[class3shock]

The articles format is awful and designed to wast your time.

This article also just points out the use of Livekit but doesn't deliver what that means for your security. Maybe instead of writing a hit piece you could have dug deeper, talked to Proton?

I've seen alot of articles and posters here being negative on Proton, calling it "shady", regurgitating facts that are supposed to be gotchas but have tons of nuance if you dig and am beginning to think there is some coordinated effort to get people not to use it.

[paulryanrogers]

I recall hearing some controversy around Australian legislation and Proton cooperation with authorities. Though haven't dug into court records or anything yet.

Is there a balanced view someone has summarized somewhere?

Are there some references you'd recommend where I can begin to read up?

[Tadpole9181]

From every instance I've seen, Proton has only ever done what is legally required of them by a warrant. They do not get to say no when asked to turn over what they do have; which is going to be things they can't avoid storing - like email addresses or recurring payment information an account has.

But they don't store logs and all actual data is E2E / at-rest encrypted, so that data does not exist for them to give away. There's no master key or back doors.

[mossTechnician]

The problem is the gap between marketing promises and realities. Proton markets itself as a safe Swiss product[0] for activists[1], but the reality is their accounts often expose more than a casual user may expect, like a secondary email address[2] (often required to sign up) or payment info[3]. The Swissness is even more suspect according to this article, if it's true that they rely so heavily on American infrastructure and don't responsibly disclose this even in their privacy policy.

[0]: https://proton.me/blog/switzerland

[1]: https://proton.me/blog/protesters-free-speech

[2]: https://www.theregister.com/2024/05/13/infosec_in_brief/

[3]: https://slashdot.org/story/453084

[Tadpole9181]

This seems unreasonable. The entire point of Proton is that they themselves cannot access your data, that's how I've seen it advertised. The Swiss thing is more just that they can't be compelled to enable logging. (To be fair, though, maybe that's changed. it's been a while since I saw their home page and I don't exactly make a habit of disabling my adblock).

But I don't see how any reasonable person would not know that the email addresses and payment information that Proton must have access to would therefore be subject to disclosure to law enforcement. And for the vast majority of people, they aren't exactly on a tight watchlist where intelligence agencies are making thread boards to catch them committing for international crimes to make this matter.

Anyway, I especially don't understand the flack they get on this forum with people who do understand and should understand how hard it is to advertise technical features to normies.

Normal people aren't cyber criminals who needs to hide every spec of their trail from all governments. They just want to feel like no one is reading their messages or Internet history or passwords. Proton offers that, full stop.

[mossTechnician]

A recovery email address is your data, and a company that prides itself on encryption could figure out a way to hash it too. Maybe I'm just below average here, but I expected that from them at a minimum. I was shocked to discover they didn't bother.

It's not unreasonable to think Proton should significantly tone down promises like "We support peaceful protest" while seriously downplaying what they will turn over[0], or promising "We are... committed to defending your freedom" on their homepage[1]. It's certainly reasonable to have a complete list of data processors in their own privacy policy.

[0]: https://proton.me/blog/protesters-free-speech

[1]: https://proton.me/

[Tadpole9181]

Proton cannot destructively hash the email address for recovery because they need to use it. And if they can use it, they are legally mandated to give it to LEO in warrants that include that data as scope.

You can argue they should have a password the user holds to encrypt the recovery address, but that's going into the territory of hurting normal users. You use a recovery address when you don't have your password or recovery phrase. Requiring a password for the recovery email would just mean more customers locked out requiring human intervention (if it's even possible for that account) to get access back for the customer. And remember, many users also use the same account for their password manager.

And no, Proton is 100% welcome to publicly support free speech and protest while not destroying their company and going out of business with all their executives jailed for not complying with non-optional, legally required, minimally exposing warrants from law enforcement.

[array_key_first]

If proton hashed your email how the fuck would they send you an email? Did you even think this through?

They're doing the best they can, but at the end of the day it's literally impossible for them to have absolutely zero data.

They need your credit card number stored somewhere so they can repeatedly bill you. That's just how billing works. They need a recovery email on file so they can email that address.

That doesn't mean that they're not committed to defending freedom.

I'll echo what other people have said: this feels like a psyop. If I were the CIA, I would be doing exactly what you're doing here: spewing unreasonable nonsense about proton in an effort to discredit it so that I can push people towards insecure services.

Nothing even comes close to proton when it comes to email security and privacy. That doesn't mean that we cant criticize proton - we can, and we should. But it has to be legitimate critique.

[throwaway27448]

This isn't much comfort when the swiss government bends over and takes other states up the ass at the slightest issue, eg https://www.404media.co/proton-mail-helped-fbi-unmask-anonym.... Why on earth is the swiss state acting like stooge for the fbi? Tell them to go fuck themselves like a normal person.

PGP/GPG (can never remember the difference) is the only privacy solution worth a damn and proton is just a gmail alternative with a nice interface.

[harimau777]

If they advertise that they will protect their users privacy, then I don't see how complying with government snooping is an excuse. Either provide what you say you will or don't say that you will provide it.

[Tadpole9181]

Proton has never said they will refuse a warrant for what your email address or recovery account are. They say that the contents of your emails, calendars, notes, passwords, etc are not accessible to them and therefore cannot be spied on even if a warrant is fulfilled.

[mossTechnician]

Proton's homepage says:

We are a neutral and safe haven for your personal data, committed to defending your freedom.

[Valodim]

If you read that as "we'll break the law for you", it's a you problem.

[class3shock]

The balanced view is Proton is a service that does not treat you as the product and does what I would describe as, the best it can, to provide privacy. They seem to avoid keeping data where they can but do cooperate with government when legally required to. The location they are in has more legal protections for privacy than most places.

If you are a normie wanting to not have your data sold and not have a company violating your privacy for non-legal reasons, they seem like a solid choice.

If you are worried about government level actors working against you or are the sort that gets put off at the idea of a service marketed as "privacy respecting" using any US based sub services, look elsewhere.

If you want references just start reading through comments on any topic here pertaining to proton.