First of all, I don’t use email as a secure communications channel for important things.
I still have a Tuta account on the 1€/month plan and use it occasionally to contact people using Tuta and have work related email forwarded to this address for notifications without play services on GOS.
For everything else I use Proton with SL aliases because I already pay 7,50€/month for unlimited (I use their suite except wallet) because I trust them and think they are a reasonably secure provider.
Even if my emails can get scanned by other providers it’s still a few providers, each getting a little bit of info instead of my provider scanning all my emails.
Or use password-protected emails where you do have contact with that individual (using Tuta’s or Proton’s). Nonetheless I do have to add that an encrypted mailbox is a nice addition to actually keep using these services over, say, Gmail.
By using these providers you stop contributing yourself to the problem directly. You may benefit with some contacts of e2ee but mostly keeping your own data safe with a trustworthy player.
By not needing an account at big tech you are limiting the possibilities for them to take advantage of you. Nothing is 100% but using these providers surely contributes to a more sane digital life.
Using Proton over another client can still make privacy simpler, even if the other recipient isn’t a Proton user. Here are a few practical examples:
Proton can automatically attach a public key to outgoing emails, which makes it easier for anyone else who wants to use PGP to communicate more securely with the sender.
It takes two to have message privacy, so if the other party is putting in 0 effort or acting maliciously (e.g. if they will always decrypt and make public backups of all emails regardless of circumstance), then nothing will keep these messages private.
Proton helps make privacy more convenient within reason. Think of it as a tool that makes it easier to privately:
Message other Proton users, with no effort.
Message other PGP users, with nearly no effort.
Message other users, with the effort of enabling the password protection.
When Signal originally supported SMS messages, you may have asked a similar question: how does downloading Signal help if you contact everyone on it using SMS?
In practice, by meeting users where they are (the ability to send unencrypted emails and SMS messages), it can help with adoption of opportunistic encryption (encrypted emails or messages between compatible users, with a fallback to unencrypted for other cases) until these encryption methods become more widely used.
In my opinion it’s all about being a little better.
For example, if Tuta or Proton would be only 1% better than the standard big tech shit, would you rather use them? I would, if I have to use e-mail for some reason. Of course I know that neither Proton nor Tuta will help me against government hackers, but at least against most of the private businesses collecting your data. Although you have to keep in mind that really big corporations or very rich people in general have contacts inside NSA, CIA etc. and are actively working with them. So even if the government itself doesn’t want specific information about you, but a big company or a very rich person like Jeff Bezos, they just make a call and a “former” government hacker will make it happen.
So in the end it’s about protection against “normal” hackers, most businesses and maybe making it a little more difficult for government hackers. In my opinion worth it, if you have to use e-mails.
If the protection is on cyber attacks, then sure, Proton and Tuta do achieve it very well. However, there’s also the security aspect of that individual’s threat model (if they have 2FA, passkeys set up, what recovery methods are set and how they’re protected, etc.).
Yes, this is a good point. Maybe your contacts are using Gmail, but the more people use private mail providers, the more likely it is that we will communicate between us.
The same as messengers. Saying it is useless to use Proton because all your contacts are on Gmail is similar to saying that it is useless to use Signal because all your contacts are on WhatsApp. Yes, but by using Proton and Signal, you make possible a more private society.
Edit: I just saw I mostly repeated the point made by @sgp
This is true, however it’s slightly worse than this. In America a warrant is needed for recent emails, however if the email is older than 180 days they only need a subpoena.
Draft emails can always be gathered with a subpoena only (no warrant needed).
Encrypted email will always be more protected, however like the OP mentioned it’s not perfect.
Using Gmail puts your data in the Google ecosystem which is designed to collect as much data as possible and analyze these patterns. Proton or Tuta are designed to send and store emails.
There is so much focus on end-to-end encrypted email transmission in this thread that it feels like the far more obvious benefit of end-to-end encrypted email storage is being ignored.
99.9% of the emails I receive are transactional (from various automated/online services), so the poor email storage practices of the party on the other end are totally irrelevant. All that should really matter is that your own inbox is safe from data breaches, hacks, the service provider snooping, etc.
Do you trust their policy? Good luck. “Don’t be evil” is a thing of the past.
I am not talking about skimming emails for advertisements. Technically, they might obtain the email content by a subpoena or other legal process. That is undeniable, right?
Google Workspace (previously G Suite) administrators have the technological power to access users’ emails.
Password Reset: Administrators can reset a user’s password, allowing them to access the user’s account and read their emails directly. This strategy is commonly used for troubleshooting or when an individual departs the organization.
For firms that use Google Vault, administrators can view stored emails even if users delete them. Vault retains email copies in accordance with the organization’s retention policies.
Security Investigation Tool: Available in select editions (such as Enterprise), this tool allows admins to search for and examine email content in specified scenarios, such as security investigations or compliance audits.
In summary, while E2EE secure email providers offer robust privacy features for internal communications among their users, the effectiveness of these features is significantly reduced when interacting with users on other email platforms.
It appears that none of the secure email services using e2ee advise their subscribers. Please let me know if I’m missing anything.
The way they promote e2ee email is identical to how Telegram describes it as secure.
Otherwise encrypted with TLS if the non-Proton Mail mail server supports it (most providers such as Gmail, Yahoo, Hotmail, etc, support TLS). Note, since these messages are encrypted but not end-to-end encrypted, Gmail, Yahoo, Hotmail, etc will be able to read these messages and hand them over. This is not possible if you use Password-protected Emails, which enable Proton Mail’s end-to-end encryption.
Isn’t this kind of a silly argument? You can say this about any company that has any info of value. For example, I was an entry level tech support at a large regional credit union. I had access to every customer’s SSN and could add money to their account if I so chose, just because those permissions in the software were needed to be able to reset a password. There is just a level of trust you are forced to have if you interact with a third party.
That is called working in a corporate environment. Thing is, Google itself is not doing the scanning or harvesting data for 3rd parties, instead all data stays within the company. Those scanning abilities are needed in a business environment, and Google Workspace is a business product.
Here is a question, why are you making those assumptions? As in, why not encourage friends to use similar services, why not use PGP on all emails, why not store contacts and calendars and why not create a custom domain?
Your point is what, to say that there is little point so why not stick with what is known? If fewer people thought that way, a world of encryption and privacy by default might come to be the norm and using anything else would be weird.
Life is complicated, time is short, and people have many competing priorities and interests (even within the privacy space) other than trying to convert their contacts to using PGP.
I get the “you do you” sentiment—it’s valid to respect personal choices and priorities —but at some point, it becomes clear that this approach isn’t cutting it. Privacy isn’t just a personal choice; it’s a (neglected) collective responsibility. When someone’s indifference or ignorance about privacy jeopardizes others—whether through leaking information, insecure communication, or reliance on surveillance-based platforms—the conversation can’t remain passive. It’s time to normalize encryption and privacy-conscious behavior as basic, non-negotiable habits. #priv/acc
The framing needs to shift from “why should I if the gains are only x or the effort is y times more?” to “why wouldn’t I?”—because the excuses we hear (“I’m too busy,” “it’s not worth the effort,” or “it works the same for me”) often mask an unwillingness to confront uncomfortable truths. Privacy isn’t a luxury or a niche concern; it’s a foundation for autonomy and security. Those excuses may feel benign, but they enable a status quo that puts all of us—especially privacy minded sorts/advocates—at risk.
This isn’t about gatekeeping or forcing someone to go full-tinfoil-hat overnight. It’s about fostering habits that prioritize privacy as a norm, not an afterthought. Like this site, which emphasizes rigorous, evidence-based recommendations to counter misinformation, we need to adopt a similarly insistent approach toward discussions which seek to normalise and trivialise moving the needle. So many such conversations are rooted in ignorance or indifference so I have to commend the OP for wondering if there was something they were missing and seeking some feedback. The stakes are too high to let inertia win however, and I was less impressed with their insistence on doubling down on misguided rhetoric.
We know how data is exploited against us. We’ve seen the tangible harm that arises when privacy is neglected. So why do we still entertain arguments that trivialize this reality? It’s time to change the narrative and make privacy-first choices not just acceptable, but expected.