Oddbean new post about | logout
 Proton is awesome. This kind of notice only happens when your email is tied in with "serious crime". If you a suspected of breaking Swiss law, no business is going to jail over a $13 a month user if the the gov gives them a legally binding order to freeze the account.

It's not just Proton...even the most liberal of domain hosts will not go to jail for their users. They can provide a safe harbor for freedom of speech, free press and whistle-blower projects, but when served a legal mandate to shut down a site, they must comply. If you signed up over Tor and paid with an untraceable coin like Monero, your site may be taken down, but they will still not know who the owner is.

This is not a Proton issue. This is a government law issue.

Proton has said time and time again, when forced, they must comply with Swiss law. They have repeatedly stated publicly recovery emails and recovery phone numbers are not e2ee and can be used to identify you. They recommend setting a recovery phrase instead so they will not be able to hand over any identifying information if forced to under Swiss law.

If the OP has truly don't nothing wrong, and practiced good OPSEC, they should be fine. They should be using a free burner account (signed up and accessed only over Tor) for anything that could potentially get an account frozen. 

The content of their frozen account is e2ee. If they are suspected of doing illegal stuff under Swiss law and they opted to give a backup email or phone number, paid with their debit card, or enabled the dark web monitoring service, that volunteered information can be used to associate their identify, then that's bad OPSEC.

Proton has been very vocal about this, saying they will comply with government law when forced. Don't give them any data and they will have nothing to hand over.

I agree that all-in-one services can be risky. I also know it depends on your threat model and how they are signed up for and used. 

No tool can replace good OPSEC or ultimately save you from bad OPSEC, or a situation like what happened with Skiff.

I use Proton in a compartmentalized way and I recommend it to most of my clients. I use it and recommend it for business domain email as well for most people.

IMO Proton is the best service of its kind out there for most people.

Proton Drive helps people ditch Google drive. That's a huge win for privacy for most people. 

Yes, you can run your own server and email but if you don't do and sustain it just right, it can make you far less secure from attack.

Extreme cases call for extreme measures. In those cases, I wouldn't advise putting any data on anyone else's servers, only communicating through SimpleX or Signal, not using any kind of social media at all, wiping the web of any trace of identity, only connecting to the internet from outside the house, never using clearnet, only using Tor, etc etc.

Without sharing my client guide here, the gist is that I recommend Proton be used in a compartmentalized way, with your "official" main front-facing account using your real name and/or personal domain "business" email for official purposes. This is a huge win over using Google for most people.

There are 15 @protonmail.com etc addresses that can be used for forwarding old email (to a pseudonym email) another for purchases, another for banking, an anonymous email with just random numbers for other purposes etc.

One can then use the unlimited simplelogin aliases (they have the ability to send mail from the alias, not just receive...unlike the current built-in proton aliases) to avoid spam/breaches.

It is best in class for these purposes.

You can then sign up with another account for just VPN, another account for your Bitcoin wallet, another account for anonymous email not associated with your identity etc.

Just make sure you sign up for the other free accounts separate from your main account OVER TOR using their onion site and make sure it's a free account.

If you try to pay for an account at sign up you will have to use a debit card initially. If you upgrade from a free account, you can use cash or Bitcoin!

Sign up over Tor on the PROTON PASS page and you don't have to give an emal.

There is an option when doing it this way (on the Proton Pass page to create a free account and they will automatically create an email for you.

Then, upgrade using Bitcoin or cash and there is no worry of "having all your eggs in one basket".
 
 Cool thank you for this. Learning about this and how to implement is difficult and overwhelming to be honest lol 
 Yw: Good OPSEC is principle based. You are already ahead of the game by knowing it's super important to learn best OPSEC practices if you are going to use technology in the world we live in. 

Just remember it's all about YOUR specific threat model. There are basic practices, yes, but most people are not running from the gov (which is very hard to sustain for any extended period of time). 

Most people don't need to go full-on ghost or have a most extreme threat model. If you sacrifice too much convenience when it's not necessary, you will burn out. 

You have to take inventory and decide in what areas of your life it is more important for you to sacrifice convenience for extra privacy and security and to what degree.

Take your time. Go at it steady. You don't have to know everything to get started. 
 Re: overwhelming, start with the basics; a foundation.  Once you understand the UNDERLYING TECH, the rest, is much, much easier to understand.  Book I wrote (2001?) ... to get newbies to understand PGP (public key cryptography; what runs pretty much everything under the hood.  Download (free):  https://mega.nz/file/jsplULpR#4K6CmI1YqCSRZhiAj83hRHqi9DBpTkdIt0hWzilV3v8 Read chapters 3 (PGP) and if you want to go full cypherpunk, chapter 4 also (remailers). Chapters 1 and 2 were written back when no one understood the very basics of online security (thus are unlikely to be of personal relevance to you, you'll already get that bit).  You can cover to cover the entire book in around 1 hour 20 minutes (tops). 
 thank you so much for taking the time to write all that!

the big worry was that my friend hadn't done anything wrong, illegal. or even eyebrow raising afaik.

thank you heaps for this. I will pass this on! 
 Biggest worry I guess is when I'm using Nunchuk or something that uses E-Mail as a login, if they require e-mail verification... and my email is unavailable, I worry people could lose access to their coins as they don't have that 4 digit code...

Thank you so much though, this is JUST what I need to read and comprehend.
 
 "Yes, you can run your own server and email but if you don't do and sustain it just right, it can make you far less secure from attack."

Truer words... 
 What you said is gold. Big companies have to comply with the law. But we must appreciate those who do not ask for more than the necessary data so give the case they can not gave up too much about us. 
 "They are great, they're just doing what they're told so shut up!"

nostr:note1usr525y0s36ffj8qanceuvw2edz75637alft4mhfne4chn87506qdv84ea  
 she's such a simp for the mozilla/proton/tor industrial complex

she basically brags about being some sort of spook

nothing to see here, just follow her directions for the golden stairway to nirvana 
 https://m.primal.net/JgJx.jpg  
 yeah, just add pink hair 
 The best note I've seen in a long time
Proton fud is completely misplaced in my opinion
nostr:nevent1qqswgp692z8cgay5ersweuv7x89vk302dglwl546am5eu6utenl28aqrsulml 
 I don't always agree with nostr:nprofile1qqsyawyrzrttfmv4cmtx5w2m85702kdct7hv3amfrkhagpdf9cz46mgprpmhxue69uhkv6tvw3jhytnwdaehgu3wwa5kuef0qy3hwumn8ghj7enfd36x2u3wdehhxarj9emkjmn99ulkwmr0vfskc0tpd3kqzythwden5te0dehhxarj9emkjmn99ue3v4az, but this is spot on. 
nostr:nevent1qqswgp692z8cgay5ersweuv7x89vk302dglwl546am5eu6utenl28aqrsulml