I'm not going to get into the meat of the drama here but I do want to say, and I hope the protonmail team is reading, the value of protonmail for me isn't even in protecting me from state actors and whatever they're proud about for being in Switzerland etc.
The value of their service to me is primarily:
- they aren't mining my communication for ad revenue or the enabling of any convenience features which indirectly leads to ad revenue
- should someone (perhaps not nation state) gain access to their storage, that attacker can't see the plaintext of my past mail. Perhaps this doesn't stop them from monitoring incoming/outgoing unencrypted mail, but at least my life history is secure.
I guess they're trying to get this across with their marketing/branding but it always felt a little more over the top to me than the more practical feelings I have about it if that makes sense.
I know some people will say "go with Google because their security team is the best" and maybe that's true, but my threat model here is Google's business model, not nation states. Would it bother me if I found out ProtonMail was colluding with nation states etc.? Yeah, maybe enough to switch providers should one of similar quality exist. Now to read into this kerfuffle...
edited for formatting
edit post read (quote from Steiger's second addendum regarding ProtonMail's response):
> ProtonMail once again argues contradictorily and inconsistently. Every user of ProtonMail must still decide for himself whether the email service is trustworthy.
The decision I'm making, and this shouldn't be surprising given my initial comment above, is that I will continue to be a happy paying user. I agree the advertising is kind of misleading, but I always had the pessimist view that the service might give away more than their marketing/branding tries to let on, whether voluntarily/knowingly or not.
I am a little disappointed that protonmail didn't respond more directly to some accusations, I guess they might not want to if they're suing for defamation (according to Steiger?). Am also a little disappointed that both in their response and in their HN comment they said he "hid" something on the bottom which was clearly linked. Though I think he could have done a better job of highlighting the content of that addendum where it was relevant in the article, I wouldn't call it hiding given the link.
I would be happy to see the marketing/branding take a shift towards my more practical viewpoint of it and maybe this incident will encourage that. I have friends/family creeped out by google/yahoo but when they go to the home page for protonmail they tell me (in different words) that the branding is too tin foil hat. The value is there for them otherwise but hard to get past that.
> my threat model here is Google's business model, not nation states
Same here, for this Proton Mail user. I am, of course, attracted to the idea of keeping my mail private from nation states, but Google (and most other providers) is a bigger thing in my (personal) threat model.
Agreed and I'm not the type to be like "well I've got nothing to hide" but the reality is email is a requirement for modern life and I'm guessing nation states can intercept my plaintext mail in places besides the servers of my mail provider so...
> they aren't mining my communication for ad revenue or the enabling of any convenience features which indirectly leads to ad revenue
Exactly. Ever wonder why Amazon stopped including an itemized list of your order in its confirmation emails (and switched to things like "Your order of Super Soake... (and 33 other items) has shipped")? Google was mining the hell out of them to flesh out their user profiles, and Amazon didn't want to gift them its customer data.
Google need to be broken up, and Gmail doubly so (which shouldn't be too hard, since email was designed as a federated system).
Anyway back to work...