Protonmail is not safe!
Apologies for redtexting.
I've been spending the past three days de-googling my life and setting up semi-private alternatives, and that means a deep dive into current email alternatives. Obviously nothing is 100% secure. But the ideal is "plausible deniability" so when the Feds come knocking the email provider will hand over worthless encrypted data and no keys.
<But they're in Switzerland!
Just because it's an exotic sounding location to burgers doesn't mean jack shit. A "no logs" VPN provider in Hong Kong was forced to keep logs and served a gag order to keep quiet about it. Fucking Hong Kong!
Switzerland also has an official agreement with the US as to court orders, but I'm foneposting and I can't remember the name.
But suffice it to say, if it's anywhere in the world, the whole Five Eyes/Fourteen Eyes/Nine Eyes system and USA hegemony can just request that data; extra paperwork is no problem for them.
They also use a program called Matomo for their main site. What is Matomo?
"We employ a local installation of Matomo, an open source analytics tool. Analytics are anonymized whenever possible and stored locally (and not on the cloud)."
Fuckin' lovely. But that's the website, what about email data itself? From Protonmail:
"we have access to the following email metadata: sender and recipient email addresses, the IP address incoming messages originated from, message subject, and message sent and received times. […] We also have access to the following records of account activity: number of messages sent, amount of storage space used, total number of messages, last login time."
That's actually more metadata than Tutanota! Let's read some more:
"When a ProtonMail account is closed, data is immediately deleted from production servers. Active accounts will have data retained indefinitely. Deleted emails are also permanently deleted from production servers. Deleted data may be retained in our backups for up to 14 days."
Indefinite retention if they flip a switch and keep your account "active" and 14 days of them holding on to your data even after you burn everything.
See pic related to know if your email will be safe.
So what's an alternative? I'm looking into Disroot. They run the Searx.me search engine I've been using, and they have a very "hands off, don't tell us what you're doing with your email, we don't want to know" attitude. It bears further research at least.