Privacy
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn't great, if contents of the website are behind a paywall maybe copy them into the post
- Don't promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
Chat rooms
-
[Matrix/Element]Dead
much thanks to @gary_host_laptop for the logo design :)
seem like they offer a lot for free
i gladly pay for proton knowing that i’m helping fund a critical tool for activists under oppressive regimes :)
more than google at least
Based on my own privacy/security criteria, I chose and payed for protonmail when that was the only thing Proton had. I've been very happy with them and it's nice to see how much they've since popped off.
I trust them, but always remain vigilant, because things can change over time. But the founders initially were scientists who met at CERN, not a company that launched a product. That tells me quite a lot. Yes, over time they are becoming more professional, maybe more like a regular company, but i feel that privacy is still the main priority for them. They also organize a yearly event and the money they raise goes to certain projects that are related to privacy and freedom (if i remember correctly for instance to help journalists remain free press and things like that). Yes, it's one of the few companies that i really trust.
Also, yes, they sometimes are forced to give info to authorities (and they are quite open about that and explain what happened if people ask about that), but don't forget that they don't have much info on their clients, because everything is encrypted and they just cannot see what's inside a mail, for instance. So, they can't share that.
In my view it's either my ISP seeing everything or someone else. I don't trust my ISP, I route my traffic to a different country where I don't live in and them viewing my activity is potentially less of a problem, in my view (just in case they do manage to de-anonymize me)
route my traffic to a different country where I don’t live in and them viewing my activity is potentially less of a problem
Depending on where you live, and where your service resides, this could be tricky.
In the US, for instance, if you've chosen a provider in Australia, then a FVEY agreement could be in place to share that data. This gets around the technicality that intel gathering is not occurring on US soil and is not being done by the gov.
And again with the US, if you've chosen a country that's not amiable to sharing user data, the US could very well be justifying that country as a target for pilfering data anyway.
So, that would leave choosing a service provider within the US, which should need to go through the FISA courts for any access to citizen data, but who knows after the Snowden revelations.
I guess that's the state of privacy if you've got a nation state that's targeted you for surveillance. Only way around it I can think of is data to be encrypted in transit and at rest, and only you control the keys. But that's not something that's going to happen with something like mainstream email anyway, too inconvenient for most folks (and you also don't know if your recipients are security conscious either).
For my threat model and use case, I trust them.
I don't trust them implicitly, but I do believe they are less likely to do certain things than Google which is enough to use them instead of Google for Email.
Proton used to have a deal with the Israeli company Radware, for DDoS protection. They have written a few disclaimers about how Radware only handled incoming traffic still with two encryption layers intact (SSL & OpenPGPjs), as if that was some sort of real protection if a company has access to raw incoming traffic.
Honestly, a company aimed at privacy, boasting of Swiss privacy, should know better than to route anything through Israeli companies.
No.
I trust no single hosted service, but you can use them with caution.
For that one instance, not doing so would have been illegal and probably gotten them hit with a major penalty.
Any email sent to Proton in clear text is 100% accessible to them at the point of entry. They basically promise you that they won’t look at it before encrypting it for storage. So if you trust their promise, it’s all good.
Any email that comes in already end to end encrypted with OpenPGP is not accessible to them ever, kind of. If their client gets hacked and starts sending unencrypted messages to them or someone else, then they have access.
The only way to have a zero trust environment is always having people (or businesses) send you messages encrypted with OpenPGP, and never using Proton’s clients (webmail, mobile app, and desktop bridge). That’s fairly unreasonable, and you might as well use any other email service at that point.
So, you can trust them as much as any other company, because unless you write and run your own email server (which, trust me, is a huge pain in the ass*), that’s your only option.
* I wrote and run an email service called Port87, which launched recently, and there are so many obstacles to doing this, even if you’re only running one user on one domain on one server.
Proton Mail + Tor Browser + diligent OPSEC
Bingo bango, you don't even have to trust them.
You very much do have to trust them. They make the client you’re using.
If someone injects malicious code into their client, it can transmit your mail unencrypted, or even just transmit your private key. Will they inject malicious code into their own client? Almost definitely not. The chances are basically zero. But if they get hacked and someone else does, then it’s the same result.
Also, unless all email you receive is encrypted with OpenPGP, you’re still trusting ProtonMail to encrypt it for you before they put it in their database.
So yes, you still have to trust them.
Wait... okay, I think we're talking about two different things.
Emails you send or receive are not private. End of story. That's nothing to do with the provider; they're just not. SMTP is from the stone age of internet when nothing was private, and the attempts to graft a layer of encryption on top of it are from the bronze age, when encryption wasn't very standardized or well-tested against real threats, and all of that shows. Even if you put a significant amount of work into grafting full end-to-end PGP encryption on top of the best your provider can do to keep your emails private, it doesn't work. Emails are not private.
What I assumed you were interested in was in separating your non-private collection of emails from your real world identity. Proton + Tor will do that, bang on. If you're trying to send and receive messages which are genuinely private, use one of the fairly good options which can do that (Signal or Matrix maybe). If you're trying to send and receive your non-private emails without it being linked to your real world identity, use Proton + Tor. If you're trying to send and receive SMTP emails without people being able to read them, you need to rethink what you want, because you're not going to be able to get that.
Proton can be anonymous, yes, just like every other email service. I think OP was wondering more about how they protect your privacy when you’re using them non-anonymously. I could be wrong though.
But yeah, don’t use email if you don’t trust your email provider. Setting up your own email server for receiving mail isn’t too hard. Most ISPs don’t block incoming traffic on port 25, only outgoing traffic. It’s the sending part that sucks when you run your own server. Even if your ISP doesn’t block outbound port 25, your IP is probably already on several spam blacklists. :(
But yeah, don’t use email if you don’t trust your email provider.
Not sure how much more I can simplify this: The "if you don't trust your email provider" has no place in this sentence. Don't use email if you need the content of your messages to be private. If someone's looking at Proton because they think it'll keep their emails private, then yes, that's a bad idea. But that's not because of the "Proton" part of that sentence; it's because of the "emails" part, and setting up your own SMTP service will do nothing to remedy that (in fact it'll make things worse because it'll put your own IP address into the "Received-By" headers of every email you send out).
...Tor Browser?
Also by "injecting malicious code" do you mean XSS? Yeah, that can happen, and it's usually not Protons fault. The emails are end-to-end encrypted and encrypted while in your inbox with public and private keys.
When I tried to register with a tor ip they asked for my phone number.
Not at all. It woul be trivial for them to steal your private keys from their web client. And yes, we have the code. But it's impossible to verify that the code that is on Github and the one they send to your browser every time you log in is exactly the same.
Also, they make it quite hard to make an anonymous registration. And they've been cooperating with governments. Don't get me wrong, I don't support criminal activity. But I don't trust any government with citizen's data, Snowden proved that.
Edit: Oh and they have bribed various privacy related sites with their affiliate program to recommend their services, which I consider a shady tactic.
I do not trust any company, even if it is "privacy-friendly" or "anonymous". There is no way to proofe this, sure I could view the code but there might just be a slight possibility that the company is saving and stealing your data.Self-Hostinmg is for me the way to go.
Yeah I would trust them. But I don't think I would use them because I just find their mail service to have too much friction in a lack of interoperability with clients unless you not only pay money, but also download a whole extra program just to decrypt your email. It's essentially a walled garden
Let's say that I trust Swiss laws more than other alternatives.
They apply only to Swiss citizens.
I stopped using them because their Android app is absolute dog shit. But I would trust them more than Google.