If not, what alternatives can I use?
Switzerland has some of the strongest privacy laws and Proton is pretty safe to use.
Proton just completed their SOC 2 Type II audit:
https://proton.me/blog/soc-2
Accomplishments like this are why I continue to trust Proton and remain a paid user.
Gonna be honest after working in the industry and seeing how corrupt auditing is (incompetent auditors, even some auditors getting paid off) these things don’t make much of a dent to my decision making.
I say this as someone who pays for Proton.
Valid to an extent. I’ve personally experienced various audits whether for ISO, PCI or SOC and the quality of the auditor certainly does vary though I’ve not encountered one I would consider incompetent; the audits have always been rigorous. I’ve not personally seen bribery though I have seen where an auditor might relax how aggressively they look for issues over the years of getting to know the people and quality of the company.
I think SOC 2 Type II is nice, but I also don’t think it really says much about privacy in the context of me trusting what a business will do with my personal data. It’s been 4 or so years since I’ve done a SOC audit, so please correct me if I’m wrong. From what I recall it’s primarily geared toward security in general, and when they say privacy, they mean securing your data from use unauthorized by the business.
The distinction I’m making here is that, from what I recall, SOC 2 Type II says nothing about what can be done with your data (e.g. selling data to brokers, training AI, targeting ads, unclear/uncommunicated EULA changes, etc.). During these, and most other, security audits you can make business arguments as to why you should be exempt from various security mechanisms or configs. These systems also don’t protect from techno fascist douchebaggery like feeding the government information on individuals without warrant or just cause, to assist in targeting minorities or activists for example.
To be clear, I use Proton, I think it’s great, and MOSTLY trust them with my data. I do also like that they got SOC 2 Type II; I wasn’t aware till now so thanks for the heads up. I’m not accusing or trying to infer any wrongdoing either. Mostly trying to point out this doesn’t resolve potential abuses some folks may have concerns about after CEO/board member/whateverthefuckingtitleis drama.
Thanks for coming to my ted talk…
It’s a corporation, so, no.
You need to specify what you want an alternative to, as Proton hosts a lot of services.
OK then, what alternative do I have to Proton Mail?
Tuta are better, but not much. They’ve been getting worse every year.
I switched to Disroot early this year and it’s been smooth sailing. They’re not a corporation, and I can talk to them directly and not some dumb outsourced support staff.
OK, will switch to Disroot now. I wonder what my address will be now…
Ty for sharing. This is something I can get behind! ✊
Murena Mail (Workspace, with several apps, similar to Google Docs, but better) is also a good choice. Murena products rely on open-source software, including the deGoogled operating system /e/OS and NextCloud, and on partner companies such as Fairphone, among others. EU.
deleted by creator
Depends on your threat model. What are you defending against?
I am defending against anyone that uses my data for non-essential purposes. Well, not all non-essential purposes; I mean ads, personalization, AI, selling it for profit, etc.
To my knowledge Proton doesn’t sell your data and there were no leaks in the past. It is also true for a lot of its competitors though.
Note: I use Proton for some things.
But, here’s the twist: there’s a controversy because of the recent AI and the CEO being pro-Trump.
I don’t think that controversy about Trump is concerning in any way. The AI could be interesting instead.
Then Proton should be fine. As far as I know, they don’t sell user data.
Of course as soon as you send an email or receive it from someone else, there’s a chance it will be mined, but while it’s “at rest” on Proton servers it should fulfill your model just fine.
Excuse my ignorance, but I understand that once you receive mail from someone with shared PGP keys, they’d have no way to read the contents.
But when I receive an email from any service that sends me mail, or from a friend that doesn’t use PGP, it sits encrypted in my account… but how do we know proton isn’t ‘reading’ the contents when it is delivered and before it is encrypted in the account?
Is there a possibility of data mining or them storing the contents on their end? Like a mirror image?
If and when you send or receive e-mail encrypted by PGP, the body (contents) of the message is indeed encrypted and you’re safe from snooping and data collection, which is great. However, privacy-wise this might actually be a bad thing, because almost no one uses PGP and using it makes you stand out in a sea of normal e-mail users for someone who collects and analyzes a lot of data. So if that’s your threat model, using PGP might actually be dangerous. Also, you have to remember and remind everyone to use PGP, which is cumbersome if you correspond with non-techie people. You don’t really know how they handle “their side” and PGP software is notoriously not very user friendly.
Whenever you send someone unencrypted e-mail from your Proton account, there’s a chance that the recipient’s e-mail provider (most likely Google or Microsoft) reads it. Same when they send it to you. It doesn’t actually matter that the message sits encrypted “at rest” in your Proton account’s Sent Items; the contents have already been read, indexed and sold to a broker.
It’s very hard to do e-mail privacy because the protocol itself doesn’t have any built-in. It’s better to use other communication methods for sensitive transactions.
Good explanation, and I figured the same.
I feel the ‘encrypted at rest’ is then a false sense of security. Alas it is much better than gmail, etc.
-
You shouldn’t use “trust” as a basis for security or privacy. E.g. for Proton Mail, Proton can still read your incoming emails if they arrive unencrypted; the only way to avoid that is to send E2EE email, which unfortunately most email is not. You should assume that if they can, then they are.
-
If you have to use Proton for whatever reason (can’t afford to pay to self-host things, don’t know how to and don’t have time to learn, etc.), it’s perfectly fine for everyday use for things that are not particularly sensitive, i.e. you don’t have a highly resourced state actor actively trying to obtain that data. Just always keep the first thing in mind. Too many people treat anything that calls itself “encrypted” as a silver bullet.
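The two comments above (the PGP-versus-“encrypted at rest” explanation and the “assume they read what they can” point) describe the same trust boundary. The following is an added example, not code from any commenter or from Proton, that models it: a hypothetical `Provider` encrypts stored mail with a key it holds, so anything that arrives as plaintext has already passed through its hands before the storage encryption is applied, while a body the sender encrypted to the recipient’s key is only ever seen as ciphertext. The cipher is a constructed toy (HMAC-SHA256 in counter mode as a keystream) standing in for both OpenPGP and the provider’s storage layer, and a shared secret stands in for the recipient’s PGP key pair; the names `send_plain`, `send_pgp`, `provider_could_read` and `recipient_read` are all assumptions of this example. Note that the headers stay readable in both cases, which is the point about PGP users standing out.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


# Toy stream cipher (constructed for this example, NOT real OpenPGP): HMAC-SHA256 over
# nonce||counter produces a keystream that is XORed with the data. Whoever holds `key`
# can read anything sealed with it; nobody else can.
def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + keystream_xor(key, nonce, plaintext)


def unseal(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:16], blob[16:])


@dataclass
class Message:
    headers: dict        # From / To / Subject travel in the clear over SMTP either way
    body: bytes
    e2ee: bool = False   # True when the sender already encrypted the body to the recipient's key


@dataclass
class Provider:
    """Hypothetical mailbox provider that encrypts stored mail "at rest" with a key it holds."""
    storage_key: bytes
    observed_headers: list = field(default_factory=list)  # what the provider saw on arrival
    observed_bodies: list = field(default_factory=list)
    mailbox: list = field(default_factory=list)

    def deliver(self, msg: Message) -> None:
        # The provider handles the body BEFORE it applies storage encryption, so an
        # unencrypted body is readable right here, whatever happens to it afterwards.
        self.observed_headers.append(dict(msg.headers))
        self.observed_bodies.append(msg.body)
        self.mailbox.append(Message(msg.headers, seal(self.storage_key, msg.body), msg.e2ee))


def send_plain(provider: Provider, headers: dict, body: bytes) -> None:
    """Ordinary e-mail: the body crosses the provider in the clear."""
    provider.deliver(Message(headers, body))


def send_pgp(provider: Provider, headers: dict, body: bytes, recipient_key: bytes) -> None:
    """E2EE e-mail: the sender seals the body to the recipient's key before handing it over."""
    provider.deliver(Message(headers, seal(recipient_key, body), e2ee=True))


def provider_could_read(provider: Provider, plaintext: bytes) -> bool:
    """Did this plaintext ever pass through the provider unprotected?"""
    return plaintext in provider.observed_bodies


def provider_visible_subjects(provider: Provider) -> list:
    """Metadata is visible regardless of PGP; that is how PGP users stand out."""
    return [h["Subject"] for h in provider.observed_headers]


def recipient_read(provider: Provider, recipient_key: bytes) -> list:
    """The recipient fetches their mailbox: the storage layer comes off with the
    provider's key, the PGP layer only with the recipient's own key."""
    out = []
    for stored in provider.mailbox:
        body = unseal(provider.storage_key, stored.body)
        if stored.e2ee:
            body = unseal(recipient_key, body)
        out.append(body)
    return out


if __name__ == "__main__":
    # Constructed sample traffic.
    provider = Provider(storage_key=os.urandom(32))
    my_pgp_key = os.urandom(32)
    send_plain(provider, {"From": "shop@example.com", "To": "me@example.com",
                          "Subject": "Your order"}, b"order details in the clear")
    send_pgp(provider, {"From": "friend@example.com", "To": "me@example.com",
                        "Subject": "about that thing"}, b"only the recipient sees this", my_pgp_key)
    print("provider could read plain body:", provider_could_read(provider, b"order details in the clear"))
    print("provider could read pgp body:  ", provider_could_read(provider, b"only the recipient sees this"))
    print("subjects visible to provider:  ", provider_visible_subjects(provider))
    print("recipient reads:", recipient_read(provider, my_pgp_key))
```

Encrypting at rest after delivery changes nothing about what `deliver` already observed; only `send_pgp` keeps the body out of `observed_bodies`, and neither path hides the subject line or the correspondents.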
Do you self-host email?
Yes
-
Removed by mod