First of all, I don't use email as a secure communications channel for important things.
I still have a Tuta account on the 1€/month plan and use it occasionally to contact people using Tuta, and have work-related email forwarded to this address for notifications without Play Services on GOS.
For everything else I use Proton with SL aliases because I already pay 7,50€/month for Unlimited (I use their suite except Wallet), because I trust them and think they are a reasonably secure provider.
Even if my emails can get scanned by other providers, it's still a few providers, each getting a little bit of info, instead of my provider scanning all my emails.
or use password-protected emails where you do have contact with that individual (using Tuta's or Proton's). Nonetheless I do have to add that an encrypted mailbox is a nice addition to actually keep using these services over, say, Gmail.
By using these providers you stop contributing directly to the problem yourself. You may benefit from E2EE with some contacts, but mostly you keep your own data safe with a trustworthy player.
By not needing an account at big tech you are limiting the possibilities for them to take advantage of you. Nothing is 100%, but using these providers surely contributes to a more sane digital life.
Using Proton over another client can still make privacy simpler, even if the other recipient isn’t a Proton user. Here are a few practical examples:
Proton can automatically attach a public key to outgoing emails, which makes it easier for anyone else who wants to use PGP to communicate more securely with the sender.
It takes two to have message privacy, so if the other party is putting in 0 effort or acting maliciously (e.g. if they will always decrypt and make public backups of all emails regardless of circumstance), then nothing will keep these messages private.
Proton helps make privacy more convenient within reason. Think of it as a tool that makes it easier to privately:
Message other Proton users, with no effort.
Message other PGP users, with nearly no effort.
Message other users, with the effort of enabling the password protection.
When Signal originally supported SMS messages, you may have asked a similar question: how does downloading Signal help if you contact everyone on it using SMS?
In practice, by meeting users where they are (the ability to send unencrypted emails and SMS messages), it can help with adoption of opportunistic encryption (encrypted emails or messages between compatible users, with a fallback to unencrypted for other cases) until these encryption methods become more widely used.
In my opinion it's all about being a little better.
For example, if Tuta or Proton were only 1% better than the standard big tech shit, would you rather use them? I would, if I have to use e-mail for some reason. Of course I know that neither Proton nor Tuta will help me against government hackers, but at least against most of the private businesses collecting your data. Although you have to keep in mind that really big corporations or very rich people in general have contacts inside the NSA, CIA etc. and are actively working with them. So even if the government itself doesn't want a specific piece of information about you, but a big company or a very rich person like Jeff Bezos does, they just make a call and a "former" government hacker will make it happen.
So in the end it's about protection against "normal" hackers, most businesses and maybe making it a little more difficult for government hackers. In my opinion worth it, if you have to use e-mail.
I mostly use it as evangelism. Most folks I email don't receive anything from me that I wish to encrypt (I use other platforms for that). It's mostly a way to get them to ask me "What's this?", which allows me to point them towards privacy as a concept and existing tools. I have converted some folks to the bright side.
I also quite like to support these companies, vote with your wallet and all that.
If the protection is against cyber attacks then sure, Proton and Tuta do achieve it very well. However, there's also the security aspect of that individual's threat model (whether they have 2FA or passkeys set up, what recovery methods are set and how they're protected, etc.).
Yes, this is a good point. Maybe your contacts are using Gmail, but the more people use private mail providers, the more likely it is that we will communicate between us.
The same as messengers. Saying it is useless to use Proton because all your contacts are on Gmail is similar to saying that it is useless to use Signal because all your contacts are on WhatsApp. Yes, but by using Proton and Signal, you make a more private society possible.
Edit: I just saw I mostly repeated the point made by @sgp
This is true; however, it's slightly worse than this. In America a warrant is needed for recent emails; however, if the email is older than 180 days they only need a subpoena.
Draft emails can always be gathered with a subpoena only (no warrant needed).
Encrypted email will always be more protected; however, like the OP mentioned, it's not perfect.
Using Gmail puts your data in the Google ecosystem, which is designed to collect as much data as possible and analyze these patterns. Proton or Tuta are designed to send and store emails.
There is so much focus on end-to-end encrypted email transmission in this thread that it feels like the far more obvious benefit of end-to-end encrypted email storage is being ignored.
99.9% of the emails I receive are transactional (from various automated/online services), so the poor email storage practices of the party on the other end are totally irrelevant. All that should really matter is that your own inbox is safe from data breaches, hacks, the service provider snooping, etc.
Just clarifying that Google Workspace emails are not scanned by Google for advertising, nor is their data shared with any third parties. It's in their privacy policy.
Do you trust their policy? Good luck. “Don’t be evil” is a thing of the past.
I am not talking about skimming emails for advertisements. Technically, they might obtain the email content by a subpoena or other legal process. That is undeniable, right?
Google Workspace (previously G Suite) administrators have the technological power to access users’ emails.
Password Reset: Administrators can reset a user’s password, allowing them to access the user’s account and read their emails directly. This strategy is commonly used for troubleshooting or when an individual departs the organization.
For firms that use Google Vault, administrators can view stored emails even if users delete them. Vault retains email copies in accordance with the organization’s retention policies.
Security Investigation Tool: Available in select editions (such as Enterprise), this tool allows admins to search for and examine email content in specified scenarios, such as security investigations or compliance audits.
In summary, while E2EE secure email providers offer robust privacy features for internal communications among their users, the effectiveness of these features is significantly reduced when interacting with users on other email platforms.
It appears that none of the secure email services using E2EE advise their subscribers. Please let me know if I'm missing anything.
The way they promote E2EE email is identical to how Telegram describes it as secure.
Otherwise encrypted with TLS if the non-Proton Mail mail server supports it (most providers such as Gmail, Yahoo, Hotmail, etc., support TLS). Note, since these messages are encrypted but not end-to-end encrypted, Gmail, Yahoo, Hotmail, etc. will be able to read these messages and hand them over. This is not possible if you use Password-protected Emails, which enable Proton Mail's end-to-end encryption.
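To illustrate the hop-by-hop nature of the TLS case in the quote above, here is an added example (not code from the thread or from Proton) that parses the Received headers of a constructed message and reports, per relay, whether the transport was TLS or plaintext; every relay still holds the decrypted message, which is the gap that only password-protected (end-to-end) mail closes. Hostnames, IPs and ids in the sample are made up.

```python
import email
import re

# Constructed sample message (not a real capture): the first hop, from the
# sender's server to a relay, ran in the clear (ESMTP); the second hop, from
# the relay to the recipient's inbox server, used STARTTLS (ESMTPS).
# Received headers are prepended by each relay, so the newest hop is on top.
SAMPLE_MESSAGE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
    by inbox.example.net with ESMTPS id abc123
    for <bob@example.net>; Mon, 1 Jan 2024 10:00:02 +0000
Received: from sender.example.com (sender.example.com [198.51.100.5])
    by mx.example.org with ESMTP id xyz789; Mon, 1 Jan 2024 10:00:00 +0000
From: alice@example.com
To: bob@example.net
Subject: test

hello
"""

# SMTP "with" protocol tokens (RFC 3848 and the IANA registry) that imply TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS", "UTF8SMTPS", "UTF8SMTPSA"}


def hop_transport(received):
    """Parse one Received header into (receiving host, protocol, used_tls)."""
    value = " ".join(received.split())  # unfold continuation lines
    by_match = re.search(r"\bby\s+(\S+)", value)
    with_match = re.search(r"\bwith\s+([A-Za-z0-9]+)", value, re.IGNORECASE)
    host = by_match.group(1) if by_match else "?"
    proto = with_match.group(1).upper() if with_match else "UNKNOWN"
    return (host, proto, proto in TLS_PROTOCOLS)


def transport_report(raw_message):
    """Return the hops in delivery order (oldest first)."""
    msg = email.message_from_string(raw_message)
    hops = [hop_transport(h) for h in msg.get_all("Received", [])]
    return list(reversed(hops))


def plaintext_hops(raw_message):
    """Hosts that received the message over an unencrypted connection.
    Every relay, TLS or not, holds the decrypted message; only end-to-end
    encryption (e.g. password-protected mail) keeps content from a relay."""
    return [host for host, _, tls in transport_report(raw_message) if not tls]


if __name__ == "__main__":
    for host, proto, tls in transport_report(SAMPLE_MESSAGE):
        print(f"{host:<22} {proto:<8} {'TLS' if tls else 'PLAINTEXT'}")
```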
Isn't this kind of a silly argument? You can say this about any company that has any info of value. For example, I was an entry-level tech support at a large regional credit union. I had access to every customer's SSN and could add money to their account if I so chose, just because those permissions in the software were needed to be able to reset a password. There is just a level of trust you are forced to have if you interact with a third party.
That is called working in a corporate environment. Thing is, Google itself is not doing the scanning or harvesting data for third parties; instead, all data stays within the company. Those scanning abilities are needed in a business environment, and Google Workspace is a business product.
How do you trust any other email provider? Do you personally setup their servers for them, verify hardware, and check if they are running clean code every second?
Anyway, my point wasn't trust. It was just to clarify that you won't be served ads based on your Workspace emails. It is very strictly governed, since Workspace also handles emails from minors studying in colleges, corporate secrets, medical information, etc. Do with that what you will.
As they should??? These aren't consumer emails or personal emails. The company admin has rights over company communication. It is literally how companies and orgs operate. If you set up your own workspace, YOU are the admin, not Google.
Nobody is claiming Google Workspace is E2EE. I was just clarifying the FUD where you cited a blog about personal email, and then cited the Google Workspace market size. They aren’t the same product.