[mossTechnician]

A recovery email address is your data, and a company that prides itself on encryption could figure out a way to hash it too. Maybe I'm just below average here, but I expected that from them at a minimum. I was shocked to discover they didn't bother.

It's not unreasonable to think Proton should significantly tone down promises like "We support peaceful protest" while seriously downplaying what they will turn over[0], or promising "We are... committed to defending your freedom" on their homepage[1]. It's certainly reasonable to have a complete list of data processors in their own privacy policy.

[0]: https://proton.me/blog/protesters-free-speech

[1]: https://proton.me/

[Tadpole9181]

Proton cannot destructively hash the email address for recovery because they need to use it. And if they can use it, they are legally mandated to give it to LEO in warrants that include that data as scope.

You can argue they should have a password the user holds to encrypt the recovery address, but that's going into the territory of hurting normal users. You use a recovery address when you don't have your password or recovery phrase. Requiring a password for the recovery email would just mean more customers locked out requiring human intervention (if it's even possible for that account) to get access back for the customer. And remember, many users also use the same account for their password manager.

And no, Proton is 100% welcome to publicly support free speech and protest while not destroying their company and going out of business with all their executives jailed for not complying with non-optional, legally required, minimally exposing warrants from law enforcement.

[mossTechnician]

Proton can claim what they want, but when they promote themselves as supporters of peaceful protests while quietly handing over account details for people engaging in them, that is false advertising.

[array_key_first]

If proton hashed your email how the fuck would they send you an email? Did you even think this through?

They're doing the best they can, but at the end of the day it's literally impossible for them to have absolutely zero data.

They need your credit card number stored somewhere so they can repeatedly bill you. That's just how billing works. They need a recovery email on file so they can email that address.

That doesn't mean that they're not committed to defending freedom.

I'll echo what other people have said: this feels like a psyop. If I were the CIA, I would be doing exactly what you're doing here: spewing unreasonable nonsense about proton in an effort to discredit it so that I can push people towards insecure services.

Nothing even comes close to proton when it comes to email security and privacy. That doesn't mean that we cant criticize proton - we can, and we should. But it has to be legitimate critique.

[mossTechnician]

> If proton hashed your email how the fuck would they send you an email?

By asking you to provide it again if you click the "recover account" button, comparing what you enter against the hash, and then sending recovery into to the valid email you provided