Why use Protonmail?
 

If i use a Protonmail account to send emails to people who only use Gmail or Outlook (whose services keep tabs on the data they receive), why bother using this secure email service? Only to send to someone who already has a Proton account?

That's one big reason why I tried ProtonMail and gave it up. Exactly zero of my regular contacts were willing to give encrypted email a try, and I have never received a request to communicate via encrypted email. I suppose there is some additional security in the way they handle your email storage, but in reality I think the most likely way to have your emails read is to fall victim to a phishing attack--be tricked into giving up your password. I don't think ProtonMail can protect you against that any more than other services.

When you send a Protonmail encrypted email to a non-Protonmail account, like Gmail, the receiver receives a link to the secure message and needs a password (that you set and provide) to view it.
Encrypted emails aren't sent to Gmail or Outlook so they can't be read/analysed by those services, although those services would have a record of the "You have received a secure message ..." email and the link.

@TenFour - and how is this secret code to open the link delivered to the receiver?

It wasn't me that described the process above, but you could deliver the link to the person via various methods like text, iMessage, etc. But, it is too awkward for most normal people to do this. Unless you have a crying need for more security than most people do I suspect using something like iMessage or Telegram would be plenty secure. Most people aren't sharing secrets that often.

My apologies to jproutledge!

@TenFour - you are right on that secret messages stuff.

Besides that, if you're on any "most wanted" list, sending secure message links will likely attract even more attention right?

I agree with the sentiment that secure mail such as Protonmail is overkill for most everyday stuff.

I have an account, though, that I use when I do want an extra layer of security. For example, when purchasing property in some parts of Australia it's necessary to provide proof of identity, such as drivers license, passport, etc. I realise that the real estate agents will probably save the scans I send them on a system that could be hacked, but I think it's worth my while to clearly annotate the scans (eg with 'Provided to xxx for the sole purpose of yyy') and then send them using an encrypted service like Protonmail. At least the scans are not sitting in somebody's inbox.

But for >99% of email I just use Fastmail.

If the security is achieved by sending a link to the content that is then sent over https when the recipient requests the content of the message, then one can just put the content on any web server, such as Fastmail's files storage, and send a link (that can be protected with a password).
Of course this kind of privacy protection protects the sender's privacy at the expense of the recipient's privacy, as the sender can know that the recipient has accessed the message, when the recipient accesses the message, from what IP address, and usually other stuff such as what browser etc.

True, the difference being whether you want to send email or a document/file/attachment. With Protonmail you're sending a link to an encrypted email, rather than a link to [an encrypted] document/file such as would be the case with a document/file on a server. (I used the example of sending scanned documents, but you could use Protonmail to send a simple private email.)

Also note that Protonmail encrypted email links only work for a specified time (I think the default is 28 days), whereas content on a server would persist until removed.

I'm not saying that either is better, just that both may be valid use cases.

Not sure about that. I expect that Protonmail would or could have a record of encrypted email being accessed, but as a sender I haven't been able to find anything to confirm that an encrypted email has been accessed by the recipient, nor IP addresses, etc.

My suggestion is to avoid at all cost.

Personally I have bad experience dealing with the support especially Billing. My paid account was inactive for a year and they forced me to pay prorated bill (which is not cheap) before I can view my inbox again, the only option left is to close the account. So beware if you accidentally left it unused.

I regret upgrading it because I was one of the first to register with a FREE account and even got a free upgrade to 40gb and then what I did was upgrade to paid account during black friday sales and now I lose everything.

How did you get a "free upgrade to 40gb"?

If you have occasional need to send encrypted messages you could install the “Mailvelope” extension in your browser. Its interoperable with OpenPGP.

Done nothing, it was automatically updated back then when i had a free account.

Because if YOU don't start the process of transitioning over to a more private/secure email workflow, who will? It takes time to make an impact on your circle of associates, but it can happen. Case in point just about my own family -- 100% of them were using GMail and Outlook (and some even Yahoo) and step 1 was simple and slow, but very worth it: many years ago I got them to start to understand if you are not paying for the product, you ARE the product. And also a variety of other privacy issues. So over time, I got about 1/2 of them to switch to paid services like FastMail. And in fact almost *ALL* the of the family members that I actually have frequent email contact with are using paid services now. So for me, I'm currently at about 90% of my family-related email never touches Google, etc... That took a while, but is a pretty good result from the effort. I even got my parents, who are not exactly technically savvy, to switch. So that's step 1.

Then, step 2 is that after they are acclimated with actually paying for email services, then the next step is educating them about encryption and other security matters, and what their options are. That includes social media issues, texting, file sharing/syncing, more private means of communications, etc. For those that care and ask me for more info in my family/circle, I give them a quick "risk assessment" discussion and they can make better decisions for their own unique situations and preferences. It empowers them to make their own choices with more info at hand. So right now the transition for some of them will be to something like Signal for messaging and Tutanota or ProtonMail or one of several other providers that provide encrypted email. It will take time of course.

All of them understand, as I have explained to them, that email is inherently insecure due to many factors. BUT the simple equation of explaining levels of privacy such as ProtonMail > FastMail > GMail helps. And they also understand that with more privacy (and in some regards security too) comes more inconvenience. So the "convenience" equation would be reversed from the privacy equation: GMail > FastMail > ProtonMail. That's grossly simplifying things, of course.

And some just don't care or won't bother, so the discussion doesn't go far. That's fine, that's their choice. I just don't share certain kinds of email with them, definitely nothing sensitive. I've still got a couple of family members holding out with irresponsible online patterns that post way too personal photos and personal info into free cloud services. They just don't care or don't bother to take the time to understand the ramifications and risk factors. Ironically and sadly, they are also the ones who have had identity theft issues or had their accounts hacked. But they still don't care and keep to the same patterns unfortunately.

But with the others, all that effort pays off. And that's just with family. I've personally migrated some friends and clients off of free services too. So while I don't have 100% of my primary contacts that are using more secure services, or at least NOT the free services, each year the number grows who have moved to better patterns, and that means fewer and fewer email exchanges get sucked into the giant processing machines of Microsoft, Google, for example.

The main point I'm trying to make is really just to pose the questions: at what point do you want to get started? Do you feel like you have to wait until more people in your circle are doing it? At what point are there *enough* people that you feel ready to make the leap yourself? Why not be the person in your circle that begins the process of educating your friends/family/colleagues?

So in my mind it's worth the effort to switch to a service like ProtonMail, Tutanota, Mailfence, Startmail, Posteo, Mailbox.org, etc.... YMMV of course. And there's really nothing major lost -- except for the convenience of some of the fancy features that you are used to... all the more secure providers have feature limitations in one way or another compared to the highly-polished GMail, for example... that's a small price to pay IMO, but you may feel differently.

BTW almost all of the good encrypted email services have a feature that allows you to send an encrypted email to an external non-encrypted email user by using a shared password/passphrase. So even just by sending an encrypted email from ProtonMail or Tutanota to someone at GMail with the shared password method, you'll be able to start the larger discussion of encryption and privacy in general, and you'll raise awareness with them about some of the issues. It may not result in an ideal exchange since they can (and sometimes do) just copy and paste the secure email contents into an insecure cloud service, but at least it starts the conversation.

Again, it will take a while, but eventually some people in your circle will catch on and you'll start to regain some ground in reclaiming some of your privacy.

And who knows where this will lead you? You might surprise yourself and learn about all sorts of fascinating other security and privacy issues that might change the way you use computers, devices, social media, communications in general. No one throws the switch and they are instantly better off by switching to a service like ProtonMail or Tutanota, but it's more like a gradual process of learning what is going on with your personal data, becoming more aware, and reclaiming a bit of your digital life, one bit at a time.

ProtonMail support is not exactly the best, I will agree there. For me, it's been very slow sometimes, but at least competent. For the most part, the service works well and so most people will never deal with support.

I actually like Tutanota a little more, even though they had a very rough time with DDOS attacks. They have come out of it doing much better now, and their price is still good. They're still going through growing pains, IMO, so they are not quite running perfectly smoothly yet, but I have come to like them again after their DDOS mess.

There are other good alternatives to ProtonMail too that are worth looking at besides Tutanota, including Mailfence, Startmail, Mailbox.org, Posteo, Countermail, CTemplar, and yes, I'll even mention Hushmail, although Hushmail still gets a bad rap due to some of their issues/controversies in the past, and they obviously have the worst jurisdiction of that group. But Hushmail might be a good option for someone who needs/wants HIPAA compliant email and doesn't mind the jurisdiction. It depends on your needs.

Runbox is also a possibility if you use the Mailvelope plugin, as well as FastMail, although Runbox has a better jurisdiction by far. And technically any provider will work with PGP if you know how to set it up. But I'd suggest that list above as a starting point.

But again, ProtonMail is a decent option. Frankly, those kinds of privacy services that are at least trying to fight for our privacy are worth support. If you can, sign up for more than one of them! Give one as a gift! Tutanota even has an easy gift option for your friends and family! :cool: