I’ve been using Proton Mail and VPN for a while now, and I’m just wondering how everyone else feels about them. I have this kind of inherent alight distrust of them just because they seem like they offer a lot for free and kind of have a Big Tech vibe about them, but there’s nothing for me to really substantiate that distrust with, its mostly just a feeling. That being said, I do use their services as mentioned and they work pretty well, even on the free teir. So aside from that one instance where they gave that guy’s info to the feds, is there any reason not to trust them with my data?

    • hemko@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      12
      ·
      edit-2
      1 year ago

      You can’t create proton account anonymously very easily. If attempting to create account using for, you’re prompted to enter phone number or existing email iirc.

      Edit: just tested, existing email is needed. This already tells they do not want people to create accounts in a privacy respecting way even if it’s somewhat trivial to bypass if you know how

      • MrMonkey@lemmy.world
        link
        fedilink
        arrow-up
        6
        ·
        1 year ago

        Tell me you don’t understand the difference between privacy and anonymity without telling me

        • hemko@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          3
          arrow-down
          2
          ·
          1 year ago

          I’m not talking about anonymity, even though it’s also implied. Proton claims to offer privacy in a similar fashion as Google, they protect your data from everyone but themselves and whichever party they “need” to share the data with.

          • MrMonkey@lemmy.world
            link
            fedilink
            arrow-up
            1
            ·
            1 year ago

            Google is an advertising business, so the “need” for our data is built into their business model. Proton is not an advertising company and doesn’t have any relation with any other party where our data drives their business. If you are concerned that Proton will record your IP when you create an account (which they are very clear on in their privacy policy), you are pretty much looking for anonymity if even you claim not.

  • Cheradenine@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    53
    ·
    1 year ago

    So aside from that one instance where they gave that guy’s info to the feds, is there any reason not to trust them with my data?

    They were under a court order. They still have to follow their country’s laws.

    That is not to say you shouldn’t question them, but that particular example should not be used.

    If that person had better opsec it never would have been a thing.

    • sudneo@lemmy.world
      link
      fedilink
      arrow-up
      27
      arrow-down
      1
      ·
      1 year ago

      Plus, the data they gave was minimal, basically just the recovery email address, if I remember. That person got caught because they used the same address on Twitter (or something) and then they could get more data, if I recall correctly.

      • meseek #2982@lemmy.ca
        link
        fedilink
        arrow-up
        14
        ·
        edit-2
        1 year ago

        This is the key bit. So long as whatever they hand over still meets their services guidelines, the fact they cooperate with law enforcement is not in the least a knock to the promises they made.

        It would be another matter altogether if they were providing law enforcement with logs or information they said they don’t collect.

        People’s deductive reasoning is weak sauce.

    • meseek #2982@lemmy.ca
      link
      fedilink
      arrow-up
      16
      arrow-down
      4
      ·
      edit-2
      1 year ago

      Yeah I think most people confuse privacy with criminal behaviour. Proton has your back when it comes to the former, but they aren’t there to enable you to pirate or cause trouble, hiding behind their service.

      I don’t see how making sure criminals are brought to justice is the same as protecting your anonymity on the net.

      And even if mandated under law, it’s not like they actually log your travels and are handing that to law enforcement. Whatever they hand over still falls under their services guidelines.

  • FIST_FILLET@lemmy.ml
    link
    fedilink
    arrow-up
    41
    arrow-down
    1
    ·
    1 year ago

    seem like they offer a lot for free

    i gladly pay for proton knowing that i’m helping fund a critical tool for activists under oppressive regimes :)

  • archchan@lemmy.ml
    link
    fedilink
    arrow-up
    20
    arrow-down
    1
    ·
    1 year ago

    Based on my own privacy/security criteria, I chose and payed for protonmail when that was the only thing Proton had. I’ve been very happy with them and it’s nice to see how much they’ve since popped off.

  • Papanca@lemmy.world
    link
    fedilink
    English
    arrow-up
    19
    arrow-down
    2
    ·
    1 year ago

    I trust them, but always remain vigilant, because things can change over time. But the founders initially were scientists who met at CERN, not a company that launched a product. That tells me quite a lot. Yes, over time they are becoming more professional, maybe more like a regular company, but i feel that privacy is still the main priority for them. They also organize a yearly event and the money they raise goes to certain projects that are related to privacy and freedom (if i remember correctly for instance to help journalists remain free press and things like that). Yes, it’s one of the few companies that i really trust.

    Also, yes, they sometimes are forced to give info to authorities (and they are quite open about that and explain what happened if people ask about that), but don’t forget that they don’t have much info on their clients, because everything is encrypted and they just cannot see what’s inside a mail, for instance. So, they can’t share that.

  • TylerDurdenJunior@lemmy.ml
    link
    fedilink
    arrow-up
    10
    ·
    1 year ago

    Proton used to have a deal with the Israeli company Radware, for DDoS protection. They have written a few disclaimers about how Radware only handled incoming traffic still with two encryption layers intact (SSL & OpenPGPjs), as if that was some sort of real protection if a company has access to raw incoming traffic.

    Honestly, a company aimed at privacy, boasting of Swiss privacy, should know better than to route anything through Israeli companies.

  • Izzy@lemmy.ml
    link
    fedilink
    arrow-up
    9
    ·
    1 year ago

    I don’t trust them implicitly, but I do believe they are less likely to do certain things than Google which is enough to use them instead of Google for Email.

  • mo_ztt ✅@lemmy.world
    link
    fedilink
    English
    arrow-up
    9
    arrow-down
    2
    ·
    1 year ago

    Proton Mail + Tor Browser + diligent OPSEC

    Bingo bango, you don’t even have to trust them.

    • hperrin@lemmy.world
      link
      fedilink
      arrow-up
      7
      arrow-down
      2
      ·
      edit-2
      1 year ago

      You very much do have to trust them. They make the client you’re using.

      If someone injects malicious code into their client, it can transmit your mail unencrypted, or even just transmit your private key. Will they inject malicious code into their own client? Almost definitely not. The chances are basically zero. But if they get hacked and someone else does, then it’s the same result.

      Also, unless all email you receive is encrypted with OpenPGP, you’re still trusting ProtonMail to encrypt it for you before they put it in their database.

      So yes, you still have to trust them.

        • hperrin@lemmy.world
          link
          fedilink
          arrow-up
          2
          ·
          edit-2
          1 year ago

          Tor Browser only protects your IP address.

          Emails received from outside senders are only end to end encrypted if the sender is using OpenPGP or S/MIME. Otherwise, Proton receives them in plain text (the TLS encryption is terminated at their SMTP server). They promise that they don’t look at them before encrypting them for storage, but you have to trust that promise.

          Injecting malicious code means either XSS or if their build pipeline gets hacked. These companies release builds through a pipeline (usually download source -> download dependencies -> build from source -> package -> sign -> notarize (for Apple) -> release), and anywhere along that pipeline can be vulnerable. They might update a dependency that got hacked and now they’re hacked too. One of their build servers might get hacked and now they’ve released a malicious build. You’re trusting them to verify not only their code and their build servers, but also every dependency update. That’s potentially millions of lines of code per year to vet. It’s probably fine, but you’re still trusting them.

          As for whether an attack is their fault, it really doesn’t matter. The end result is your leaked data. They could do everything they possibly can to protect you, but they could still get hacked. You are trusting them when you use their service. I believe they’re trustworthy, which is why I’ve been using their service for years.

          A note about me: I know all of this because I have worked in big tech for ~11 years (Facebook, Google, then LinkedIn), I wrote an end to end encrypted messenger (called Tunnelgram, now discontinued), and I wrote my own email service over the past two years (called Port87).

      • mo_ztt ✅@lemmy.world
        link
        fedilink
        English
        arrow-up
        4
        arrow-down
        2
        ·
        1 year ago

        Wait… okay, I think we’re talking about two different things.

        Emails you send or receive are not private. End of story. That’s nothing to do with the provider; they’re just not. SMTP is from the stone age of internet when nothing was private, and the attempts to graft a layer of encryption on top of it are from the bronze age, when encryption wasn’t very standardized or well-tested against real threats, and all of that shows. Even if you put a significant amount of work into grafting full end-to-end PGP encryption on top of the best your provider can do to keep your emails private, it doesn’t work. Emails are not private.

        What I assumed you were interested in was in separating your non-private collection of emails from your real world identity. Proton + Tor will do that, bang on. If you’re trying to send and receive messages which are genuinely private, use one of the fairly good options which can do that (Signal or Matrix maybe). If you’re trying to send and receive your non-private emails without it being linked to your real world identity, use Proton + Tor. If you’re trying to send and receive SMTP emails without people being able to read them, you need to rethink what you want, because you’re not going to be able to get that.

        • hperrin@lemmy.world
          link
          fedilink
          arrow-up
          2
          ·
          1 year ago

          Proton can be anonymous, yes, just like every other email service. I think OP was wondering more about how they protect your privacy when you’re using them non-anonymously. I could be wrong though.

          But yeah, don’t use email if you don’t trust your email provider. Setting up your own email server for receiving mail isn’t too hard. Most ISPs don’t block incoming traffic on port 25, only outgoing traffic. It’s the sending part that sucks when you run your own server. Even if your ISP doesn’t block outbound port 25, your IP is probably already on several spam blacklists. :(

          • mo_ztt ✅@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            1
            ·
            1 year ago

            But yeah, don’t use email if you don’t trust your email provider.

            Not sure how much more I can simplify this: The “if you don’t trust your email provider” has no place in this sentence. Don’t use email if you need the content of your messages to be private. If someone’s looking at Proton because they think it’ll keep their emails private, then yes, that’s a bad idea. But that’s not because of the “Proton” part of that sentence; it’s because of the “emails” part, and setting up your own SMTP service will do nothing to remedy that (in fact it’ll make things worse because it’ll put your own IP address into the “Received-By” headers of every email you send out).

            • hperrin@lemmy.world
              link
              fedilink
              arrow-up
              1
              ·
              1 year ago

              If you’re communicating with someone you know who’s also running their own email server, there is no problem with using email. Email is a good protocol, and it runs over TLS.

    • Kalcifer@lemm.ee
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      The issue with email, unless you are comumnicating between two Proton Mail accounts, is that your message will likely be stored on another server which is extremely likely to be unencrypted. The bottom line is that you can never trust the rest of the infrastructure, and you have no control over it. You can end-to-end encrypt using PGP, but this is extremely impractical.

      • mo_ztt ✅@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        1
        ·
        1 year ago

        Yeah, email is unsafe, agreed. I addressed that below, saying I thought they just wanted to separate their real-world identity from their un-private emails. If you’re trying to use Proton to keep your un-private emails private, you’re gonna have a bad time and you should use some good end-to-end solution that isn’t email instead.

  • hperrin@lemmy.world
    link
    fedilink
    arrow-up
    7
    arrow-down
    1
    ·
    edit-2
    1 year ago

    For that one instance, not doing so would have been illegal and probably gotten them hit with a major penalty.

    Any email sent to Proton in clear text is 100% accessible to them at the point of entry. They basically promise you that they won’t look at it before encrypting it for storage. So if you trust their promise, it’s all good.

    Any email that comes in already end to end encrypted with OpenPGP is not accessible to them ever, kind of. If their client gets hacked and starts sending unencrypted messages to them or someone else, then they have access.

    The only way to have a zero trust environment is always having people (or businesses) send you messages encrypted with OpenPGP, and never using Proton’s clients (webmail, mobile app, and desktop bridge). That’s fairly unreasonable, and you might as well use any other email service at that point.

    So, you can trust them as much as any other company, because unless you write and run your own email server (which, trust me, is a huge pain in the ass*), that’s your only option.

    * I wrote and run an email service called Port87, which launched recently, and there are so many obstacles to doing this, even if you’re only running one user on one domain on one server.

  • Lolors17@feddit.de
    link
    fedilink
    English
    arrow-up
    6
    arrow-down
    1
    ·
    1 year ago

    I do not trust any company, even if it is “privacy-friendly” or “anonymous”. There is no way to proofe this, sure I could view the code but there might just be a slight possibility that the company is saving and stealing your data.Self-Hostinmg is for me the way to go.