Proton is not perfect, but nothing is. We need more competition on the internet, and if Proton has a chance to provide an email and storage for an upfront price without trying to distract me with ads or pimp my data to advertisers, I want to support them. As a data point, I have been a very happy user of their plus service for the last 3 years.
There is a silent backlash against Proton; the most obvious is that the domain is blocked by the US antivirus company who scans all UK politicians' emails through the UK parliament email address parliament.uk, or British politicians are ignoring their constituents; some website contact forms reject ProtonMail email addresses as well. So I hope they give Google a run for their money.
Edit
If it's not politicians ignoring emails, then we have evidence that a private US antivirus company is illegally interfering in the democratic process of so-called allies, and you can work this out with mxtoolbox.com, but we all know the US of A views everyone including allies as an enemy, because their actions and occupations speak louder than words! Can send a man to the moon but can't stop a shooter speaks volumes!
My company VPN also blocks ProtonMail. I'm not sure exactly why, and I have zero evidence, but I suspect it's because it's the email that a whistleblower used a while back that was featured in congressional testimony.
I've definitely blocked protonmail domains before. The calculus is that 100% of the accounts from that domain are fraud and 0% are legitimate, so it just saves a lot of time to block it. Stops fraud before it even starts. This is, of course, annoying for the 1 legitimate customer mixed in with the billions of bots. But basically, they have an abuse problem that they need to solve. Gmail also has plenty of fraudulent accounts, but it also has a lot of legitimate accounts, so they avoid the *@gmail.com ban.
It sucks that people use wide swaths like this, but that's how the cookie crumbles when you have a problem at 3 in the morning that you need to fix now and then go back to bed.
The only thing that bugs me with Proton is that it's still very complicated to integrate with Thunderbird (or any mail app?), which makes it practically unusable for my needs.
Having a tab always open in my browser for my mail seems so wrong.
Their mobile apps are also very lackluster and devoid of basic features. I understand that they are unable to open up to other mail apps due to the encryption, but for the past few years there have been little to no updates to their iOS suite.
I agree it's not perfect but they have some pretty great instructions. I've been using the Bridge with Thunderbird for multiple accounts and it works awesome.
Genuine question, how is a browser tab different than Thunderbird? Besides storing a local copy of mail (which is obviously a huge win), I don't see a big difference. If anything I like the web UI better.
However, for my uses I simply installed Proton Bridge + Apple Mail. It just works with all email services I use.
I use it with Thunderbird. There is an initial step (you need to set up ProtonMail Bridge) but after that it's seamless. And they have really good instructions for how to do that initial setup.
Asserting "private email" is a modern litmus test for someone's technical understanding and capabilities, or lack thereof. Snake oil companies will always hide behind "it's encrypted" and "it's hosted in Switzerland" tropes that mean nothing to anyone who has done a modicum of research. Real privacy is not the result of some product, especially not when it's so desperately and obviously shilled.
It's the best you can get.
It's fully end-to-end encrypted when stored, they don't scan anything, no ads, no tracking, and they support laws and organizations that improve individuals' privacy.
Why wouldn't I support them? If I care about privacy I should support companies that care about it too, no?
Proton is not perfect, the Android mobile app currently doesn't have conversation view nor contact sync, and the desktop bridge doesn't implement the DAV protocol, but it's the best out there for people who want to protect their privacy.
And if you care about privacy, you shouldn't be using anything made in Australia.
Are you suggesting that because the only way to have truly private email (in the U.S. at least) is to own the server hardware, the property it's colocated on, and the Internet connection? Because this is true, but not helpful.
There isn't such a thing as "secure/private email" because its design was not conceived with such things even in mind. The "secure" solutions like Protonmail are something other than email, which is probably the way forward, but I wish it was done without twisting language giving others a false sense of security and understanding.
Threat modeling is the only logical way to reason about privacy and security. It is quite a tedious exercise of listing all the adversaries you're worried about, their capabilities, and data they want to compromise. Such a model will reveal gaps and additional controls you can implement to improve your state.
>Snake oil companies will always hide behind "it's encrypted" and "it's hosted in Switzerland" tropes that mean nothing to anyone who has done a modicum of research.
Do you have evidence that Proton does not actually encrypt their emails?
>Real privacy is not the result of some product,
I do wholeheartedly agree with this, at least. Privacy is a scale and there are many, many pieces which tip the scale one way or the other.
> Do you have evidence that Proton does not actually encrypt their emails?
Their encryption is based on PGP and therefore only message contents are "E2E" encrypted. Subject, From, To, etc. are not. These fields contain most of the information already. For example, Amazon puts the name of the ordered item in the subject line, so they can still see what you ordered.
And I'm putting "E2E" in quotes because if the sender does not send encrypted emails, then they can read the full content at delivery time, obviously. They immediately encrypt them with your public key and they claim that they discard the unencrypted version after that but there is no way we can verify that.
Long story short: you still have to trust your email provider after all. If I'd want to switch away from Google, I'd probably switch to some "normal" email provider (Fastmail, Apple, etc.). The benefits of "E2E" encryption for email are questionable and the drawbacks huge (for example search is very limited). But competition is good and I'm glad they are advancing.
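The comment above makes a concrete technical claim: OpenPGP protects the message body, while the RFC 822 envelope headers (From, To, Date, Subject) stay in the clear for any server that handles the message. The following is an added example, not code from the page or from Proton, that makes the distinction visible. It parses three constructed messages with the standard-library `email` module and reports what an intermediary could read without the recipient's private key; the PGP blocks are placeholder text, not real ciphertext, and the addresses and order subject are invented.

```python
"""Audit what a mail intermediary (an MTA or mailbox provider) can read
from a message when it does not hold the recipient's private key.

Constructed example, not code from the original page or from Proton.
Uses only the standard-library `email` parser. The PGP armor below is a
placeholder, not real ciphertext."""
from email import message_from_string
from email.message import Message

# Header fields that OpenPGP does not encrypt: they are needed for routing
# and remain readable by every hop. Subject is the one that usually leaks
# the most (order contents, ticket numbers, meeting titles).
CLEARTEXT_HEADERS = ("From", "To", "Date", "Subject")

def body_is_pgp_encrypted(msg: Message) -> bool:
    """True if the body is protected by OpenPGP, either as a PGP/MIME
    multipart/encrypted container (RFC 3156) or as an inline
    ASCII-armored PGP MESSAGE block in a single-part message."""
    if msg.get_content_type() == "multipart/encrypted":
        return msg.get_param("protocol") == "application/pgp-encrypted"
    if msg.is_multipart():
        return False
    text = msg.get_payload(decode=True).decode("utf-8", "replace")
    return text.lstrip().startswith("-----BEGIN PGP MESSAGE-----")

def visible_to_provider(raw: str) -> dict:
    """Return the metadata an intermediary can read, plus whether the
    body itself is opaque to it."""
    msg = message_from_string(raw)
    return {
        "headers": {h: msg.get(h) for h in CLEARTEXT_HEADERS if msg.get(h)},
        "body_encrypted": body_is_pgp_encrypted(msg),
    }

# --- constructed sample messages (invented addresses and content) ---
PLAINTEXT = """\
From: orders@example-shop.test
To: alice@example.test
Date: Mon, 01 Jan 2024 10:00:00 +0000
Subject: Your order: Noise-cancelling headphones
Content-Type: text/plain; charset=utf-8

Thanks for your order. It ships tomorrow.
"""

PGP_MIME = """\
From: bob@example.test
To: alice@example.test
Date: Mon, 01 Jan 2024 10:05:00 +0000
Subject: Your order: Noise-cancelling headphones
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

hQEMA0pLaC3h0lDeAQf9FPLACEHOLDERCIPHERTEXTNOTREAL==
=AbCd
-----END PGP MESSAGE-----

--b1--
"""

INLINE_PGP = """\
From: carol@example.test
To: alice@example.test
Date: Mon, 01 Jan 2024 10:10:00 +0000
Subject: Re: meeting notes
Content-Type: text/plain; charset=utf-8

-----BEGIN PGP MESSAGE-----

hQEMA0pLaC3h0lDeAQf9FPLACEHOLDERCIPHERTEXTNOTREAL==
=WxYz
-----END PGP MESSAGE-----
"""

if __name__ == "__main__":
    for name, raw in (("plaintext", PLAINTEXT), ("pgp/mime", PGP_MIME),
                      ("inline pgp", INLINE_PGP)):
        report = visible_to_provider(raw)
        print(f"{name:11} body_encrypted={report['body_encrypted']} "
              f"subject={report['headers'].get('Subject')!r}")
```

In both encrypted variants the Subject line (here an order description) is reported back verbatim while the body is opaque; that is exactly the gap the comment describes, and it is why a threat model for "encrypted email" has to count headers as disclosed to the provider regardless of what the body contains.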
> Do you have evidence that Proton does not actually encrypt their emails?
It doesn't matter. Proton supplies the client software, so if they want (or are forced to by law enforcement), they can easily push an update that exfiltrates decrypted data back to their server.
What does "encrypting" an email mean to you? If a Gmail user contacts me on Protonmail and Protonmail "encrypts" the message to me after receipt - what problem have we solved?
Couldn't have said it better myself! Privacy is first and foremost a discipline and a practice, just like security. It's a form of self-respect, in my eyes. Some would say it's even a natural human right.
Commoditizing it is a recipe for disaster.
Edit: Expansion of the self-respect tidbit. Lack of privacy enables others to have control over you. Feeling like you are not in control, or actually being controlled by someone (shame, blackmail, etc.) can be very damaging to your mental health. Respect yourself, strive for privacy. You deserve it as much as anyone else.
I don’t know. I don’t think all “commoditization” of privacy is a bad thing. WhatsApp commoditized it, Signal; SSL/TLS; Tor; Privacy Coins; these all vastly improved the privacy of comms on the planet. One needs to determine outcomes rather than declaring it all disasters.
maybe democratizing privacy is a better way to phrase than commoditization — which implies some cost savings rather than the just consumer availability.
As the article states, they were forced to by Swiss authorities. They tried to fight against it, but in the end no reputable provider is going to put the whole company on the line for 1 user against a lawful order from their government.
You always have the option of connecting to PM over Tor [0] if you are concerned about this. You can also use any of the VPN services that are available. Get yourself an anonymous Mullvad account, and pay with some laundered BTC; good luck to anyone that wants to track down your IP.
> You always have the option of connecting to PM over Tor [0] if you are concerned about this. You can also use any of the VPN services that are available. Get yourself an anonymous Mullvad account, and pay with some laundered BTC; good luck to anyone that wants to track down your IP.
Yes, you could do all that. But if you're doing all that, you can also just use Gmail.
> We believe the best way to protect user data is to not have it in the first place
I like the exchange of value that comes from paying money for a service. With free products from companies like Google you do not pay for the service and there is no exchange of value. This results in the myriad of HN threads discussing how Google Docs did them wrong (locked out, privacy violation, etc.)
The problem with Proton email is that it is full of fraudulent accounts, thus their domain and emails sent via Proton are blocked by many companies, ISPs and firewalls.
I tried it and it was unable to send email to my wife’s work.
In short a lot of dickheads use it for spam/scam and ruin it for the rest of us.
You should see the @protonmail.com addresses as a demo; people use them for spam so the domain has a bad reputation. If you decide to pay for the service then it’s better to use your own domain; you should have no problem with delivery.
> I do think they'll try harder & more earnestly than the rest of the gang attempting it.
Why, though? What do people base this assertion on, other than clever marketing materials which extol virtually meaningless controls like "it's hosted abroad" (which is actually much worse for foreign nationals' privacy, for example)?
Not US based for starters - definitely willing to pay a premium for that.
Nor five eyes or any of the other [0] eyes.
> extol virtually meaningless controls like "it's hosted abroad"
There is no value in "abroad" in itself; what matters is how trigger-happy countries are with warrants etc.
I'd like to be in a jurisdiction where it is possible for law enforcement to get to the data...but I'd like the logistical/legal hurdles to be rather high so that it is only done for serious concerns, not trawler-net catch-all surveillance operations. Switzerland seems to tick those boxes.
> The analogy to terrorism is interesting because, during the Bush-era War on Terror, there was a sense of literally anything being justified in the name of stopping terrorism. The US government was secretly spying on its own citizens.
Yeah, Wired, they only did the spying during the Bush era... edit: I guess it was less secret after the Bush era
> It's even harder to say, look, we've got to accept that some amount of child exploitation is going to happen and people are going to use digital tools to spread it. But at some point, I think you do have to defend the principle that we have to tolerate a certain amount of even the very worst things if we want to have meaningful civil liberties.
Not a very popular argument at this particular instant in time / news, bold of them to write this without a giant asterisk.
> It's even harder to say, look, we've got to accept that some amount of child exploitation is going to happen and people are going to use digital tools to spread it. But at some point, I think you do have to defend the principle that we have to tolerate a certain amount of even the very worst things if we want to have meaningful civil liberties.
This is not how I’d articulate it. We tolerate some terrible things because trying to stop them would be even worse. There are really bad people out there. Unfortunately those bad people can also run for office and/or get hired on to 3 letter agencies.
A pedophile with a camera is less dangerous than a senator without the 4th amendment. A racist on social media is less dangerous than a president without the first amendment.
Fascism doesn’t happen because you elect a fascist president. The seeds of fascism had to be sown long before that. Fascism is the result of eroding protections designed to prevent a leader from over-reaching. The path to fascism is paved in good intentions.
> It's even harder to say, look, we've got to accept that some amount of child exploitation is going to happen
Except that every big kiddie porn case was cracked by old-fashioned policework--"Get someone inside". And, most of the time, it isn't even that difficult to pull off.
It particularly grinds my gears because the powers that be only trot out kiddie porn when they want to shove legislation down our throats. The rest of the time enforcement against kiddie porn stays heavily underfunded.
> Yeah, Wired, they only did the spying during the Bush era... edit: I guess it was less secret after the Bush era
I don’t understand - it never ended. In fact, Obama ran on a platform of protecting whistleblowers and cracking down on government overreach. But, once he took office, he legalized the Presidential Surveillance Program that Snowden whistleblew and doubled down on pursuing Snowden.
This is a rather interesting interview style, it seems as if the interviewer is presenting the viewpoints of the national security state complex ("we need total access to all data to prevent terrorism and child abuse") and of the major tech conglomerates ("competition reduces privacy"), aka Big MAMAA (FAANG is obsolete), but it does provide the interviewee with opportunity to counter those points, so I guess it's a decent interview approach.
I'd add that the solution to child abuse and terrorism is the same it has ever been, i.e. targeted investigations relying on tactics like infiltration of criminal rings with undercover officers. There's no justification for Gestapo/NKVD authoritarianism and mass surveillance tactics.
However, there doesn't seem to be any plausible way to communicate with others using any infrastructure-type system (from postal mail to fiber optic cable) that doesn't reveal the network of communication (i.e. metadata), and Tor is hardly an exception. Tor seems to have been designed to allow remote government agents (aka spies) operating in hostile environments a means to communicate with a known base of operations without revealing their actual remote locations or identity. Similarly it could be used by individuals to communicate with journalists (as Edward Snowden did) without revealing their identity or location, but only if they take a lot of precautions (i.e. not using their device for any other online activity that could be traced to them). I imagine NSA has backdoors into almost all Tor nodes anyway. The content can be securely encrypted, but location/identity? Probably not.
What was that in the news a year or so back about the FBI having a significant number of Tor endpoints, making the routing effectively transparent? I would imagine if the FBI pulled that off, so did many other state actors.
But now we can talk about "the outsized influence of Big MAMAA on the tech industry", which has a nice ring to it. MAGMA has a decent ring as well, though.
> There's no justification for Gestapo/NKVD authoritarianism and mass surveillance tactics.
I think many people are missing the point and see the issue as "Governments trying to get capabilities".
No, they always had the capability because of lower population, slower communication, more effective mass media and information bubbles. Now, they're losing this capability, and want to keep their abilities while making them automated & cheaper.
Also, there's the Crypto AG stuff, which is the same thing, but international.
Depending on who your enemy is (threat model), I guess Proton tools can help you protect your intimacy, though.
It seems to me that the only private email would be no email.
Why's a privacy-first service logging IPs in the first place?
> Why's a privacy-first service logging IPs in the first place?
[0] https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7...
I do not know how they can overcome that…
Don't think they'll keep me private & safe...but I do think they'll try harder & more earnestly than the rest of the gang attempting it.
[0] https://protonvpn.com/blog/5-eyes-global-surveillance/
Funny, that's the exact deal we have with guns - we accept some amount of mass child murder as the cost of the 2nd Amendment.
Another datapoint that the 2nd is now considered more absolute than the 1st.