I still see loads of people going on about how, ‘Proton isn’t safe, they log IP addresses’, etc…
When in reality, Proton (Proton AG) is a registered company in Switzerland that has to follow and abide by Swiss law, or else they could be fined or even shut down.
In this case Proton received an unappealable request from Europol, through the Swiss courts, for a user’s IP address.
This made headlines. Many people started to spread: ‘Proton isn’t safe’, ‘Don’t use it’, etc…
Without realising that if the user in question had used Proton VPN (which has a free tier), under Swiss law Proton could not log any IP addresses and could only give the IP address of the VPN server to the courts. The user could also have used Tor to access Proton services.
So, if you are wondering whether to trust Proton or not…
Short Answer:
Yes, you should trust them.
Long Answer:
Yes. But it depends on what your threat model is, although most threat models will suit Proton (IMO). The only threat model that won’t really suit Proton is if you are running from the government.
Remember, email is not in any way a private form of communication. If you need to communicate privately and securely use a service like Signal.
Plus, this case reveals that they are truthful with their privacy practices. For example, they couldn’t hand over any email contents.
I just want to let you know that you have put the wrong link in the “Signal” hyperlink. It’s not signal[.]com (which redirects to digimedia[.]com) but signal.org.
People don’t care to do research or actually think about the situation with any nuance. Mental Outlaw is pretty guilty of this, and instead advocates for self-hosting email when in reality it is not worth the effort for most people to self-host.
Don’t know why anyone would take advice from Mental Outlaw; he has a YouTube channel based on regurgitating bits of news he finds on Reddit. He is the internet equivalent of the snake oil salesman.
Go to any self-hosting forum and you will be told that the mail server is the one thing you shouldn’t self-host. There are deliverability and security concerns that have the potential to make it risky and time-consuming to self-host the mail server; for most people it’s simply not worth it.
Even if you self-hosted the mail server, it doesn’t mean that the police aren’t going to kick in your door and take the server, and all your other devices, if you commit a felony. Yes, you can buy the domain and hosting anonymously with crypto, but it helps fuck-all if you are using the same e-mail to send any personal mails.
For you to get any protection that is better than using ProtonMail or Tutanota, you would need to buy the domain and hosting with crypto and use the e-mail address with the same opsec as if you were running a dark net market.
I would argue it’s not worth the effort for pretty much anyone unless you only plan on receiving email, even if you are an experienced sysadmin and manage to configure everything properly, which, when it comes to mail servers specifically, involves many pitfalls. Building your IP reputation as a mail server to the point that Gmail, Outlook, etc. start trusting you is next to impossible.
Been there, done that. Unless you want to do it just for the learning experience like I did, it’s just gonna be a waste of time. It will only lead to frustration, as many of the emails you send won’t even make it to the spam folder of the recipient.
Self-hosting is great for a lot of things; mail servers are just not one of them.
It would be better for him to explain how email in general should not be trusted for high-risk uses like whistleblowing or activism, and, instead of everyone arguing over which email provider is the best, have people discuss other protocols like XMPP. It isn’t about “fanboys fucking off to their subreddit” like he said in his video about escaping the botnet or something like that; it’s about getting to the heart of the issue: email is old and insecure. Encouraging people who likely are not skilled in system administration and cybersecurity to self-host will only result in more people using bad email server setups that either result in their shit getting outright compromised or just blocked.
Overall I have respect for Kenny, I think he’s a smart guy but I think he also gets too caught up in ideology rather than practicality or being realistic about certain things. Similar view I have for the FSF but that’s a different discussion.
If you are attempting to leak state secrets (as was the case of Edward Snowden) or going up against a powerful state adversary, email may not be the most secure medium for communications. The Internet is generally not anonymous, and if you are breaking Swiss law, a law-abiding company such as Proton Mail can be legally compelled to log your IP address.
And now the community is pushing much riskier solutions like self-hosted email as a solution to this problem, when really the problem was a lack of research and understanding of what a ‘private email provider’ really provides you from a privacy & security angle.