As my question about ProtonMail disclosing user data was removed, can someone explain to me how it works: isn’t the user for Mail and VPN the same, and if the mail information was disclosed, does that mean that my VPN user information would also be, or could also be, disclosed?
No, simply because Proton VPN doesn’t keep any information that can be useful to law enforcement, as you can see here: https://protonvpn.com/blog/transparency-report/
Proton VPN is a no-logs service, which means that we do not keep records of what websites you visit, your internet traffic, your IP address, etc. What makes Switzerland different, and possibly unique, is that within the current Swiss legal framework, Proton VPN also does not have forced logging obligations.
Note that a recovery email is completely optional, and you don’t have to set it up on your account at all. If you still wish to make your account recoverable, you can use a recovery phrase: https://proton.me/support/set-account-recovery-methods#how-to-enable-a-recovery-phrase
The mail service is required to log user data if the Swiss authorities ask them to. The VPN service doesn’t have this requirement. The VPN is 100% safe.
Just don’t do anything shady and you’re all good to go👍
Would it be possible for Proton to not store the recovery email in plain text, but rather hashed (+ salt), just like a password?
If the user wants to use the recovery email, they would have to enter their recovery email and could only use recovery if it matched the hash.
This way you can only hand over the hashed recovery email to authorities.
We do appreciate this comment as it adds some clarity to some mystery. That said, and this has been debated quite a bit in the forums behind Tor, the fact that the company is sharing anything at all, in any way, falls under scrutiny in some circles. Please keep in mind I’m not pushing false information in any way, nor do I disagree with what you’re telling us. That’s not the point here. The point is that the company is unfortunately sharing something, no matter what it is, and that causes the more security-minded folks (and sometimes paranoid ;)) to choose other options.
I simply look at it this way, folks need to understand what end and security really looks like, and if they’re putting all their faith in one single service to solve everything, they are poorly misguided. Unfortunately, there’s not much we can do about that except educate when we see it.
I still put more faith in Tor.
Yeah agreed. Your intentions matter.
From a technical perspective, one can’t end-to-end encrypt or hash a recovery address as it needs to be accessible to send the recovery email, which is typically initiated by an unauthenticated user who has lost their password. In brief, if we did that, one wouldn’t be able to use the recovery address for its intended purpose.
Yes, you have to use Tor properly for you to remain anonymous. That is true!