :)

  • Kururin@talk.kururin.tech · 3 up, 1 down · 1 year ago

    I heard Tutanota is worse. But I’ve been a long-time customer of Proton, since they started. It’s been great for me.

    • scytale@lemmy.world · 1 up · 1 year ago

      Tutanota is ok. It’s not as mature as Protonmail yet, but they are on their way there.

  • lifeisstrange@lemmy.eus · 1 up · 3 years ago

    Protonmail is the most professional encrypted email service in the industry.

    Even if it were a honeypot, you can compile their phone apps yourself and use them.

    Also, about those rumors that say they want to use Google Cloud: they won’t.

    They just route your traffic through one of the big providers like Azure, AWS or GCS if their service is blocked in your region.

    Also, they pinned their cert in their app so that the potential for interception of your traffic to their servers via these third-party routing services becomes low, close to zero.

    Also, you can disable that in their app, and that feature is not in their web app!

    The option is alternative routing.

    You can easily disable it in their apps, although it won’t ever be used if your traffic to their own servers doesn’t get blocked.

    Also, there is no data stored at these third parties; they just route you to Proton’s actual server.

    And to emphasize it: you can disable it completely in their apps, and it isn’t enabled on their websites (it is also technically impossible to do that for their websites).

    Also, if they were a honeypot, you could still audit their apps’ source code yourself and then compile them yourself, or in the near future download them from F-Droid.

    So if they were a honeypot, your data would still be encrypted with strong OpenPGP (apps) and OpenPGP.js (the JavaScript implementation of it) in their web apps, and all of them are open source.

    So when your data is encrypted, and if you don’t do any unencrypted communication through their service, they can’t do anything with your data even if they were a honeypot.

    OpenPGP is a 20-year-old protocol that is still well maintained and has proven to be really secure.

    Also, about Tutanota: they use their own homebrew encryption, which is always discouraged by cryptography engineers.

    Also, about the Hong Kong protests: they just don’t want to become more influenced by the CCP, as you have probably seen that some people in mainland China are really brainwashed and accept everything their government does and says.

    They just supported that, not any murder or anything else that is really terrible, and the guy should face judgement for his creepy crimes.

    Regards.
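The certificate pinning the comment above describes works by hashing the public key (the DER SubjectPublicKeyInfo) of the certificate the server presents and comparing it with hashes shipped inside the client, so a cloud front or any other middlebox that terminates TLS with its own certificate fails the check even if the OS would trust its chain. The Python below is an added example and not Proton’s code: it carries a minimal DER parser for the fields of an X.509 certificate, computes the base64(SHA-256(SPKI)) pin format used by HPKP and Android network security config, and builds a small certificate inline with a dummy Ed25519 key (constructed data, not a real certificate) so it runs offline. `pin_of_host` is the same check against a live server and assumes network access.

```python
"""SPKI (public-key) pinning check. Added example, not Proton's code.
The certificate used below is constructed inline with a dummy key."""
import base64
import hashlib
import socket
import ssl


def _der_len(n: int) -> bytes:
    """DER length encoding: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, payload: bytes) -> bytes:
    """Wrap payload in a DER tag-length-value element."""
    return bytes([tag]) + _der_len(len(payload)) + payload


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert_body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs, _ = _read_tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    pos = 0
    tag, _, nxt = _read_tlv(tbs, pos)
    if tag == 0xA0:                        # explicit [0] version (v2/v3 certs)
        pos = nxt
    for _ in range(5):                     # serial, sigalg, issuer, validity, subject
        _, _, pos = _read_tlv(tbs, pos)
    start = pos
    tag, _, end = _read_tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo missing")
    return tbs[start:end]                  # whole TLV, which is what pin formats hash


def spki_pin(cert_der: bytes) -> str:
    """base64(SHA-256(DER SPKI)): the pin format used by HPKP and Android pin sets."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def pin_matches(cert_der: bytes, pins) -> bool:
    """True if the presented certificate's key hash is in the pinned set."""
    return spki_pin(cert_der) in set(pins)


def pin_of_host(host: str, port: int = 443) -> str:
    """Fetch a live server's leaf certificate and return its pin (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return spki_pin(tls.getpeercert(binary_form=True))


# --- constructed test certificate (structure only; the signature bytes are junk) ---
OID_ED25519 = der(0x06, bytes([0x2B, 0x65, 0x70]))    # 1.3.101.112


def build_dummy_cert(pubkey: bytes) -> bytes:
    """Minimal v3-shaped certificate carrying pubkey; enough for pin extraction."""
    alg = der(0x30, OID_ED25519)
    spki = der(0x30, alg + der(0x03, b"\x00" + pubkey))
    name = der(0x30, b"")                               # empty Name
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + alg + name + validity + name + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" + b"\x00" * 64))


if __name__ == "__main__":
    cert = build_dummy_cert(b"\x11" * 32)
    pinned = {spki_pin(cert)}
    print("same key:", pin_matches(cert, pinned))                           # True
    print("other key:", pin_matches(build_dummy_cert(b"\x22" * 32), pinned))  # False
```

Pinning the key rather than the whole certificate is what lets a provider rotate certificates without shipping an app update, and a pin set normally holds a backup key as well so a lost key does not lock every client out. The trade-off the comment hints at still applies: a pinned app cannot be inspected with a user-installed root certificate, and a web client cannot pin at all, because the browser only trusts the OS store.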

  • je_vv@lemmy.ml · 1 up · 4 years ago

    I don’t know much about protonmail and tutanota, since I don’t like that you need your contacts to also use the same provider in order to have the easy encryption they offer (so no federation), and it’s not much different than using any email provider and an email client which uses GPG encryption, or PGP encryption for that matter (I prefer GPG), given the provider is not one of the giants, and not based in the 5 eyes or extended 5 eyes (in this case that really counts, given most of the email one receives is NOT encrypted, since not everyone uses GPG/PGP encryption). Enigmail used to have an option to fully encrypt emails (including subjects) on Thunderbird, and I think the new Thunderbird encryption does the same (just that it doesn’t use GPG anymore, and other subtleties).

    If not self hosting (as mentioned by others, keeping your service and host secure and safe when opening it to the internet is hard to accomplish), using the /e/ email service might be an option, as long as you encrypt as much as you can of what you must. But even encrypted emails are not as secure and private as messengers designed for that purpose. So I wouldn’t use email for confidential or personal stuff, or use it as little as possible, and GPG encrypt it of course. And if going the GPG route, you should use ed25519 (elliptic curve) keys, the same way those are the recommended ones for ssh keys, but the problem is that nothing forces your contacts to do the same, and they might use weaker keys…

  • Dreeg Ocedam@lemmy.ml · 1 up · 4 years ago

    For email I suggest getting your own domain name. That way you can easily change provider without having to tell all of your contacts to use a new email. I don’t know about all domain providers, but some provide email addresses for free with all the domains that you bought from them. It’s a really good way to have an interesting email address, and not be dependent on any tech giant.

    I personally gave up on the idea that my email will ever be secure, so I just try to use a provider that seems trustworthy, and avoid using it for anything critical. The email providers that tell you they encrypt your emails don’t really improve anything in terms of security, given that they have access to the clear text email before they encrypt it. It’s even worse if they offer a web client, they could steal your keys anytime.

    There are solutions (PGP), but they are really niche and don’t provide some critical security aspects like Forward Secrecy. If you want your communications to be truly secure, use a system that was built for that (Signal, Matrix, etc… all provide pretty decent security way ahead of whatever you’ll get with email).

    • R...@lemmy.ml (OP) · 1 up · 4 years ago

      I like the idea of using a custom domain and changing providers if needed. Going to take that into consideration.

  • brombek@lemmy.ml · 1 up · 4 years ago

    If your threat model is “corporations spying on me and profiting from my private data” then it is good option IMHO. If your threat model is “a three letter agency is after me” then don’t use e-mail.

    • Masura@lemmy.ml · 2 up · 4 years ago

      I tend to use riseup all the time, for VPN, mail, file transfer, pads etc… I find that their views are very clearly exposed and I like their politics, but should we be concerned about the fact that their servers are US based (I heard some arguments about this)? Also I’d like to have details about how RiseupVPN works, and whether all traffic goes through it or just part; for example, does it really handle P2P/torrent? (The real question is: can I use it to protect myself from Hadopi?) Also the service is based on donations, so don’t forget to give what you can so they can continue to offer a free VPN to us :)

    • R...@lemmy.ml (OP) · 1 up · 4 years ago

      Both those organisations have been around for quite some time, right? Having their roots in activism as far as I know.

      • Echedenyan@lemmy.ml · 1 up · edited · 4 years ago

        The way you seem to use the word “activism” seems to carry a bad sense I never knew. What do you mean?

        The Riseup political views are known and suggested, sometimes, in their own page.

        The case of Disroot is that it has a public statement about it basically and the pictures around the website are quite legit.

  • CriticalResist8@lemmygrad.ml · 2 up, 3 down · 4 years ago

    Protonmail is just the “latest” (it’s been open for a few years now) in the technocratic “online privacy” bubble. They probably willingly give backdoors to the NSA.

    Basically they sell you the peace of mind, not really any actual security as far as anyone can tell. Until their code is open-source and can be independently reviewed, it’s worthless. That they are based in Switzerland doesn’t mean much because backdoors are meant to be secret. Like in any other country, there is no official organ in Switzerland that will evaluate your app and say “yes, this app is secure. We give it five stars”. However, if you find they don’t respect Swiss law you have to open a lawsuit, retain a Swiss lawyer, travel there for the court date, and at that point you start to realize they’re based over there more to protect themselves than you.

    There has been another encryption company operating since the 50s in Switzerland that was somewhat recently found to just be a front for the CIA. So clearly being based in Switzerland is not a gauge of quality.

    Their support of the Hong Kong protest was also kinda suspicious because as far as I’m aware, they’ve never been that interested in any other event. And it wasn’t just a press release that gets picked up by a few hobbyist magazines; it was a full-length email sent to every protonmail customer, even those like me who hadn’t used their account in years.

    I also just read that ProtonMail would start using Google infrastructure. While the actual usage of Google’s services would be “limited”, again Proton does not explain the exact nature of this partnership and which services will be routed through Google.

    I don’t believe there is any way to be completely secure on the Internet unfortunately. Snowden showed how far backdoors run. So whether you want to keep using protonmail is up to you, but outside of a decentralised p2p system, I don’t think we could fully be anonymous and secure. Maybe though it would be possible to open your own email service – you just have to rent a space on a shared server like you would when hosting a website, and then encrypt it if possible… or open your own mail server in your basement lol. Email doesn’t consume a lot of resources.

    • Axaoe@lemmy.ml · 3 up · 4 years ago

      I’d argue that this:

      Basically they sell you the peace of mind, not really any actual security as far as anyone can tell.

      is demonstrably false, as their encryption methods for emails at rest as well as other options (PGP) are tested. They’re also upfront with their threat model (the ProtonMail threat model document specifically states that “we cannot guarantee your safety against a powerful adversary.”) and, as far as coming from Google or another free provider is concerned, are a definitive step in the right direction. A good overview if OP is interested is this writeup here: https://www.techspot.com/news/82776-protonmail-review-secure-email-really-secure.html

      Personally I’d be hesitant to recommend self-hosting email unless really necessary (since that has its own risks/threat model) and think OP would do well to start off with Tutanota or Protonmail.

      As an aside, if we’re alluding to Protonmail being a honey pot with the Hong Kong riots I’d rather see it stated as such; this is the second place on Lemmy I’ve seen such criticism levied when a company that has a privacy/security based product made a statement on the protests, and I don’t find it that suspect that they would be interested in furthering their brand or “putting their money where their mouth is” by coming out in support of anti-censorship/anti-CCP measures.

      • dengismceo@lemmy.ml · 2 up · 4 years ago

        Hong Kong riots

        Support for the riots is not “support of anti-censorship”. It had nothing to do with censorship. A brief summary of how things began:

        1. A man murdered his pregnant girlfriend while on holiday in Taiwan.
        2. Taiwan wanted the man extradited to face charges, but Hong Kong did not have an extradition treaty with Taiwan.
        3. An extradition bill was introduced in Hong Kong listing 46 crimes for which extradition may be requested by Taiwan, Macau, and the PRC. Nine crimes listed were financial (these were later removed).
        4. Angry rich kids realized they would not be able to commit the same financial crimes their parents did.

        It was never about being censored. It was about wanting to continue to exploit others without consequence.

        Protonmail didn’t just “come out and support” the color revolution by merely making a statement. I’m not making the assertion that their support means that they are a honey pot. I am asserting, however, that their support means that, unlike their claims, they are decidedly not “pro-freedom” (unless, of course, their definition of “freedom” is getting away with murder).

      • abbenm@lemmy.ml · 1 up · 4 years ago

        Huh?? Everything in that comment was speculative. I keep trying to figure out what specifically is wrong with Protonmail, and so far it’s all been nothingburgers. This is just a wall of speculative text. I don’t understand why it’s being treated like some knock-down evidence that Protonmail is bad.