Vote for Proton not to have your recovery address stored as text

Something that allows you to access your stuff if you lose your passwords, etc.

If you search online you’ll probably see some enterprise-related examples. It’s an interesting read, but for end users, it might be something like this.

Suppose you know by heart the password for your password manager (PM) and nothing else. But that’s a dangerous account to leave without 2FA, so you activate it, but now you’re in a situation where you might get locked out of your passwords.

So you create a second PM account, with a bs email that can’t be traced back to you, but one you have to remember. And the only thing it holds is the 2FA key for your first PM account. So if anything happens and you’re far away from your recovery codes, or you lose them, all you’ve got to remember is the second email (and password, if you feel the need to create a different one).

2 Likes

If anything, I think Proton should enumerate the account and content metadata they have access to and would be able to disclose to an adversary, either by legal request or even a potential compromise of the service. That way users can make their own informed decisions.

If you are really that concerned about keeping your Proton(Mail) account anonymous, either use a recovery phrase or do not set any recovery methods at all.

They, and most other services, already do provide all this information. For example, here is an excerpt from the ProtonMail privacy policy:

Due to limitations of the SMTP protocol, we have access to the following email metadata: sender and recipient email addresses, the IP address incoming messages originated from, attachment name, message subject, and message sent and received times. We do NOT have access to encrypted message content, but unencrypted messages sent from external providers to your Account, or from Proton Mail to external unencrypted email services, are scanned for spam and viruses to pursue the legitimate interest of protecting the integrity of our Services and users. Such inbound messages are scanned for spam in memory, and then encrypted and written to disk. We do not possess the technical ability to scan the content of the messages after they have been encrypted. We also have access to the following records of Account activity: number of messages sent, amount of storage space used, total number of messages, last login time. User data is never used for advertising purposes.

Any additional information needed is presented in Proton’s published public threat model and their terms of use. Honestly, most of the issues coming from end users are because they actually haven’t read the actual terms, and then imagined what they want a service to be rather than what it actually is.

2 Likes

Interesting discussion. The concerns around recovery emails and privacy are definitely valid, especially given Proton’s promise of ‘Privacy by Default’. The challenge truly lies in balancing security with usability.

One option to keep control more firmly in your own hands is by using email aliases. This allows you to provide a recovery email that isn’t directly linked to your account, without compromising your privacy.

Far less bulletproof than not including a recovery address. If someone has the authority to compel Proton to hand over the recovery address, they almost certainly have the authority to compel the alias provider to hand over the email linked to it. Much safer to just not have a recovery address in the first place.

2 Likes

You’re absolutely right that not including a recovery address is the most secure approach for those with high concerns or a strict threat model. Going without a recovery address does minimize the risk of exposure entirely. However, for users who want a balance between security and accessibility, aliases can add an extra layer that’s still helpful, especially when combined with a secure, privacy-focused provider.

Of course, each approach has trade-offs, and it’s all about evaluating personal needs and risks. In my own experience, I’ve found that aliases offer a practical middle ground for those who need the option of account recovery without linking directly to their primary address.

For people who want a recovery address for their Proton account but (whether it is a reasonable concern to have or not) are worried an adversary may be able to get details of the recovery address via the Swiss authorities, could they create an anonymous break-glass Tuta account via Tor (GL with that!)? The Tuta account should not be used for anything else at all for fear of leaking something, but the account holder would need to log in every few months to ensure the account is not deleted.

My question is: do they also store phone numbers in plain format?
If so, if I remove my phone number from Proton, then can they theoretically still hold that phone number?

Also, one of the reasons why I gave a phone number this time was because I had gone the hard way of using KeePassXC and recovery keys, only to one day find my Linux system bricked and I was forced to hard reset (and I hadn’t duplicated the KeePassXC keys), or straight up forgetting the password after many days of not using it.

I had even gone through many bad opsec decisions like writing the password on a piece of paper, only to then not know where the paper actually is.