this post was submitted on 18 Nov 2024
465 points (97.0% liked)

Privacy

32120 readers
382 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

Post got deleted, posts removed...

you are viewing a single comment's thread
view the rest of the comments
[–] Sundial@lemm.ee 24 points 5 days ago (5 children)

Wait, what's wrong with Proton Mail?

[–] _cryptagion@lemmy.dbzer0.com 55 points 5 days ago (5 children)

They gave meta information like IP to the government in Switzerland, where they are based, after the government forced them to with a court order. Not the encrypted mail, mind you, because they can’t do that, just the additional information they have on a user like email and IP.

Because of that, a lot of redditers on r/privacy think they spy on their users for the US government. It’s a stretch, yes, but you have to remember they take turns using the one brain they collectively have.

[–] AnAmericanPotato@programming.dev 23 points 5 days ago (2 children)

Not the encrypted mail, mind you, because they can’t do that

Just want to point out for anyone new that ProtonMail does not use E2EE for email headers. That means they CAN access your subject lines, to/from fields, and other email headers. That means they CAN be forced to hand it over to the government.

Source: https://proton.me/support/proton-mail-encryption-explained

Subject lines and recipient/sender email addresses are encrypted but not end-to-end encrypted.

Personally I am disappointed in a lot of Proton's wording about this. They frequently promise they can't access "your data" and "your messages" when they do, in fact, store potentially sensitive data in a format they CAN access.

[–] jherazob@beehaw.org 7 points 4 days ago (1 children)

It's email, that's the best you can get with email, if you want to have more privacy, DON'T USE EMAIL

This is good advice, because email is very difficult to make reliably private. However, it's not the best you can get. Tutanota, for example, stores headers with E2EE, and still has a search function.

The goal should be to make it as private as it can realistically be. Ideally, any cloud service you use should only store end-to-end encrypted data.

I'm not trying to shit on Proton — it's a huge step up from the popular mainstream email services, and the inclusion of cloud storage makes it a much easier transition than going piecemeal with 2-5 different services.

[–] _cryptagion@lemmy.dbzer0.com 4 points 4 days ago* (last edited 4 days ago)

A bit more context is important here. They aren’t E2EE, but they are stored encrypted. In the case of the person whose meta information was turned over, ProtonMail wasn’t forced to hand over the information right away, they were forced to collect it the next time that person accessed and used their email. That tells us that they didn’t store the information beforehand and could not access it without preparing to intercept it the next time their service was used.

Ultimately, though, if something like that’s a dealbreaker, it’s likely you’re doing something that would benefit from a more secure way of communicating than email.

[–] Sundial@lemm.ee 15 points 5 days ago (1 children)

Yeah I agree, sounds a bit excessive. If that's correct, it doesn't sound like they're reading your data and at the end of the day they have to comply with things like warrants. Thanks for the clarification.

[–] underwire212@lemm.ee 14 points 5 days ago

It is all also very clearly stated in the information they must collect in order to provide their service. There should’ve been no surprises here, as you must assume that scenarios like these will happen eventually.

[–] SeekPie@lemm.ee 8 points 5 days ago (1 children)

If all they have on you is your optional backup email and your IP, I think they're doing pretty well in the no data-collecting part?

[–] _cryptagion@lemmy.dbzer0.com 8 points 5 days ago

Well, you don’t even need to provide an email or phone number when you sign up, so if you access the site via their onion address every time, they would have no information on you at all.

[–] EngineerGaming@feddit.nl 3 points 5 days ago (1 children)

I guess the issue here is overselling the safety of the service. Wouldn't rely on them encrypting the mail for you, for example. It's probably fine if you treat it just like you would any other email service - assuming you're fine with being unable to use a mail client at all on the free plan and using it in a weird roundabout way on the paid plans.

[–] ReversalHatchery@beehaw.org 6 points 5 days ago (1 children)

the issue is that they can't defy the law without shutting down and going into jail. proton has given the tool the activist would have needed to protect themselves: the service has an official onion site, which would have made IP collection impossible, and they could have just said they can't know it

[–] EngineerGaming@feddit.nl 2 points 5 days ago* (last edited 5 days ago) (1 children)

Yes, that was exactly my point. You would not treat any mail service like they would cover you during your unprotected use, and Proton is not an exception. So I don't understand why people are taking issue with them cooperating with LE - but take issue with some other qualities.

[–] ReversalHatchery@beehaw.org 2 points 5 days ago

So I don't understand why people are taking issue with them cooperating with LE

some believe they (proton) are invincible and can do whatever they want. maybe because they think that's what swiss privacy and swiss laws mean

[–] bumpusoot@hexbear.net 1 points 4 days ago* (last edited 4 days ago)

But.. basically every email provider or hosting service is legally obliged to give the information they collect to the government. It's not like this is exclusive to Proton in any way whatsoever. If anything, subpoenas are evidence Proton tell the truth and do at least stop themselves from having most of the important data so they can't give it away.

It's proprietary.

[–] Batadon@lemm.ee 5 points 5 days ago

I don't think OP was trying to say Proton Mail is bad or insecure. Rather the opposite.

[–] drkt@scribe.disroot.org 4 points 5 days ago

Privacy wise? Probably nothing. The company engages in shitty behavior, though, and will try to upsell you even if you're a paying costumer. I switched to Tuta because of that, and then Tuta started doing all the same bs...

[–] SwampYankee@mander.xyz 2 points 5 days ago

I would also like to know, lol.