Given the recent changes in the UK, I am looking to properly 100% move to privacy respecting services, and close most none respecting services I have left soon.
So I need to make a choice and I’d like to ask the community, here are my two choices.
Everything into Proton, ProtonVPN, Proton Drive, Mail, Pass etc.
Use different services.
Tutamail.
Proton Drive (Free due to my very limited need for file storage).
Bitwarden.
Ente Photos.
Mullvad.
Notesnook.
Addy.
Now I think the better choice is to have everything with different providers, but I trust proton I dont think they will become “evil” or end up switching to selling data.
So what would the community do? I’m thinking proton as their stuff is outside the UK, but obviously the others help if something happens to proton.
My rule of thumb is you can choose to be in the proton ecosystem or go seperate, either choice is fine just make sure that if you;re gonna go to the proton ecosystem at least take steps to where you can get out, eg. use custom domain on emails. However Always seperate your password manager and 2FA no matter what, in the event of your account being compromised or lost, the next thing you want is to lose those too
One extra point to add to that is even if you use separate services, it is still possible for lockout if you happen to put the password to your 2FA app in your password manager and the TOTP for your password manager in your 2FA.
I’m using the whole proton suite as well. I’ve got the unlimited plan, have been enjoying it for 2 months now. If I’m not mistaken there’s an option to have a separate password for proton pass? I might be wrong though.
Despite Proton’s recent announcement of their 2fa app, I’m sticking with Ente for the time being.
I just transferred most of my VPN to Mullvad simply because it integrates well with Tailscale.
I have my own domain for emails.
On the flip side, I am attempting to move my Joplin Notes and put them in the Proton Pass’ note functionality. It currently lacks markdown support and I need it for a checklist. Alternatively I am thinking of just using a local file and have it be synced around via Syncthing rather than a dedicated Docker container inside TrueNAS because I am too lazy to figure out why the Docker service isn’t seen remotely even if I have Tailscale on.
I am trying to get out of Proton Calendar. I am aiming for a Radicale server with a DAVx5 android client hosted in something like a Raspberry Pi but I haven’t gotten around it yet.
My 2FA codes are in my Yubikeys via the Yubikey Authenticator. I was supposed to just use Passkeys with Proton Pass but I am not 100% sold on Passkeys for now.
Personally I go with different services such as Mailbox.org for emails and calendar and hopefully contacts when they support groups.
They also support cloud storage accessible via webdav and can use joplin as well.
Tasks are done locally using tasks.org as Mailbox does not support recurring tasks.
Passwords I have been using dashlane since 2012 and they are quite good having started open sourcing their app and infrastructure.
Aegis for 2fa codes.
Vpn use mulvad
I would not necessarily stick with the whole proton system due to eggs in basket. But the point of degoogle debigtech is not put all your eggs in 1 basket
I quite like Tuta so may stick with them, I dont use email to email people really and I have a custom domain, so something like Purelymail maybe a shout given its price.
I was thinking of using a USB before I looked at the other services, and I wanted to leverage seedvault with grapheneos, might just try it with a USB and then restore to another profile and see what happens, worst comes to worst it doesn’t restore and I use Syncthing to my laptop.
The major issue for this setup is that it doesn’t play well when you are constantly sharing things with others, such as spouse, family, team, etc. where people need constant read/write access.
Doesn’t it make sense to prefer an ecosystem for related data since it limits the number of additional parties you need to trust? Email, password managers, contacts, and calendar usually share similar data.
For example, your email inbox could be thought of as an extension of your password manager since it can contain account information, it can often be used to verify you, and it can even be used to reset your password. Email aliasing service providers like SimpleLogin further co-mingle your email and password manager and present another party to trust unless you choose one that is owned by the same provider like SimpleLogin with ProtonMail, Apple’s Hide My Email with iCloud mail, and potentially Mozilla’s Firefox Relay with the upcoming Thundermail service in the future.
Likewise, contacts and calendar are usually paired with email as scheduling often goes through email. I’m not simply referring to personal emails, but nearly every business will send scheduling confirmations through email unless they’re trying to be annoying and only send it through SMS. As for contacts, even if you never manually enter a single contact, a potential breach of your mailbox would still leak a lot of people/businesses you interact with unless you delete all of your emails after reading them.
The point being that for a lot of people, using different providers for this stuff is less data compartmentalizing and more duplicating data with additional parties.
If the goal is fear of data loss and not privacy, then wouldn’t it make sense to simply make routine backups and to take steps to prevent accidental lockout?
Doesn’t it make sense to prefer an ecosystem for related data since it limits the number of additional parties you need to trust? Email, password managers, contacts, and calendar usually share similar data.
I think the concern from the community here, is what happens if Proton goes under? what happens if they turn evil, what happens if they are breached?
Generally you gain better security from seperating the data, but again as you mentioned, it can be a benefit to trust one provider.
And I think data loss fear & privacy should be linked, what if your one provider goes under suddenly, think lavabit, and you only store data there.
And this is why I asked, to get different perspectives, my ideal would be get as many things on my devices as possible, and that is very possible, I can store music, photos etc on all my devices and keep them in almost real time sync with syncthing, I personally would prefer to use GrapheneOS seedvault, but I did some testing with its backups this afternoon and it really is not reliable, but as you mentioned, what if I wish to share a photo with someone? while that is rare for me, it happens from time to time, and I could just share it from my file system over a chat app and that would likely do 99% of the work.
Honestly, it depends. Proton has a good ecosystem and I am happy with them (I pay for Proton Unlimited). However I don’t use Pass (still pay for 1Password which still much better, especially because of the autofill shortcuts that I use all the time and the fact that the extensions work together with the desktop app). I also had to pay for Ente Photos because, honestly, is much better than Proton Drive for that task. And I also use Notesnook for notes since Standard Notes (which was bought by Proton) is really expensive. I also have a different cloud storage with cryptomator since Proton Drive does not backup files on my Mac (it only syncs the “Proton Drive” folder). They planned to release this feature on spring, but they missed it and who knows when they will finally do it.
This means: I do use the Proton ecosystem but I do complement their offering with other things that work better for me.
My suggestion: do whatever works for you. I don’t buy that “diversification” and “different baskets” is necessarily the best option, usually simplicity works better. I also don’t believe in sticking with one ecosystem or forcing yourself to it, when other other options might suit you best.
Here is how I am thinking of this. It seems like we are asking two questions:
Diversification vs. convenience?
Proton’s security and trustworthiness?
Here are the relevant facts that are well established in this privacy community which answers those questions:
Diversification is more important than convenience if you value privacy and security.
Proton is trustworthy/private enough for the average person who does not have a high threat model.
From those two sentences, we basically have these two propositions:
Diversification > convenience
Proton = trustworthy/secure
But I think the logical disagreement comes from this proposition:
Proton = convenient
Position A says that if [Proton = convenient] and [Diversification > convenience] then [Diversification > Proton].
Position B says that diversification is not an end in itself, but rather a step to achieve privacy, which is an end in itself. If [Proton = trustworthy/secure (for the average person seeking privacy and security)] and if [diversification is a step towards privacy and security] then [Proton > Diversification] because it creates the very state of affairs that we seek to reach with diversification.
There’s probably other positions that people take than A and B, propositions that I didn’t mention or clarify, etc. Does this help clear the air, or is it just more confusing?
Its really up to each person threat model and needs, theres no generic “best” setup that works for everyone.
Personally i prefer and did segregation. Email, contact and calendar with a provider, and i used custom domain to not be locked to the provider. Pw manager with another provider, totp 2fa with another provider, cloud storage with another provider, notes with another provider. Only inconvenience for me is when logging in on a new device but that usually handled by the pw manager and i don’t change device that frequent.
This was exactly what I had been thinking. I was bummed at not getting the lifetime visionary plan when I may have been able to do so. But I never quite understood when they first launched a vpn after mail. There was a blog post about them having a less attack service since they did not do anything else but VPN and mail Why Proton Mail Is More Secure Than Gmail | Proton
Then they launched proton drive, and it seems as if proton are trying to be a whole drop-in replacement for Google services. Whereas when I first started working on degoogling, it was very much a case of use different options that can work together, which is why I have stuck with mailbox.org for example as I can use any email app or calendar system as well as different cloud apps that support WebDAV. Or use davx5 etc. Plus, mailbox.org only have paid plans, so there is no risk of free accounts bankrupting the service, unlike ProtonMail. Is mailbox.org as good as proton mail? Not quite. But hopefully mailbox will just be as good as protonmail.