62
Should i trust proton? (lemmy.dbzer0.com)
submitted 2 days ago by somerandomperson@lemmy.dbzer0.com to c/privacy@lemmy.ml
70 comments fedilink hide all child comments

If not, what alternatives can i use?

top 50 comments
sorted by: hot top controversial new old
[-] communism@lemmy.ml 5 points 1 day ago

  1. You shouldn't "trust" as a basis for security or privacy. Eg for protonmail, Proton can still read your incoming emails if they arrive unencrypted; the only way to avoid that is to send E2EE email, which unfortunately most email is not. You should assume that if they can, then they are.

  2. If you have to use proton for whatever reason (can't afford to pay to self-host things, don't know how to and don't have time to learn, etc), it's perfectly fine for everyday use for things that are not particularly sensitive ie you don't have a highly resourced state actor actively trying to obtain that data. Just always keep the first thing in mind. Too many people treat anything that calls itself "encrypted" as a silver bullet.

[-] SpookyMulder@twun.io 49 points 2 days ago

If you're using Gmail, and you're considering alternatives for privacy reasons, then 100% without a doubt, objectively and unequivocably, Proton is the better choice of the two.

There are other email providers with privacy assurances, and yes, you can self-host, but don't let perfection be the enemy of the good.

To address the trustworthiness of Proton directly: I've been a Proton user for about 10 years. It gets the job done. I have complaints, but privacy is not among them.

[-] sunzu2@thebrainbin.org 14 points 2 days ago

Proper analysis. .. The only issue with proton is lack of focus on the people who use their product and bootlicker CEO tried kisisng pedo king's ring

[-] Jason2357@lemmy.ca 3 points 2 days ago

They over hype their marketing which can lead to a false sense of security. Reign in the marketing department and present their tools for what they are and they’d be more trustworthy.

[-] rumba@lemmy.zip 7 points 2 days ago

I was actively looking to move my family over there.

When the CEOs spouted his Trump BS it made me look a little harder.

I see that they've doxed an activist.

They claim to be open source and then as you drill down you find out that some of their stuff is open source and some is not.

Switzerland looking at amending their privacy laws to further force companies to log and dox VPN users. Proton claim they would be willing to move the company outside of Switzerland if these laws take effect but will have to wait and see I guess.

There's a crap ton of either PR or fanboying going on for this company. I really want to see them get their shit together but you can't just discount this stuff like it's not happening. 400 people running around going I have never had any trouble with them privacy wise, and I don't think they all sell any of my data, It's not a good indicator of a company's privacy prowess.

I think we have good enough reason not to trust the CEO from his Twitter, and I think their marketing department is slimy as shit. I think the country they're based out of is going to force them to comply with too many court orders.

I'd say there less likely to market your data than Google/Microsoft. But they're also less likely to anonymize it correctly if they do so. Since Google runs their own ad network they don't need to sell your private data to other people to use it to market against you.

If Trump called up Andy Yen and asked him for a name, home address, IP address, phone number, and credit card mapping for all of his users he would fall over himself to provide that for hopes of a government contract. That doesn't sit well with me for a privacy concept.

If you're not worried about being doxed by a state agency, and would just prefer your data not be sold rather than it being a absolute critical thing because they might not sell your data, there definitely good enough.

If you're a little worried about putting all your eggs in one basket and want to be able to move from company to company without turning the world over, I would look at tuta and disroot, mulvad and backblaze. Or maybe even self-hosting nextcloud for the storage component on one of those services that allows you to just spin up nextcloud on a vps with single click.

[-] s3rvant@lemmy.ml 34 points 2 days ago

Proton just completed their SOC 2 Type II audit:
https://proton.me/blog/soc-2

Accomplishments like this are why I continue to trust Proton and remain a paid user.

[-] stink@lemmygrad.ml 13 points 2 days ago

Gonna be honest after working in the industry and seeing how corrupt auditing is (incompetent auditors, even some auditors getting paid off) these things don't make much of a dent to my decision making.

I say this as someone who pays for Proton.

[-] s3rvant@lemmy.ml 3 points 2 days ago

Valid to an extent. I've personally experienced various audits whether for ISO, PCI or SOC and the quality of the auditor certainly does vary though I've not encountered one I would consider incompetent; the audits have always been rigorous. I've not personally seen bribery though I have seen where an auditor might relax how aggressively they look for issues over the years of getting to know the people and quality of the company.

[-] Stowaway@midwest.social 6 points 2 days ago

I think soc 2 type ii is nice, but I also don't think it really says much about privacy in the context of me trusting what a business will do with my personal data. its been 4 or so years since if done an soc audit, so please correct me if I'm wrong. From what I recall its primarily geared toward security in general and when they say privacy, they mean securing your data from use unauthorized by the business.

The distinction im making here is that, from what I recall, soc 2 type ii says nothing about what can be done with your data (e.g. selling data to brokers, training ai, targeting ads, unclear/communicated eula changes, etc.). During these, and most other, security audits you can make business arguments as to why you should be exempt from various security mechanism or configs. These systems also don't protect from techno fascist douchebaggery like feeding the government information on individuals without warrant or just cause, to assist in targeting minorities or activists for example.

To be clear, I use proton, I think its great, and MOSTLY trust them with my data. I do also like that they got soc 2 type ii, i wasnt aware till now so thanks for the heads up. I'm not accusing or trying to infer any wrong doing either. Mostly trying to point out this doesn't resolve potential abuses some folks may have concerns about after ceo/board member/whateverthefuckingtitleis drama.

Thanks for coming to my ted talk...

[-] FriendOfDeSoto@startrek.website 40 points 2 days ago

I think you can trust the operational side of it. I don't think they've had many detrimental oopsies, the services work. I used them for a year and then jumped ship. One reason is the favorable comments by their CEO about the 47 administration, which I didn't like. Another reason is the nitty gritty - they don't clearly advertize what's part of what package and I felt that was by design to get you to upgrade. And they definitely see themselves as a basket for all of your eggs. If you are moving there because you want to degoogle your life you end up just protonizing it. It's better to spread around your stuff so you're not dependent on one provider. If you just want a good VPN and don't care about the rest of their services and the politics, you could make worse choices.

[-] Arkhive@piefed.blahaj.zone 7 points 2 days ago

I want to boost this approach. At first I just whole sale swapped to the full Proton Suite as a G-Suite replacement. But I quickly decided I did not want all my eggs in their basket, so I kept their VPN because it’s got good interfaces for mobile while also playing nice with OpenVPN on Linux, and then I’ve used other solutions for email and cloud and such, self hosting wherever possible.

[-] hanrahan@slrpnk.net 6 points 2 days ago

For what ? Security or anonymity ? Likely yes for the first but no for the second. For example

https://www.theverge.com/2021/9/6/22659861/protonmail-swiss-court-order-french-climate-activist-arrest-identification

[-] czl@lemmy.dbzer0.com 6 points 2 days ago

People get their panties in a twist over this one, but they still operate within the law. What should they have done here, not complied? It’s a court order, from their country.

[-] girsaysdoom@sh.itjust.works 3 points 1 day ago

I think OPs question is still relevant in that context. Does that case reduce their effort towards privacy? I believe the answer is yes.

[-] Zerush@lemmy.ml 24 points 2 days ago

Swiss have one of the strongest privacy laws and Proton is pretty save to use.

[-] rumba@lemmy.zip 6 points 2 days ago* (last edited 2 days ago)

This is absolutely not the case. Swiss courts compel them to act on whoever asked them for information they've doxed activists. https://www.theverge.com/2021/9/6/22659861/protonmail-swiss-court-order-french-climate-activist-arrest-identification

Edit: more

https://cybernews.com/security/proton-considers-relocation-from-switzerland/

[-] yetAnotherUser@discuss.tchncs.de 1 points 1 day ago

Can you list countries with stronger privacy laws that woud not have forced Proton to provide this information to law enforcement of a friendly country?

[-] rumba@lemmy.zip 2 points 1 day ago

You need a place that's not in this list

https://protonvpn.com/blog/5-eyes-global-surveillance?

[-] yetAnotherUser@discuss.tchncs.de 2 points 1 day ago

That's for government intelligence agencies though? Proton had to identify the activists due to a French court order which Switzerland enforced since these two countries cooperate to some extent.

Are there countries with solid privacy regulation which refuse to enforce court orders by friendly/allied nations?

[-] sunzu2@thebrainbin.org 10 points 2 days ago

Laws don't mean shit when it comes to national security issues and everything is a national security issue nowadays.

Also, Swiss are changinge their national security laws and proton is looking to move some servers out of there so how good these laws really are?

Proton is good for to ZK encryption that has yet to be debunked.

load more comments (2 replies)
[-] dukatos@lemmy.zip 1 points 2 days ago

Not for long: vice

[-] DrunkAnRoot@sh.itjust.works 8 points 2 days ago

run mailbox.org bring your own encryption

load more comments (3 replies)
[-] umbrella@lemmy.ml 12 points 2 days ago* (last edited 2 days ago)

the ceo is potentially fascist. they might be ok now, but there's no way to trust it long term if that's what you are hiding from.

if you are coming from gmail or hotmail its gonna be better, but that's kind of a low bar.

load more comments (6 replies)
[-] drkt@scribe.disroot.org 17 points 2 days ago

It's a corporation, so, no.

You need to specify what you want an alternative to, as Proton hosts a lot of services.

[-] somerandomperson@lemmy.dbzer0.com 6 points 2 days ago

OK then, what alternative do i have to Proton Mail?

[-] Zerush@lemmy.ml 3 points 1 day ago* (last edited 1 day ago)

Murena Mail (Workspace, with several apps, similar to Google Docs, but better) is also a good choice. Murena products rely on open-source software, including the deGoogled operating system /e/OS and NextCloud, partner companies, among others, Fairphone. EU

[-] drkt@scribe.disroot.org 13 points 2 days ago

Tuta are better, but not much. They've been getting worse every year.

I switched to Disroot early this year and it's been smooth sailing. They're not a corporation, and I can talk to them directly and not some dumb outsourced support staff.

load more comments (5 replies)
[-] SheeEttin@lemmy.zip 8 points 2 days ago

That depends on your risk tolerance, which is a decision you have to make yourself.

[-] TranquilTurbulence@lemmy.zip 8 points 2 days ago

The real question is, where do you draw the line. You can even make a convincing case that gmail can be trusted with your data. Actually, many people feel that way, so it’s not a bizarre or rare stance. Alternatively, you can also say that self hosting everything is the only way to be sure.

load more comments (1 replies)
[-] 0xtero@beehaw.org 7 points 2 days ago

Depends on your threat model. What are you defending against?

[-] somerandomperson@lemmy.dbzer0.com 7 points 2 days ago

I am defending against anyone that uses my data for non-essential purposes. Well, not all non-essential purposes; i mean ads, personalization, AI, selling it for profit, etc.

[-] 0xtero@beehaw.org 7 points 2 days ago

Then Proton should be fine. As far as I know, they don’t sell user data.

Of course as soon as you send an email or receive it from someone else, there’s a chance it will be mined, but while it’s ”at rest” on Proton servers it should fulfill your model just fine.

[-] appropriateghost@lemmy.ml 1 points 1 day ago

excuse me ignorance, but I understand that once you receive mail from someone with shared pgp keys, they'd have no way to read the contents.

But when I receive an email from any service that sends me mail, or from a friend that doesn't use PGP, it sits encrypted in my account... but how do we know proton isn't 'reading' the contents when it is delivered and before it is encrypted in the account?

Is there a possibility of data mining or them storing the contents on their end? like a mirror image?

[-] 0xtero@beehaw.org 3 points 1 day ago* (last edited 1 day ago)

If and when you send or receive e-mail encrypted by PGP, the body (contents) of the message is indeed encrypted and you're safe from snooping and data collection, which is great. However, privacy-wise this might actually be a bad thing, because almost no one uses PGP and using it makes you stand out in a sea of normal e-mail users for someone who collects and analyzes lot of data. So if that's your threat model, using PGP might actually be dangerous. Also, you have to remember and remind everyone to use PGP, which is cumbersome if you correspond with non-techie people. You don't really know how they handle "their side" and PGP software is notoriously not very user friendly.

Whenever you send someone unencrypted e-mail from your Proton account, there's a chance that the recipients e-mail provider (most likely Google or Microsoft) reads it. Same when they send it to you. It doesn't actually matter that the message sits encrypted "at rest" in your Proton accounts Sent Items -, the contents have already been read, indexed and sold to a broker.

It's very hard to do e-mail privacy because the protocol itself doesn't have any built-in. It's better to use other communication methods for sensitive transactions.

[-] appropriateghost@lemmy.ml 2 points 1 day ago

Good explanation, and I figured the same.

I feel the 'encrypted at rest' is then a false sense of security. Alas it is much better than gmail, etc.

[-] JumpyWombat@lemmy.ml 5 points 2 days ago

To my knowledge Proton doesn’t sell your data and there were no leaks in the past. It is also true for a lot of its competitors though.

Note: I use Proton for some things.

[-] somerandomperson@lemmy.dbzer0.com 5 points 2 days ago

But, here's the twist: there's a controversy because of the recent AI and the CEO being Pro-trump.

load more comments (7 replies)
[-] pahulf@lemmy.world 5 points 2 days ago

I think they are trustworthy and the sexy alternative to Gmail. I've been testing both Proton and Tuta as my replacement. Proton is more expensive, but provides more services. Tuta is smaller, cheaper and gives off a user centric vibe. Proton seems to be emulating bigtech a bit too much with their release of a privacy chatbot today. I'm personally leaning towards keeping Tuta over Proton.

[-] Stillwater@sh.itjust.works 4 points 2 days ago

I trust Proton's privacy aims as much as I can trust any corporation, which is to say very little but way more than Google. I do feel the company prioritizes privacy and eg. bases itself in countries with privacy respecting laws (hence leaving Switzerland after their recent legal changes that risk privacy). I think this is a more important signal than the CEO's tweet supposedly favorable to Trump (which I dont like but also dont find damning enough to override their commitment to privacy).

When I researched alternatives after leaving Google I ended up choosing Proton (I also considered Tuta) for Mail & Calendar. For me they are the best option for privacy and usability, and something my non-tech family can use, which is a major win because otherwise they would not be able to leave Gmail.

I dont use their other services because I don't want to put more eggs in the same basket.

load more comments
view more: next ›
this post was submitted on 23 Jul 2025
62 points (93.1% liked)

Privacy

40146 readers
491 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
k_o_t@lemmy.ml
tmpod@lemmy.pt
Yayannick@lemmy.ml
ranok@sopuli.xyz