I’m trying to get rid of my Google dependency and one of those steps was moving over to Protonmail. Now in the past few days i have been picking up signals that even Protonmail is not as clean as it might be.

Does this really impact the privacy of how i use email and so is moving to Protonmail a step forward from Google, or is Protonmail just as bad?

If so, what could be alternatives?


edit:

Some of the alternatives being mentioned in the comments are:

Email:

VPN:

edit 2 (2023):

There seems to be some new activity around this post. At the time of writing the post (2 years ago) there were some stories going as user @UnfortunateShort described in their comment. This made me question the best options available at that moment. Currently i am still a Proton user, using their Mail and Calendar service, and Mullvad for VPN.

  • WhosMansIsThis@lemmy.world
    link
    fedilink
    arrow-up
    30
    arrow-down
    1
    ·
    1 year ago

    I’ve been using protonmail/vpn for a few years now. I’ve had nothing but positive experiences. That said, I think its healthy to question any business, especially those that claim to care about your privacy. I’m curious to hear what signals you’ve picked up on.

    • UnfortunateShort@lemmy.world
      link
      fedilink
      arrow-up
      21
      ·
      edit-2
      1 year ago

      There was this thing where a court forced them to log the IP and recipients mail addresses of a Prortonmail user, which was used as evidence against them in a legal process.

      They released a statement that they do not collect this data unless a court orders them to, that they can’t and won’t collect the content of mails, which is within the law apparently, and that the law cannot force them to collect data from their VPN. They also removed the promise to never collect any data from their sites and documents, because they felt it was not appropriate under the legal circumstances.

      If you want to hear my opinion about it: I give them credit for handling this transparently, explaining exactly what happened and removing a false claim from their marketing voluntarily. I do also agree that they should have never misled people into thinking Protonmail is an anonymous way of communication.

      As the data collection is very limited and has to be ordered by a Swiss court, I do not feel threatened and continue to use their services.

      Frankly, I think if you’re actually fearing to be persecuted for something and don’t want people to figure out who you talked to, you shouldn’t use mails to begin with. And if you do, at least use a VPN or Tor. That’s how they got the user, because they didn’t and law enforcement figured out they use Protonmail + their IP with the help of the ISP.

    • R...@lemmy.mlOP
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      It was two years ago, and it had to do with what @UnfortunateShort explains in his comment. 2 years later and i am still a happy Proton user.

  • Stowaway@lemmy.world
    link
    fedilink
    arrow-up
    16
    ·
    1 year ago

    Is this post two years old? If so I think we can wait a long time for a reply from OP. I too would like to know what signals they picked up on.

    • R...@lemmy.mlOP
      link
      fedilink
      arrow-up
      3
      ·
      1 year ago

      Has it been two years already?! Well that’s quite some time!

      In short, with the steps Proton has taken in the past two years to improve their products, i am a very happy customer! Currently i am using Proton mail and Proton calendar. For a VPN i use Mullvad at the moment and i can really recommend them for a VPN service.

      Regarding the VPN, i had been using Mullvad before Proton started offering theirs. Currently i am weighing of if i should use Proton for my VPN services as well, or keep some things separated between different companies, just in case.

      • Stowaway@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        Hah, well, two years later here you still are. Amazing!

        Love to hear it! I’m also on proton, if only for mail. I’m looking forward to a storage service with support for sync, so far I’m not so happy with the product I’m using.

        • R...@lemmy.mlOP
          link
          fedilink
          arrow-up
          1
          ·
          11 months ago

          I check in here now and then. ;)

          So 5 months later, I still use Proton Mail, still loving it. Use it in combination with Proton Calendar which also works really nice and just started really using the Proton Drive as (in the future) an alternative for Google Drive now that they have added encrypted photo sync. That feature (for Android) is still very early and i have been in touch with the helpdesk for some of the issues i am running into. But they do really feel like issues because of it being a very first version.

          So for now i would say that their Drive option is quite robust and works very nice and can really serve as an alternative for one of the other big parties (yes i still do a lot with Google Drive and Dropbox so to fully migrate that will take ‘some’ time).

  • CriticalResist8A
    link
    fedilink
    arrow-up
    17
    arrow-down
    5
    ·
    4 years ago

    Protonmail is just the “latest” (it’s been open for a few years now) in the technocratic “online privacy” bubble. They probably willingly give backdoors to the NSA.

    Basically they sell you the peace of mind, not really any actual security as far as anyone can tell. Until their code is open-source and can be independently reviewed, it’s worthless. That they are based in Switzerland doesn’t mean much because backdoors are meant to be secret. Like in any other country, there is no official organ in Switzerland that will evaluate your app and say “yes, this app is secure. We give it five stars”. However if you find they don’t respect Swiss law you have to open a lawsuit, retain a Swiss lawyer, travel there for the court date, and at that point you start to realize they’re based over there more to protect themselves than you.

    There has been another encryption company operating since the 50s in Switzerland that was somewhat recently found to just be a front for the CIA. So clearly being based in Switzerland is not a gage of quality.

    Their support of the Hong Kong protest was also kinda suspicious because as far as I’m aware, they’ve never been that interested in any other event. And it wasn’t just a press release that gets picked up by a few hobbyist magazines; it was a full-length email sent to every protonmail customer, even those like me who hadn’t used their account in years.

    I also just read that ProtonMail would start using Google infrastructure. While the actual usage of Google’s services would be “limited”, again Proton does not explain the exact nature of this partnership and which services will be routed through Google.

    I don’t believe there is any way to be completely secure on the Internet unfortunately. Snowden showed how far backdoors run. So whether you want to keep using protonmail is up to you, but outside of a decentralised p2p system, I don’t think we could fully be anonymous and secure. Maybe though it would be possible to open your own email service – you just have to rent a space on a shared server like you would when hosting a website, and then encrypt it if possible… or open your own mail server in your basement lol. Email doesn’t consume a lot of resources.

    • Axaoe@lemmy.ml
      link
      fedilink
      arrow-up
      5
      ·
      4 years ago

      I’d argue that this:

      Basically they sell you the peace of mind, not really any actual security as far as anyone can tell.

      Is demonstrably false, as their encryption methods for emails at rest as well as other options (PGP) are tested. They’re also upfront with their threat protection model ("the ProtonMail threat model document specifically states that, “we cannot guarantee your safety against a powerful adversary.”) and as far as coming from Google or another free provider is concerned are a definitive step in the right direction. A good overview if OP is interested is this writeup here: https://www.techspot.com/news/82776-protonmail-review-secure-email-really-secure.html

      Personally I’d be hesitant to recommend self-hosting email unless really necessary (since that has it’s own risks/threat model) and think OP would do well to start off with Tutanota or Protonmail.

      As an aside if we’re alluding to Protonmail being a honey pot with the Hong Kong riots I’d rather see it stated as such; this is the second place on Lemmy I’ve seen such criticism levied when a company that has a privacy/security based product and did a statement on the protests and I don’t find it that suspect that they would be interested in furthering their brand or “putting their money where their mouth is” by coming out in support of anti-censorship/CCP measures.

      • dengismceo@lemmy.ml
        link
        fedilink
        arrow-up
        5
        arrow-down
        1
        ·
        4 years ago

        Hong Kong riots

        support for the riots is not “support of anti-censorship”. it had nothing to do with censorship. a brief summary of how things began:

        1. a man murdered his pregnant girlfriend while on holiday in taiwan
        2. taiwan wanted the man extradited to face charges but hong kong did not have an extradition treaty with taiwan
        3. an extradition bill is introduced in hong kong listing 46 crimes for which extradition may be requested by taiwan, macau, and the PRC. nine crimes listed were financial (these were later removed)
        4. angry rich kids realized they would not be able to commit the same financial crimes their parents did

        it was never about being censored. it was about wanting to continue to exploit others without consequence.

        protonmail didn’t just “come out and support” the color revolution by merely making a statement. i’m not making the assertion that their support means that they are a honey pot. i am asserting, however, that their support means that, unlike their claims, they are decidedly not “pro-freedom” (unless, of course, their definition of “freedom” is getting away with murder).

        • Axaoe@lemmy.ml
          link
          fedilink
          arrow-up
          1
          ·
          4 years ago

          Taiwan later criticised the government of trying to strong arm the citizens with the bill and withdrew their extradition request.

          Proton’s support of the what the riots turned into isn’t tainted by what sparked the controversy in my opinion.

          I’d agree with you that it’s about wanting to continue to exploit without consequence, though I’d say were talking about different parties doing to exploiting.

          Link for those interested in a news recap: https://www.bbc.com/news/world-asia-china-50148577

          • Nevar@lemmy.ml
            link
            fedilink
            arrow-up
            3
            ·
            edit-2
            4 years ago

            Taiwan withdrew the extradition request of the murderer of a pregnant woman for the sake of politics? That’s messed up.

          • dengismceo@lemmy.ml
            link
            fedilink
            arrow-up
            1
            arrow-down
            1
            ·
            edit-2
            4 years ago

            edited: the first part of my comment was irrelevant to the true matter at hand so it has been removed

            Proton’s support of the what the riots turned into isn’t tainted by what sparked the controversy in my opinion.

            and in my opinion, this actually makes it worse. because then it becomes them promoting a blatant misrepresentation of hong kong in support of a color revolution. this means those deciding to fundraise are openly supporting the interests of the US government. which makes them less trustworthy, not more.

            the argument could be made that they saw how many westerners ate up the propaganda around the situation and wanted to capitalize on it. i think that is a fair argument. but them being money-hungry makes them less trustworthy, not more.

            • Axaoe@lemmy.ml
              link
              fedilink
              arrow-up
              1
              ·
              4 years ago

              I’d much prefer you to source your claims especially when refuting others, we simply don’t agree on this matter (though I do like reading a different side of things) - I appreiciate the discussion though all the same!

    • R...@lemmy.mlOP
      link
      fedilink
      arrow-up
      5
      ·
      4 years ago

      Thanks for the extensive answer, I will keep looking into it (and other alternatives) to see if there is something that fits my needs (which at this point is having multiple gmail adresses, so the only way is up i guess).

      • abbenm@lemmy.ml
        link
        fedilink
        arrow-up
        4
        ·
        4 years ago

        Huh?? Everything in that comment was speculative. I keep trying to figure out what specifically wrong Protonmail, and so far it’s all been nothingburgers. This is just a wall of speculative text. I don’t understand why it’s being treated like some knock-down evidence that Protonmail is bad.

    • verassol@lemmy.ml
      link
      fedilink
      arrow-up
      2
      ·
      edit-2
      4 years ago

      thank you for the detailed comment. i didn’t see disroot being mentioned. do you have any comments on it?

      • Nevar@lemmy.ml
        link
        fedilink
        arrow-up
        2
        ·
        4 years ago

        My opinion on disroot is that any organization that has a business model run on donations is inherently unsustainable. If disroot became popular, they would no longer be able to host accounts for free. They may end up creating a subscription service after that but it creates uncertainty as to how and what they will do in the future. They might decide to fold. The same thing can be said for paid services but I wouldn’t use Disroot as my main email address if a few years from now the donations stop and they say they’re shutting down. IMO

    • ufra@lemmy.ml
      link
      fedilink
      arrow-up
      3
      arrow-down
      1
      ·
      4 years ago

      nice link about google infrastructure

      it could mean that some information — such as IP address and knowledge of their attempt to connect to ProtonMail — will become visible via those third parties.

      disappointing, google has their hands in everything. I just learned that Standard Notes implemented an opt-out api call to bugsnag, a company backed by Google Ventures.

      ProtonMail does seem a bit fishy and flimsy. I tried their VPN for about an hour and kept getting marketing emails afterwards.

    • abbenm@lemmy.ml
      link
      fedilink
      arrow-up
      1
      ·
      4 years ago

      They probably willingly give backdoors to the NSA.

      Do you have any more elaboration on this? Is this based on a news article, or a part of their terms of service or something?

  • brombek@lemmy.ml
    link
    fedilink
    arrow-up
    11
    ·
    4 years ago

    If your threat model is “corporations spying on me and profiting from my private data” then it is good option IMHO. If your threat model is “a three letter agency is after me” then don’t use e-mail.

    • R...@lemmy.mlOP
      link
      fedilink
      arrow-up
      2
      ·
      4 years ago

      I mean to be realistic, my email account is not more than corporations trying to profit from my private data. So to self encrypt in my tin foil basement is totally a lot of overkill.

  • Cyyris@lemmy.fmhy.ml
    link
    fedilink
    arrow-up
    6
    ·
    edit-2
    1 year ago

    I’ve been using Mullvad VPN for about 5 or so years now and it’s been really great.

    Very privacy centric - your account holds no personal information, it’s just a randomly generated number that you keep saved somewhere, and it’s really only used for payment.

    It’s very reasonably priced as well - I just keep it on autopay, and every year it charges the €60 to my PayPal - but you have a lot of options for payment - including crypto and even cash!

  • Dreeg Ocedam@lemmy.ml
    link
    fedilink
    arrow-up
    5
    ·
    4 years ago

    For email I suggest getting your own domain name. That way you can easily change provider without having to tell all of your contacts to use a new email. I don’t know about all domain providers, but some provide email addresses for free with all the domains that you bought from them. It’s a really good and way to have an interesting email address, and not be dependant on any tech giant.

    I personally gave up on the idea that my email will ever be secure, so I just try to use a provider that seems trustworthy, and avoid using it for anything critical. The email providers that tell you they encrypt your emails don’t really improve anything in terms of security, given that they have access to the clear text email before they encrypt it. It’s even worse if they offer a web client, they could steal your keys anytime.

    There are solutions (PGP), but they are really niche and don’t provide some critical security aspects like Forward Secrecy. If you want your communications to be truly secure, use a system that was built for that (Signal, Matrix, etc… all provide pretty decent security way ahead of whatever you’ll get with email).

    • R...@lemmy.mlOP
      link
      fedilink
      arrow-up
      3
      ·
      4 years ago

      I like the idea of using a custom domain and changing providers if needed. Going to take that into consideration.

      • Dreeg Ocedam@lemmy.ml
        link
        fedilink
        arrow-up
        2
        ·
        4 years ago

        It’s not actually that expensive, most domains can be bought for less than 20€/year. If the registrar provides free email with it, it’s often cheaper than using a paying email service.

      • Dreeg Ocedam@lemmy.ml
        link
        fedilink
        arrow-up
        2
        ·
        edit-2
        4 years ago

        I don’t really understand how that does anything to actually add Forward Secrecy. If someone captures all the (encrypted) emails, and then has access to the private key of the receiver, they can decypher the one time key and then decypher the message.

        I looked for that before posting the first comment, and found this draft and a few discussion it. But I didn’t mention it because it’s just a draft, and because of what I said above.

        Edit: I noticed it’s actually a draft from 2001

    • dengismceo@lemmy.ml
      link
      fedilink
      arrow-up
      4
      ·
      edit-2
      4 years ago

      had to add some backdoors for an investigation warrant, so they could monitor a person involved in a blackmail case

      do you know where i can read up on this?

      edit: i read about it. it seems it is not an encryption backdoor but rather that they are intercepting new emails for one user before they get to the mailbox (because the emails in the mailbox are encrypted). here is a hackernews thread on it

  • kitsunekun@lemmy.ml
    link
    fedilink
    arrow-up
    5
    ·
    4 years ago

    The most concerning part about ProtonMail/VPN is that their funding came initially from the feds and many big names in Silicon Valley. Would you trust that combination of “donors” sponsoring a service that’s supposed to protect your privacy?

    Lookup Mullvad. It’s a great VPN. No gizmos, no bells and whistles, and more importantly: it has been audited frequently and their client is open source.

  • DoctorWhookah@lemmy.world
    link
    fedilink
    arrow-up
    5
    ·
    1 year ago

    I literally purchased 12 months of Proton VPN last night and this is one of the first posts I see today. Glad this is an old post and happy to see new positive responses.

    • R...@lemmy.mlOP
      link
      fedilink
      arrow-up
      2
      ·
      1 year ago

      My experiences in these two years have been nothing but positive, so (as far as i know) a good choice to go with their VPN service! :)

    • R...@lemmy.mlOP
      link
      fedilink
      arrow-up
      3
      ·
      4 years ago

      Both those organisations have been around for quite some time right? Having their roots in activism as far as i know.

      • Echedenyan@lemmy.ml
        link
        fedilink
        arrow-up
        3
        ·
        edit-2
        4 years ago

        The way you seems to use the word “activism” seems a bad sense I never knew. What do you mean?

        The Riseup political views are known and suggested, sometimes, in their own page.

        The case of Disroot is that it has a public statement about it basically and the pictures around the website are quite legit.

        • R...@lemmy.mlOP
          link
          fedilink
          arrow-up
          3
          ·
          4 years ago

          The way you seems to use the word “activism” seems a bad sense I never knew. What do you mean?

          It was in no way meant as a bad thing, sorry if it came over that way.

          • Echedenyan@lemmy.ml
            link
            fedilink
            arrow-up
            1
            ·
            4 years ago

            Thank you for the reply.

            I don’t know if the second part of my reply helped you in some sense. At least the Disroot side which can be checked easily.

            • R...@lemmy.mlOP
              link
              fedilink
              arrow-up
              2
              ·
              4 years ago

              It did! Disroot has a huge mission statement where it is all written out, so that can’t be more clear than that. (i’ll also add them to the original posting as options for people in the future).

  • dengismceo@lemmy.ml
    link
    fedilink
    arrow-up
    4
    arrow-down
    1
    ·
    4 years ago

    a step forward from Google, or is Protonmail just as bad

    i would say it is a step forward but how much depends on your use case. if you are encrypting all your emails, protonmail allows you to do so with the body of the email (but NOT the headers). there are other providers who make this as easy. tutanota even encrypts your entire email, subjects and senders included but they recently had to comply with a court order to store new incoming emails for a certain user unencrypted.

    when it comes down to it, any secure communication should not be done over email. you can always encrypt the body of the message yourself but the sender/receiver information and subject line will not be encrypted.

    an alternative vpn would possibly be mullvad. the people over at privacytools also recommend ivpn so that’s another one you could look into

    • ghost_laptop@lemmy.ml
      link
      fedilink
      arrow-up
      3
      ·
      4 years ago

      No, the Tutanota court order said that they had to comply with the law if information is needed for a specific use, and they can only give what they have, meaning that if you communicate with other e-mail providers such as Protonmail (who encrypt e-mails by default) they can only give the court encrypt data, which is not so useful, but for example if you get an e-mail from Gmail then they can give them that information since it’s unencrypted.

        • ghost_laptop@lemmy.ml
          link
          fedilink
          arrow-up
          2
          ·
          4 years ago

          Yes, I know you were referring to that case.

          This is from the exact article in German you cited at the end:

          [Update, Nov. 30, 12 p.m.] As Tutanota emphasized, the monitoring measure only affects newly incoming unencrypted emails. The company cannot decrypt data that is already encrypted, as well as end-to-end encrypted emails in Tutanota. [Update.]

          Besides Tutanota, some other providers also store all incoming mail in encrypted form. At Protonmail it is also standard, Posteo and Mailbox.org offer encryption as an option. Tutanota provides an overview of the number of requests from authorities in its transparency report.

          • dengismceo@lemmy.ml
            link
            fedilink
            arrow-up
            1
            ·
            4 years ago

            you write as if you’re correcting me (first comment began with “no”, second citing what i already stated) but i said nothing in contradiction - already encrypted emails won’t be unencrypted. i did not state otherwise.

            • ghost_laptop@lemmy.ml
              link
              fedilink
              arrow-up
              1
              ·
              4 years ago

              It doesn’t say that, it says:

              As Tutanota emphasized, the monitoring measure only affects newly incoming unencrypted emails.

              This means only e-mails received after the the monitoring declared by the court was approved which are not encrypted will be sent to them. This is reinforced by the following sentence:

              The company cannot decrypt data that is already encrypted,

              Meaning they can’t do anything with old, encrypted e-mails.

              as well as **end-to-end encrypted emails ** in Tutanota.

              Meaning new encrypted e-mails.

              • dengismceo@lemmy.ml
                link
                fedilink
                arrow-up
                1
                ·
                edit-2
                4 years ago

                i understood but i now see i wasn’t clear enough in my original comment. sometimes i omit things for sake of clarity but it seems i omitted too much in this case. it was not my intention to imply that all incoming emails, regardless of encryption status, would be unencrypted.

                • ghost_laptop@lemmy.ml
                  link
                  fedilink
                  arrow-up
                  2
                  ·
                  4 years ago

                  No problem, it’s just I had this exact same discussion in a Privacy Tools issue and I was sure I knew what I was talking about, also I don’t to say X service has been compromised.

  • Kururin@talk.kururin.tech
    link
    fedilink
    English
    arrow-up
    3
    arrow-down
    1
    ·
    1 year ago

    I heard Tutanota is worser. But I been a long time customer of Proton, since they started. Its been great for me.

    • scytale@lemmy.world
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Tutanota is ok. It’s not as mature as Protonmail yet, but they are on their way there.