 Before you start sharing clickbait headlines like "Proton is compromised", "privacy is dead", etc., just read the whole fucking news article first.

Proton always said they would provide whatever they have (metadata) to Law Enforcement if subpoenaed. That was never a secret or in question. They are an actual registered company...

They still don't have access to email body content. E2E encryption still works. What they can provide is IP addresses, recovery email, recovery phone, browser fingerprints and email metadata (timestamp, recipient, sender, subject, size).

If you are worried about this (you should), use a VPN (not proton VPN) or Tor, avoid disclosing sensitive information in the email subject.

Despite the FUD, people are still 99% safer and more private using ProtonMail relative to Gmail or similar.
https://restoreprivacy.com/protonmail-discloses-user-data-leading-to-arrest-in-spain/ 
 I use protonmail and I love it but what do you mean by e2e encrypted email? A mail from proton to Gmail or vice versa can't be e2e encrypted. Do they (claim to) have encryption at rest for all emails? 
 this. 
 Proton claims to have encryption at rest for non-E2E-encrypted emails. Of course you need to take their word for it, since they can just make a copy during unencrypted transport. But so far, there's no evidence that they actually do this. 
 Email is just not private at all, but that does not mean you should throw your arms into the air and just use gmail... Every little step helps 
 I wonder if they have this part of their code open sourced 
 This is server side. It does not matter if it's open source, you can never verify what they are running there. 
 E2EE works only Proton to Proton. That's why I onboarded my family.

For external encryption, Proton offers something different.
The sender can encrypt the mail with a (strong) password.
https://m.primal.net/IEHN.png 

But I am sure you know that already.... 🙂  
 Only when you're using PGP. You could use FlowCrypt on Gmail tho

But metadata (sender, receiver, subject) is still in plaintext 
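To make the point about plaintext metadata concrete, here is an added example (not code from this thread, from Proton, or from FlowCrypt) that parses a constructed PGP/MIME message with Python's standard library and reports which fields a mail provider can still read when only the body is encrypted. The addresses, subject, date and the placeholder PGP block are all constructed for the example.

```python
import email
from email import policy

# Constructed sample (not a real message): a PGP/MIME message in the RFC 3156
# layout, whose body part is ciphertext. The PGP block is a placeholder string,
# not real OpenPGP data.
ENCRYPTED_RAW = """\
From: alice@example.org
To: bob@example.net
Cc: carol@example.com
Subject: Q3 financials - please review
Date: Tue, 07 May 2024 09:15:00 +0000
Message-ID: <constructed-1@example.org>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

hQEMAxPLACEHOLDERxCIPHERTEXTxONLY=
-----END PGP MESSAGE-----

--b1--
"""

# Constructed sample: the same envelope with an unencrypted body, for contrast.
PLAINTEXT_RAW = """\
From: alice@example.org
To: bob@example.net
Subject: Q3 financials - please review
Date: Tue, 07 May 2024 09:15:00 +0000
Message-ID: <constructed-2@example.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Revenue was down 12% this quarter, details attached.
"""


def body_is_pgp_mime_encrypted(msg) -> bool:
    """True when the top-level part follows the PGP/MIME encrypted layout."""
    return (
        msg.get_content_type() == "multipart/encrypted"
        and msg.get_param("protocol") == "application/pgp-encrypted"
    )


def provider_visible_metadata(raw: str) -> dict:
    """Return what a mail provider (or anyone with access to the stored or
    in-transit message) can read, regardless of whether the body is encrypted."""
    msg = email.message_from_string(raw, policy=policy.default)

    # Envelope recipients are needed for delivery, so they are always readable.
    recipients = []
    for field in ("To", "Cc"):
        hdr = msg[field]
        if hdr is not None:
            recipients.extend(a.addr_spec for a in hdr.addresses)

    encrypted = body_is_pgp_mime_encrypted(msg)
    return {
        "sender": msg["From"].addresses[0].addr_spec,
        "recipients": recipients,
        # The Subject header is outside the encrypted part, so it stays readable.
        "subject": str(msg["Subject"]),
        "timestamp": msg["Date"].datetime.isoformat(),
        "size_bytes": len(raw.encode("utf-8")),
        "body_readable": not encrypted,
        # Body text is only exposed when nothing protects it.
        "body_preview": None if encrypted else msg.get_content().strip(),
    }


if __name__ == "__main__":
    for label, raw in (("PGP/MIME", ENCRYPTED_RAW), ("plaintext", PLAINTEXT_RAW)):
        print(label, provider_visible_metadata(raw))
```

Note that in the constructed sample the subject line already discloses what the message is about even though the body is unreadable, which is exactly why the advice earlier in the thread is to keep sensitive information out of the subject.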
 Yeah. End-to-end encryption has to be encrypted AT BOTH COMPANIES and we all know Gmail isn’t on their end. 
 It is E2E between proton users.

If you want to encrypt it to other users, you can. Although you have to set a password for your email.

Then the receiver will only get a proton website link, which if they click, they have to put in your password and then they can view it.

I think that is the only way to encrypt to any arbitrary mailbox. 
 I do have a password to my Proton email but didn’t realize I needed to give that password to whomever (with a different email account) received my transmission. Thanks so much for weighing in on this important topic. 
 No, no! 
 When you create an email, and you want to send to a non-proton user, if you click the lock icon, you have to set a specific password for that email. Then it will be password protected/encrypted, and only openable with that password. 

NOT your account password. You shall not share that with anyone! 
 Yay!  Thanks for clarifying. I was not too keen on sending my main password to my ProtonMail account out. 
 No problem. I am glad we discussed this before you shared it. 💜

Rule 1: Never share your password with anyone!

If you have to, they are trying to scam you, or you need to use a different product 🤙 
 Many “influencers” might lead people to believe that using any VPN (specifically the one they advertise) turns people into a cypherpunk. Many are centralized services vulnerable to attacks and even more are just a honeypot. And of course almost all of them have to comply with the law as companies. 
 There was a case where Proton disclosed data not to the authorities but to the press. There was a case where they helped the CIA with money. They don't do anonymous payment with Bitcoin, they don't have logs disabled by default in client settings, etc.

As a result, Proton just sucks. It's basically just a paid Google. 
 Yes, just use gmail, it's free and more user friendly. 
 After Google Stadia, I don't use Google services. 
 Source? 
 You can pay with bitcoin, fyi 
 Only after creating an account, what does that mean in practice? For example, Proton may ask you for your Visa/MasterCard details and only then allow you to pay with Bitcoin. That's exactly what they do to me because they think I'm unreliable. 
 Thanks, I didn’t realize that was the flow 
 You can't pay with bitcoin without paying with something else (credit card) first. 
 Thanks I didn’t know that 
 nostr:nevent1qqsfhm74zz3yme54rg5qwwmju6996tym4xnypqwpug0yhlzmm29shfsppamhxue69uhkummnw3ezumt0d5pzp5x7h70mzt00s86r6lrfg2dm0pyp9tq7f5k48gszmd42cl4yk3nvqvzqqqqqqyask03c 
 "not proton VPN" -- what would you recommend instead? 
 Mullvad or ivpn 
 ivpn 
 Yes mullvad 
 Mullvad 
 Mullvad paid using lightning network all the way 
 hm the only options I see are Monero, Bitcoin, and *cough* Bitcoin Cash 
 https://mullvad.net/en  Is worth looking into. 
 Other option is to build your own VPN server 
 Makes me wonder if the recovery email the account had was the biggest metadata leak that actually confirmed the identity to that account. So much for owning your own account completely.  
 It looks like it. I never provided any recovery info. If it's lost, it's lost ¯\_(ツ)_/¯ 
 Yeah this is nothing new, nor is it avoidable for a public company.

Anyone who says that this makes it no different than Gmail is deeply naive and uninformed. There’s an ocean between the two. 
 I was under the impression that if you use proton VPN the Swiss law protects them from disclosing certain information to authorities? Obviously that can change. 
 I wouldn't know about that but:
* You should not rely on the law to protect your privacy
* you definitely should not put all your eggs in the same basket: if you use proton mail, don't use any other service from them. Look for alternatives for vpn, cloud, password manager, notes, calendar, etc and spread your risk as much as possible. Ideally most of the above can and should be selfhostable. 
 Good point, convenience can equal compliancy. Good to change and mix things up every couple of years. 👍 
 Reading one of their Mastodon posts they say that as VPN is not considered a communications tool in Swiss law they therefore don't have to log IP-addresses, and that there are no Swiss laws that can compel them to do so.

https://mastodon.social/@protonprivacy/112401509092025344 
 Proton is as transparent as they could be on this and they openly talk about what they do / could see on their web site all the time. It comes across like a lot of people use Proton Mail but don't actually read what they say and then get in trouble. A lot of the data they received is opt-in by users (IP history logs, recovery emails) and what is left is impossible for them to avoid knowing.

If a company following the law is 'compromised' then by their logic everything is. Arguably using a service that endorses breaking it makes you even more compromised by putting a target on your back. EncroChat, SkyECC, Phantom Secure, ANOM had hundreds of thousands of combined users and countless arrests... the price is paid on all of their users. Fortunately they were almost all involved in serious crime, but that doesn't mean the next time it wouldn't be normal people who could be misled by a false promise of security and privacy. Proton is a good provider by telling the truth and following good practice. 

Email is not like SimpleX or Signal, they can't move hosted infrastructure away to their users so they cannot get legal requests or design their product in a way where they can't provide any valuable information. Even if you host your own email, it wouldn't stop them going after the person above the pyramid (your host / network provider) to disrupt the operation... 
 tuta.com  might be a better choice for an email provider. 
 Why? No open pgp compatibility, only e2e encryption between tuta users... 
 I was a paying Proton customer for over 6 years. Then about 4 months ago they suspended my account for an unknown reason. Their primary support method is email. Anyway, suspending my account and having shitty support, no thanks. 

I long for the day when centralized services are a thing of the past. 
 I don’t feel like looking it up now but pretty sure they have done the same thing in regards to handing over user info they have in the same manner. 
 All that and:
You can't expect anyone to take the fall for you, especially not for free. 
The only one responsible for your action is you and you are the only one who should be held accountable.

nostr:nevent1qqsfhm74zz3yme54rg5qwwmju6996tym4xnypqwpug0yhlzmm29shfsppamhxue69uhkummnw3ezumt0d5pzp5x7h70mzt00s86r6lrfg2dm0pyp9tq7f5k48gszmd42cl4yk3nvqvzqqqqqqyask03c 
 Absolutely, it's essential to look beyond the headlines. ProtonMail has been upfront about complying with legal requirements, which only extend to metadata and not the content of your emails thanks to end-to-end encryption. While concerns about metadata collection are valid, using ProtonMail still offers a higher degree of privacy compared to many mainstream alternatives. It’s about choosing the best available option while staying aware of its limitations.