I’m currently migrating to Proton mail. It’s comlicated because I have nearly 25 years of gmail use, using it for everything requiring an email address.
“Proton must comply with Swiss law,” Protonmail founder and CEO Andy Yen said on Twitter. “As soon as a crime is committed, privacy protections can be suspended and we’re required by Swiss law to answer requests from Swiss authorities.”
It doesn’t matter what country the service is from. If they have a court order and there’s a warrant for someone’s information, they have to provide it. You think they wouldn’t do that in Germany? Canada? Finland?
when MullvadVPN, sweden, was not only enforced by courts but raided by police to turn over data they replied “what data?” And the raid turned up nothing. Even with physical access to the servers- the authorities with legal right to search left empty-handed. That’s planning for privacy, I would assume since Proton doesn’t do this for their VPN they only plan for privacy of activists to a certain extent in face of (unfair) court rulings.
I highly recommend shelling out the $12 a year for a domain to tie to your email through Proton, that way, if Proton starts to enshitify, you can change email providers without having to migrate all your accounts to a new email. I am actually going through the exact same process, and I never want to have to do it again lol.
As someone who has gone to proton and back. I do not recommend it. The service is mostly OK, their android apo never delivers notifications probably because of the lack of play services, and while every client is open source and is guaranteed to be e2ee to other proton accounts, there are two huge issues with this:
In my case, the people I email are all on google and Microsoft, so they will be reading my emails anyway
When you communicate with non proton users the emails exchange HAVE to be plain text. So the only thing keeping proton from seeing you emails is a huge “trust me bro” that you can’t verify. There are no code or cryptographic guarantees.
Yes. That is correct. I’ve sent pgp emails from my gmail to protonmail. But nobody uses pgp. So in practice you are spending all of that time and effort for basically 0 gain.
I migrated off of Proton Mail, they have no way to access your calendar from outside Proton’s apps and web services, you can’t access Proton Drive on Linux (and the workarounds never worked for me), and you need to keep running their decryptor tool if you want to use an email client other than their mail client.
Email is inherently insecure, zero knowledge encryption is worth nothing when 99% of your emails are being sent and received in plaintext. I’m on Fastmail now.
Please explain to me how Fastmail is more secure if you can easily set up any client without encryption? Or am I missing something? And when Fastmail sends or receives email, isn’t it also sent in plain text because of the SMTP protocol anyway?
IMAP and SMTP, the protocols mainly used for emails besides whatever weird shit Microsoft is doing, nowadays all have variants going through a TLS encrypted session like HTTPS.
That doesn’t change the fact that email is not up to the task of modern secure communication (TLS is not end to end encryption for example, and smime and pgp are super user unfriendly and have their own weirdnesses), but makes it better at least.
It’s not. Proton’s “security” is mostly pointless and induces a huge hassle if you’d like to use anything else than the web client.
As you said, both Proton and any other mail client send mail in TLS encrypted plain text over SMTP unless also encrypted using PGP/GPG (or conversing with another Proton user in the case of Proton Mail).
Fastmail is just a much nicer email provider IMO, and I can consume emails / calendar / files using third party clients. There’s also Tuta and other mail providers, I’m just warning you to maybe steer clear of Proton unless you intend to use Proton-specific features, as usability greatly suffers.
Ideally, I’d pick an email provider with data sovereignty in Canada, but short of self-hosting (which isn’t a great idea with email), there are basically no decent options.
I often find the need for Proton’s encrypted email to be sonewhat dubious when Proton can’t (or won’t) fight secret court orders to collect logs on users. At the very least it means I typically don’t use a protonmail account more than once before signing up for a new one.
Agreed, and these rarely come anyway because most of the time, the US courts can simply subpoena Google or Microsoft for access to the interlocutor’s sent and received emails, this only really occurs with Proton to Proton communication, which I have personally never done as no one I know uses Protonmail.
Bref, better off just GPG signing and encrypting your emails and using a different provider. US courts can’t decrypt your mail more just because they subpoena’d it
I’m currently migrating to Proton mail. It’s comlicated because I have nearly 25 years of gmail use, using it for everything requiring an email address.
yeet Proton, those turn over any activist to authorities and soon will sell out more broadly
check out GDPR champions StartMail, same as StartPage, from the netherlands
Has that ever even happened???
uh yeah just look up what Proton has been doing in face of court requests and idk remember when the CEO of Proton sucked up to Donal J. Trump?
https://www.vice.com/en/article/protonmail-under-fire-for-sharing-clactivist-data-with-french-authorities/
It doesn’t matter what country the service is from. If they have a court order and there’s a warrant for someone’s information, they have to provide it. You think they wouldn’t do that in Germany? Canada? Finland?
when MullvadVPN, sweden, was not only enforced by courts but raided by police to turn over data they replied “what data?” And the raid turned up nothing. Even with physical access to the servers- the authorities with legal right to search left empty-handed. That’s planning for privacy, I would assume since Proton doesn’t do this for their VPN they only plan for privacy of activists to a certain extent in face of (unfair) court rulings.
https://mullvad.net/en/blog/2023/4/20/mullvad-vpn-was-subject-to-a-search-warrant-customer-data-not-compromised
I highly recommend shelling out the $12 a year for a domain to tie to your email through Proton, that way, if Proton starts to enshitify, you can change email providers without having to migrate all your accounts to a new email. I am actually going through the exact same process, and I never want to have to do it again lol.
Domains are just useful to have anyway
As someone who has gone to proton and back. I do not recommend it. The service is mostly OK, their android apo never delivers notifications probably because of the lack of play services, and while every client is open source and is guaranteed to be e2ee to other proton accounts, there are two huge issues with this:
If I understand their documentation correctly, you can set up PGP for communicating with non-Proton e-mail recipients.
Yes. That is correct. I’ve sent pgp emails from my gmail to protonmail. But nobody uses pgp. So in practice you are spending all of that time and effort for basically 0 gain.
I feel you. The recipients must be willing to use encrypted communication either.
I migrated off of Proton Mail, they have no way to access your calendar from outside Proton’s apps and web services, you can’t access Proton Drive on Linux (and the workarounds never worked for me), and you need to keep running their decryptor tool if you want to use an email client other than their mail client.
Email is inherently insecure, zero knowledge encryption is worth nothing when 99% of your emails are being sent and received in plaintext. I’m on Fastmail now.
Please explain to me how Fastmail is more secure if you can easily set up any client without encryption? Or am I missing something? And when Fastmail sends or receives email, isn’t it also sent in plain text because of the SMTP protocol anyway?
IMAP and SMTP, the protocols mainly used for emails besides whatever weird shit Microsoft is doing, nowadays all have variants going through a TLS encrypted session like HTTPS.
That doesn’t change the fact that email is not up to the task of modern secure communication (TLS is not end to end encryption for example, and smime and pgp are super user unfriendly and have their own weirdnesses), but makes it better at least.
It’s not. Proton’s “security” is mostly pointless and induces a huge hassle if you’d like to use anything else than the web client.
As you said, both Proton and any other mail client send mail in TLS encrypted plain text over SMTP unless also encrypted using PGP/GPG (or conversing with another Proton user in the case of Proton Mail).
Fastmail is just a much nicer email provider IMO, and I can consume emails / calendar / files using third party clients. There’s also Tuta and other mail providers, I’m just warning you to maybe steer clear of Proton unless you intend to use Proton-specific features, as usability greatly suffers.
Ideally, I’d pick an email provider with data sovereignty in Canada, but short of self-hosting (which isn’t a great idea with email), there are basically no decent options.
I often find the need for Proton’s encrypted email to be sonewhat dubious when Proton can’t (or won’t) fight secret court orders to collect logs on users. At the very least it means I typically don’t use a protonmail account more than once before signing up for a new one.
Agreed, and these rarely come anyway because most of the time, the US courts can simply subpoena Google or Microsoft for access to the interlocutor’s sent and received emails, this only really occurs with Proton to Proton communication, which I have personally never done as no one I know uses Protonmail.
Bref, better off just GPG signing and encrypting your emails and using a different provider. US courts can’t decrypt your mail more just because they subpoena’d it