awesome-privacy
awesome-privacy copied to clipboard
pluja
Remove ProtonMail
Looking into the discussions on the stuff they gradually have done, such as back in the day where they gave away headers of an email and that was enough to prosecute, and the more recent https://old.reddit.com/r/ProtonMail/comments/pil6xi/climate_activist_arrested_after_protonmail/
The arguments for the action may be valid but the spirit of Privacy is just outright tainted and there's no reassurance it's not acting as a boiling frog and only going to stray against the path it advertised itself to be. As well as references listed here:
https://encryp.ch/blog/disturbing-facts-about-protonmail/
I agree, with this https://youtu.be/QCx_G_R0UmQ Instead of thumbs down, why don't you give your own argument.
I actually follow Mental Outlaw, I appreciate his work.
As far as ProtonMail privacy issues are concerned, there is nothing that wouldn't also apply to other email providers in the list. If ProtonMail is removed because they're subject to the laws of the land, so should every other email provider, and company more broadly for that matter, who is also subject to the laws of their land.
I'm not sure what the TOR issue is about. If I log in via TOR, it remains on TOR. Perhaps that was resolved since this video.
Email is inherently insecure. The technology is fundamentally flawed. It's pretty much impossible to communicate with normies via email in a way that is truly secure, and for everyone else, the issues outlined by Mental Outlaw apply.
On 21/05/2022 01:11, David Armstrong wrote:
Email is inherently insecure. The technology is fundamentally flawed.
The design of Email assumes trust in your mailbox provider.
I am my own mailbox provider, so now the weak link in every conversation I have over email is the other person's mailbox provider.
I would like to provide an easy way for everyone to become their own trusted mailbox provider, which would have to be software you run on your own (possibly mobile) computer coupled with a service to provide a static IP address. I'm not sure if there would be any market demand for something like that. (Anybody?)
It's pretty much impossible to communicate with normies via email in a way that is truly secure, and for everyone else, the issues outlined by Mental Outlaw apply.
But don't blame email specifically when it's not much worse than any other method of communication used by "normies" such as SMS (aka TXT) messages.
Even the end-to-end encrypted systems such as Signal (and others) track (or can track) meta-data about who sends messages to who (the “pen register”) which might be more important or compromising than the content of the messages.
So in addition to normal email my setup needs to support a simple extension to move email over TOR using hidden services. Perhaps in addition to an MX record, another record (could be TXT) indicating the .onion to use.
I agree, with this https://youtu.be/QCx_G_R0UmQ Instead of thumbs down, why don't you give your own argument.
The thumbs down are due to people's emotional investment assigned to being on the side of Protonmail. The climate of tying your identity/personality to brands is a feature humans seldom are able to undo and admit they were wrong and would double down on their associations of Protonmail than admit they were wrong. It has been the most recommended provider for privacy and the marketing of it was very slick.
I agree with the above that email that you do not fully self host would degrade the original premise of "Awesome Privacy". I wanted to try and avoid the consequence of the initial mass adoption only for things to change abruptly but that mass adoption already stopped paying attention. The dangerous "Set it and forget it" mentality. Trust is the single most important aspect in privacy IMO. The little things they have objectively done, even if they arguably didn't break any rules, still have shown a blatant lack of respect to privacy when it was inconvenient for them. Anything short of telling any requests for information to jump off a cliff should not be advertised for privacy. Legal obligation or not, it's all the same.
Trust is the single most important aspect in privacy IMO.
If you have privacy, you don't need to trust.
That's a good point and rule of thumb to follow. Which makes it all the more complicated when something is not self hosted. There's a level of trust that something IS E2E encrypted and nothing is tampered with in transit or a service is using something open sourced and not something privately modified.
The thumbs down are due to people's emotional investment assigned to being on the side of Protonmail. The climate of tying your identity/personality to brands is a feature humans seldom are able to undo and admit they were wrong and would double down on their associations of Protonmail than admit they were wrong. It has been the most recommended provider for privacy and the marketing of it was very slick.
- ProtonMail received a subpoena from it's own government. Penalties apply for non-compliance. How do you believe ProtonMail should have responded?
- If another email provider, such as Tutanota receives a subpoena from their government, what protects them from being compelled to comply?
- Self hosting. Lets say my government subpoena's my cloud hosting provider, or my ISP, or my mobile phone carrier, what prevents them from being compelled to comply and handing over metadata?
The thumbs down are due to people's emotional investment assigned to being on the side of Protonmail. The climate of tying your identity/personality to brands is a feature humans seldom are able to undo and admit they were wrong and would double down on their associations of Protonmail than admit they were wrong. It has been the most recommended provider for privacy and the marketing of it was very slick.
- ProtonMail received a subpoena from it's own government. Penalties apply for non-compliance. How do you believe ProtonMail should have responded?
- If another email provider, such as Tutanota receives a subpoena from their government, what protects them from being compelled to comply?
- Self hosting. Lets say my government subpoena's my cloud hosting provider, or my ISP, or my mobile phone carrier, what prevents them from being compelled to comply and handing over metadata?
Those are correct. Refer to my last statement saying Legal obligation or not, it's all the same. I'm in favor of no email provider being on the list. Being legally obligated to disrespecting your privacy does not exempt them from criticism when they are advertised for being "for privacy". I just find it a little silly having a list of "Awesome Privacy" when there is an implied footnote saying that you're still being watched, stay under an arbitrary radar.
You make an interesting point @AE720. I'm inclined to treat "Awesome Privacy" as a relative term. What I'd consider awesome for myself, is not what I'd consider awesome for my grandmother for example, for entirely practical reasons.
If a normie using say, Gmail, Hotmail, Yahoo, etc, stumbles across this site looking for a more privacy respecting email option, but they're only met with self-hosting options that are way over their head, that's a loss to the privacy community.
Or, perhaps they're just a little tech savvy, and fumble their way through the installation of a self-hosted option, because that's all that's here. Being inexperienced though, they inadvertently leave their server, and possibly entire home or business network, open to exploitation.
In both of these cases, it's a whole lot more than just their IP address and some browser metadata that's at risk.
That is also very true. I guess it boils down to the scope of the list and the goal here. Do we want to encourage no email use at all? Or do we want to work our way from email that is safe from everyone non government related. That makes a difference in my decision but it should at least be acknowledged. You stated everything I would have so I'll leave it at that.
I guess I'm just trying to gauge the interest for an easy service (easy for “normies”) that provides the experience of a mailbox provider but runs (under the hood) locally on your own hardware using free and open-source software. This would be a subscription service, so the other question is what price point would work for people? I'm asking: should I quit my day-job and go into business providing secure and privacy respecting email infrastructure?
So far everybody tells me this is crazy and impossible. I just don't see why this couldn't be made as easy as signing up for any other email provider.
I guess I'm just trying to gauge the interest for an easy service (easy for “normies”) that provides the experience of a mailbox provider but runs (under the hood) locally on your own hardware using free and open-source software.
Discussion of this scope probably warrants its own thread, so it can be given the thorough discussion it probably needs. If you have a repo where you'd like discussion on this, perhaps link it here. I'm certainly interested in understanding more about your initial ideas around implementation.
I think I will be leaving ProtonMail listed, it is a good service with open source clients and encryption. The e-mail is inherently insecure for average users.
I think that ProtonMail provides an easy gateway for a user that is starting to worry about their privacy, it is a first-step and also, why not, a good service to stay for most users. As @B-Interactive said in the comment, what happened with ProtonMail could have happened with other mail providers. ProtonMail also makes it "easy" to use PGP (although they have your keys, these are encrypted).
I will be adding a note commenting the security problems with email usage, encouraging users to use other messaging platforms such as Matrix, Signal or Session (for example) when possible.
What do you think about this?
I'm not sure what the TOR issue is about. If I log in via TOR, it remains on TOR. Perhaps that was resolved since this video.
The argument is that when you are using an onion site, there are 6 hops between you and the site, while with a clearnet site there are only 3. The issue has been fixed for a while now, but having 3 hops on tor is already more than enough for 99.99% of people whole use protonmail and way more for people using providers like gmail. It would be fair to say that it would be suspicious if they forced you to use the clearweb to create an account, but that isn't what they are doing.
While I do think there are some major issues with protonmail, such as censorship resistance option that uses amazon and google as proxies being enabled by default, you really cannot have a perfect email provider, just like how we cannot have a browser that doesnt have some major issues. So if you are at the point that you think protonmail shouldnt be seen as private, you might aswell not even use the internet as just by being on the internet, you are harming your privacy.
