THE HATED ONE: We need to talk... about the Proton ecosystem

Well since you are new, I recommend not relying on reddit for any quality or accurate info. Doesn’t mean there is no accurate info but there is a lot of click bait rage bait content and comments misrepresenting info even if the commenters there may not be technically inaccurate. It’s lying by omission and misrepresentation of facts.

What exactly is your problem here with Proton doing this?

Well, I don’t know how far you are in your privacy journey but Proton with all its smaller faults (nothing that is or should be deal breaker to anyone), is transparent enough to be trusted given their history, how they operate, and their business model among other things.

Again, don’t rely on reddit for good quality accurate info.

The thing is.. like I said, not fully sharing the details of the story in the video. Only headlines.

Sure, Proton has the capacity to collect metadata. But you can also make and use Proton services anonymously if you wanted to. You can also turn off and ensure no “metadata” is collected in the first place.

This means, you can indeed access and use all of Proton’s services as privately and anonymously as you want/can.

How do you not see this as a solution to many people’s if not everyone’s privacy needs for all that they offer and how.

It is my opinion that you do not yet know enough about Proton to have such a view on them and I believe it is an incomplete assessment of them. But you do you.. you don’t have to trust me but please find accurate info and not fall for misinformation. As you keep learning, I hope you’ll come to see it my way and change your mind somewhat.

Right now, you appear to have this view based on half truths and incomplete information.

(welcome to the forum btw! Hope you stick around and keep learning).

Every privacy product has a specific use case. These software are always functional first and feature rich second.

I think the concern is, should the people who may be targeted with search warrants use a non-self hosted solution in the first place? Instead of any company, maybe they should just self-host their own email and storage, or use cryptomator for the cloud-based storage they require.

I suppose I took this site as to mean “privacy” didn’t mean differentiating those who would be served with search warrants from “normal” people looking for actual privacy. Just because you may not be served with a search warrant today, doesn’t mean you may not be in the future based on future actions, and you’re actions and services you chose for privacy today, should hold up in both situations. You could combat this with your callouts to threat models, but I think it still stands.

I agree though. Self hosting (with the technical knowledge to do so securely) is the solution and proton is definitely a better choice than, say, Google/MS. I do however have the same feeling from proton today that I did with google (when “do no evil” was their moto) back in the early 2000’s and im confused why it isn’t brought up more.

Well since you are new, I recommend not relying on reddit for any quality or accurate info. Doesn’t mean there is no accurate info but there is a lot of click bait rage bait content and comments misrepresenting info even if the commenters there may not be technically inaccurate. It’s lying by omission and misrepresentation of facts.

Again, don’t rely on reddit for good quality accurate info.

I completely and 100% agree but I was not at all using reddit as any source of truth to the matter if you re-read my comment. I was using their shady practices on reddit as an example of why I don’t think they are to be as trusted as the community accepts.

I use many devices: tablets, mobile phones, and computers. I didn’t know much about computing when I began this journey into the world of technology, but I was clear for ethical and political reasons that I wanted to change my habits and learn about this world, at least enough to become aware of what I use.

My experience with Proton Mail (and SL) and Calendar services has been good, but Drive has wasted too much of my time. On Mac it’s horrible (or it was, I stopped using it a long time ago). It only worked well on Windows (and even then the upload speed is ridiculous compared to Filen, for example); the photo sync functionality only serves to make backups. They need to polish Drive much more (I think that after Mail, it’s the cornerstone of all the other services). The VPN is good overall, but on Fedora and Ubuntu it’s given me a lot of problems. In the end I use it on a few devices and, on others, Mullvad works without issues.

A person who wants to switch from one ecosystem to another, in a simple way and without overthinking it too much, is going to feel brutal rejection when Proton starts giving them problems. In this sense, I think the ecosystem does more harm than good. Ente, Addy, Notesnook, Tuta… These are services that are coming together and collaborating to offer discounts to those who use the family of services, and I think it’s a wonderful idea because they work perfectly and don’t generate so much frustration. I wish Filen, Bitwarden and Mullvad would join the party.

I would also like you (and anyone else reading) to always take note, assess, and evaluate for what the product is, can do, is supposed to do or be, and for whom it is made when making your own conclusions about it and what you like or don’t like and for what reasons. Then you may choose to like it fully or somewhat or not at all.

Reading and risking confirmation biases from other comments and platforms reinforces potentially misguided beliefs about privacy tech that does not lead to anything good but misinformation at best and your safety at worst.

So, you may still question why Proton is beloved with all its faults, I ask anyone to please go back and read beyond headlines and verify the info from multiple sources and also account for what Proton says and does and why - this is where some nuance helps. It’s not always black or white.

Proton did this so it must be bad and is a bad product. That’s a bad and poor way to look at it. There’s always more to it, not to mention that none of the issues with which people have had a problem with Proton cannot be mitigated if not eliminated. Their personal OPSEC is also a big factor sometimes.

Anyways, I hope I’m more clear for how I meant my other comment. People are so quick to judge and form strong opinions. Take a breath and think critically. The privacy community can be a tricky bunch with particular and have strong alliances to their favorite tools. Learning to look past it to evaluate info more holistically is key.

Hey JG, and just to be clear. I’ve seen many many of your comments and I did not mean to come across as argumentative. I see you have absolutely contributed to the privacy community with accurate info for some time. I just want to clear that up.

I do still however have an issue with Proton and I think a lot of people are starting to also have that realization. Maybe it’s anecdotal (though, probably not from all the videos etc. coming out) from my circle of privacy minded friends, but I do think it’s absolutely worth discussing the practices from the media “department” of proton which i think leads to a bigger issue to discuss with the product of proton suite itself.

I still want to say that, while you and I both agree that reddit and social media in itself is not to be trusted, Proton certainly believes so with their overreaching efforts to fund reddit, privacy influencers, and so on and I absolutely think thats something to take note of. I think that reflects on the company as a whole, and I don’t see how to compartmentalize their product and media team as the decisions for that are the same minded decisions that get passed onto their development team and so on.

I think we should be discussing the trust with these companies, and I think, as of right now, Proton is top of the list to be criticized.

Thanks! We’re good.

Yeah, I agree that their marketing needs to improve a lot and so does some of their decisions they make at times. Though the product they do release do their job so not always easy to hate them because they do deliver.

I also think Proton cannot be like Mullvad or Tuta where their marketing is a lot less than what they do. It’s a different approach to business. Folks who are more purists and ethical when it comes to things like this especially in the privacy and security space are not going to like the almost big tech approach to their marketing but that’s what works.

And at the end of the day, I’d rather see more people move to Proton than worry about how they are doing it. That said, I do see that they are very close to crossing lines at times. Perhaps I’m being overly forgiving here to Proton. But I am also thinking about this from a slightly more big picture way. I don’t know.. I might change my mind later but this is what I think for now.

I agree with you. I was actually debating on making a forum post about this very THO video myself. However, as you beat me to it, I will post my personal opinion on this here.

Here is my two cents on the matter:

My thoughts for Proton:

1. Proton is a pretty well-known company, as far as I know, probably almost as widely recognized as a name as DuckDuckGo in both the privacy community and in general. They haven’t really done anything to negate any trust in my eyes as of yet.

2. I myself was a little skeptical of Proton at first, given some of the criticisms about them that I have seen online. However, after listening to a couple interviews with Andy Yen on both the Linux Experiment and on one of Vivaldi’s podcast episodes, it gave me some comfort in being able to choose Proton without worrying too much. Andy Yen seems to be a very chill person, and looks like that he is very passionate in his company and is legitimately serious about the goals and values of Proton regarding the preservation of privacy and security for the average person.

3. In those interviews, one thing that Andy Yen explicitly said was the main reason why Proton is building an ecosystem, is because it is something that the majority of their user base has been explicitly asking for. While it is probably true that there could be a bit of profit and monetary incentive involved as well, Proton is ultimately only trying to cater to their paying user base in what they want. So in my view, that is totally understandable and is a valid reason. Yen also said himself that their biggest stakeholder is their paying users, so they are more willing to listen to their users than other alternative companies like Google and Microsoft.

4. Personally, I myself prefer sort of an ecosystem because it reduces the amount of long-term/permanent subscriptions that I need in order to be productive. I honestly sort of like how Proton is making it so that all of their products can start integrating and working together. This gives me the benefits having a similar experience as using more mainstream suites like Google and Microsoft, but without all of the spying and data collection that I am trying to get away from. I just upgraded from Proton Unlimited to their Visionary plan and I find the value and exclusive perks that is offered in that tier to be insane for the $360/year that it costs, and I absolutely love it. I’m going to try my hardest to keep it for as long as I can forever since it’s not something Proton publicly offers or sells anymore. That is not to say though that I won’t be getting a couple of other things to compliment my Proton ecosystem like Ente for photos and Notesnook for notes, but Proton for me is a nice base to build off of and already has a lot of my bases covered.

5. I feel that THO may have felt a bit sore about what was essentially a rejection of his interview offer by Proton, so that could have been partially what has fueled the inspiration of his latest video about them that he made.

My thoughts against Proton and for THO:

1. I think that THO does present some perfectly valid arguments and reasons against using Proton, in particular for those who have higher threat models or just prefer to avoid any sort of ecosystem altogether. So, I think the warnings and risks that he presented are justifiable and within reason in regards to this matter.

2. I have seen some Reddit stories and some comments on YouTube regarding some testimonies of some people who have gotten some of their Proton accounts shut down for unknown reasons. However, I am not sure to the extent of their validity.

3. I think that it is quite strange that Proton advertises “open source” on all of their products and services, yet it seems for most of their software only the clients are open sourced while none of the code running on Proton’s servers is published and made publicly available on code repositories like GitHub or GitLab. For example, Proton claims that their Lumo AI is fully open source, yet none of the server-side code to the models they used and customized, their implementations of the AI, the chat UI, their web browsing mechanism for Leo, etc. are available to the public with only the code for their Lumo iOS and Android apps being made available. Although, it does seem like that Proton has published what open source models they use for Lumo in their documentation, so +1 for them on that.

That means to say, unlike fully open source Notesnook and Ente Photos with both their client and server-side code being available for instance, I have no ability to get the full source code of the Proton Suite, compile it myself, and run it locally on my own self-hosted hardware if I wish to do so. Philosophically speaking, since I have bought a lifetime license to Proton Pass and Simple Login Premium, I feel that I should have the right to obtain a copy of the same exact Proton Pass and Simple Login software that runs on Proton’s infrastructure and fully run it self-hosted myself without needing Proton hosting it for me, in the same manner as I would self-host a fully and truly FOSS cloud password manager like Bitwarden. If Proton could let me do that, I would find that to be seriously awesome.

4. I find it interesting and weird that Proton would basically just ghost THO like that, and not even take him up on his offer of doing an interview despite him turning them down for a sponsor.

There you have it. That is my official stance on this matter.

The explanation I read/heard from him was he wants to stay on a platform where the noobs are so he can get more people to care about privacy/security. If he goes to Peertube, he feels he will just be making videos for tech experienced people.

BTW he does have an account on Bitchute The Hated One

And yet his videos don’t appear to be heavy on exposition than just talking about what’s what in privacy. There’s so much more he can do to better explain his stances on things if the goal is to explain it to newcomers to the space.

I think at the end of the day, we should always have an exit strategy to every critical service we rely on.

I love email aliases, but the more I create, the more I mentally sweat about the idea of leaving behind my alias provider for another and need to go through and update each one. It’s not impossible, but it’s something to consider when going all-in on a service.

Proton Suite is great, I think, but if they go south then we should have a rough idea on how we would quickly transition to another service ASAP.

This is generally my beef with companies like Apple, because it is very difficult to quickly leave their ecosystem once you’re all-in. Privacy is about control over our personal information, but there’s this tough balance between doing everything ourselves (self-hosting) and giving control to a trustworthy company.

I think this is the only argument that I currently find valid and a dealbreaker for not going to ecosystem route if this is a legitimate concern of one. Being fragmented with the services you use helps mitigate if not eliminate this issue.

Off topic: this is the case for custom domain aliases, in lieu of addresses on the provider’s stock domains. It’s trivial to reestablish these same aliases with a new provider, if you own the domain

Exactly. And this right here, like some others have mentioned, is the big one. Always have an easy exit strategy. It doesn’t matter if you decide to put all your eggs in one basket because it’s convenient and easy, or if you use a dozen different services because you think you absolutely have to diversify, always have an exit strategy. Always back up your 2FA codes, your recovery keys, always have a local storage, even if you do use cloud, always do the 3-2-1 backup method, and absolutely use custom domains and catch alls for your aliases, say your prayers, drink your milk, take your vitamins, etc..etc..

This was a great video. He isn’t wrong on many aspects. I disagree on the following point.
Warrants:

Andy Yen mentioned in an interview Proton VPN is actually a separate entity than Proton itself,meaning a single court order couldn’t order Proton Mail info and Proton VPN one. Not sure if still holds today.

Also, I disagree putting eggs in different baskets is better. But this is another subject. Proton is aiming to compete with Big Tech, and I believe that’s good. We need to bring Privacy to the masses. Proton has 100 million users. People are used to ecosystems and honestly it’s just more convenient.

It’s a matter of different people having different threat models. I don’t have any issues myself with using Proton for all the things Proton offers, but if someone does have an issue, that’s not a “wrong” stance.

I haven’t watch this video as of writing. Does the content creator make concrete criticisms about Proton’s ecosystem, like @PurpleDime? Or are they just criticizing the abstract concept of ecosystems and criticizing Proton for creating one?

If it’s the former, I’ll consider watching it. If it’s the latter, I see no reason to. Why not just make a video about ecosystems in general, if that’s the case?

Just watched it. I’d say the main argument is to not put all eggs in the same basket which implicitly implies that you need an exit strategy.

He also points out on the company having control over your email shouldn’t be the same one handling VPN on the case of the company going evil (being sold for instance) or a court order.

He also talks about the journalist who got his account closed and Proton didn’t react until it was public.

You could theoretically have your account blocked, which in an ecosystem is rather rough if you have no backups.

I’m a paid user of Proton, but for some stuff, I don’t have a clear exit strategy.

Is it not possible to migrate aliases easily? If not, I also need to rethink this.

These are just criticisms of the concept, not of Proton specifically. Because of this, I will probably not watch it. It doesn’t seem like anything new. I’m already well aware of the downsides of the all-eggs-in-one-basket approach.

Does the content creator suggest any exit strategies or solutions other than “don’t use Proton” or something like that? I think it would be a shame if they didn’t after all the downsides they pointed out. This kind of stuff irks me.

It’s easy to mirgrate from one SimpleLogin account to another, but I can’t say for other services. As for migrating from one service (like SimpleLogin) to another service (like AnonAddy), that would indeed be extremely annoying and difficult if you don’t have a custom domain, as @privacy.slouchy says.

In the grand scheme of things, Proton does not even do enough for me to clock this as a problem. I pretty extensively use all of Proton’s services as a Visionary subscriber, and even as I do so, Proton represents only a very small fraction of what I use on the computer.

To me, it’s simply very easy to be highly diversified while also using Proton’s services, and I think most Proton users find themselves in a similar situation.

That’s not clickbait.

Just like how he loudly proclaims he’s very unique and special for not accepting sponsors many times throughout the video and in his comments section.

I find it pretty challenging to take YouTubers seriously these days when we do what they do + we do written work + we self-host everything from the ground up in addition to meeting people where they are on big tech platforms + we foster this community for other members to do the same. Unfortunately, “content creator” types have been far less willing to work with us compared to serious organizations like Tor or EFF, so to me that speaks volumes about how serious YouTubers are about advancing privacy vs. their own brand.

1,000%, yes.