Replying to Final

Regarding the recent situation with Proton Mail, I have nothing to comment that I haven't said countless times already. I would need to understand more context about what the users they suspended did, which is in the clouds of social media conflict right now. It is abnormal to suspend a researcher, so I personally would like to see a more formal response from Proton on their justifications -- especially since accounts were reinstated after the matter went public.

In the meantime, let us go through a refresher on your need-to-know for encrypted email providers. If you are already aware of how Proton Mail works technically and as a business, the following should be of no surprise:

- Email is not end-to-end encrypted. Proton Mail encrypts received emails from external domains when they arrive unencrypted. The only encryption is in the transit between the two email providers, NOT the individual users. In theory, a service provider could be legally compelled to intercept email traffic and keep the readable copy as they arrive. Only Proton to Proton emails are end-to-end encrypted.

- "Zero-access encryption" is NOT "end-to-end encryption".

- Providers suspend accounts on their own due diligence. It should be no surprise that companies suspend accounts based on reports from sources like CERTs, ISACs, anti-spam registries, etc. If an email provider can't read the mailbox, then this, or email contents being reported, is the most information they get. Don't act shocked when they aren't on your side.

- Don't think irrationally: Removal of service is not at all related to information disclosure.

Certain information you provide to the service cannot be encrypted in a way that is unreadable to the service, for example, email account recovery information. It wouldn't be possible to restore accounts using information they don't know. Understand what information you provide to a service provider.

Overall: Don't use email for personal highly sensitive communications you believe could be disrupted by a service provider. If there is no way around this, encrypt the email contents and attachments yourself and leave a generic non-sensitive subject line so neither provider can read it. The same applies to self-hosting your own email. Use end-to-end encrypted messaging apps for communication. Keep emails for accounts.

Mail providers with mailbox encryption like Proton and Tuta provide encryption as a protection mechanism against data breaches. Using such services is a reasonable choice for someone who needs an email provider with a focus on account security and requiring only the minimum amount of information required to function. But, they are not an opsec silver bullet.
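Added example (my own illustration, not code from this post, from Proton, or from Tuta): a small standard-library script that builds two messages, one conventional and one where the sender encrypted the body as PGP/MIME, and then lists what a provider storing either message can still read. The PGP block is a constructed placeholder, not real ciphertext, and the addresses, subject lines and attachment name are made up. It shows the point above concretely: sender-side encryption hides the body and the attachment inside it, but the envelope headers, including the subject, stay readable, which is why the subject line has to be generic.

```python
"""Which parts of a message a provider can read, with and without sender-side
PGP/MIME (RFC 3156) encryption. Standard library only; constructed sample data."""
from email import encoders, message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.policy import default

# Constructed placeholder standing in for an ASCII-armored PGP message.
FAKE_PGP_BLOCK = (
    "-----BEGIN PGP MESSAGE-----\n"
    "hQEMA...placeholder, not real ciphertext...\n"
    "-----END PGP MESSAGE-----\n"
)


def build_plain_message(subject, sender, recipient, body, attachment_name):
    """Conventional message: body and attachment are stored in the clear by
    the provider, regardless of TLS on the hop between providers."""
    msg = MIMEMultipart("mixed")
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.attach(MIMEText(body, "plain"))
    att = MIMEApplication(b"%PDF-1.4 constructed sample", "pdf")
    att.add_header("Content-Disposition", "attachment", filename=attachment_name)
    msg.attach(att)
    return msg.as_string()


def build_pgp_mime_message(subject, sender, recipient, ciphertext):
    """PGP/MIME layout: a control part plus one opaque ciphertext part. Any
    attachments live inside the ciphertext; the headers do not."""
    msg = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    control = MIMEApplication(b"Version: 1\n", "pgp-encrypted",
                              _encoder=encoders.encode_7or8bit)
    payload = MIMEApplication(ciphertext.encode(), "octet-stream",
                              _encoder=encoders.encode_7or8bit)
    msg.attach(control)
    msg.attach(payload)
    return msg.as_string()


def _walk(part, view, inside_encrypted):
    """Collect readable text and attachment names; count parts that sit inside
    a multipart/encrypted container as opaque."""
    if part.is_multipart():
        enc = inside_encrypted or part.get_content_type() == "multipart/encrypted"
        for sub in part.iter_parts():
            _walk(sub, view, enc)
        return
    if inside_encrypted:
        view["opaque_parts"] += 1
        return
    name = part.get_filename()
    if name:
        view["attachment_names"].append(name)
    if part.get_content_maintype() == "text":
        view["readable_text"].append(part.get_content().strip())


def provider_readable_view(raw):
    """What the storing provider (or anyone who can compel it) can read:
    envelope headers, MIME structure, and every part not inside
    multipart/encrypted."""
    msg = message_from_string(raw, policy=default)
    view = {
        "from": msg["From"], "to": msg["To"], "subject": msg["Subject"],
        "readable_text": [], "attachment_names": [], "opaque_parts": 0,
    }
    _walk(msg, view, inside_encrypted=False)
    return view


def demo():
    """Return the provider's view of a plain message and of a PGP/MIME one."""
    plain = provider_readable_view(build_plain_message(
        "Re: settlement terms, Acme v. Smith", "alice@example.org",
        "bob@example.net", "Here is the draft agreement.", "settlement-draft.pdf"))
    encrypted = provider_readable_view(build_pgp_mime_message(
        "Hi", "alice@example.org", "bob@example.net", FAKE_PGP_BLOCK))
    return plain, encrypted


if __name__ == "__main__":
    for label, view in zip(("plain", "pgp/mime"), demo()):
        print(label, view)
```

Running it shows the plain message leaking the subject, body text and attachment filename, while the PGP/MIME message leaks only From, To and the subject you chose, which is the part you control by keeping it generic.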

About a year or two ago ProtonMail suspended my account for no reason after being a paying customer for about 5+ years. Their only support contact method at that time was email. 😉

Anyway, they gave me some bullshit reasons (lies) as to why the account was suspended but did reactivate the account after contacting them by an alternate email address.

Anyway, I dumped them like a hot potato and I'm now using tuta.com.

Bottom line: ProtonMail does value their paying customers.

Sure will be nice to see the need for email to become absolute zero.
