If not, what alternatives can i use?
According to Proton’s AI answers:
Proton Mail is designed with a strong commitment to user privacy and security. Here’s what you need to know about the information Proton Mail can provide to law enforcement:
Encryption: Proton Mail uses end-to-end encryption, which means that the content of emails is encrypted on the user's device and can only be decrypted by the intended recipient. Proton Mail cannot read or access the content of your emails. Metadata: Proton Mail can access certain metadata associated with user accounts, such as: Account creation date Last login time IP addresses used to access the account Email headers (sender, recipient, subject line, timestamps) Legal Process: Proton Mail will only disclose user information to law enforcement if it receives a valid legal request, such as a court order or subpoena, that complies with Swiss law. Proton Mail is subject to Swiss privacy laws, which are among the strictest in the world. No Backdoor Access: Proton Mail does not have backdoor access to user data. The company is committed to protecting user privacy and will resist unnecessary or overly broad requests for information. Transparency Reports: Proton regularly publishes transparency reports detailing the number and nature of legal requests it receives. These reports provide insight into how Proton handles requests for user information.In summary, while Proton Mail can provide certain metadata to law enforcement under valid legal requests, the content of encrypted emails remains private and inaccessible to Proton or any third parties.
Metadata in the context of Proton Mail refers to the additional information associated with your emails that is not part of the actual email content. While the content of your emails is end-to-end encrypted and only accessible to the sender and recipient, metadata can include the following details:
Account Information: Account creation date Account status (active, suspended, etc.) Login Information: Timestamps of when you last logged in IP addresses used to access your account Email Headers: Sender's email address Recipient's email address Subject line of the email Timestamps indicating when the email was sent, received, or read Information about the email's path through servers (though Proton Mail minimizes this due to its encryption practices) Message Status: Whether an email has been sent, delivered, or read (if read receipts are enabled)It’s important to note that while metadata can provide some context about email activity, the actual content of the emails remains encrypted and private. Proton Mail is designed to minimize the amount of metadata collected and stored, and it will only disclose metadata to law enforcement if it receives a valid legal request that complies with Swiss law.
Yes, there have been instances where law enforcement agencies have made valid legal requests to Proton, and in some cases, these requests have led to investigations or arrests. However, Proton’s transparency reports do not provide specific details about individual cases to protect user privacy and comply with legal confidentiality requirements.
Proton regularly publishes transparency reports that summarize the number and types of legal requests it receives, as well as how it responds to those requests. These reports provide insight into the nature of the requests and Proton’s commitment to user privacy.
For example, Proton’s transparency reports may indicate the number of requests received from law enforcement agencies, the types of information requested, and whether Proton provided any information in response. However, the reports do not name individuals or provide specifics about individual cases.
If you’re interested in learning more about Proton’s transparency reports, you can find them on Proton’s official website. These reports demonstrate Proton’s commitment to balancing user privacy with legal obligations.
Just found out they have a proprietary AI service…
-
You shouldn’t “trust” as a basis for security or privacy. Eg for protonmail, Proton can still read your incoming emails if they arrive unencrypted; the only way to avoid that is to send E2EE email, which unfortunately most email is not. You should assume that if they can, then they are.
-
If you have to use proton for whatever reason (can’t afford to pay to self-host things, don’t know how to and don’t have time to learn, etc), it’s perfectly fine for everyday use for things that are not particularly sensitive ie you don’t have a highly resourced state actor actively trying to obtain that data. Just always keep the first thing in mind. Too many people treat anything that calls itself “encrypted” as a silver bullet.
Do you self-host email?
-
If you’re using Gmail, and you’re considering alternatives for privacy reasons, then 100% without a doubt, objectively and unequivocably, Proton is the better choice of the two.
There are other email providers with privacy assurances, and yes, you can self-host, but don’t let perfection be the enemy of the good.
To address the trustworthiness of Proton directly: I’ve been a Proton user for about 10 years. It gets the job done. I have complaints, but privacy is not among them.
Proper analysis. … The only issue with proton is lack of focus on the people who use their product and bootlicker CEO tried kisisng pedo king’s ring
They over hype their marketing which can lead to a false sense of security. Reign in the marketing department and present their tools for what they are and they’d be more trustworthy.
I was actively looking to move my family over there.
When the CEOs spouted his Trump BS it made me look a little harder.
I see that they’ve doxed an activist.
They claim to be open source and then as you drill down you find out that some of their stuff is open source and some is not.
Switzerland looking at amending their privacy laws to further force companies to log and dox VPN users. Proton claim they would be willing to move the company outside of Switzerland if these laws take effect but will have to wait and see I guess.
There’s a crap ton of either PR or fanboying going on for this company. I really want to see them get their shit together but you can’t just discount this stuff like it’s not happening. 400 people running around going I have never had any trouble with them privacy wise, and I don’t think they all sell any of my data, It’s not a good indicator of a company’s privacy prowess.
I think we have good enough reason not to trust the CEO from his Twitter, and I think their marketing department is slimy as shit. I think the country they’re based out of is going to force them to comply with too many court orders.
I’d say there less likely to market your data than Google/Microsoft. But they’re also less likely to anonymize it correctly if they do so. Since Google runs their own ad network they don’t need to sell your private data to other people to use it to market against you.
If Trump called up Andy Yen and asked him for a name, home address, IP address, phone number, and credit card mapping for all of his users he would fall over himself to provide that for hopes of a government contract. That doesn’t sit well with me for a privacy concept.
If you’re not worried about being doxed by a state agency, and would just prefer your data not be sold rather than it being a absolute critical thing because they might not sell your data, there definitely good enough.
If you’re a little worried about putting all your eggs in one basket and want to be able to move from company to company without turning the world over, I would look at tuta and disroot, mulvad and backblaze. Or maybe even self-hosting nextcloud for the storage component on one of those services that allows you to just spin up nextcloud on a vps with single click.
For what ? Security or anonymity ? Likely yes for the first but no for the second. For example
People get their panties in a twist over this one, but they still operate within the law. What should they have done here, not complied? It’s a court order, from their country.
I think OPs question is still relevant in that context. Does that case reduce their effort towards privacy? I believe the answer is yes.
run mailbox.org bring your own encryption
Is this legit? I’d rather give my money to an European company
i use them there good my only issue is some of there docs dont have good english versions but other then that there great and they support custom domains
the ceo is potentially fascist. they might be ok now, but there’s not way to trust it long term if that’s what you are hiding from.
if you are coming from gmail or hotmail, its gonna be better, but that’s kind of a low bar.
Is there more evidence for that aside for a single tweet made after the election?
Not sûre how that shows evidence that the CEO is a fascist ?
no need for further ‘proof’ of something he just up and said himself in a couple of tweets. with a service you don’t host yourself, you have to trust they won’t do funny business.
here is the thing: you should be questioning that trust when their ceo feels like publicly praising a fascist who is already doing a lot of damage to whats left of the privacy he was supposed to uphold. it goes without saying but total surveillance and open fascism won’t do well to mix.
because of that even if the dude is doing that by ignorance (and time may tell anyway), the trust in their decisions is still eroded, except its out of ignorance instead of malice.
I just dont think soapboxing on the internet really accomplishes anything. Donald Trump is an fascist cunt but if he can be tricked into doing something decent by some brown nosing then sure.
Proton just completed their SOC 2 Type II audit:
https://proton.me/blog/soc-2Accomplishments like this are why I continue to trust Proton and remain a paid user.
I think soc 2 type ii is nice, but I also don’t think it really says much about privacy in the context of me trusting what a business will do with my personal data. its been 4 or so years since if done an soc audit, so please correct me if I’m wrong. From what I recall its primarily geared toward security in general and when they say privacy, they mean securing your data from use unauthorized by the business.
The distinction im making here is that, from what I recall, soc 2 type ii says nothing about what can be done with your data (e.g. selling data to brokers, training ai, targeting ads, unclear/communicated eula changes, etc.). During these, and most other, security audits you can make business arguments as to why you should be exempt from various security mechanism or configs. These systems also don’t protect from techno fascist douchebaggery like feeding the government information on individuals without warrant or just cause, to assist in targeting minorities or activists for example.
To be clear, I use proton, I think its great, and MOSTLY trust them with my data. I do also like that they got soc 2 type ii, i wasnt aware till now so thanks for the heads up. I’m not accusing or trying to infer any wrong doing either. Mostly trying to point out this doesn’t resolve potential abuses some folks may have concerns about after ceo/board member/whateverthefuckingtitleis drama.
Thanks for coming to my ted talk…
Gonna be honest after working in the industry and seeing how corrupt auditing is (incompetent auditors, even some auditors getting paid off) these things don’t make much of a dent to my decision making.
I say this as someone who pays for Proton.
Valid to an extent. I’ve personally experienced various audits whether for ISO, PCI or SOC and the quality of the auditor certainly does vary though I’ve not encountered one I would consider incompetent; the audits have always been rigorous. I’ve not personally seen bribery though I have seen where an auditor might relax how aggressively they look for issues over the years of getting to know the people and quality of the company.
I think they are trustworthy and the sexy alternative to Gmail. I’ve been testing both Proton and Tuta as my replacement. Proton is more expensive, but provides more services. Tuta is smaller, cheaper and gives off a user centric vibe. Proton seems to be emulating bigtech a bit too much with their release of a privacy chatbot today. I’m personally leaning towards keeping Tuta over Proton.
I trust Proton’s privacy aims as much as I can trust any corporation, which is to say very little but way more than Google. I do feel the company prioritizes privacy and eg. bases itself in countries with privacy respecting laws (hence leaving Switzerland after their recent legal changes that risk privacy). I think this is a more important signal than the CEO’s tweet supposedly favorable to Trump (which I dont like but also dont find damning enough to override their commitment to privacy).
When I researched alternatives after leaving Google I ended up choosing Proton (I also considered Tuta) for Mail & Calendar. For me they are the best option for privacy and usability, and something my non-tech family can use, which is a major win because otherwise they would not be able to leave Gmail.
I dont use their other services because I don’t want to put more eggs in the same basket.
Swiss have one of the strongest privacy laws and Proton is pretty save to use.
Not for long: vice
This is absolutely not the case. Swiss courts compel them to act on whoever asked them for information they’ve doxed activists. https://www.theverge.com/2021/9/6/22659861/protonmail-swiss-court-order-french-climate-activist-arrest-identification
Can you list countries with stronger privacy laws that woud not have forced Proton to provide this information to law enforcement of a friendly country?
You need a place that’s not in this list
That’s for government intelligence agencies though? Proton had to identify the activists due to a French court order which Switzerland enforced since these two countries cooperate to some extent.
Are there countries with solid privacy regulation which refuse to enforce court orders by friendly/allied nations?
Laws don’t mean shit when it comes to national security issues and everything is a national security issue nowadays.
Also, Swiss are chamge their national security laws and proton is looking to love some servers out of there so how good these laws really are?
Proton is good for to ZK encryption that has yet to be debunked.
Iirc just reading proton’s own stories page showed that they keeled over for any and presumably every request that came their way.
Sure but thats nothing to do with anything that’s how all corpo parasite behave… They are here to make money on you, not to protect you from state actors
Depends on your threat model. What are you defending against?
I am defending against anyone that uses my data for non-essential purposes. Well, not all non-essential purposes; i mean ads, personalization, AI, selling it for profit, etc.
Then Proton should be fine. As far as I know, they don’t sell user data.
Of course as soon as you send an email or receive it from someone else, there’s a chance it will be mined, but while it’s ”at rest” on Proton servers it should fulfill your model just fine.
excuse me ignorance, but I understand that once you receive mail from someone with shared pgp keys, they’d have no way to read the contents.
But when I receive an email from any service that sends me mail, or from a friend that doesn’t use PGP, it sits encrypted in my account… but how do we know proton isn’t ‘reading’ the contents when it is delivered and before it is encrypted in the account?
Is there a possibility of data mining or them storing the contents on their end? like a mirror image?
If and when you send or receive e-mail encrypted by PGP, the body (contents) of the message is indeed encrypted and you’re safe from snooping and data collection, which is great. However, privacy-wise this might actually be a bad thing, because almost no one uses PGP and using it makes you stand out in a sea of normal e-mail users for someone who collects and analyzes lot of data. So if that’s your threat model, using PGP might actually be dangerous. Also, you have to remember and remind everyone to use PGP, which is cumbersome if you correspond with non-techie people. You don’t really know how they handle “their side” and PGP software is notoriously not very user friendly.
Whenever you send someone unencrypted e-mail from your Proton account, there’s a chance that the recipients e-mail provider (most likely Google or Microsoft) reads it. Same when they send it to you. It doesn’t actually matter that the message sits encrypted “at rest” in your Proton accounts Sent Items -, the contents have already been read, indexed and sold to a broker.
It’s very hard to do e-mail privacy because the protocol itself doesn’t have any built-in. It’s better to use other communication methods for sensitive transactions.
Good explanation, and I figured the same.
I feel the ‘encrypted at rest’ is then a false sense of security. Alas it is much better than gmail, etc.
To my knowledge Proton doesn’t sell your data and there were no leaks in the past. It is also true for a lot of its competitors though.
Note: I use Proton for some things.
But, here’s the twist: there’s a controversy because of the recent AI and the CEO being Pro-trump.
Having an AI isn’t problematic at all; Forcing it into places where people don’t want it is.
And the CEO being pro Rump is a stretch. He approved of one Rump policy. Hell I hate the man and believe him a cancer to the world, but even I can point to a couple things I like he did.
Let me take your encrypted data and put it through my service where I can see all of it…
That’s not how LLMs work.
Well then please do educate the class on how it works
I don’t think that controversy about Trump is concerning in any way. The AI could be interesting instead.
It’s fine, closed source is fine. Trust us bro
All Proton apps and services are OpenSource.
This article is somewhat biased, yes, they handled out an IP of an to the authorities, this is mandatory for every service in a criminal investigation if there is an court order present, they must give the data which they have about the user, even Lemmy must do it if there is an court order about an user. Any service in the web must fullfit the laws of the country in which it’s operating. This has nothing to do with privacy or trust about the service, also not if it is OpenSource or Proprietary. A service also can’t avoid that it is used by republicans in the US, or that one of the employees is a right winger. The CEO of the Brave Browser (FOSS) as example. Can Lemmy avoid that an Nazi use it in a own instance?
Their LLM is not
Neither are there mail servers.
They’ve open sourced their clients.
Made with 100% real oranges and also a load of preservatives in sugar.
Their PR department lies and tells partial truths way too much for a privacy company.
I recently moved away from Gmail and when I was researching what my new email client would be I considered Proton seriously for a while. But what I realized is that the privacy aspect of it is pretty much useless unless everyone you are communicating with is also using Proton. I went with iCloud, it’s free and it’s good enough for my use case.
My main issue with iCloud is that it’s American and that they may open my data to institutional monitoring upon request. Great in general, but it’s not designed for privacy.
may open
its worse, snowden has already leaked they do open it.
Use Filen, it’s a German cloudprovider, encrypted, zero knowledge and 10 GB for free.
That depends on your risk tolerance, which is a decision you have to make yourself.
The real question is, where do you draw the line. You can even make a convincing case that gmail can be trusted with your data. Actually, many people feel that way, so it’s not a bizarre or rare stance. Alternatively, you can also say that self hosting everything is the only way to be sure.
Yup. I’ve weighed the costs and benefits, and I’m still using Gmail myself.
