SimpleLogin, owned by Proton but not the same?

I’ve seen SimpleLogin touted as a great option especially since Proton acquired it, but from their own Privacy Policy it seems they don’t share the same privacy guarantees as Proton Mail. Essentially they say they scan your content for spam/viruses before sending it off (same as Proton Mail), after which it’s deleted, except if it bounces, in which case it seems it’s stored completely accessible to them (or anyone with access to their AWS S3) for 7 days, and potentially longer in their backups.

Whereas from Proton Mail’s Privacy Policy (I tried to link but new user limited to 2/post):

We do NOT have access to encrypted message content, but unencrypted messages sent from external providers to your Account, or from Proton Mail to external unencrypted email services, are scanned for spam and viruses to pursue the legitimate interest of protecting the integrity of our Services and users. Such inbound messages are scanned for spam in memory, and then encrypted and written to disk. We do not possess the technical ability to scan the content of the messages after they have been encrypted.

So just wondering why SimpleLogin isn’t similarly encrypting message content at rest (bounced email/backups) in a way that they can’t read it either. Is this just a matter of a new-ish acquisition not being revamped yet?

Both policies say:

Due to limitations of the SMTP protocol, we have access to the following email metadata: sender and recipient email addresses, the IP address incoming messages originated from, message subject, and message sent and received times.

I can’t find any mention of how long/if they store this information though. Seems like quite a lot of deanonymizing information could be collected from these metadata over time.

1 Like
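As an added illustration of the metadata point quoted from both policies (this is not code from either post, nor from Proton or SimpleLogin), the following Python script parses a constructed message and separates what any SMTP hop such as a forwarding relay can record (envelope addresses, originating IP from the Received header, subject, timestamps) from the body, which stays unreadable only when the sender encrypted it end to end. The hostnames, addresses and the PGP block are constructed placeholders.

```python
import email
import re
from email import policy

# Constructed sample (not a real capture): a PGP-encrypted message relayed through
# an alias/forwarding service. The relay reads headers but cannot read the body.
SAMPLE_ENCRYPTED = b"""Received: from mail.example.org (mail.example.org [203.0.113.5])
\tby relay.alias.example with ESMTPS id CONSTRUCTED1
\tfor <alias@alias.example>; Tue, 03 Oct 2023 10:15:00 +0000
From: sender@example.org
To: alias@alias.example
Subject: Quarterly report
Date: Tue, 03 Oct 2023 10:14:30 +0000
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP MESSAGE-----

hQEMA0nOTa2E8U7nAQf/constructed-ciphertext-placeholder
-----END PGP MESSAGE-----
"""
# Same headers with a plaintext body: everything, body included, is readable at each hop.
SAMPLE_PLAINTEXT = SAMPLE_ENCRYPTED.split(b"-----BEGIN")[0] + b"Q3 numbers attached.\n"

_BRACKET_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def relay_visible_metadata(raw: bytes) -> dict:
    """What an SMTP hop can record about a message regardless of body encryption."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # The originating host appears in the earliest (last-listed) Received header.
    origin_ip = None
    for hop in reversed(msg.get_all("Received") or []):
        m = _BRACKET_IP.search(str(hop))
        if m:
            origin_ip = m.group(1)
            break
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    encrypted = (msg.get_content_type() == "multipart/encrypted"
                 or text.lstrip().startswith("-----BEGIN PGP MESSAGE-----"))
    return {
        "sender": str(msg["From"]),
        "recipient": str(msg["To"]),
        "subject": str(msg["Subject"]),
        "origin_ip": origin_ip,
        "sent": str(msg["Date"]),
        "content_readable": not encrypted,
    }

if __name__ == "__main__":
    for name, raw in (("encrypted", SAMPLE_ENCRYPTED), ("plaintext", SAMPLE_PLAINTEXT)):
        print(name, relay_visible_metadata(raw))
```

Encrypting stored bounces protects the body; the fields this function returns are what a provider can still retain, which is why the policies' retention period for metadata matters.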

I’m going to assume this is the case in the short-term.

The answer to the storage question is legitimate, but yeesh what a reminder that email is not private by default.

1 Like