Proton Mail came under scrutiny for its role in a legal request by the Spanish authorities leading to the identification and arrest of a user.

No company is going to legally go to bat for you for $10/mo. I love how Proton nonchalantly calls out the user’s dumb move in the article:

Proton provides privacy by default and not anonymity by default because anonymity requires certain user actions to ensure proper OpSec, such as not adding your Apple account as an optional recovery method. Note, Proton does not require adding a recovery address as this information can in theory be turned over under Swiss court order…

Proton does require a recovery email address if you sign up to a mail forwarding service or similar, right after creating the account. In that case the account remains locked if you don’t, so that’s just a lie

Setarkus.LW
link
fedilink
176M

In the article it says that that’s a one-time verification address. Though that leaves the question if/how long it’s stored

@azalty@jlai.lu
link
fedilink
3
edit-2
6M

Still, it wasn’t optional for me, so I’m pretty annoyed that they’re saying it.

You can remove the mail after but indeed, I won’t trust proton with not keeping that info. The mail has to be entered in the recovery email field, and then sends mail to the recovery email when you have unread mail. So it’s not a one-time mail sent with a code.

The Doctor
link
fedilink
86M

Thing is, Protonmail has been telling people this from the very beginning. It’s like it gets rediscovered every year or so when somebody else gets busted.

classic
link
fedilink
86M

What would be a more appropriate email address to use - or just no recovery email?

It’s best for anonymity to not use one at all. Proton provides a recovery key to allow access to your account if you manage to lock yourself out. Keep that key somewhere safe/secure.

classic
link
fedilink
46M

Thank you. Recovery key seems like a better route for sure

Ideally no recovery mail or you can create burner gmail account with a vpn

Doesn’t Gmail require a phone number upon registration? One of the worst choices for “burner” mails.

Do they now? I remember creating 10 gmail account using a free vpn back in 2022. iirc outlook doesn’t require a phone number

Oh, nice! Where was the VPN server, if you remember? Also heard of it being possible on a real Android device, but not on an Android VM so even harder to fake.

Canada or USA

Leraje
link
fedilink
446M

It is worth noting though, that Proton doesn’t allow you to use certain domains for recovery addresses. Admittedly this was awhile ago and maybe things have changed there but when I first joined Proton they wouldn’t allow me to set a duck.com or simplelogin.com or addy.io address as a recovery email.

Obviously using an apple ID is stupid but Proton could make more of an effort too.

I actually set simplelogin as recovery lol

So they will ask proton again for the address where everything is being forwarded… Not a good plan.

It would be fun to daisy chain a bazillion emails, all forwarding to each other in circles and have the cops just call yahoo 20 times.

But all emails are encrypted so they can’t be read anyways.

@Railcar8095@lemm.ee
link
fedilink
8
edit-2
6M

No, only the ones on Proton. If you send or receive an email from outside, it’s unencrypted there.

But still, it’s little to no difference for law enforcement. They will get the real address and whichever little info Proton or the other provider has on you.

As far as I know, Simplelogin doesn’t store anything.

https://simplelogin.io/faq/

Nowhere they say to m that they can’t see what your final email address and they have your logging email too.

If you have a specific quote saying the opposite, please share

They are actually quite aggressive about blocking disposable emails, most free services don’t work. I have used protonmail a few times for semi-disposable accounts that used disposable emails to sign up, and some of them were banned later.

deweydecibel
link
fedilink
16
edit-2
6M

At any point in the process, does it warn you about setting up recovery with personal email addresses?

Feels like with as much as Proton advertises nowadays as a privacy protecting service, they need to be taking into consideration that a lot of their customers now are going to be average users who don’t know anything about proper OpSec. They should be much clearer about what things they can’t protect you from.

It shouldn’t be in a press release like this, they should be explaining the difference between privacy and anonymity to the customer. It’s not like their marketing team isn’t aware of the fact most people don’t know any better.

It’s in their best interests, too, because it doesn’t matter how many times you say “we provide privacy not anonymity”, the headlines are a bad look.

Unless you’re targeted by law enforcement, having a recovery email won’t be an issue. 99.99% of the userbase world never have a problem with this.

I get what you say, but it’s really nitpicking at this point I think.

Create a post

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

  • Posting a link to a website containing tracking isn’t great, if contents of the website are behind a paywall maybe copy them into the post
  • Don’t promote proprietary software
  • Try to keep things on topic
  • If you have a question, please try searching for previous discussions, maybe it has already been answered
  • Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
  • Be nice :)

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

  • 0 users online
  • 57 users / day
  • 383 users / week
  • 1.5K users / month
  • 5.7K users / 6 months
  • 1 subscriber
  • 2.96K Posts
  • 74.6K Comments
  • Modlog