Should I trust Proton?
from somerandomperson@lemmy.dbzer0.com to privacy@lemmy.ml on 23 Jul 13:17
https://lemmy.dbzer0.com/post/49596887

If not, what alternatives can I use?

#privacy

drkt@scribe.disroot.org on 23 Jul 13:24

It’s a corporation, so, no.

You need to specify what you want an alternative to, as Proton hosts a lot of services.

somerandomperson@lemmy.dbzer0.com on 23 Jul 13:41

OK then, what alternative do I have to Proton Mail?

drkt@scribe.disroot.org on 23 Jul 13:50

Tuta are better, but not much. They’ve been getting worse every year.

I switched to Disroot early this year and it’s been smooth sailing. They’re not a corporation, and I can talk to them directly and not some dumb outsourced support staff.

somerandomperson@lemmy.dbzer0.com on 23 Jul 14:51

OK, will switch to Disroot now. I wonder what my address will be now…

kautau@lemmy.world on 23 Jul 15:45

Your best bet is to purchase your own domain name for email and learn how to switch DNS / MX records, so if you need to switch email providers you aren’t constantly changing your email address

BastingChemina@slrpnk.net on 23 Jul 18:45

This is slightly more involved but it is the best option. This way it does not matter if proton is a good alternative or not, you can easily switch whenever you want.

kautau@lemmy.world on 23 Jul 18:49

Agreed. The only general issue is moving or archiving your emails if you need to move services or servers, but that’s easy enough to ensure you aren’t locked into somewhere as opposed to keeping each old account and setting up email forwarding

Trickle8305@hexbear.net on 23 Jul 15:15

Ty for sharing. This like something I can get behind! ✊

Zerush@lemmy.ml on 24 Jul 11:40

Murena Mail (Workspace, with several apps, similar to Google Docs, but better) is also a good choice. Murena products rely on open-source software, including the deGoogled operating system /e/OS and NextCloud, partner companies, among others, Fairphone. EU

FriendOfDeSoto@startrek.website on 23 Jul 13:30

I think you can trust the operational side of it. I don’t think they’ve had many detrimental oopsies, the services work. I used them for a year and then jumped ship. One reason is the favorable comments by their CEO about the 47 administration, which I didn’t like. Another reason is the nitty gritty - they don’t clearly advertize what’s part of what package and I felt that was by design to get you to upgrade. And they definitely see themselves as a basket for all of your eggs. If you are moving there because you want to degoogle your life you end up just protonizing it. It’s better to spread around your stuff so you’re not dependent on one provider. If you just want a good VPN and don’t care about the rest of their services and the politics, you could make worse choices.

Arkhive@piefed.blahaj.zone on 23 Jul 15:44

I want to boost this approach. At first I just wholesale swapped to the full Proton Suite as a G-Suite replacement. But I quickly decided I did not want all my eggs in their basket, so I kept their VPN because it’s got good interfaces for mobile while also playing nice with OpenVPN on Linux, and then I’ve used other solutions for email and cloud and such, self hosting wherever possible.

SheeEttin@lemmy.zip on 23 Jul 13:41

That depends on your risk tolerance, which is a decision you have to make yourself.

TranquilTurbulence@lemmy.zip on 23 Jul 14:58

The real question is, where do you draw the line. You can even make a convincing case that gmail can be trusted with your data. Actually, many people feel that way, so it’s not a bizarre or rare stance. Alternatively, you can also say that self hosting everything is the only way to be sure.

SheeEttin@lemmy.zip on 23 Jul 16:48

Yup. I’ve weighed the costs and benefits, and I’m still using Gmail myself.

TranquilTurbulence@lemmy.zip on 23 Jul 22:17

Exactly. If you’re worried about random hackers getting their hands on your emails, gmail is totally good enough. If you’re worried about something else, it might not be. Depends on what exactly “keeps you awake at night”.

Plebcouncilman@sh.itjust.works on 23 Jul 13:54

I recently moved away from Gmail and when I was researching what my new email client would be I considered Proton seriously for a while. But what I realized is that the privacy aspect of it is pretty much useless unless everyone you are communicating with is also using Proton. I went with iCloud, it’s free and it’s good enough for my use case.

JumpyWombat@lemmy.ml on 23 Jul 15:09

My main issue with iCloud is that it’s American and that they may open my data to institutional monitoring upon request. Great in general, but it’s not designed for privacy.

Zerush@lemmy.ml on 23 Jul 16:11

Use Filen, it’s a German cloudprovider, encrypted, zero knowledge and 10 GB for free.

umbrella@lemmy.ml on 24 Jul 05:04

may open

it’s worse, snowden has already leaked they do open it.

lIlIlIlIlIlIl@lemmy.world on 23 Jul 14:34

techstory.in/proton-mail-faces-backlash-over-clai…

It’s fine, closed source is fine. Trust us bro

Zerush@lemmy.ml on 23 Jul 15:03

All Proton apps and services are OpenSource.

This article is somewhat biased, yes, they handed out an IP of an to the authorities, this is mandatory for every service in a criminal investigation if there is a court order present, they must give the data which they have about the user, even Lemmy must do it if there is a court order about a user. Any service in the web must fulfill the laws of the country in which it’s operating. This has nothing to do with privacy or trust about the service, also not if it is OpenSource or Proprietary. A service also can’t avoid that it is used by republicans in the US, or that one of the employees is a right winger. The CEO of the Brave Browser (FOSS) as example. Can Lemmy avoid that a Nazi use it in an own instance?

lIlIlIlIlIlIl@lemmy.world on 23 Jul 16:41

Their LLM is not

rumba@lemmy.zip on 24 Jul 10:21

Neither are their mail servers.

They’ve open sourced their clients.

Made with 100% real oranges and also a load of preservatives in sugar.

Their PR department lies and tells partial truths way too much for a privacy company.

0xtero@beehaw.org on 23 Jul 14:39

Depends on your threat model. What are you defending against?

somerandomperson@lemmy.dbzer0.com on 23 Jul 14:53

I am defending against anyone that uses my data for non-essential purposes. Well, not all non-essential purposes; I mean ads, personalization, AI, selling it for profit, etc.

JumpyWombat@lemmy.ml on 23 Jul 15:03

To my knowledge Proton doesn’t sell your data and there were no leaks in the past. It is also true for a lot of its competitors though.

Note: I use Proton for some things.

somerandomperson@lemmy.dbzer0.com on 23 Jul 15:07

But, here’s the twist: there’s a controversy because of the recent AI and the CEO being Pro-trump.

JumpyWombat@lemmy.ml on 23 Jul 15:11

I don’t think that controversy about Trump is concerning in any way. The AI could be interesting instead.

Steve@communick.news on 23 Jul 16:35

Having an AI isn’t problematic at all; Forcing it into places where people don’t want it is.

And the CEO being pro Rump is a stretch. He approved of one Rump policy. Hell I hate the man and believe him a cancer to the world, but even I can point to a couple things I like he did.

sunzu2@thebrainbin.org on 23 Jul 16:48

Let me take your encrypted data and put it through my service where I can see all of it...

Steve@communick.news on 23 Jul 20:04

That’s not how LLMs work.

sunzu2@thebrainbin.org on 23 Jul 20:09

Well then please do educate the class on how it works

Steve@communick.news on 23 Jul 20:23

They do text prediction based on the training data. If the training data is all encrypted gibberish, it’ll only output gibberish.

sunzu2@thebrainbin.org on 23 Jul 20:39

I assumed you would need to let LLM to access your data for it to be any market advantage v generic llm.

If this is just a generic llm that doesn't have access to your data then my point above is not an issue.

0xtero@beehaw.org on 23 Jul 15:35

Then Proton should be fine. As far as I know, they don’t sell user data.

Of course as soon as you send an email or receive it from someone else, there’s a chance it will be mined, but while it’s ”at rest” on Proton servers it should fulfill your model just fine.

appropriateghost@lemmy.ml on 24 Jul 16:47

Excuse my ignorance, but I understand that once you receive mail from someone with shared pgp keys, they’d have no way to read the contents.

But when I receive an email from any service that sends me mail, or from a friend that doesn’t use PGP, it sits encrypted in my account… but how do we know proton isn’t ‘reading’ the contents when it is delivered and before it is encrypted in the account?

Is there a possibility of data mining or them storing the contents on their end? like a mirror image?

0xtero@beehaw.org on 24 Jul 18:28

If and when you send or receive e-mail encrypted by PGP, the body (contents) of the message is indeed encrypted and you’re safe from snooping and data collection, which is great. However, privacy-wise this might actually be a bad thing, because almost no one uses PGP and using it makes you stand out in a sea of normal e-mail users for someone who collects and analyzes a lot of data. So if that’s your threat model, using PGP might actually be dangerous. Also, you have to remember and remind everyone to use PGP, which is cumbersome if you correspond with non-techie people. You don’t really know how they handle “their side” and PGP software is notoriously not very user friendly.

Whenever you send someone unencrypted e-mail from your Proton account, there’s a chance that the recipient’s e-mail provider (most likely Google or Microsoft) reads it. Same when they send it to you. It doesn’t actually matter that the message sits encrypted “at rest” in your Proton account’s Sent Items, the contents have already been read, indexed and sold to a broker.

It’s very hard to do e-mail privacy because the protocol itself doesn’t have any built-in. It’s better to use other communication methods for sensitive transactions.

appropriateghost@lemmy.ml on 24 Jul 19:24

Good explanation, and I figured the same.

I feel the ‘encrypted at rest’ is then a false sense of security. Alas it is much better than gmail, etc.

Zerush@lemmy.ml on 23 Jul 14:47

Swiss have one of the strongest privacy laws and Proton is pretty safe to use.

sunzu2@thebrainbin.org on 23 Jul 16:47

Laws don't mean shit when it comes to national security issues and everything is a national security issue nowadays.

Also, Swiss are changing their national security laws and proton is looking to move some servers out of there so how good these laws really are?

Proton is good for to ZK encryption that has yet to be debunked.

XTL@sopuli.xyz on 23 Jul 22:16

Iirc just reading proton’s own stories page showed that they keeled over for any and presumably every request that came their way.

sunzu2@thebrainbin.org on 23 Jul 22:18

Sure but that's nothing to do with anything that's how all corpo parasite behave... They are here to make money on you, not to protect you from state actors

rumba@lemmy.zip on 24 Jul 09:43

This is absolutely not the case. Swiss courts compel them to act on whoever asked them for information; they’ve doxed activists. theverge.com/…/protonmail-swiss-court-order-frenc…

Edit: more

cybernews.com/…/proton-considers-relocation-from-…

yetAnotherUser@discuss.tchncs.de on 24 Jul 22:24

Can you list countries with stronger privacy laws that woud not have forced Proton to provide this information to law enforcement of a friendly country?

rumba@lemmy.zip on 25 Jul 01:41

You need a place that’s not in this list

protonvpn.com/blog/5-eyes-global-surveillance?

yetAnotherUser@discuss.tchncs.de on 25 Jul 03:57

That’s for government intelligence agencies though? Proton had to identify the activists due to a French court order which Switzerland enforced since these two countries cooperate to some extent.

Are there countries with solid privacy regulation which refuse to enforce court orders by friendly/allied nations?

dukatos@lemmy.zip on 24 Jul 10:18

Not for long: vice

Stillwater@sh.itjust.works on 23 Jul 15:45

I trust Proton’s privacy aims as much as I can trust any corporation, which is to say very little but way more than Google. I do feel the company prioritizes privacy and eg. bases itself in countries with privacy respecting laws (hence leaving Switzerland after their recent legal changes that risk privacy). I think this is a more important signal than the CEO’s tweet supposedly favorable to Trump (which I don’t like but also don’t find damning enough to override their commitment to privacy).

When I researched alternatives after leaving Google I ended up choosing Proton (I also considered Tuta) for Mail & Calendar. For me they are the best option for privacy and usability, and something my non-tech family can use, which is a major win because otherwise they would not be able to leave Gmail.

I don’t use their other services because I don’t want to put more eggs in the same basket.

SpookyMulder@twun.io on 23 Jul 15:51

If you’re using Gmail, and you’re considering alternatives for privacy reasons, then 100% without a doubt, objectively and unequivocally, Proton is the better choice of the two.

There are other email providers with privacy assurances, and yes, you can self-host, but don’t let perfection be the enemy of the good.

To address the trustworthiness of Proton directly: I’ve been a Proton user for about 10 years. It gets the job done. I have complaints, but privacy is not among them.

sunzu2@thebrainbin.org on 23 Jul 16:46

Proper analysis... The only issue with proton is lack of focus on the people who use their product and bootlicker CEO tried kissing pedo king's ring

Jason2357@lemmy.ca on 24 Jul 06:57

They overhype their marketing which can lead to a false sense of security. Rein in the marketing department and present their tools for what they are and they’d be more trustworthy.

pahulf@lemmy.world on 23 Jul 17:40

I think they are trustworthy and the sexy alternative to Gmail. I’ve been testing both Proton and Tuta as my replacement. Proton is more expensive, but provides more services. Tuta is smaller, cheaper and gives off a user centric vibe. Proton seems to be emulating bigtech a bit too much with their release of a privacy chatbot today. I’m personally leaning towards keeping Tuta over Proton.

s3rvant@lemmy.ml on 23 Jul 17:42

Proton just completed their SOC 2 Type II audit:
proton.me/blog/soc-2

Accomplishments like this are why I continue to trust Proton and remain a paid user.

stink@lemmygrad.ml on 23 Jul 17:55

Gonna be honest after working in the industry and seeing how corrupt auditing is (incompetent auditors, even some auditors getting paid off) these things don’t make much of a dent to my decision making.

I say this as someone who pays for Proton.

s3rvant@lemmy.ml on 23 Jul 18:33

Valid to an extent. I’ve personally experienced various audits whether for ISO, PCI or SOC and the quality of the auditor certainly does vary though I’ve not encountered one I would consider incompetent; the audits have always been rigorous. I’ve not personally seen bribery though I have seen where an auditor might relax how aggressively they look for issues over the years of getting to know the people and quality of the company.

Stowaway@midwest.social on 24 Jul 01:43

I think soc 2 type ii is nice, but I also don’t think it really says much about privacy in the context of me trusting what a business will do with my personal data. It’s been 4 or so years since I’ve done an soc audit, so please correct me if I’m wrong. From what I recall it’s primarily geared toward security in general and when they say privacy, they mean securing your data from use unauthorized by the business.

The distinction I’m making here is that, from what I recall, soc 2 type ii says nothing about what can be done with your data (e.g. selling data to brokers, training ai, targeting ads, unclear/communicated eula changes, etc.). During these, and most other, security audits you can make business arguments as to why you should be exempt from various security mechanism or configs. These systems also don’t protect from techno fascist douchebaggery like feeding the government information on individuals without warrant or just cause, to assist in targeting minorities or activists for example.

To be clear, I use proton, I think it’s great, and MOSTLY trust them with my data. I do also like that they got soc 2 type ii, I wasn’t aware till now so thanks for the heads up. I’m not accusing or trying to infer any wrong doing either. Mostly trying to point out this doesn’t resolve potential abuses some folks may have concerns about after ceo/board member/whateverthefuckingtitleis drama.

Thanks for coming to my ted talk…

umbrella@lemmy.ml on 23 Jul 18:11

the ceo is potentially fascist. they might be ok now, but there’s no way to trust it long term if that’s what you are hiding from.

if you are coming from gmail or hotmail it’s gonna be better, but that’s kind of a low bar.

bonus_crab@lemmy.world on 23 Jul 23:11

Is there more evidence for that aside for a single tweet made after the election?

[deleted] on 24 Jul 01:08

.

umbrella@lemmy.ml on 24 Jul 01:08

no need for further ‘proof’ of something he just up and said himself in a couple of tweets. with a service you don’t host yourself, you have to trust they won’t do funny business.

here is the thing: you should be questioning that trust when their ceo feels like publicly praising a fascist who is already doing a lot of damage to what’s left of the privacy he was supposed to uphold. it goes without saying but total surveillance and open fascism won’t do well to mix.

because of that even if the dude is doing that by ignorance (and time may tell anyway), the trust in their decisions is still eroded, except it’s out of ignorance instead of malice.

bonus_crab@lemmy.world on 24 Jul 07:19

I just don’t think soapboxing on the internet really accomplishes anything. Donald Trump is a fascist cunt but if he can be tricked into doing something decent by some brown nosing then sure.

umbrella@lemmy.ml on 24 Jul 07:46

that schmuck is definitely not ‘tricking’ the sitting president of one of the biggest empires in history and his advisors, that’s a bit out there. honestly just looks like he’s shutting up and sweeping it under the rug, business as usual.

being safe with tech and who you trust is much more important with the circumstances mentioned in mind though, and this very comm shows why frequently.

if you don’t want or care to take it, then leave it. this thread has other takes to peruse.

rumba@lemmy.zip on 24 Jul 09:41

theverge.com/…/protonmail-swiss-court-order-frenc…

Niquarl@lemmy.ml on 25 Jul 02:28

Not sure how that shows evidence that the CEO is a fascist?

umbrella@lemmy.ml on 27 Jul 23:18

it definitely shows evidence proton is not that trustworthy

Niquarl@lemmy.ml on 31 Jul 02:32

Maybe but it doesn’t answer the question afaik

umbrella@lemmy.ml on 31 Jul 03:57

i don’t think it matters if between bumbling idiot or covert fascist, the end result ends up being almost the same.

DrunkAnRoot@sh.itjust.works on 24 Jul 01:49

run mailbox.org bring your own encryption

[deleted] on 24 Jul 09:54

.

DrunkAnRoot@sh.itjust.works on 24 Jul 13:02

i use them they’re good my only issue is some of their docs don’t have good english versions but other than that they’re great and they support custom domains

portnull@lemmy.dbzer0.com on 24 Jul 15:17

Just switched there from Tuta. I was having a lot of issues with the mobile app being slow. So far everything is working well and they also offer storage and video chat

hanrahan@slrpnk.net on 24 Jul 08:53

For what? Security or anonymity? Likely yes for the first but no for the second. For example

theverge.com/…/protonmail-swiss-court-order-frenc…

czl@lemmy.dbzer0.com on 24 Jul 10:55

People get their panties in a twist over this one, but they still operate within the law. What should they have done here, not complied? It’s a court order, from their country.

girsaysdoom@sh.itjust.works on 24 Jul 13:45

I think OP’s question is still relevant in that context. Does that case reduce their effort towards privacy? I believe the answer is yes.

rumba@lemmy.zip on 24 Jul 10:17

I was actively looking to move my family over there.

When the CEO spouted his Trump BS it made me look a little harder.

I see that they’ve doxed an activist.

They claim to be open source and then as you drill down you find out that some of their stuff is open source and some is not.

Switzerland looking at amending their privacy laws to further force companies to log and dox VPN users. Proton claim they would be willing to move the company outside of Switzerland if these laws take effect but will have to wait and see I guess.

There’s a crap ton of either PR or fanboying going on for this company. I really want to see them get their shit together but you can’t just discount this stuff like it’s not happening. 400 people running around going I have never had any trouble with them privacy wise, and I don’t think they all sell any of my data, It’s not a good indicator of a company’s privacy prowess.

I think we have good enough reason not to trust the CEO from his Twitter, and I think their marketing department is slimy as shit. I think the country they’re based out of is going to force them to comply with too many court orders.

I’d say they’re less likely to market your data than Google/Microsoft. But they’re also less likely to anonymize it correctly if they do so. Since Google runs their own ad network they don’t need to sell your private data to other people to use it to market against you.

If Trump called up Andy Yen and asked him for a name, home address, IP address, phone number, and credit card mapping for all of his users he would fall over himself to provide that for hopes of a government contract. That doesn’t sit well with me for a privacy concept.

If you’re not worried about being doxed by a state agency, and would just prefer your data not be sold rather than it being an absolute critical thing because they might not sell your data, they’re definitely good enough.

If you’re a little worried about putting all your eggs in one basket and want to be able to move from company to company without turning the world over, I would look at tuta and disroot, mullvad and backblaze. Or maybe even self-hosting nextcloud for the storage component on one of those services that allows you to just spin up nextcloud on a vps with single click.

communism@lemmy.ml on 24 Jul 18:51

  1. You shouldn’t “trust” as a basis for security or privacy. Eg for protonmail, Proton can still read your incoming emails if they arrive unencrypted; the only way to avoid that is to send E2EE email, which unfortunately most email is not. You should assume that if they can, then they are.

  2. If you have to use proton for whatever reason (can’t afford to pay to self-host things, don’t know how to and don’t have time to learn, etc), it’s perfectly fine for everyday use for things that are not particularly sensitive ie you don’t have a highly resourced state actor actively trying to obtain that data. Just always keep the first thing in mind. Too many people treat anything that calls itself “encrypted” as a silver bullet.
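An added example, not part of any comment in this thread: a small Python check of what any mail server handling a message can read, illustrating the point made above by 0xtero and communism that only end-to-end encrypted mail hides the body from the provider. The sample messages, function names and addresses are constructed for illustration.

```python
from email import message_from_string
from email.message import Message

PGP_ARMOR = "-----BEGIN PGP MESSAGE-----"

# Constructed sample messages (not real mail, no real ciphertext).
PLAIN = """\
From: shop@example.com
To: me@example.net
Subject: Your order has shipped
Content-Type: text/plain; charset="utf-8"

Tracking number: 0000 (constructed)
"""

PGP_MIME = """\
From: alice@example.org
To: me@example.net
Subject: Meeting notes
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

PGP_INLINE = """\
From: carol@example.org
To: me@example.net
Subject: hi
Content-Type: text/plain; charset="utf-8"

-----BEGIN PGP MESSAGE-----
(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
"""


def _text(part: Message) -> str:
    """Decode one MIME part's payload to text, tolerating bad bytes."""
    return (part.get_payload(decode=True) or b"").decode("utf-8", "replace")


def body_protection(msg: Message) -> str:
    """Classify the body as 'pgp-mime', 'pgp-inline' or 'plaintext'."""
    proto = msg.get_param("protocol")
    if (msg.get_content_type() == "multipart/encrypted"
            and isinstance(proto, str)
            and proto.lower() == "application/pgp-encrypted"):
        return "pgp-mime"
    text_parts = [p for p in msg.walk() if p.get_content_maintype() == "text"]
    # Inline PGP only counts if every text part is armored ciphertext.
    if text_parts and all(PGP_ARMOR in _text(p) for p in text_parts):
        return "pgp-inline"
    return "plaintext"


def provider_view(raw: str) -> dict:
    """What a server that receives or relays this message can read."""
    msg = message_from_string(raw)
    protection = body_protection(msg)
    return {
        "protection": protection,
        "body_readable": protection == "plaintext",
        # PGP protects the body only; these headers travel in the clear.
        "visible_headers": {h: msg[h] for h in ("From", "To", "Subject") if msg[h]},
    }


if __name__ == "__main__":
    for name, raw in (("plain", PLAIN), ("pgp-mime", PGP_MIME), ("pgp-inline", PGP_INLINE)):
        print(name, provider_view(raw))
```
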

pineapple@lemmy.ml on 27 Jul 14:32

Do you self-host email?

communism@lemmy.ml on 27 Jul 16:05

Yes

[deleted] on 25 Jul 02:54

.

cookie019@lemmy.dbzer0.com on 27 Jul 11:06

Posteo.de