I use aliases for everything, but I find myself in a dilemma in figuring out how I should use aliases with Substack. It seems to me that there are only two ways to go about it.
Create a Substack account with one alias and use that Substack account to subscribe to all the substacks you like.
In this scenario, everything is centralized, not just to a single alias but to a single Substack account. A Substack account is useful if you plan to start publishing your own.
No Substack account. Create a new alias for every substack you wish to subscribe to.
You get more privacy, and one could argue that it makes it easier to unsubscribe from certain substacks by simply disabling or deleting your alias for it.
Although I created a Substack account years ago, I never published anything, which is why I am leaning towards option 2. However, I worry that I could get in trouble with my alias provider (Proton Pass) if I go for option 2.
On the one hand, Proton doesn’t allow more than 1 alias for the same third party website. But it is my understanding that that is only for accounts for said website.
Meaning that I can create 3 aliases to email 3 different people who use Gmail, because those aliases are not used to manage an account. Proton claims they can tell the difference.
Regardless of who you alias provider is, how do you use it with Substack?
Sorry to have to break this to you, but no you can’t. They only allow one alias per third party website. No more. So if you have 2 Instagram accounts, you can only afford 1 Proton Pass / Simple Login alias for one of your accounts. Even if you managed to create more than one alias for the same website, it’s not allowed. I’ve talked about it here and here.
I am saying that that Proton can distinguish the difference between:
A) Creating 5 aliases to email 5 different people who use the same email provider (Gmail).
vs
B) Creating 5 aliases to manage 5 online accounts from the same website (Reddit).
A is allowed. B is not.
If you have 2 Instagram accounts, you can only use a Proton/SL alias for one of them.
The reason I brought up Substack is because there are 2 ways to subscribe to a Substack newsletter. The first is by creating a Substack account and subscribe to other Substacks through your account. This means that every time you log into Substack, you will see all the Substacks you are subscribed to.
The other way is by not creating a Substack account, and just entering your email address every time you find a Substack you like, and you will receive the Substack newsletter directly to your email address.
Both methods require an email address. The difference is, in the 2nd method you don’t have a Substack account, and therefore can use a different alias for every Substack. At least that is my understanding. Someone correct me if I’m wrong.
Unfortunately your–very reasonable–assumption appears to be incorrect (as was mine). I was pretty surprised and disappointed to find out that Proton does care. Afaik, they are the only e-mail aliasing provider with a non-sensical policy against using multiple aliases with the same service.
Personally, I’d reach out to Proton support and explain the situation, politely explain your frustration with the policy and why it doesn’t make sense in the case of substack (and in many other cases).
If you want to see Proton change this misguided policy, Proton needs to hear about (and spend a few minutes of support time reading and responding to) all of the plethora of legitimate situations where it is useful or necessary to use more than one alias with a single service. The more they hear about legit use-cases, the more they hear about customer frustrations, the more likely they are to rethink the misguided policy.
Practically speaking, beyond trying to get them to change the policy, or ignoring the rule and hoping it isn’t enforced, I think the only solution would be to use any other aliasing service (at least for substack)
I have still not experienced this first hand so I’m not sure how Proton disallows this but its good to know this is the case. I will test this out more with different websites and see for myself then.
To answer your OG question/concern - did you consider using @lanedirt’s AliasVault? Or Duck’s email aliasing service? These may not be ideal but the only other option I can think of is Addy.io then.
(@lanedirt - please don’t be like Proton as others are describing in this thread. And this is another reason why a full page properly rendered email viewing and managing capability/capacity of AliasVault is needed. I know this is too close to being a full fledged email service but it’s still receive only, no sending (albeit I think you’ll consider that in the next couple of years once the core product is mature and stable). Just my two cents on the matter.)
I did reach out to Proton to express my frustration. I think it was last year. I had not encountered the specific dilemma of Substack back then, but I told them about the issues this rule presents. They don’t seem like they are going to budge.
1000% agree. This is why it is so important that users voice these issues to Proton via customer support. I intend to do it again, but that is not enough.
We must raise public awareness
We need to raise awareness publicly on forums like PG and on other social media platforms. Because if we only raise it in private, it becomes easy for Proton to ignore.
It’s very common for companies not to react to complaints until some influencers with lots of subscribers make noise. It shouldn’t have to be that way.
Most users are unaware
Another reason to do it is because most Proton users are not aware of this rule. Partly because it is hidden in the ToS, but also because it is not explicit. The ToS doesn’t say that you are only allowed one alias per third party website. It says that they don’t allow “abuse” and “bulk sign-ups” which they get to interpret however they want.
To me, “bulk” means a lot. Two is not bulk. If I buy five apples, I didn’t buy them in bulk. But to Proton, any number more than 1 = bulk. To Proton, abuse means creating more than one alias per third party website. But you will only find that out if you talk to customer support, or when they decide to enforce this rule, not by reading the ToS.
I told Proton that even if they never change this rule, which would suck, at the very least they can make it explicitly clear in their ToS. You know what they replied? That their ToS was already clear.
I’m working on a PG post
So, yeah, I plan to make a public post specifically on this issue where I will not only explain why this rule is impractical but also how it presents real security and privacy risks. I failed to make my case to Proton privately, but I hope I can make my case to the privacy community so we make more noise collectively.
Yes, I mostly agree. However, I want to be 100% sure that I correctly understand how Substack works before I do that. Because, if I am correct, anyone could rack up many aliases just for Substack, and I could see how that could potentially be a problem for other alias providers too.
Right now, there are less than 10 substacks I’m interested in. That’s not a lot. But 10 aliases for the same website is a pretty high number. At least I know that Addy is fine with having 3 aliases for the same website because I’ve asked them specifically. Proton is too strict, and that needs to change.
I’m following this with interest as I’ve just realised I have different email aliases with SimpleLogin for 9 different Substacks.
Am I going to have to delete 8 of them and re-subscribe with DDG?!
That is very interesting. I’m curious, do you have a Substack account? As in, a login with a username name and password for Substack? If not, you are probably fine.
If yes, do you have more than one account? If you do, then that’s where you could potentially get into trouble.
Sorry but what said above isn’t true. For example, I have created 2 accounts for GitHub with different aliasess. At least on the premium version you can. And if not, then just create an allias on Proton Pass without the website name.
I am talking about SL alliases, not Proton email alliases. Using xyz+youremail@proton.me isn’t effective as those techniques are know to data brokers and they can filter out it pretty easily
Just because you were able to create 2 aliases for the same third party website doesn’t mean this rule doesn’t exist. It absolutely does, regardless of if you use Proton Pass or Simple Login aliases. Just because Proton hasn’t enforced it yet with you doesn’t mean they can’t nor that they won’t.
You’re not the first person to say they were able to create 2 aliases with the same website. Various people have also reported getting flagged by Proton after creating three, including myself. Those people probably reached out to Proton Support as I did. And guess what they told me? The rule is one alias per third party website. Doesn’t matter if some people get away with 2. That’s the rules.
I got a warning after creating 3. You would think that means the limit is 2. I asked Proton and they categorically said no. The limit is one alias per third party website.
I do have 3 alliases for a website, and it works fine. But it should be noted that I usually rename the allias, so I never let the allias be domain.xxxx@aleeas.com, as it is by default on PP.
Now it might be because they are really appart in time.
I will test creating 3 allias on substack, will see if I get this warning
That’s true. But honestly, SL TOS say you cannot create “bulk” accounts for websites, so honestly I don’t see how 3 allias for a website is bulk. I think they are overzealous and should allow a few, maybe up to 5, provided you don’t just create them all in one day.
I think the reason for their policy is they don’t want to get their service blocked. Allowing a single, known user to sign up at the same website/domain with multiple aliases facilitates things like ban evasion. With the single-alias per domain policy in effect and enforced, they can credibly argue that they should not be blocked as each email alias used to sign up for a given service represents a unique user. Honestly, I’m ok with this. It’s a tradeoff, and they chose to make their service more accepted by third parties so it remains usable for pretty much anything. In the case of something like Substack, they can probably figure out who you are through fingerprinting even if you technically have multiple accounts. You’d have to maintain an annoyingly onerous level of opsec to avoid that.
I’m not sure what you mean by this. Could you elaborate? To my understanding, it is not possible to rename an alias once it’s been created. Also, choosing two different domains to create two aliases for the same website is not a loophole you can exploit. Proton still knows you broke their rule.
By this, do you mean that a significant amount of time passed between the creation of your first and second alias for the same website?
If yes, that is possible, but it doesn’t mean that you won’t get in trouble eventually.
Suppose you created 2 aliases for 2 Dropbox accounts, and a month went by between the creation of the first and second aliases. As a result of the time delay, you don’t trigger a warning from Proton.
Months later, Dropbox announces the release of a new service, and they send an email notification to all their users. That means that your two aliases will receive an email from Dropbox at the same time, which could trigger the warning from Proton. Every time Dropbox has a public service announcement that they send via email to all their users, it could trigger a warning from Proton. With more aliases for the same websites, the more likely this becomes.
This is why I personally do not want to take this risk since I already got a warning on my account.
And this is precisely the point, my friend. You seem to have missed my previous comment about Proton deliberately using vague terms in their ToS and avoiding defining what “abuse” and “bulk” means, so they can interpret it however they want.
You and I probably have the same understanding of what bulk means. But to Proton, it just means more than one, which is not the dictionary definition of bulk.
Trust me when I tell you that I argued back and forth with Proton Support for MONTHS about this. They won’t budge. They insist that, “bulk” means anything more than one. Moreover, they refuse to make their ToS explicitly clear by saying that they don’t allow more than one alias per third-party website. To them, it is already clear, which is not true.
That’s fine. But please remember that creating multiple aliasees to subscribe to various Substacks is not the same thing as creating multiple aliases for multiple Substack accounts with multiple usernames and passwords.
The former is almost surely more tolerated than the latter, if not allowed. But it’s still not clear enough for me to want to take the risk.
Yes, that is part of the reason. One of the response I got for asking why the limited is 1 was “we’re not Google”, implying that they are not universally accepted everywhere.
I don’t know if this limit Proton has predates their absorption of Simple Login, but I would not be surprised either way. What I know is that alias services have existed since before Proton acquired SL, and even before SL existed. I know because I’ve used them. And I never had this issue with the alias provider I used before.
My experiences of alias providers is that one alias per third party website is not the norm.
All that being said, the very least Proton could do is make this rule clear and explicit in their ToS, so people are aware and can make an informed decision. I intend to make a post dedicated to this issue.
I do receive email from them and I have 3 of them. I actually just noticed that one of them is named x.word123@aleeas.com, so it might be attributed to X.com for some reason.
Absolutely understandable, and I want to thank those who participated in the thread for informing me of this.
@team I feel like this should be mentioned in the allias section. Also to be mentioned whether Addy has a similar policy.
I see. I have never used the Proton Pass browser extension. I don’t even have it installed, mostly because I only use Proton Pass for aliases and not as a password manager, because the latter is still lacking in many features for me.
My point is, all my aliases are created manually in the desktop app, and I have never used the name of a website as the prefix in any of the aliases I’ve created it. It’s always a random word hetfy.whale123@passinbox.com, a name harper.whale123@passinbox.com, or just an initial h.whale123@passswinbox.com.
All that being said, the name of your aliases do not play any role into whether your account will trigger a warning. Proton can read and detect the website you signed up to regardless of the name of your alias. They can do that in part because signing up to any website, will trigger an email response from that website, and Proton can read the domain.
Every alias provider has rules about abuse, and I am quite confident that most of them do not allow creating 50 aliases for 50 accounts on the same website.
That said, I specifically asked Addy if I could create 3 aliases for 3 Instagram accounts, and they said yes, that is absolutely fine. There are definitely more tolerant than Proton.
