Trying to move away from MS365, but struggling to decide on replacement

I’ve been using MS365 for a long time for my mental health practice. I am trying to move away from big tech (except for Apple, which I am deeply embedded in and can’t get out of without considerable effort).

My needs are:

  • Privacy respecting. Of course I’d like my email to be private and safe through zero knowledge encryption, but I think I’m more concerned with the company’s overall stance on privacy and security.

  • Email, calendar, tasks/to do and drive, though I am open to separate privacy focused services too.

  • Reasonable support by people who know their service

  • Good deliverability so emails don’t end up in people’s spam.

  • Preferably open standards and open source, though that’s not an absolute requirement.

I’ve tried these so far:

Mailbox.org. Like it a lot and it ticks most boxes for me, but it feels stagnant when I look at their user forum, as though the company really doesn’t have any ambition to improve the service. With that said, it worked really well when I was trialling it. I’d like a nicer interface, but everything felt solid, except for the video conferencing service. I use Zoom anyway, but will leave that if/when a good open source alternative becomes available.

Proton. I like it, but it’s another ecosystem. And the recent statements by their CEO make me not want to use them. It shows really poor judgment and a lack of attunement to his customers and to the dangers posed by the new administration to the US and the world. He’s entitled to his opinion, but it makes me trust Proton less. I left Go Daddy when their CEO posted a picture of himself and a beautiful but dead lion he had killed, so these things matter to me.

Zoho. This seemed like a good like-for-like replacement for MS365, but it’s just so sloppily put together and their lack of attention to detail and quality makes me not trust them to do the really important things correctly. So no.

Infomaniak. I’m using them now and really like their service and it’s very complete, including Onlyoffice, but their customer support takes a week or longer to respond. I want to feel that they have my back if something goes wrong and I don’t think they do. I haven’t used their telephone support – would like to hear other people’s experience of that. Nothing has gone wrong, but when I had questions there was nobody to answer them. When they finally answered, my follow-up question was not answered even after 8 more days. I figured it out myself, but there may be times when I can’t.

Fastmail. Seems great – fast, smooth and really nice interface, unbelievably fast service when I had questions. They don’t have a task manager/to-do list, which I would like since I will otherwise need to buy another service. And I don’t like that they’re Australian and have their servers in the US.

Forwardemail.net. This would be a very different approach. I’ve been testing their service and really like the idea and the sense of freedom it provides, though I do think they are a bit too aggressive in promoting themselves. I would use them for email and calendar, and then have other services for drive and tasks/to do. I looked at the thread here and was impressed with their answers to hard questions. Can I trust them though?

I understand that I can’t have everything, but have spent way too much time trying services and over-thinking it all. At the moment, I want to focus on reliability, privacy and support and am curious what others’ experience with these companies has been. Any guidance on how to think about the above? At some level they all seem ok, but I don’t have the ability to evaluate the technology and there are so many differing views on all these services. Thanks for any thoughts you have!

1 Like

What country do you live in?

If the USA, would your mental health practice need to follow HIPAA rules? If so, make sure your mail provider is compliant.

1 Like

I’m in the UK, so GDPR is important. I think all of the above are compliant.

2 Likes

Honestly if you are looking for an office replacement suite that is well supported, I’d have to say Proton fits your use case.

I do not recommend anyone to give up their ideals. However, with regards to your reasoning, M$ is just as openly supporting Trump and with hard real money. I’d agree Proton’s CEO put his foot in his mouth, it definitely wasn’t the worst I’ve seen, and I’m not aware of them funnelling money to him. If you move from M$ to Proton, I’d argue it’s a definite significant “lesser” of two evils if we are going from that perspective.

Personally, I believe every sufficiently large tech company hopes to have policies geared towards whatever reduces their cost, and everything else is a casualty of that gain. I don’t mean to be pessimistic in that every tech company sucks for humanity, but I think permanent binary decisions on the occasional human blunder will lock out a lot of valid choices that may benefit you.

2 Likes

Thanks. I absolutely agree with you that moving from MS to Proton would be moving to the lesser of two evils, so I’m not ruling it out. The more I have looked into this, the more I realise that there are few choices for generally ethical companies. From what I know, I certainly would count Proton among them even with the comment by their CEO. Infomaniak also seems to be a thoughtful company in that regard, but there’s not enough information about them to feel confident.

1 Like

First I want to thank you for taking this seriously. Most therapists I come across don’t seem to care. I’d start by recommending you stick with Privacy Guides’ recommended email providers. Non-recommended providers are more likely to be lacking in privacy or security. In many cases, they might not be any better than Microsoft or Google.

I’d specifically recommend sticking to OpenPGP compatible services so that you have a chance at having end-to-end encrypted emails with others depending on what provider they use. The only two services which currently meet that criteria are Proton Mail and Mailbox.org.

It sounds like you don’t have any major issues with Mailbox.org, just that it doesn’t have the most polished user interface. Since we’re quite limited in options for secure-ish email, if you can tolerate it I’d say go for it!

Signal is the most popular PG-recommended communications platform. With the new Signal call links feature, virtual meetings on Signal have never been easier. Because it requires users to install an app and sign up, I’d assume not everyone would be willing to use it. I’d suggest you could offer Signal alongside Zoom so at least clients will have the choice to use something secure and open source.

I wanted to recommend Jitsi Meet but it has too many issues at the moment.
  • Jitsi Meet doesn’t automatically prompt you to enable lobby (where the call creator has to accept someone before they can join) or set a room password; instead you have to know to manually go look for and set/enable it. It might not be a major issue if you use the automatically randomly generated room name, but because the UI readily suggests that you set your own room name, I consider it a security issue.

  • End-to-end encryption (E2EE) is disabled by default.

  • E2EE is considered experimental and is therefore more prone to bugs.

  • E2EE is only supported on Chromium-based browsers (Chrome, Edge, Brave, etc.) and their desktop app. This excludes iOS, Android, Firefox, and WebKit/Safari users. When a user with an unsupported app/browser joins, it doesn’t even warn you that it isn’t going to work with E2EE enabled, you just can’t hear each other.

  • E2EE disables various features (some understandable, some not) and if I recall correctly, it doesn’t apply to certain things such as the text chat.

  • The official Jitsi Meet instance only allows you to start meetings if you’ve signed up using a proprietary (and often privacy-invasive) platform. Third-party instances are no longer listed in Jitsi documentation and therefore are difficult to find, but often will still have similar requirements.

  • Web-based platforms like Jitsi Meet and Zoom will always have weak E2EE compared to something like Signal.

I’m totally with you and I think most Proton users feel the same. That being said, it isn’t something that’ll impact the product and since there are so few options, I’d suggest you reconsider whether this should be a deal breaker or not. It’s not surprising that a CEO is right-wing. Not to get too political but in my opinion, CEOs are either openly right-wing or quietly right-wing. Andy Yen has mostly been the latter until he recently let slip, and I think he learned his lesson to keep quiet next time. If you still feel like this is a deal breaker, Mailbox still looks like a solid option!

It’s definitely a tough call, as whatever you choose to migrate to you’ll likely stay for the foreseeable future. Another analysis to consider is the likelihood of impact of different views. For example, I disagree with some of my friends’ and family members’ views, but ultimately their beliefs have negligible impact on the world around them, and the beliefs do not pass the line of inexcusable. Consider such an analysis on prospective choices.

Do you know about any decent and privacy-friendly alternatives? I’m pretty interested to get something better but without compromising the convenience that Jitsi has.

Nothing I’m aware of that is web-based. The most convenient secure option is Signal. We can only hope Jitsi Meet improves but they’ve had those issues for a long time so it’s doubtful it’ll change any time soon.

Mailbox.org switched from Jitsi Meet to OpenTalk for video conferencing, available from the Standard plan (3€/month) and above. It looks like it’s still without E2EE, though that is a work in progress.

That plan also includes an XMPP account, so you can basically use it as well for video calls, but I think it’s limited to 1:1 calls.

I have used Vsee, which is reliably pretty good and free for individual use. It’s used a lot for telehealth.

That’s why I find it difficult to make a decision. I want to choose and then settle in and not be thinking all the time about other options, maybe that’s unrealistic with technology though.

Thanks for your thoughts around this. As a psychologist, I think daily about confidentiality and privacy. It’s not an easy one since I need to combine that with some convenience/simplicity for patients who have varying degrees of technological competency. This is especially important with video conferencing, but also with transmission of documents and patients letters/records. I use a practice management platform that is secure, but not private in the way I would like. I could go back to paper records, but it is too time consuming to manage these days.

I’m leaning toward Proton, especially with their promise to include tasks by the end of the year and public upload folders very soon. They seem to have a reputation of not delivering, so I’m not dependent on those features, but they would be very useful for me. I’m going to try it out again.

For a long time I have signed my emails with an S/MIME certificate, which Proton doesn’t support natively. What are people’s views on these? I’ve used them for so long, but am wondering if they provide any real benefit at this point.

2 Likes

I can talk about Infomaniak a bit. They have a mature, complete “ecosystem” with mail, calendar (incl. tasks), addressbook, “kDrive” (cloud for sync, backup, sharing files), Onlyoffice integration, “kMeet” (video calls), “kPaste” (pastebin) and so on. Basically, it can replace something like Microsoft 365.

It is also fully compatible with all standards like IMAP, PGP, WebDAV, CalDAV, CardDAV, and so on, so you’re not forced to use their specific apps for anything.

They advertise their Swiss location and how much they respect your privacy, and they are definitely cheaper than e.g. Proton, BUT unlike Proton your data is NOT zero-knowledge or end-to-end encrypted. If they wanted to look at the data or if the police forced them to, they have the technical ability to. (Same as Microsoft.)

2 Likes

I’m not super familiar with S/MIME, but from what I’ve read it’s more common in the business world. I’d say picking between S/MIME or PGP depends on what your contacts typically use. If you don’t think anyone you’re emailing is using S/MIME, switching to PGP shouldn’t hurt. It’s worth noting that when it comes to contacting clients in particular (or really anyone not in “business”) PGP is likely to be much more accessible to them, especially if they use an email service or client that supports WKD such as Proton Mail.

Either way, most people use Gmail, Outlook, or iCloud Mail and don’t bother with any form of end-to-end encryption. Because of this, you’ll mainly be benefiting from zero-access encryption rather than end-to-end encryption from S/MIME or PGP if you switch to a more secure email provider.

I’ve used the certificate mainly as a digital signature for outgoing emails. Many email clients are compatible and the certificate verifies that the email comes from me and that it has not been tampered with. I think Proton also has a signature option, but I’m not sure how it works and what it does…

1 Like

They do support digital signatures and have a blog post that goes more in-depth. If you still have questions about specifics, I’d recommend contacting support for more clarity.

1 Like

I would say that small(er) providers, even without E2E encryption, are still a better choice than MS or Google. Yes, they can access all your files, but as far as I know, they don’t do automatic scanning, analysis and AI training, they don’t sell that info to others and you can get a living person for support, in case something bad happens (stolen account).

I’ve now looked into the Proton digital signature. It seems like the recipient also needs to have installed PGP to be able to verify the signature and thus that the email has not been tampered with along the way. By contrast, most current email clients can verify an S/MIME digital signature without installing or configuring anything. If they also have an S/MIME certificate installed, the emails will be automatically encrypted. At least that’s how I understand it.

I’m not even sure this adds value in terms of privacy, hence my question, but it’s something I’ve done for a long time.

1 Like
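To make concrete what the S/MIME signature discussed in the two posts above does and does not give you, here is an added example that is not from this thread or from any of the providers mentioned. It assumes only that the `openssl` command-line tool is installed. It generates a throwaway self-signed certificate (a real one would be issued by a CA that the recipient’s mail client already trusts; the name “Example Practice” and the address practice@example.invalid are constructed placeholders), signs a short message as multipart/signed, verifies it, and then alters one word of the signed body to show the verification failing. Note that the body stays readable throughout: a signature gives integrity and a binding to the signer’s certificate, not confidentiality, so it answers the “has it been tampered with” question but not the privacy one.

```shell
#!/bin/sh
# Added example (not from the thread): what an S/MIME signature proves and what it does
# not. A throwaway self-signed certificate stands in for a CA-issued one; the name and
# the practice@example.invalid address are constructed placeholders. We sign a short
# message with OpenSSL's CMS (PKCS#7) tool, verify it against the signer certificate,
# then change one word of the signed body and show that verification fails.
set -e

WORK=$(mktemp -d)

# Generate the signing key/certificate and produce a signed message in $WORK.
smime_setup() {
    # Self-signed certificate flagged for email protection, so OpenSSL accepts it as an
    # S/MIME signer. A real certificate would be issued by a CA the recipient trusts.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/signer.key" -out "$WORK/signer.crt" \
        -subj "/CN=Example Practice/emailAddress=practice@example.invalid" \
        -addext "extendedKeyUsage=emailProtection" \
        -addext "keyUsage=digitalSignature" >/dev/null 2>&1

    # Constructed message body; -text below wraps it in text/plain MIME headers.
    printf 'Your appointment is on Tuesday at 10:00.\n' > "$WORK/body.txt"

    # Clear-signed output: multipart/signed with a detached application/pkcs7-signature
    # part. The body stays readable to clients that cannot verify the signature.
    openssl cms -sign -text -in "$WORK/body.txt" -out "$WORK/signed.eml" \
        -signer "$WORK/signer.crt" -inkey "$WORK/signer.key"
}

# Verify a signed message; prints "ok" or "FAILED". -CAfile names the trust anchor,
# i.e. the certificate a receiving client would have to trust for the signature to count.
smime_verify() {
    if openssl cms -verify -in "$1" -CAfile "$WORK/signer.crt" \
        -out /dev/null >/dev/null 2>&1; then
        echo ok
    else
        echo FAILED
    fi
}

# Simulate tampering in transit: alter one word of the signed body.
smime_tamper() {
    sed 's/Tuesday/Thursday/' "$WORK/signed.eml" > "$WORK/tampered.eml"
}

smime_setup
echo "original: $(smime_verify "$WORK/signed.eml")"    # ok
smime_tamper
echo "tampered: $(smime_verify "$WORK/tampered.eml")"  # FAILED
```

Run it as a script; `signed.eml` in the temporary directory is a complete MIME message you can open in a mail client to see how an unverifiable (self-signed) signature is displayed. A client that does not know the issuing CA will show exactly that, so the benefit of S/MIME signing in practice depends on the recipient’s client trusting the CA that issued your certificate.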

Hi Regime6045,
Thanks for this. Do you know if they encrypt email at rest? I can’t find any information about encryption except that they encrypt kDrive. I guess I just assumed that they all encrypt at rest, but I wonder whether that is correct.

Equally, I can’t find any information about Mailbox.org encrypting email at rest. You can switch on PGP, which encrypts the inbox, but I don’t know if email is otherwise encrypted at all. Does anyone know for sure? Or is it always the case that email is encrypted at rest these days?