What is the best secure email service?

[ioneja]

Quote:

Originally Posted by TenFour

Seems awfully tinfoil hat to me. Being one of the larger, if not the largest, providers of encrypted email I would imagine they are much more thoroughly vetted than most of the others. What exactly worries you about them?

Hi TenFour, I also said:

Quote:

Originally Posted by ioneja

I could be completely wrong so I'm trying to keep an open mind as I read and test them out.

and

Quote:

Originally Posted by ioneja

I like their webmail design, but the potential ethics issues bug me. I don't like what I've read, but it can be tough to see through opinions to the facts in things like this, without having first-hand info, so I don't want to count them out yet. Some critics just have an axe to grind, but there may be some legit concerns.

and

Quote:

Originally Posted by ioneja

I have some unverified concerns about ProtonMail's ethics ( for example https://privacy-watchdog.io/protonmails-false-claims/ and there are other reports of concerns from other sources too), but for the most part, ProtonMail reviews are positive and I do like the interface.

So I hope I don't come across as a "tinfoil-hat" wearing ProtonMail critic, as I thought I made it pretty clear I was trying to keep an open mind about them, but the sources/references alone in the link I gave above ( again, https://privacy-watchdog.io/protonmails-false-claims/ ), whether or not the author has an axe to grind, are worth considering for anyone doing personal research on a company/service they want to entrust with their private email. That author's website has a bunch of stuff he's collected against ProtonMail, and I don't know anything about the author, and don't know specifically why he's spent time doing that, but at least he is actually posting links to source material that one can follow up on directly and form their own opinion.

Further reading through Reddit, for example, will show some related concerns, just quoting ProtonMail from - https://www.reddit.com/r/ProtonMail/...ts_associated/ - and https://www.reddit.com/r/ProtonMail/...iated/dm7cvqv/ - makes me a little uneasy trusting them. You can see a philosophy on display that is not very inspiring, at least to me. Here's an example, quoted from ProtonMail:

Quote:

"In other words, what is politically tolerated on ProtonMail, is also in some sense, controlled by the politics of the community that dominates the ProtonMail userbase. Right now, we have an even mix of left and right, but if one side were to become the overwhelming majority, we would also be beholden to that majority. This is why we are strictly neutral in order to preserve the balance that currently exists, and do not overtly lean to the left or the right."

He goes on to say:

Quote:

"We thankfully haven't had anything very controversial occur yet. We're just stating that if it were to occur, and we were forced to take a position, we would take the position of the clear majority, and it would probably be self evident at that time what the majority is."

And:

Quote:

"It's a theoretical example, about what would happen if we didn't ban a group that a large segment of our userbase really wanted us to ban, even if ToS is not broken."

You can read the whole discussion to get more of the gist, but in short, his comments definitely concern me, indicating that even if I do NOT break the ToS, but yet if I wind up on the wrong side of the political majority userbase on ProtonMail, I can theoretically be banned. Again, he mentioned politics... but yet isn't this just the kind of service that people want or need so they CAN discuss things freely and privately -- politically popular OR unpopular?

So let's look at those statements at face value. This great highly-respected private email service that promotes private, secure communications, with "Swiss Data Security and Neutrality" made those statements above. They say on their homepage that "Privacy is a fundamental human right" and they want to protect freedom of speech and freedom of expression... and yet they would theoretically ban people, even if those people did NOT break the terms of service, if the majority of their userbase demanded it.

Now that was all hypothetical, according to the thread, and I'm guessing they have not actually banned anyone like that. However, that was pretty bad communication if you think about it -- there are many other ways ProtonMail could have answered in that thread, by showing true neutrality and focusing on the core human rights philosophies of the company, rather than diverging off the deep end of a hypothetical that shows, to me at least, what some of their internal philosophical and ethical alignment really could be. For me, that doesn't sit well. YMMV of course.

And there are a bunch of other little things that bug me that add to my lack of confidence... like this -- https://web.archive.org/web/20200427...lks-claim-back

So in that example, IF indeed ProtonMail actually hacked the guy back, then deleted the tweet and changed their story, just think about that for a second. Hacking back, while it may make sense to some people as a justified action/retaliation/mitigation, is actually illegal. So I can't confirm they really did that, but they did tweet about it, then deleted the tweet. That's fact. Raises an eyebrow... again. That was August 2017.

It's this kind of pattern that keeps popping up here and there over time that makes me uncomfortable with ProtonMail... at least on a philosophical level. Maybe they're all little gaffes and don't mean anything. And yes, I get it, they are one of the "best" of this little niche group of email service providers, and they are supposedly more "vetted" and really well respected, etc.. And well funded apparently. They even received a €2 million grant from the EU to further develop the "Proton ecosystem." Supposedly there are no expectations/ties to that money. We'll take them at their word of course.

Still, I have been trying to be open minded about them, like I mentioned above, and I realize that no company is perfect, and sometimes mistakes are made... but after re-reading some of my notes, I think you helped me realize that ProtonMail is not really the provider for me. YMMV of course. There are plenty of options, everyone has their own needs of course. Cheers!

[TenFour]

You could find a similar list of links for almost any mainstream provider of online services--shows they're big enough to attract the attention of the professional trolls. The small ones just don't gather the attention. It sounds like some people don't like the idea that ProtonMail might take action against "accounts associated with inciting violence." At least that is what the title of the Reddit thread is about, and I didn't read every post. I'm certain that some are using these encrypted services for illegal activity, and that is one reason I won't use any of them. I'm not sending my money to a service that winks and nods at illegal activity. To me that is a clear ethical problem, that many people seem to ignore because they think that somehow they are protecting their own free speech. In reality, I have no doubt that if you are doing something serious enough to warrant attention from a state-level actor your email choice will do absolutely nothing to protect you, but lots of lower-level criminals will fly below the radar on the same service because they aren't doing something to attract the attention of the state-level intelligence services. Think of it this way, if I learned my business was being used by criminals I would call the police, wouldn't you? Or, do you seek out businesses that look the other way so they can claim plausible deniability? I wouldn't trust a business like that. That's one of the basic problems with the business model.

[ioneja]

Quote:

Originally Posted by TenFour

You could find a similar list of links for almost any mainstream provider of online services--shows they're big enough to attract the attention of the professional trolls. The small ones just don't gather the attention. It sounds like some people don't like the idea that ProtonMail might take action against "accounts associated with inciting violence." At least that is what the title of the Reddit thread is about, and I didn't read every post. I'm certain that some are using these encrypted services for illegal activity, and that is one reason I won't use any of them. I'm not sending my money to a service that winks and nods at illegal activity. To me that is a clear ethical problem, that many people seem to ignore because they think that somehow they are protecting their own free speech. In reality, I have no doubt that if you are doing something serious enough to warrant attention from a state-level actor your email choice will do absolutely nothing to protect you, but lots of lower-level criminals will fly below the radar on the same service because they aren't doing something to attract the attention of the state-level intelligence services. Think of it this way, if I learned my business was being used by criminals I would call the police, wouldn't you? Or, do you seek out businesses that look the other way so they can claim plausible deniability? I wouldn't trust a business like that. That's one of the basic problems with the business model.

1) Clearly these kinds of services are not for you, and I think we have a philosophical difference, which is obviously okay, we're both of course entitled to our own opinions.

2) Just because professional trolls come out against a service does not invalidate legitimate concerns about a service. Each concern can be evaluated objectively, or at the very least, reasonable minds can form opinions based on available evidence.

3) The Reddit thread in question was only initially about accounts associated with groups inciting violence, which was *already* against ProtonMail's terms of service. Every one of these services has terms of service BTW which covers illegal activity. The quotes from ProtonMail I have issues with are the ones specifically mentioning politics and hypothetically banning people even if they DO follow the terms of service. For you, that may not be an issue. For me that is an issue. I also find it pretty rare (and even kind of odd) that a representative of a privacy-oriented, free-speech, human rights service would say something like that in a public forum, and I think it's a valid concern that folks can consider in evaluating if they want to use such a service. Even if it's just an innocent gaffe and not official company policy, it's at the very least very poor messaging from a company. In any case, these kinds of services are not your cup of tea in general, I get that.

4) Of course some people are using these kinds of services for illegal activity. People are also using Google, Outlook, Yahoo, and every other provider on the planet for illegal activity. No one here is condoning illegal activity. Again, these businesses have terms of use that prohibit illegal activity. And that has absolutely nothing to do with why these services got into business in the first place. If you really want to get into the philosophy of illegal, immoral, unethical usage of online services, there are plenty of examples of massive companies turning a blind eye to those kinds of things happening on their platforms while they rake in huge profits. But again, this has nothing to do with illegal activity.

5) And honestly, we could spend the next 50 pages of this thread discussing what some people believe are the legitimate philosophical reasons why these kinds of services exist in the first place. Why some people prefer these kinds of services or even consider them essential, especially in this world of massive profile harvesting and tracking by huge corporations, even for something as innocuous as reducing web advertising tracking. But there are countless other legitimate reasons for people, such as those dealing with human rights issues, other kinds of invasion of privacy by businesses and/or governments, private political party communications, protecting business communications, protecting personal health information, yes, protecting to some degree even government overreach, political persecution, freedom of expression, and so on and on. Some people use these services between themselves just because they don't want their email floating around Google hard drives for the next decade, ready to be harvested by some slick new algorithm or hack. Some do it for purely psychological reasons that none of us might understand. Some are just writing their memoir and sending drafts to themselves and want to keep it to themselves. Any one of those reasons is enough for someone to want to gain some higher level of privacy or control in their lives, depending on their own unique needs and/or threat model. Some just like a cool feature that a provider has. And yes, obviously, if a state authority really really wants your information they're most likely going to eventually get it one way or another, we all know that. None of these services could 100% protect against a state power that is determined to get your info. Again, that's part of an individual's threat model assessment, and may not have anything to do with why someone would choose to use one of these services. Sometimes a fence is all someone wants. They may not need or want a hardened bunker.

6) And if you're going to avoid using any of these small services that care about your privacy because you think they are "winking and nodding" at criminals as a primary revenue stream, I think you don't understand their business model. It is not in their interest, for profit or otherwise, to protect any criminals on their networks. They are in business for legitimate business reasons or philosophical reasons, not to make money from criminals. Its costs these small businesses time, legal headaches and frankly money when they do have to deal with an enforcement or compliance action, certainly not worth whatever profit they might get from the "criminals" that might be paying for those services. And if you're a purist about illegal, immoral, or unethical behavior happening on a platform, look no further than ALL of the major platforms we all use, which are riddled with abuses that go unenforced. Not to mention there are plenty of genuinely illegitimate services out there that criminals can use and they can easily roll their own or jump from provider to provider.

Of course you don't need to agree with any of those reasons. These services are clearly not for you as you've indicated, so we can probably at least agree on that! Cheers!

[TenFour]

https://protonmail.com/law-enforcement

ProtonMail is open about the fact they will cooperate with law enforcement, so that is a good thing, but I don't want to hijack this thread with a discussion about the pros and cons of encrypted mail.

[ioneja]

While I'm thinking about it, thought I'd quickly update this thread since it has recently been covering recommended secure email services, i.e. including: Tutanota, which has been experiencing an ongoing DDoS attack. IMO, the way they have handled this attack so far has taken them out of contention as a mature, reliable service, for me personally. I'll check in on them in the future, since I was really starting to like them, and perhaps they'll come up with a better plan for responding both publicly and privately to a crisis like this. For now, I'll be saying goodbye to them. Here's the thread in the forum with relevant info: http://www.emaildiscussions.com/showthread.php?t=77329

[TenFour]

This person says "stop using encrypted email." https://latacora.micro.blog/2020/02/...encrypted.html

[evfrson]

Quote:

Originally Posted by TenFour

This person says "stop using encrypted email." https://latacora.micro.blog/2020/02/...encrypted.html

Agree 100% with what this person is saying.

That's why I decided, when Tutanota were having their problems, to use Signal (as this person suggests) for secure messaging.

For day to day stuff I am going to use GMail/Fastmail due to their excellent reliability and if I need to share large secure documents I am going to use Internxt but encrypt the documents myself twice first before uploading, using open-source tools that are proven to be secure.

As I have said before these guys running encrypted email services are not (as far as I can tell) cryptographic experts and in my view we have to take them on trust not to snoop on our email. If they can give law enforcement access to unencrypted email who knows what goes on behind the scenes on a day to day basis.

[chrisretusn]

Quote:

Originally Posted by TenFour

This person says "stop using encrypted email." https://latacora.micro.blog/2020/02/...encrypted.html

That was a pretty good article.

[Tsunami]

I should know more about MailFence, being a Belgian myself and MailFence being a Belgian service, ... I know they're using the same platform as ContactOffice and Mail.be but there are some big differences as well.

I'm fairly pleased with Protonmail, and unlike some here, I do like their interface. It's not flashy, but I actually like that simplicity. It's very clear and user friendly, which is what matters to me.

I would add that, while not having used Runbox myself, their location doesn't seem a downside to me. Norway is not a EU member and I never heard of it becoming a surveillance state, none of my Norwegian friends ever talked about any such thing.

That said, I have no problems with using services based in for example the US, as I would say a law-obeying citizen doesn't have to fear preying eyes. Which doesn't mean I approve of staff members scrolling through mails or so, that is a breach of privacy. But to my understanding, this isn't happening with any of the widely used services.

[LinuxArie]

Quote:

Originally Posted by Tsunami

Norway is not a EU member and I never heard of it becoming a surveillance state, none of my Norwegian friends ever talked about any such thing.

Norway is in the 9 eyes, 5 eyes plus denmark, netherlands and france