Proton is transitioning towards a non-profit structure | Proton

just_another_person@lemmy.world to Technology@lemmy.world – 957 points –
Proton is transitioning towards a non-profit structure | Proton
proton.me

That's refreshing to see in a world of ever-increasing enshittification. I wish more companies would move in this direction.

Yeah, kinda makes you wonder as to why proton is adding A.I. features though.

I think it might be because AI (aka LLMs) is genuinely useful when used properly.

I use AI all the time to write emails. I give the LLM the email thread along with instructions like “I can’t make it Tuesday ask if they can do Wednesday at 2pm”

The AI will write out an email that’s polite and relevant in context. Totally worth it.

I think the problem is people/companies trying to shove LLMs where they don’t make sense.

I am not a fan of this. I see it all the time at work and it's very obvious when someone has ChatGPT write an email for them (it's always such a sterile and yet overcomplicated writing style). If it's a direct email to me, I tend to feel insulted that they couldn't be bothered to write those 4 paragraphs themselves - it would have taken them 2 mins. There is a definite human disconnect going on in society at the moment, and it's worrying.

I agree. I actually think it's a net negative as well for friendships. As in the case of OP, I would rather get an original email from the sender saying they couldn't make it, so let's meet the next day, but instead I have to read thru several paragraphs of boilerplate and AI crap instead, which wastes my time, and I know the sender did it, so I'm mad at them for being impersonal. At some point, we're just going to have people's AI responding to each other without any person actually reading it.

We're only doing this because every company doesn't want to be left behind so they go all in. It feels like Ian Malcolm said it best in Jurassic Park

"Yeah, yeah, but your scientists were so preoccupied with whether or not they could that they didn't stop to think if they should"

In bureaucratic situations, you’re expected to have a bunch of polite boilerplate. Or at least that’s how my dad keeps telling me to write emails.

Which it seems you're missing the point of.

what does this mean lol

There's a purpose in showing that you put a little bit of thought into the email, not only for courtesy, but also because spending that attention can help you spot errors.

Then why not just spend more time reading what I wrote out loud instead of spending that time solely on padding?

I can understand that. I don’t actually use chatGPT to be fair. I use a locally run open source LLM. This all being said I do think it’s important to fine tune any LLM you use to match your writing style. Else you end up with chatGPT generic style writing.

I would argue that not fine tuning an LLM to match tone and style counts as either misuse or hobbyist use.

I use a locally run open source LLM.

How? GPT4All + Llama or something else? I just started dipping my toe into locally run open source LLMs.

not fine tuning a LLM to match tone and style counts as either misuse or hobbyist use

You’ve hit the nail on the head with this one. I think the other commenters are right, that a lot of people will misuse the tool, but nonetheless it is an issue with the users, not the tool itself.

My main workstation runs Linux and I use Llama.cpp. I used it with mistral’s latest largest model but I have used others in the past.

I appreciate your thoughts here. Lemmy I think, in general, has an indistinguishing anti LLM bias.

Agreed. People are so bad at writing that they struggle to put a few sentences together for an email. Even their prompts lack clear instructions/message. It's astounding when you think about it for a minute.

Why not just write "I can't make it Tuesday, can you do Wednesday at 2pm?"

Otherwise we just end up in this world.

You’re not wrong but at least my emails will be taken seriously by some 60 year old company exec that’s still mad his secretary stopped printing his emails for him.

You’re trying to please a boomer that’s still angry that email exists in the first place.

In some cases literally yes. But at least for me I have to meet my customers where they are. If I try to force them to do things my way they just don’t use my services.

Then just write that.

I don't understand why we're having AIs verboseify simple information?

Why do many word if few word do trick.

How long until we start using LLMs to summarize messages over-verbalized by LLMs?

And offloading the accounting for context WILL bite you in the ass. If you can't remember what a discussion was about and what needs considering, you're no longer doing the thinking.

Because in my experience some business clients feel offended or upset that you aren’t being formal with them. American businesses seem to care less I noticed but outside of the USA (particularly in Germany) I noticed that formality serves better. Also the LLM uses the thread history to add context. Stuff like “I know we agreed on meeting on Tuesday at last meeting but unfortunately I can’t do that…” this stuff matters to clients.

I don’t offload because I don’t remember. I offload because it saves me time. Of course I read what is written before I send it out.

Being formal and considerate does not require being that much more verbose.

Do you really save time running messages through an LLM vs just writing them as you think of what to say?

It's the equivalent of when I got assigned papers with minimum word counts as a kid. Despite the fact that the prompt doesn't warrant 5000 words and it would take massive deviation off of the prompt to get anywhere close to it, people have this weird impression that more words shows more "care" than just communicating clearly. I struggled a lot with a lot of assignments (to the point of not turning some in) because all the filler they'd need to reach the word counts hurt my soul lol.

(I do tend to prefer 500+ page books, but it's because the authors I engage with the most use that space to build out better plots or develop better characters or whatever. It's not padded out.)

Is it?

I once told a teacher I'd write ten times the number of required words as long as I could pick a subject that actually warranted it. And I followed through.

The rare times I got prompts that were actually good, I would run out of paper on which to express everything I wanted expressed. (Yes, I've done writing assignments writing by hand.)

Outside academia no-one is enforcing a word-count. Which means you can just write good prose. Using a lot of words to say very little, is not good prose.

Unless you're dealing with people that don't actually read what you write and instead just look at net weight of the word-salad you threw at them, the content of the text is what matters.

Who takes offence at only a single paragraph, if it addresses their every concern and insecurity, and they are left feeling seen as they reach the final word?

Only people who don't actually read things, or have no reading comprehension, needing the same thing said three times in different ways in one message.

It's the same philosophy, yeah. That more words means more substance and more "respect" or whatever to the message.

It's not rational at all, but people genuinely don't think that way. (Unless it's a forum/social media, then 3 paragraphs is a wall of text that needs to have a 5 word TLDR, because none of it is rational).

The exaggerated version of a simple message once you have a working relationship is silly, but there are way too many times you don't get to a working relationship at all without a wall of bullshit.

Ok, but do the people you're referring to actually appreciate prose, or just skim-read through everything?

Because I'd wager they're the latter, and at that point you don't even need to try to write something good. It's fine to send them three paragraphs where the second and third ones just paraphrase the first.

Paraphrasing the first multiple times is still a big, distracting extra cognitive load, and it needs to hold up if they actually do pay attention to it. One time they notice the obvious bullshit can end a relationship. I won't use an LLM for anything like this because it's stupid, but that's why people are doing it.

You're saying once they see the pointless fluff they themselves ask of people, for what it is, they'll feel insulted?

Paraphrasing yourself comes with built-in deniability. "Oh it's just something I tend to do, I don't mean anything by it, I can make an effort to stop if you like". And then boom, you get to be concise.

There is no way of bloating your prose that doesn't come off as insulting when done with people who don't appreciate volume over quality.

Also, teachers are typically smart enough to probably themselves understand the word-count problem. Which is why I was able to make deals with many of my teachers to change the assignments given such that writing something good was actually possible.

Hence why it's not the same. The people you are talking about aren't worth the effort of dealing with. A writing teacher that gives you high marks for saying nothing with a lot of words, is not a good writing teacher.

I never once had a language teacher that had even the tiniest shred of competence. It's not the norm.

Was for me. I've had teaching assistants that were intelligent and pedagogically literate. Benefits of going to school in the Nordics, I guess.

But my point stands. That makes those people unworthy of the effort. You might play to those things to get ahead, but it still doesn't mean it's good communication.

And good communication should be your default behaviour, otherwise you're part of the problem.

I don't play those games.

But most people do, because there's a lot of it required to succeed in a lot of industries. (Even if most recognized that it's nonsense, which they don't), everyone can't just apply for the one percent of bosses who don't do bullshit games.

The LLM responses are more verbose but not a crazy amount so. It’s mostly adding polite social padding that some people appreciate.

As for time, totally. It's faster to write "can't go to meeting, suggest rescheduling it for Thursday" and proofread than to write a full boomer-style letter.

I feel like we might write at very different WPMs. For me, proofreading and fixing AI slop takes longer than just writing things myself.

And another difference might be that to me and everyone I work with, writing in full on "boomer" is considered an insulting waste of everyone's time.

Which it is.

It’s a waste of everyone’s time for sure. It’s just good business sense to make your customers happy though.

As for typing speed, perhaps ya lol. You could be faster. But I think the best approach here is using high quality locally run LLMs that don't produce slop. For me I can count on one hand how many times I've had to correct things in the past month. It's a matter of understanding how LLMs work and fine tuning. (Emphasis on the fine tuning)

Non-profit doesn't mean that no one makes money. But it does mean they pay less taxes. If the C suite is full of funders, you can pay them in bonuses.

https://www.charitywatch.org/nonprofit-compensation-packages-of-1-million-or-more

It does mean that there are no shareholders and you have to be "limited in powers".

This was a disappointing realisation about "Open"AI.

Maybe to keep pace with trends, and be able to put a check in that box amongst competitors

I'm happy to see this announcement. However, just transitioning to a non-profit does not make an organization good. They can still be greedy and take advantage of their user base. That being said, it seems Proton's mission statement resonates with a non-profit type structure. When you are accountable to the shareholders, they become the priority.

"don't let perfect get in the way of good" or whatever that saying is. One step at a time, yeah?

"Perfect is the enemy of good."

Bad, also, is the enemy of good...

I think maybe good walked into the wrong damn neighborhood.

Generally you'd want to strive for perfection, but not go crazy over it and maintain a balance in all things, risk vs. benefit, that sort of thing, hence the saying.

If I remember right, OpenAI started with this model too, and they do lots of shady stuff. Not that this is the plan for Proton, but I completely agree that simply creating a nonprofit that owns the for-profit brand doesn't guarantee good behavior.

Yes, Mozilla is a good example. They're run like any other Silicon Valley company and spend more on the C-suite than on developing their damn product.

Bad example. There are plenty of non-profit FOSS services that do well and serve the community.

This is what made me finally completely switch my email and docs to proton. I'm so close to being able to delete my google account now.

Well this and the docs live collaboration feature they recently added.

I thought it'll take many more years until the acquired Standard Notes

90 a year though? That's taking the piss. Notesnook has all their features and more for 49.99, and that's on top of Proton's main fee. That's one option I won't be taking.

Is this the standalone annual price? I see $120/y for all of Proton's premium products.

That 90 for Standard Notes is on top of the plan you are on. 90 per year for something that is available elsewhere for half that is a non-starter for me. I'm on Unlimited now, not putting another 90 onto it.

Oh I wasn't advocating for getting anything else besides proton unlimited. There's only Docs now but I'm guessing more products will get integrated soon

Ya know, you may have just helped me finally make the full switch. Thank you

I wish it worked in the (iOS) app or had its own. A browser only experience isn't good enough for me to use it.


Cool. I switched to Tuta because it fits my use case better (2 domains, one for my personal email and one for everything else). I don't need any of the bells and whistles Proton has, and I also don't want to pay extra to get more domains. The Tuta app kinda sucks, but it gets the job done. I'm hoping my wife and kids will be interested in private email, but they don't seem to care, and I don't think they'd like the tradeoffs.

Now, if Proton revises their tiers, I might be interested. Give me something like the Tuta tiers, and I'll probably switch to it. I prefer the UX of Proton, but $10/month is a bit steep for me, especially since I'm not going to use the other stuff they're bundling in (I use Bitwarden for PW manager, have my own NAS, and I prefer Mullvad over Proton for VPN).

That said, it's super cool that they're going non-profit. When that's done, I'll give it another look.

They also have a mail-only tier at 4.99.

Yup, but only one custom domain. I really want at least two domains, one with tons of aliases for various accounts, and the other for personal communications. I could use a proton.me address for it, but then it becomes a huge pain to switch to another service should I need to.

Problem with Tuta for me is it's too closed off.

Proton at least offers an IMAP bridge, Tuta utterly refuses to let you use your email outside their apps, which makes it more of a messaging app. And the fact there's no way to export everything easily or even forward messages rubs me the wrong way. I tried them and have been using them for about 2 years but I'd definitely love to get away from it.

I'm tired of these walled gardens. I don't give a damn how secure it is, if I can't leave it with my shit, then no thanks.

Yeah, it's annoying, but I honestly don't use any email clients anyway. So whether I use the Tuta or Proton app/website is essentially the same for me.

But you can export your email (select all then click "Download"), but unfortunately forwarding isn't a thing. That does put a bit of a wrinkle into my longer-term use of it, so if Proton can become price-competitive for my use-case (and no, I'm not paying $10/month for email), I'll probably switch. But since I can export them in some way, it's not a deal breaker.

You say you use Bitwarden. Is that self hosted by any chance? If so, how do you handle the potential for an outage or server failure, where you’d presumably need some of the passwords to fix the problem in the first place.

The Bitwarden client has all the data cached, so the server can be down and you still get access to the passwords (same for internet connection).

Thanks for the reply! That makes sense. I'm still wary of the client somehow losing the cache while the server is down (two holes in the Swiss cheese lining up), but that is overly paranoid, I know that.

You should definitely be! I take backups every 6h for my self hosted vaultwarden (easier to manage and to backup, but not official, YMMV). You can also restore each backup automatically and have a "second service" you can run elsewhere (a standby basically), which will also ensure the backup works fine.

I have been running bit/vaultwarden now for I think 6 years, for my whole family and I have never needed to do anything, despite having had a few hiccups with the server.
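The backup-and-restore-test routine described above, as an added example that is not part of the thread or of the Vaultwarden project. It assumes Vaultwarden's default SQLite file name `db.sqlite3` inside the data directory (the sample table it creates is constructed for the demo and is not Vaultwarden's real schema). The point it shows: copy a live SQLite database through the online backup API rather than `cp`, then prove the copy is usable by opening it read-only, running an integrity check and querying it, so a broken backup is noticed before the day it is needed.

```python
"""Back up a live SQLite vault database and verify the copy by restoring it.

Added example; not Vaultwarden's own code. Assumes the default data layout
with the database at <data_dir>/db.sqlite3.
"""
import sqlite3
import tempfile
from contextlib import closing
from datetime import datetime, timezone
from pathlib import Path

DB_NAME = "db.sqlite3"        # Vaultwarden default (assumption)
SAMPLE_TABLE = "ciphers"      # constructed stand-in table for the demo


def build_sample_vault(db_path: Path) -> None:
    """Create a constructed sample database (NOT the real Vaultwarden schema)."""
    with closing(sqlite3.connect(db_path)) as conn, conn:
        conn.execute(
            f"CREATE TABLE {SAMPLE_TABLE} (uuid TEXT PRIMARY KEY, user_uuid TEXT, data TEXT)"
        )
        conn.executemany(
            f"INSERT INTO {SAMPLE_TABLE} VALUES (?, ?, ?)",
            [
                ("c1", "u1", "<encrypted cipher blob 1>"),
                ("c2", "u1", "<encrypted cipher blob 2>"),
                ("c3", "u2", "<encrypted cipher blob 3>"),
            ],
        )


def backup_sqlite(src_path: Path, dest_path: Path) -> None:
    """Snapshot the database with SQLite's online backup API.

    Unlike a plain file copy, this yields a consistent image even while the
    server is writing to the database.
    """
    with closing(sqlite3.connect(src_path)) as src, closing(sqlite3.connect(dest_path)) as dst:
        src.backup(dst)


def verify_backup(backup_path: Path) -> dict:
    """Restore-test a backup: open it read-only, check integrity, count rows.

    Returns {"integrity": "ok", "rows": N} for a healthy copy; any other
    "integrity" value (including an error message) means the backup is unusable.
    """
    uri = f"file:{backup_path}?mode=ro"
    try:
        with closing(sqlite3.connect(uri, uri=True)) as conn:
            integrity = conn.execute("PRAGMA integrity_check").fetchone()[0]
            rows = conn.execute(f"SELECT COUNT(*) FROM {SAMPLE_TABLE}").fetchone()[0]
    except sqlite3.DatabaseError as exc:      # e.g. "file is not a database"
        return {"integrity": f"error: {exc}", "rows": 0}
    return {"integrity": integrity, "rows": rows}


def backup_and_verify(data_dir: Path, backup_dir: Path) -> dict:
    """One scheduled run: timestamped backup of the vault DB plus restore test."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    dest = backup_dir / f"db-{stamp}.sqlite3"
    backup_sqlite(data_dir / DB_NAME, dest)
    result = verify_backup(dest)
    result["path"] = str(dest)
    return result


def run_demo() -> dict:
    """Build a constructed vault, back it up, and show that a corrupt file is caught."""
    work = Path(tempfile.mkdtemp(prefix="vault-backup-demo-"))
    build_sample_vault(work / DB_NAME)
    good = backup_and_verify(work, work / "backups")
    # A file that is not a database at all must fail the restore test.
    bad_path = work / "backups" / "db-corrupt.sqlite3"
    bad_path.write_bytes(b"this is not a sqlite database")
    bad = verify_backup(bad_path)
    return {"good": good, "bad": bad}


if __name__ == "__main__":
    print(run_demo())
```

Run it from cron (or a systemd timer) every few hours against the real data directory, keep the attachments and RSA key files alongside the database snapshot, and treat any run whose integrity result is not `ok` as an alert, not as a backup.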

Don't take my word for it, but the clients (browser plugin, desktop app, mobile app) are designed to keep data locally I think. So the term cache might be misleading here because it suggests some temporary storage used just to save web requests, with a relatively quick expiration. In this case I think the plugin etc. can work potentially indefinitely without server - something to double-check, but I believe it's the design.

Yes, I figured the word “cache” was used loosely in this case. But you know, the server is down and/or irrecoverable for a while, and then one’s phone gets swiped. Not inconceivable. So I think I’ll follow some of the advice here about a backup service or password stash

I also self-host Vaultwarden, it's pretty straightforward. Like the other person said, it caches locally.

The local cache solves this problem mainly. Mine also replicates to one of my other servers occasionally.

How do you set up local caching? For non-phones?

Edit: TIL there are windows, Mac, and Linux apps for it. Sheesh.

Yep, the browser extensions also have an encrypted cache, although it is less consistent imo. I've had times where my server was down and the extension just completely logged out then couldn't authenticate so I couldn't access the cache.

There is a setting now (in all types of client I think) to log out when you close down the browser. Your comment makes me realize that I probably want to NOT set that on at least one machine. I set that on the machines that are out and about.

Mine isn't currently, but I'm working on it. The main complexity is that my wife and I share some passwords, and I want to make sure I do it properly so that transition is as smooth as possible. Vaultwarden is what you'd use to self-host.

But as others have said, I'm really not worried about it. Passwords are cached locally and only touch the server when syncing to the server. I want to self-host to protect against breaches, not because I'm worried about connectivity loss.

You can always backup your passwords (there's an export feature) if you're worried about it. I haven't done it, but I imagine it wouldn't be too hard to have a KeePass backup or something that you update manually every so often.

Are you me? Lol I feel the same about Tuta, yet I stick with them. I am waiting for my wife to care about her privacy and switch to a family bundle with Tuta.

Got my own NAS and a Bitwarden server for PW. I switched from Mullvad to AirVPN once they stopped supporting port forwarding, though.

Yup, confirmed, I am you.

The Tuta app kinda sucks, especially for searching, but I do that rarely enough that it's fine. It did annoy me a bit when I was traveling in Canada and needed to find my confirmation code for something (had to connect to their wifi, wait for emails to download, search, etc), but it got the job done. I love that I can just add another person to my plan for another €3 or whatever. I'm going to try to get my kids interested even if my wife isn't, and it's nice that I can just add a little at a time. With Proton, that would jump up to $15 for two users, $24 for my family (three kids). That's a lot more than Tuta, which is just €3/user/month, so my entire family would be €15/month ($17/month), and I don't need to get everyone on all at once (I would probably only add one or two at first).

So Tuta meets my basic needs, is priced very competitively, and the client is FOSS. I'm actually excited about some upcoming updates (looks like having the subject in the notification just landed, but hasn't hit F-Droid yet), and I love how their roadmap is very open.

That said, I do miss the UX of Proton. I just don't think that's worth more for fewer features I actually use. Hopefully that changes.


This is definitely great news and refreshing to see from a company, but this came out two months ago.

Published on June 17, 2024

Edit: it looks like Proton just recently sent an email about this to their ProtonMail subscribers which is likely why this got posted just now.

Good. Profit and privacy are mutually exclusive in this industry.

Proton is still a for-profit company and has shareholders who expect to make money. The change is that the largest shareholder of the for-profit company is now a separate non-profit organization. It is still a positive move, but not entirely what the marketing makes it seem.

You mean record breaking profit and privacy. Edit: actually I bet drug cartels probably do both, at least some (\s)

I would imagine any privacy measures cartels take are seen as overhead more than anything else

That's roughly the opposite of what the article says.

Of course it is good news, and I've been a happy Proton customer for over a year, but this Proton blog post dates back 2 months now...

They just pushed an email announcement out, which is probably where OP heard about it.

And that makes it irrelevant because...? I'm a subscriber and I wasn't aware of this until this post...

They literally sent the email out within the last 36 hours. My work account got it this morning, and my personal last night.

The email was more of a summary of past changes.

The actual donation of shares to the Proton Foundation was a little while ago, and anyone directly subscribed to the Proton Blog probably already saw it (myself included), so seeing it show up again as if it was new news probably just felt a bit jarring to some people.

Switched from gmail to Protonmail and Outlook to Tuta.io and love it! Companies that put privacy and the individual first.

How is spam filtering compared to gmail.

Afraid to switch as gmail spam filtering is excellent

I've been using Protonmail as my primary address for a few years now. I'm yet to have a single spam email make it to my inbox. In comparison, I use my gmail less and I've had a few blatant crypto scams make it to my inbox.

I'm not saying for certain that it's better than Gmail's, but that's my experience so far.

I've been using proton for a few months now with a yearly Mail Plus subscription and I have yet to receive an actual spam e-mail. Your experience might be different than mine since I take precautions not to invite spam in the first place, but even then, Proton looks to be doing an excellent job

Honestly I’ve not experienced any on either of them!

Good for them, I love being able to play Windows games on Linux.

I switched to Proton Mail in 2019, and recently started switching to their VPN service to use port forwarding. Glad to see Proton is putting their money where their mouth is.

I've been too critical of them in the early days and will admit that many of the issues that plagued their VPN service years ago have now been fixed.

Didn't they get shit recently for AI and crypto related decisions? Did they backtrack on that?

Even if they did, so what? We should not then recognise positive decisions?

If we don't allow companies and people to make any mistakes, for fear of being forever scorned, then we'll end up with either unprogressive risk averse companies that cannot compete against their peers, or a host of good companies that go bankrupt from the slightest misstep.

Personally I'm glad companies such as proton exist, and are prepared to take risks, as they are currently our best hope against the likes of Google and Meta.

They did not. This is another marketing play

How is this related to what the previous person said? Do you understand what "enshittification" is? Proton Wallet is an entirely separate application while the AI feature in Proton Mail is completely optional. Neither of these decisions have impacted the user experience of Proton customers.

Do you understand what enshittification is? It's a slow descent over a long period. You add optional, privacy-respecting AI now, and over time, (like a decade,) it becomes more shitty until eventually all your data is opted in to centralized data harvesting or wherever.

I'm an Unlimited paid Proton user, and these new trends worry me too. Enshittification is a slow process. I watched Google turn from "Do no evil" to what they are today, and I'm too tired to want to watch the same entire process happen again to Proton.

Shouldn't we worry about enshittification when we are on the verge of, or on the descending side of, the trajectory?

So far they added features in a way that keeps respecting users rights, without changing their business model (which is 90% of the reason why companies enshittify BTW). Just because these products have something in common with products of companies who enshittified doesn't mean the same applies here.

That's some big slippery slope fallacy. Privacy respecting AI was a highly requested feature, whether you wanted it or not.

Them adding an AI mail assistant that is completely private has nothing to do with them eventually not protecting user privacy. These things have nothing to do with each other.

AI is not inherently a privacy invading tool, it's just that the majority of services offering it are free, hence them profiting off data.

You add optional, privacy-respecting AI now, and over time, (like a decade,) it becomes more shitty until eventually all your data is opted in to centralized data harvesting or wherever.

Except their entire brand is built on privacy, so this master conspiracy you seem to think exists makes absolutely zero business sense. Google has never cared about user privacy, nor was that ever a reason people used Google's services, so I'm not sure why you think that is a relevant comparison. It's not.

Google's entire brand was built on amazing search, and now their search is awful.

Enshittification isn't a conspiracy and it's not a nefarious end-goal, it's just a descent into shittiness. Proton continuing to sideline Linux (still no Drive support, other apps are second-class, etc) is a great example.

If they were truly focused on the goal of promoting privacy, they would be wanting to prioritise the option for people to leave Windows and Mac for Linux. Instead, it seems like their goal is becoming "Offer all the things that are hot in the market right now."

Google’s entire brand was built on amazing search

And how was that search funded? Google took in large amounts of money from venture capitalists in the 90s and transitioned to an advertising-based model as early as 2000. You're incredibly naive if Google's "descent into shittiness" came as a surprise; it was always going to happen as the company looked for ways to generate a return for investors on its free product.

Meanwhile, Proton is a company that generates almost all of its revenues from selling its services to consumers for a fee and has no venture capitalist investors. As consumers are its primary source of revenue, any attempt to undermine the reason those consumers pay for its services (privacy) is going to have a significant and negative impact on the financial viability of the business.

Please think before you rage post. Your attempts to compare these two companies are hysterical and inane.

Please think before you rage post. Your attempts to compare these two companies are hysterical and inane.

🙄 I think you need to take a deep breath and count to 5 if you think there was any rage or hysteria in my very mild comment.

Suggesting Proton is undertaking a "descent into shittiness" comparable to that of Google because it hasn't made a Linux application for one of its many services is very hysterical. As is suggesting Proton is "not truly focused on privacy" because it has applications available for Windows and macOS. There is nothing "mild" about either of those delusional claims.

If so, will they re-think tiers? Or maybe they could give the option for users to choose what they need exactly and what they're willing to pay? (i.e current Proton plan that costs 8-12€ per month is too much for me, but I would gladly pay like 5€ monthly for little storage, VPN and few email aliases)

Edit: Proton has REMOVED the P2P tick from the VPN on this plan since I took the screenshots below. That sucks.

I would gladly pay like 5€ monthly for little storage, VPN and few email aliases)

Includes VPN with P2P and streaming, Drive with 15GB, Proton Pass, etc.

https://proton.me/mail/pricing#compare-plans

I don't think this plan supports P2P. You're still on the free plan with the VPN.

Edit: Looks like I was wrong. I remember needing to switch to a better plan to get the P2P but I guess I was wrong.

Edit 2: There is some inconsistent information on the Proton site regarding what is included in each plan and this seems to be the source of our confusion in this thread.

This is correct

Update: I have used Mail Plus since before Proton VPN was a thing, and have never been able to P2P download--Proton should make this clearer

Edit: Proton has REMOVED the P2P from the VPN tick on this plan since I took the screenshots. That sucks.

That is incorrect. Here is a link: https://proton.me/mail/pricing#compare-plans

Yo I see you on your link that you are right. I stand corrected. Maybe. This link says something different and so I'm not actually sure what's correct. Let me know what you think. It seems like there's some conflicting information

https://proton.me/support/proton-plans#proton-mail-plus

Interesting. That's a support article so is less likely to be up-to-date than the pricing page, but that being said I'm on Unlimited and don't know what the Plus plan provides with certainty.

Is this for Mail Plus or Proton Unlimited? I pay for Mail Plus, and have continually gotten the "P2P is blocked" page whenever I try to redownload the Ubuntu 22.04 ISO--maybe I should complain

Although looking at the VPN section, it does appear that the Free and Mail Plus plans have the same checkboxes, so perhaps I am reading it correctly

The column with the ticks is for Plus not for Free, so yes you should definitely complain to support.

Now this is fascinating--I'm seeing no ticks in Plus! Maybe it varies by country (located in Canada, but I think I pay in USD)

The tick is gone for me too. Well that sucks, I guess they updated the page.

Is this going to be the same kind of non-profit as OpenAI? With a mission to improve the world? Yeah, let's see how that goes. Another Proton marketing play on their set track to enshittification.


This is old news. Why are you posting this just now? I mean I don't really care much. I transitioned to Posteo as soon as I learned that they stored the private key. They don't even let you use your own GPG key, useless honeypot. Their recent bitcoin wallet supports this. If they cared about privacy, they wouldn't go with Bitcoin. They have been ignoring requests for Monero for years.

They also are getting into the AI hype, so I can't trust my data with them.

You can use your own GPG key (https://proton.me/support/importing-openpgp-private-key or using the bridge). Whatever tool does the signing needs the key (duh), so I am not sure what you mean by "they store your private key" (they store it encrypted, as per the documentation: https://proton.me/support/how-is-the-private-key-stored). Their AI was specifically designed as local, exactly to be privacy friendly, plus it is a feature that can be disabled (when it reaches general subscriptions).

I don't care about cryptocurrencies, but I suppose they started with the most popular; nothing to do with privacy, as they just let you store your currencies.

Anyway, use what you like the most, of course, but your motivations don't look very solid, with quite a lot of incorrect information. I hope you didn't take your decision based on it.

You upload your private key to the cloud. Encrypted or not, this is a bad idea. No thanks. I can do the signing locally and then I'll do the decryption with my own private key locally without them storing it as well.

Edit: mixed public keys with private keys

You upload your private key to the cloud. Encrypted or not, this is a bad idea.

An encrypted key is a useless blob. What matters is the decryption key for that key, which is your password (or a key derived from it, I assume), which is client side.

They can do the signing and encryption with my public key

They can't sign with your public key. Signing is done using your private one, otherwise nobody can verify the signature.

Either way:

and then I’ll do the decryption with my own private key locally without them storing it.

You can do it using the bridge, exactly like you would with any client-side tooling.

It's still insecure. The decryption process is still in the Proton company's hands and they could add some client-specific code to log the password on the fly. Proton is obliged to follow Swiss law and I can imagine a situation where the police ask Proton (+ gag order) to log certain data for specific clients, like passwords and IPs. Still, private keys are better stored separately. You can sync them easily if you wish, with either rsync or rclone.

It's not "insecure", it's simply a supply chain risk. You have the same exact problem with any client software that you might use. There are still jurisdictions, there are still supply chain attacks. The posture is different simply by a small tradeoff: business incentive and size for proton as pluses vs quicker updates (via JS code) and slower updates vs worse security and dependency on a handful of individuals in case of other tools.

Any software that makes the crypto operations can do stuff with the keys if compromised or coerced by law enforcement to do so.

In any case, if this tradeoff doesn't suit you, the bridge allows you to use your preferred tool, so this is kind of a moot point.

The main argument for me is that if you rely on mail and gpg not to get caught by those who can coerce proton, you are already failing.

I used the bridge for many years. It was totally unusable: 1) you cannot delete emails with it (deleted emails were coming back), 2) synchronization issues, so it made me move to another "plain and simple" email provider offering pop3 and imap and also gpg integration (but without that e2e hype talk).

I can't comment on this, since I haven't used the bridge for a while. But it's just an IMAP/SMTP server, so I'm not sure why certain features wouldn't work. What service did you end up using which has gpg integration?

I used protonmail for 3 years; bridge issues have been ignored by protonmail support, in my opinion. "Clean cache and try again". I stopped using protonmail and switched to mailbox.org. So far so good.

From what I read though, the GPG security model for mailbox.org is the same as it is for Proton webmail (except for the browser plugin, where the difference is not really there). I like mailbox.org, to be clear, but I don't get how it is an alternative to the bridge.

I don't use the mailbox gpg service, simple as that. I use mailbox's perfect imap (k-9) / pop3 (desktop) integration and use gpg natively in case that person uses gpg. Thunderbird (desktop), k-9 with openkeychain on android. I don't say proton is bad. It's quite good if you never want to export mails outside their webmail. I do want it, so protonmail is not for me. Most of my protonmail issues were with their bridge, which they had not resolved by the time I migrated to mailbox.

Oh that makes sense. Yeah, definitely simple encryption and exported (unencrypted) emails are not going to work together.

I am all in support for European tech companies, so I think that mailbox.org, tuta, proton etc. are all good options.

Exactly. There's no justification for them storing the private key online for "convenience". And key generation happens in the browser with JS. Which means it is possible to send backdoored JS to easily copy the private key.

There is a reason: simplicity. Either you do all the key management yourself, which in practice means 98% of the people won't do it at all, or you implement a solution like they did and increase the risk of a small % (see my other comment) but you cover every customer.

That simplicity introduces security and privacy issues.

Introduces some risks in terms of security. Privacy concerns are extremely minimal, because in any case you don't control the setup of your other interlocutor(s).

Considering that the realistic alternative is not using anything at all and the fact that you have both options with Proton, it's a win-win scenario.

One of the biggest risks is when someone knows your password. Your PGP encrypted emails that you want no one to see will be available to the attacker. Whereas if no such thing happened, the attacker wouldn't be able to decrypt the PGP encrypted emails even if the attacker gained access to your account. Manually encrypting your stuff is better than having some random on the internet do it for you. It's really just a tradeoff. Convenience or security? It's not even hard to manually encrypt emails.

One of the biggest risks is when someone knows your password.

Just a curiosity. How do you think every password for every online service works? The service "has" your password. It is hashed, but if this doesn't matter (similarly for encryption) to you, then you should be panicking about basically everything.

In the case of Proton an attacker has basically these options:

  • Option 1: Attack you, try to compromise your device. If this is the case, your local keys are going to be taken, one way or another, even if you have them locally and encrypted. The only way you might save yourself in this scenario is if you store them on a hardware device (like a yubikey).
  • Option 2: Attack proton. Once the infrastructure is compromised, the JS code that does the crypto operation needs to be backdoored, you need to use the service while the JS is compromised, and the attacker will obtain the keys and the messages.
  • Option 3: Compromise the sender/recipient for the emails (this is in cleartext in any case).

In the case of a manual solution:

  • Option 1 is identical.
  • Option 2: Attack the software you use (let's say, mutt). Once you gain access to the repository, push a backdoored update and wait for you to install the new version. Incidentally, compromising this tool also allows the attacker to compromise your whole machine (unlike what happens with JS code, which runs at least in the browser sandbox).
  • Option 3 is identical.

So the tradeoff is really that:

  • With Proton an update is going to be pushed quicker and without your explicit interaction, but
  • compromising Proton is going to be much, much harder than compromising the laptop/repository for the handful of maintainers that generally have the keys to push updates for the software you are most likely going to use. We are talking company with security department + SOC vs maintainers with whatever security practice and no funding.

It’s not even hard to manually encrypt emails.

Yeah, and this is why 99.9% of the people have never and will never touch GPG with a 10-foot pole. The tradeoff is a complete no-brainer for the vast majority of people, because the reality is that for most, either someone else does the key discovery, management, signing, encryption, decryption, or nobody does. We can sit here and pretend that it's easy, but it's not. Managing keys is hard, it is painful, especially on multiple devices, etc..

EDIT:

The entire threat model for proton is also documented BTW: https://proton.me/blog/protonmail-threat-model

Encrypted or not, the fact that someone else has it stored somewhere in their computers is dangerous. The fact that it can be accessed online is dangerous. The only recommended way to store private keys are offline and encrypted. Why are you so ignorant of this fact, I wonder? I think you trust Proton a bit too much.


Especially with the fact that: 1) deminification of the javascript code is not simple, 2) you cannot "freeze" the code version you use. Still, your computer does allow it (minus windows, which follows the Microsoft way of thinking; kidding about windows updates).


Yeah mb. Mixed private keys with public keys. Edited original comment.


This is old

"I know this. Why doesn't everyone else know this? They should be me, I'm the smartest man alive."

I really don't care much

proceeds to type an entire paragraph as to why you don't care


Then they should transition away from multi-level marketing pyramid Ponzi schemes too. I deleted my Protonmail account when Proton began peddling crypto“currencies”.

Them holding a reserve of a cryptocurrency in case something happens to their financial accounts is not the same as peddling crypto.

They're not trying to sell you any. They're not telling you that signing up to proton gets you "ProtonCoins" or something.

It gives credence to greed incentivizing unethical contraptions.

greed incentivizing unethical contraptions.

Crypto is a tool, just like anything else. Is the internet a greed incentivizing unethical contraption? Because the internet spawned Google, Instagram, Facebook, 4Chan, and various other shady and illicit sites and services. Should we hate the internet because of this?

Crypto isn't inherently bad. It's the people trying to take advantage and duplicate the "success" of Bitcoin that make crypto bad. I'm telling you this as a person who used to believe in "crypto" and was an early adopter.

A hammer is a tool because no one but the hammer merchants gain financially if everyone were to buy a hammer. Crypto“currencies” are not purely tools but instead multi-level marketing pyramid Ponzi schemes because as soon as one has it they have everything to gain the more people buy it after them.

“Thirdly, early adopters mine or buy large proportions of the total supply at negligible costs while late adopters mine or buy negligible proportions at large costs. It follows that holders immediately have every incentive to get as many people to buy after them. Like stocks? Like stocks, but without the dividends or anything tangible in the real world [10]. Congratulations, you got yourself a pyramid scheme †.”

“† The stock market has largely become a pyramid/Ponzi scheme as well since most of the money does not exist and profits come from buyers or new entrants, i.e., the greater fool [16].” —Money corrupts; bitcoin corrupts absolutely, https://www.cynicusrex.com/file/cryptocultscience.html

What's wrong with splitting eggs in different baskets?

Immoral baskets that incentivize greed are to be avoided.