
I have mixed feelings about protonmail. On the one hand, they tend to be on the right side of political / legal issues, and this transparency report is nice:

https://protonmail.com/blog/transparency-report/

On the other hand, they recently reduced the level of detail in the transparency report.

There is also the fact that they are Swiss, and their privacy laws were severely weakened by a recent referendum. In particular, the Swiss government can now monitor all cross border traffic without a warrant.

ProtonMail fought the referendum, but hasn't updated this "Why Switzerland?" page:

https://protonmail.com/blog/switzerland/

They also haven't moved to a more appropriate legal jurisdiction.

[edit: clarify links]



> ProtonMail fought the referendum, but hasn't updated this "Why Switzerland?" page: https://protonmail.com/blog/switzerland/

Agreed, and that referendum was back in September of 2016. That's almost 9 months ago. This seems really disingenuous.

And the referendum didn't just eke by; it passed by 65%.

So if the Swiss domicile doesn't offer the protections it once did, why would I choose this provider over any of the half a dozen other well-known companies in the space?


Because they still can't read your email, nobody can, even though it is on their servers and crossing Swiss borders.


Then they should stop claiming that Switzerland is protecting them to a degree that it isn't anymore, and explain why their encryption is still secure.


I was asking why I would choose them as a VPN provider over any of the others.


See now, this is the part I don't get. Assuming that you don't encrypt your email with pgp (reasonable, if you're emailing someone who isn't very techy) and aren't emailing someone else who also uses protonmail, there's nothing stopping them from making an unencrypted copy of every email they receive.


The decryption only takes place on your local machine. Of course, you'd either have to check the source or trust them. It very often comes down to trust.


I was trying to do some research to refute this claim, and my ignorance of email standards has once again reared its ugly head. I thought DKIM was for encryption, but it's apparently just for verification? Email is still primarily sent in the clear?

I'm at a loss. What a mess.


Email is not primarily sent in the clear these days; most providers implement SMTP over SSL/TLS. Here you can find some nice stats on such traffic that passes through Google [0].

Of course this means that emails are only encrypted "in transit", that is, in the transmission from server to server, so you have to trust your provider.

On the contrary, PGP gives you end-to-end encryption, so you only have to trust your machine and your correspondent's.

0: https://www.google.com/transparencyreport/saferemail/
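The in-transit point above can be checked on any message you have received: each `Received:` trace header records whether that particular server-to-server hop ran over STARTTLS (`with ESMTPS`, often with a `version=TLS...` comment) or in the clear (`with ESMTP`). The script below is an added example, not code from the thread or from ProtonMail; it parses the trace headers of a constructed sample message with Python's standard `email` module and reports per-hop TLS use. Whatever the result, every host named after `by` handled the message body in plaintext, which is exactly why hop-by-hop TLS still requires trusting each provider and PGP does not.

```python
import email
import re

# Constructed sample message (not taken from the thread). The Received
# headers imitate common MTA formats; the newest hop is listed first.
# Older hop: relay.example.com -> mx.example.net, plain ESMTP, no TLS.
# Newer hop: mx.example.net -> mail.example.org, ESMTPS (STARTTLS).
SAMPLE_MESSAGE = """\
Received: from mx.example.net (mx.example.net [203.0.113.10])
        by mail.example.org with ESMTPS id abc123
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 22 Jun 2017 10:00:00 +0000
Received: from relay.example.com (relay.example.com [198.51.100.7])
        by mx.example.net with ESMTP id def456;
        Thu, 22 Jun 2017 09:59:58 +0000
From: alice@example.com
To: bob@example.org
Subject: constructed test message
Content-Type: text/plain

hello
"""

# "from <host> ... by <host> ... with <protocol>" is the shape RFC 5321
# (section 4.4) prescribes for a Received trace line.
HOP_RE = re.compile(
    r"from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+).*?\bwith\s+(?P<proto>[A-Za-z0-9]+)",
    re.I | re.S,
)


def hop_used_tls(flat_header):
    """True if this (whitespace-flattened) Received line says the SMTP session ran over TLS."""
    m = HOP_RE.search(flat_header)
    if not m:
        return False
    proto = m.group("proto").upper()
    # ESMTPS / ESMTPSA / SMTPS mark a STARTTLS session; ESMTPA alone is
    # authenticated but not encrypted. Many MTAs also append a
    # "(version=TLS1_2 cipher=...)" comment, which we accept as evidence.
    return "SMTPS" in proto or re.search(r"version=TLS|TLSv?1", flat_header) is not None


def analyze_hops(raw_message):
    """Return the transport hops in delivery order (oldest first)."""
    msg = email.message_from_string(raw_message)
    hops = []
    # Headers are prepended by each MTA, so reverse to get delivery order.
    for value in reversed(msg.get_all("Received", [])):
        flat = re.sub(r"\s+", " ", value).strip()  # unfold the header
        m = HOP_RE.search(flat)
        if not m:
            continue  # non-standard trace line; skip rather than guess
        hops.append({
            "from": m.group("src"),
            "by": m.group("dst"),
            "protocol": m.group("proto").upper(),
            "tls": hop_used_tls(flat),
        })
    return hops


def all_hops_encrypted(hops):
    """True only if every recorded hop was protected by TLS."""
    return bool(hops) and all(h["tls"] for h in hops)


if __name__ == "__main__":
    hops = analyze_hops(SAMPLE_MESSAGE)
    for h in hops:
        print(f"{h['from']} -> {h['by']}: {h['protocol']} tls={h['tls']}")
    # Even when this prints True, each "by" host saw the body in the clear;
    # only end-to-end encryption such as PGP keeps it from them.
    print("every hop encrypted in transit:", all_hops_encrypted(hops))
```

Run it against a real message by reading the raw source into `analyze_hops`; note that trace headers are written by the receiving servers themselves, so a forwarding provider you do not trust could misreport its own hop.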


DKIM solves authenticity and integrity, but not privacy.


Domain Keys Identified Mail. ;)


Can you please recommend some of those well-known email companies?


The Reddit discussion thread has a response indicating the BÜPF doesn't apply to their VPN service, with an official blog post upcoming:

https://www.reddit.com/r/ProtonMail/comments/6id4lw/protonvp...


Switzerland was one place whose name people used as the hallmark of their service being free from surveillance while still residing in a developed country.

So which will be that new country now, since apparently Switzerland isn't that option anymore? And what if that new country does something similar? Then next? And then? I don't think there will be many countries left to go to in that case. Or any, after some time?

So, aren't user privacy and the fight against surveillance running towards a wall, a dead end?


Swiss being a bastion of privacy for anything other than banking should be taken with a pinch of salt. They've been up to their neck in crypto cooperation with the NSA since at least the Crypto AG scandal if not longer.


>"Swiss being a bastion of privacy for anything other than banking ..."

The secrecy of Swiss banking actually ended a couple of years ago:

http://money.cnn.com/2015/03/19/news/switzerland-tax-evasion...


They updated the blog post here: https://protonmail.com/blog/swiss-surveillance-law/ It doesn't apply to ProtonMail and ProtonVPN.


What would be a good jurisdiction for them?


Germany has very strong privacy laws which is one of the reasons Amazon dropped an AWS region there. Customers are paying a premium for the jurisdiction.


Those laws protect against commercial exploitation, but not against endeavours of law enforcement or intelligence services. The "Vorratsdatenspeicherung" (data retention) law just took effect. In fact the BND doesn't care about the law at all. Fear-driven neo-con politics are en vogue as everywhere else. I think the main difference is the civil opposition, which is probably a tad more vocal and active than in non-EU or soon-to-be non-EU countries.


If customers are paying a premium why would Amazon drop the region? Were the privacy laws too complex for them?


I think he means "dropped" as in "the rapper dropped his mixtape today", not as in "the service provider dropped their service due to lack of profitability".


Well, that's confusing :) given that your example is out of context and the counter-example is perfectly in context.


Yes, because I agreed with you that it was perhaps a poor time for a colloquial usage of "dropped" considering that, in the context, it was fairly likely to be interpreted as my counter-example, or your initial interpretation.

I'd like to think my wording was completely unambiguous to make up for any context-switching your brain might have tried to pull on you, and if not I apologize.


Sidenote, this is an example of a contronym, a word that means one thing and the opposite.


"dropped" in this case = "added" or "dropped into place"


Think "drop a pin" like in Google Maps parlance. To "drop something" is to release something. In that context it's really American hip-hop slang, although it's used widely by the music press when discussing a new release from any type of artist.

A band or artist might be "getting ready to drop something new" - a new single, a new album, video etc.


Some kind of crypto-haven like The Isle of Man or Liberland


I guess that it's even easier to sniff upstream traffic (to/from VPN endpoints) to such small internet outposts than, let's say AWS, Akamai or any other large infrastructure provider out there.


This. You're at the mercy of their upstreams, which are fixed targets for TLAs, and likely to be sharing the pipes with other people who are (at least in their own eyes) high-value targets.


What is the tech scene there in those two countries? Could they hire the correct talent?


I'm not sure about Liberland, but I know in the Isle of Man that Bitcoin is thriving: https://www.middletonkatz.com/wp-content/uploads/2015/06/Isl...


It might be time for space satellite hosting companies... or maybe once SpaceX reduces the cost of used rockets.


> It might be time for space satellite hosting companies.

Uhm, that would probably backfire and make you an open target for every security service on the planet.

The German BND did bulk collection on satellite communications, even though German law does not allow for something like that. So the BND reasoned "Satellites are in space, the German Grundgesetz does not apply in space!", dubbing it the "Weltraumtheorie" (space theory).

German source: https://www.heise.de/newsticker/meldung/Geheimakte-BND-NSA-B...


What if you can't control it once it's gone, and anyone can access the read-only data that is stored on board?


Afaik this whole "satellite/international water" scenario was suggested to prevent government agencies from forcing access to sensitive data through legal means. If your data is so insensitive that you can have it just sitting there accessible by anybody, then you might as well just put the data on regular public servers and not bother with the effort of building a "space server".


Iceland maybe?


Oh interesting. Kind of annoying to have to keep moving services.


ProtonMail has pretty much stagnated and flat out refuses to cooperate with the community to implement new features of the OpenPGP email standards. Their Reddit guy is also pretty terrible, he pretty much insulted me in a comment after I criticized them.


ProtonMail would be happy to implement more of the OpenPGP encryption standard. Specifically, it would be great if someone would contribute ECC support to the open-source OpenPGP.js project that ProtonMail currently maintains. There are just not cycles to do it internally right now. ProtonMail is far from idle. A number of new features and offerings are being worked on. For example, take the bridge application (currently in beta testing) that will allow integration with IMAP-based applications like Microsoft Outlook.

If there's something that is a high priority for you personally to see (such as OpenPGP ECC algorithm support), I would ask that you take the time to submit it to the ProtonMail UserVoice page [ https://protonmail.uservoice.com/forums/284483-feedback ]. That page is monitored and the feedback received through UserVoice is considered and strongly influential. UserVoice has a great end user application and clarification effect that is difficult to experience through interacting with users through e-mail or traditional forum comments.

I don't believe I've seen the Reddit exchange that you are referring to (I don't personally visit that site very often). If someone using an official company account was rude to you, I sincerely apologize.




