I’ve been using Proton Mail and VPN for a while now, and I’m just wondering how everyone else feels about them. I have this kind of inherent alight distrust of them just because they seem like they offer a lot for free and kind of have a Big Tech vibe about them, but there’s nothing for me to really substantiate that distrust with, its mostly just a feeling. That being said, I do use their services as mentioned and they work pretty well, even on the free teir. So aside from that one instance where they gave that guy’s info to the feds, is there any reason not to trust them with my data?
‘So aside from that one instance where they gave that guy’s info to the feds, is there any reason not to trust them with my data?’
They were under a court order. They still have to follow their country’s laws.
That is not to say you shouldn’t question them, but that particular example should not be used.
If that person had better opsec it never would have been a thing.
Plus, the data they gave was minimal, basically just the recovery email address, if I remember. That person got caught because they used the same address on Twitter (or something) and then they could get more data, if I recall correctly.
This is the key bit. So long as whatever they hand over still meets their services guidelines, the fact they cooperate with law enforcement is not in the least a knock to the promises they made.
It would be another matter altogether if they were providing law enforcement with logs or information they said they don’t collect.
People’s deductive reasoning is weak sauce.
Yeah I think most people confuse privacy with criminal behaviour. Proton has your back when it comes to the former, but they aren’t there to enable you to pirate or cause trouble, hiding behind their service.
I don’t see how making sure criminals are brought to justice is the same as protecting your anonymity on the net.
And even if mandated under law, it’s not like they actually log your travels and are handing that to law enforcement. Whatever they hand over still falls under their services guidelines. It’s not like they are handing over logs of your travels to the FBI.
“Criminals” such as climate activists?
The service could not appeal because a Swiss law had actually been broken and because “legal tools for serious crimes” were used.
Yep under Swiss law he was a criminal, we may not agree with the law but unfortunately that’s the case here
Yes. It’s not really Proton’s fault, but definitely unattractive to a user/customer
That’s the thing. Anonymity on the internet should enable people to protect themselves against unethical laws. Law is not correct, it’s just law
more than google at least
Yeah i trust them more than the alternatives.
seem like they offer a lot for free
i gladly pay for proton knowing that i’m helping fund a critical tool for activists under oppressive regimes :)
Based on my own privacy/security criteria, I chose and payed for protonmail when that was the only thing Proton had. I’ve been very happy with them and it’s nice to see how much they’ve since popped off.
I trust them, but always remain vigilant, because things can change over time. But the founders initially were scientists who met at CERN, not a company that launched a product. That tells me quite a lot. Yes, over time they are becoming more professional, maybe more like a regular company, but i feel that privacy is still the main priority for them. They also organize a yearly event and the money they raise goes to certain projects that are related to privacy and freedom (if i remember correctly for instance to help journalists remain free press and things like that). Yes, it’s one of the few companies that i really trust.
Also, yes, they sometimes are forced to give info to authorities (and they are quite open about that and explain what happened if people ask about that), but don’t forget that they don’t have much info on their clients, because everything is encrypted and they just cannot see what’s inside a mail, for instance. So, they can’t share that.
same here. one of a few companies that i actually trust. recent interview with CEO gave me even more confidence
Do you have a link for that interview?
Not sure if this is the one, but it is quite interesting regardless:
Here is an alternative Piped link(s):
Hard to find but nice to watch 😀
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I’m open-source; check me out at GitHub.
In my view it’s either my ISP seeing everything or someone else. I don’t trust my ISP, I route my traffic to a different country where I don’t live in and them viewing my activity is potentially less of a problem, in my view (just in case they do manage to de-anonymize me)
route my traffic to a different country where I don’t live in and them viewing my activity is potentially less of a problem
Depending on where you live, and where your service resides, this could be tricky.
In the US, for instance, if you’ve chosen a provider in Australia, then a FVEY agreement could be in place to share that data. This gets around the technicality that intel gathering is not occurring on US soil and is not being done by the gov.
And again with the US, if you’ve chosen a country that’s not amiable to sharing user data, the US could very well be justifying that country as a target for pilfering data anyway.
So, that would leave choosing a service provider within the US, which should need to go through the FISA courts for any access to citizen data, but who knows after the Snowden revelations.
I guess that’s the state of privacy if you’ve got a nation state that’s targeted you for surveillance. Only way around it I can think of is data to be encrypted in transit and at rest, and only you control the keys. But that’s not something that’s going to happen with something like mainstream email anyway, too inconvenient for most folks (and you also don’t know if your recipients are security conscious either).
Thank you for explaining the gov surveillance part of it, that is a good point you’re making. There’s also the commercial surveillance I’m trying to avoid, in particular having my “psyche” profiled.
Route them to a country of some number of eyes? 😅
I don’t completely trust any “privacy-focused” company, but I trust proton a lot more than most others.
For my threat model and use case, I trust them.
Not at all. It woul be trivial for them to steal your private keys from their web client. And yes, we have the code. But it’s impossible to verify that the code that is on Github and the one they send to your browser every time you log in is exactly the same.
Also, they make it quite hard to make an anonymous registration. And they’ve been cooperating with governments. Don’t get me wrong, I don’t support criminal activity. But I don’t trust any government with citizen’s data, Snowden proved that.
Edit: Oh and they have bribed various privacy related sites with their affiliate program to recommend their services, which I consider a shady tactic.
Why is it trivial for them to steal your private keys? Does your computer unable to verify public keys?
I’m a bit of a novice when it comes to HTTPS handshakes
One of the bold claims of proton is that all your data is encrypted and they can’t see it (not 100% sure how they do it, probably your key is encrypted with your password as a symmetric key? Then when you log in, the client unlocks your private key and then that key unlocks the emails and stuff).
Now, it also turns out that they write the software that uses your key to decrypt the emails. It would be trivial for them to just send the keys back to themselves and decrypt all your stuff.
I don’t think this is a huge point against proton, as AFAIK no one else even offers encrypted email. But nonetheless I would like to see an api and some third party clients.
I see now, so it’s more on decrypting my data rather than stealing private keys in the context of httpscommunications. I thought for some reason it was about Proton VPN specifically.
Thank you for explaining!
Depends. Are you on a wanted list?
😀
I don’t trust them implicitly, but I do believe they are less likely to do certain things than Google which is enough to use them instead of Google for Email.
Proton used to have a deal with the Israeli company
Radware
, for DDoS protection. They have written a few disclaimers about how Radware only handled incoming traffic still with two encryption layers intact (SSL & OpenPGPjs), as if that was some sort of real protection if a company has access to raw incoming traffic.Honestly, a company aimed at privacy, boasting of Swiss privacy, should know better than to route anything through Israeli companies.
No.
I trust no single hosted service, but you can use them with caution.
Proton Mail + Tor Browser + diligent OPSEC
Bingo bango, you don’t even have to trust them.
When I tried to register with a tor ip they asked for my phone number.
The issue with email, unless you are comumnicating between two Proton Mail accounts, is that your message will likely be stored on another server which is extremely likely to be unencrypted. The bottom line is that you can never trust the rest of the infrastructure, and you have no control over it. You can end-to-end encrypt using PGP, but this is extremely impractical.
Yeah, email is unsafe, agreed. I addressed that below, saying I thought they just wanted to separate their real-world identity from their un-private emails. If you’re trying to use Proton to keep your un-private emails private, you’re gonna have a bad time and you should use some good end-to-end solution that isn’t email instead.
For that one instance, not doing so would have been illegal and probably gotten them hit with a major penalty.
Any email you send to Proton in clear text is 100% accessible to them at the point of entry. They basically promise you that they won’t look at it before encrypting it for storage. So if you trust their promise, it’s all good.
Any email that comes in already end to end encrypted with OpenPGP is not accessible to them ever, kind of. If their client gets hacked and starts sending unencrypted messages to them or someone else, then they have access.
The only way to have a zero trust environment is always having people (or businesses) send you messages encrypted with OpenPGP, and never using Proton’s clients (webmail, mobile app, and desktop bridge). That’s fairly unreasonable, and you might as well use any other email service at that point.
So, you can trust them as much as any other company, because unless you write and run your own email server (which, trust me, is a huge pain in the ass*), that’s your only option.
* I wrote and run an email service called Port87, which launched recently, and there are so many obstacles to doing this, even if you’re only running one user on one domain on one server.