Proton isn't opsec, it's just the best available commercial clearweb host that still has to follow all the laws and comply with warrants, but won't be arbitrarily selling your metadata or engaging in the adtech garbage.
Kagi is to google as proton is to gmail.
You get web mail, custom domains, decent security, decent spam detection, solid features, and no PII being sold. Nice, clean, simple - I like paying them money. I feel good about doing business with them, and I don't run into that often these days.
Fastmail requires payment meaning it is very closely tied to your identity. Proton is one of the very very few who do not tie a new email account to your identity via phone number, payment info or alternative email (which requires phone, payment info etc.).
Even proton only provides webmail free - pop3/imap/smtp require payment. But that's still better than 99.99% of other webmail - everyone verifies via some method that ties to your personal info.
I don't know if sketchy is the right word but every* time I encounter a proton mail user on a mailing list, they are tinfoil-hat paranoid. Like they are a random nobody, but they are convinced that "the Russians" or "the Chinese" are constantly hacking at their laptop and they are constantly trying to harden everything so much one wonders why they even bother using computers at all.
* OK "every" is an exaggeration but enough that the impression has been formed.
Yes it does have access to your data, at least any email coming from or going to another mail provider. Because those are not end to end encrypted. Only encrypted in transit (and even that is optional). So they need to handle the plaintext at the point of transmission.
I really don't like this about proton, they're always going on about their encryption but most emails they've seen in plain text on their SMTP servers. Because that's just how SMTP works. And so has the provider of the other party.
Once they've put them in your mailbox they can't decrypt them again but I always consider a single exposure a loss of confidentiality. The only emails this doesn't apply to are those from people using PGP (yeah all three of them) and those on proton themselves.
In my view this Achilles heel makes most of their protections irrelevant. But they still market it as if it's the email equivalent of Signal, which actually can't see what you say at any point of transit. And non-technical people have no idea about the difference.
PS: I'm not blaming Proton for not having a technical solution for this because interoperability makes it an unsolvable problem. But I do blame them for their marketing around it.
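Added example (not part of the thread and not any commenter's or Proton's code): a Python sketch that reads a stored message and reports the two properties the comment above distinguishes, whether each SMTP hop recorded TLS and whether the body itself was PGP-encrypted before it reached any server. The sample message, hostnames and the function names are constructed for illustration.

```python
import re
from email import message_from_string

# "with" keywords that record STARTTLS on a hop (RFC 3848, RFC 6531).
TLS_WITH = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

def is_pgp_encrypted(msg):
    """True if the body is PGP/MIME (RFC 3156) or inline-armored PGP."""
    if (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted"):
        return True
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            if b"-----BEGIN PGP MESSAGE-----" in payload:
                return True
    return False

def hop_protocols(msg):
    """'with <protocol>' keyword of each Received header, newest hop first."""
    hops = []
    for value in msg.get_all("Received", []):
        m = re.search(r"\bwith\s+([A-Za-z0-9]+)", value)
        hops.append(m.group(1).upper() if m else "UNKNOWN")
    return hops

def exposure(raw):
    """Summarise who could read the body: transit TLS vs. end-to-end PGP."""
    msg = message_from_string(raw)
    hops = hop_protocols(msg)
    return {
        # Without PGP, every relaying server handles the plaintext body,
        # even when every hop used TLS. Headers are visible either way.
        "body_readable_by_servers": not is_pgp_encrypted(msg),
        "hops": hops,
        "all_hops_tls": bool(hops) and all(h in TLS_WITH for h in hops),
    }

# Constructed sample: ordinary mail delivered over STARTTLS.
SAMPLE = """\
Received: from mx.sender.example (mx.sender.example [192.0.2.10])
\tby mx.receiver.example with ESMTPS id abc123; Mon, 1 Jan 2024 10:00:00 +0000
From: alice@sender.example
To: bob@receiver.example
Subject: invoice
Content-Type: text/plain

Your order has shipped.
"""

if __name__ == "__main__":
    print(exposure(SAMPLE))
```

Received headers are written by each receiving server and earlier hops can be forged, so treat the TLS result as what the servers claimed rather than as proof.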
Why do police need big training centers to learn about the constitution and our rights, escalation of force, etc? I learned all that stuff in a single room when I was in the military.
Look at the numbers for number of people who die from interactions with police (both armed and unarmed) and then compare that to the extra violent deaths that happen because of defund the police policies and then let us know what you find. Only then can you make the claim you are implying. Otherwise you are doing the conspiracy theory thing where you present random data and then imply the idea you are pushing.
If the person or politics / group, they don't support then they have no problem just straight up making stuff up.
Like the hit piece of Elon's Grok where it was "doxing" pornstars' names, but in reality all it did was just search web online and got the info from the first website it could find.
But they made it seem like it was some hidden info that only Grok and Elon would know...
Sounds like you don’t understand doxing and may be overly sympathetic to a reactionary billionaire’s propaganda machine.
Doxing for the most part is simply aggregating publicly available information on an individual and broadcasting it to a wider audience. Rarely does it require more serious sleuthing or even “hacking”, although those are the more notorious instances because it involves someone who may have been trying to hide their identity for various reasons.
No, it's that people keep misusing that word for a broader and broader class of things. Pushing back on dilution of meaning isn't a lack of understanding.
Journalists should work for free. Which means that they are going to be paid by governments and corporations to spout propaganda because everyone has a mortgage to pay off...
I really don’t think 404 Media having a login gate is a red flag. They’re a business that needs to make money and the alternative to subscriptions is ads, which would be exponentially worse for user safety than what exists today.
> Proton only has access to your IP and device ID, not your data.
I like Proton. I use Proton.
However, the problem with proton is that if you access your email via a web browser, there's nothing stopping protonmail (to my knowledge) from reading your email from within their webapp via JS. This type of attack could be targeted at the behest of authorities.
So, actually, Proton COULD read your email (IFF you use webmail).
>So, actually, Proton COULD read your email (IFF you use webmail).
The authorities can also read your self-hosted email if they had a warrant to search your house. Even if you enable FDE they can do a cold boot attack.
Simple solution: put your server inside of a cabinet or enclosure that immediately powers it off if opened with a hidden micro switch. Additionally, write a little udev rule to immediately power off if any new USB device is connected or Ethernet is unplugged.
Is even that needed? Nothing e2ee about the emails you receive normally, they could just read them right away if they really wanted to. And that is to say nothing about the metadata.
That's 404 media's approach. That's why I only read their headlines.
In theory you could open up your protonmail account over tor and with bitcoin (or does that not work anymore?).
It's been a good while since I tried them out. Why I don't recommend them anymore is because when I didn't extend my subscription in time (expecting an account downgrade), my mail was locked and emails held on to as ransom. Allowed to login only for payment.
That was one red flag from me, the second was when they shared IP address logs of a French protestor. E̶v̶e̶n̶ ̶t̶h̶o̶u̶g̶h̶ ̶a̶t̶ ̶t̶h̶e̶ ̶t̶i̶m̶e̶ ̶t̶h̶e̶y̶ ̶h̶a̶d̶ ̶a̶ ̶n̶o̶ ̶l̶o̶g̶s̶ ̶p̶o̶l̶i̶c̶y̶,̶ ̶i̶f̶ ̶I̶ ̶r̶e̶m̶e̶b̶e̶r̶ ̶c̶o̶r̶r̶e̶c̶t̶l̶y̶.̶ ̶O̶r̶ ̶i̶f̶ ̶I̶ ̶d̶o̶n̶'̶t̶.̶
>the second was when they shared IP address logs of a French protestor. Even though at the time they had a no logs policy, if I remember correctly. Or if I don't.
You probably aren't remembering correctly given that they specifically have a "login logs" option that can be toggled on/off.
I let my subscription expire and my account was never locked down or email held for ransom. I suspect there is another piece to the story you're either neglecting to mention or don't know.
Yes, this happened 5-6 years ago, I've publicly complained before, and I paid with bitcoin. Those are the only details not included in my previous comment.
Last time I tried they asked for an email to link the account to. I don't think they provide anonymous accounts anymore, but you can probably create one with another anonymous email.
Proton doesn't really protect anything email related unless the recipient is also using protonmail. The article also points out they sought payment data, not "IP and device ID" information.
This seems misleading inasmuch as your correspondents aren't all on the same mail servers.
Yes, correspondence between you and Build-A-Bear, and between you and your local terrorist cell, are unencrypted individually. But Build-A-Bear presumably doesn't know about your correspondence with the cell, and the latter presumably has some interest in not sharing organizational data access with the former.
I suppose you do have to trust that Proton isn't served a directive to snoop on your correspondence in transit with other providers. But that's still a much better position than leaving all of your historical data unencrypted at rest.
Or any similar service from another vendor? Or hosts their own email. If someone using Protonmail emails me, their data is also not getting sold for example, it's just stored on my laptop
Proton only has access to your IP and device ID, not your data. With IP and device ID, you can easily track a user like finding the ISP, etc.
Do you wanna do naughty things?? Don't use such services to do so.
And ironically, this 404 Media is the only place I found covering this information and they require you to login to read the whole thing.
Hmmmmmmmmmmmmmmmmmmmmm red flag big time!!!!