It hurts my soul to see a well-reasoned and well-intentioned post like this start off with good advice then immediately recommend ProtonMail.
ProtonMail is about the single worst experience I’ve ever had with Big Email. I really do wonder how many people they’ve harmed but get away with it because the happy path works for most people most of the time.
The worry I have with something like Gmail or Outlook is that they can just take away your access to your inbox without reason or recourse, but it’s never actually happened to anyone I know. It happened with ProtonMail though - I set up an account for a family member, updated some of their online registrations to point to it, then a couple of days later it was locked out permanently.
Thankfully they hadn’t got to the point of using the account for anything they cared about yet, just a couple of big retailer mailing lists (they’re not the most tech literate so move very slowly with things like this). Literally it was receiving mailing list emails from two well known, non-shady retailers and that’s it.
Password not forgotten, no way to have the account unlocked, no way to find out why it was locked, no way to have the account deleted, no way to get access to repoint the accounts using that address because now ProtonMail owned those other website accounts (not your email not your account).
Pretty much just [you can’t have your account back, you can’t find out why, you can’t appeal, and every email that ever lands here in the future belongs to us now so go fish].
They are by a long way the worst experience I ever had with a provider of any online service, so much so that I’ve since moved my own e-mail that was there back to outlook before some arbitrary spam caused the same thing to happen to me. Never again.
Hey thanks for taking the time to write this out. I wrote that post, and I use ProtonMail and have basically nothing but good experiences with them so far.
I don't consider them "Big Email" just by literal meaning (they're very small).
> The worry I have with something like Gmail or Outlook is that they can just take away your access to your inbox without reason or recourse, but it’s never actually happened to anyone I know. It happened with ProtonMail though - I set up an account for a family member, updated some of their online registrations to point to it, then a couple of days later it was locked out permanently.
>
> Password not forgotten, no way to have the account unlocked, no way to find out why it was locked, no way to have the account deleted, no way to get access to repoint the accounts using that address because now ProtonMail owned those other website accounts (not your email not your account).
This is pretty terrible, but I'm coming at it from an oligopoly-break-up angle, and hadn't heard any such stories about ProtonMail.
I'll try to update the post to serve as a better example, but I hesitate to do so without at least suggesting something (other than self hosting, obviously) that is a similarly easier option. What do you recommend instead? Fastmail?
There's nothing wrong with Protonmail if you use your own domain name. You can move your email to another service if you get shut out. I'm surprised no one has mentioned it in this thread, especially considering another recent post on the front page of HN discussing a very similar topic.
I don’t know that I could recommend any alternative at all.
I’ve no experience of FastMail, but this same thing could happen just as easily with any provider. You’re basically left to rely on the opaque internal policies of the email provider to prevent your online identity being revoked, which is one of the many reasons why so many people would rather self-host in the first place.
Sorry I can’t help you out with my two cents here. I’ve never heard of such things happening with FastMail, but then I hadn’t heard about it happening with ProtonMail either until it did.
Well thanks for offering your experience at least -- I've updated the post to at least list some of the alternatives.
Self-hosting is the end-goal but it looks like the in-between is still murky as well.
Maybe what it really takes is people springing up to fill the gaps of a closer-to-self-host solution (so you have full control) w/ deliverability auto-solved (automatic purchase of some external relay or something). Like a service that purchases a VPS in your name, sets it up, then essentially disconnects (or offers to manage the service for a fee).
Of course there's stuff out there like Cloudron etc so maybe that's part of the way forward as well -- but I wonder if Cloudron could ever really reach a completely non-technical user.
FastMail and Mailbox spring to mind as the premier ‘alternate’ e-mail hosts. I’ve heard decent things about Tutanota but have never used them so can’t speak to it.
Fastmail is based in Australia, which IIRC has a pretty dismal privacy situation, with laws that mandate they have to be able to decrypt user data and provide full access to user accounts when asked, plus zero standing for non-citizens. Might not be an issue for most since the Five Eyes get it all anyway etc. etc., but it was a showstopper for me. Last time I looked Mailbox.org seemed to be the best EU-domestic provider.
Oh shit, Fastmail is based in Australia? I don't know how this escaped me/how I'd never heard of this.
Yeah, Australia's policies regarding the internet are fully foobar'd. Removing them from the listing. Nothing against the people of course but it's off my radar as even a place to visit for this reason (not that they need my tourism).
Tutanota I did hear something negative about -- they're beholden to the German government (not to necessarily say that others aren't -- ultimately nation-states tend to get their way), but I'm willing to include it if the community generally trusts it/is OK with the tradeoff.
I switched to Fastmail ... 5 years ago? I've had zero issues.
I pay them for a service, they provide said service. I think there have been a handful of outages, but I only noticed them afterwards from the HN front page :D
The Masked Email system alone they added a while ago has been a life-saver, I sign up to all mailing lists and weird online shops using it.
Also avoid using ProtonMail Bridge if you value your emails. It's been silently corrupting/deleting your emails for years now. And Proton hasn't done a single thing to warn users about it. Instead they've been working on a complete rewrite which is far from completion. Meanwhile people are still discovering that their emails are disappearing.
I find ProtonMail odd too, especially in context of better decentralization, for them (AFAIK) not supporting regular client-to-server protocols (without the bridge software) and doing that reinvented encryption which only works between its clients, but as for account cancellation, it does seem to happen with others too: there are regularly appearing stories about Gmail/Google accounts being blocked with no way to contact the support, occasional services (like Opera mail) just shutting down, some seem to take your mailbox hostage demanding more of PI.
AIUI it is, but that's achievable with generic setups (using OpenPGP for encryption, often GnuPG) and between any mail servers as well, in a standardized way. I think ProtonMail's argument is that they make it the default for communication between their clients, while OpenPGP is not used commonly. But to benefit from that, all the involved users should use ProtonMail, which is contrary to decentralization.
It solves the problem of protonmail having to turn over emails to various authorities. This isn't solved with gpg as most people you would be sending to don't use it.
But most of the email recipients (and senders too) don't use ProtonMail either, so those won't be encrypted, and then ProtonMail can still turn over the messages. The ideal situation with this approach is that everyone uses ProtonMail (no decentralization at all), to have everything encrypted. While the ideal situation with OpenPGP is that everyone uses that, which allows for multiple independent mail servers.
Edit: or do they perhaps not store sent messages (that is, they have to queue them, and attempt resending on failure, but beyond that), and/or encrypt incoming ones with the user's public key upon arrival?
Edit 2: apparently the stored messages are indeed additionally encrypted by ProtonMail [1]. That looks useful.
Edit 3: now I wonder why not to do that with OpenPGP too.
Edit 4: looked around, apparently some do that. [2]
Weird, I've had the opposite experience with Proton - I was able to recover an account with insufficient recovery info after having forgotten the password (100% my fault) after a quite thorough process. I've also completely lost access to a Google account on which I hadn't provided recovery info and my only "fault" was trying to log in from a new location (even in the same browser) - I moved places in between, so I couldn't just go back to the old location.
I'm sorry this happened to you, but I find it weird that you make this out to be a problem specific to Proton. It happens to people on all major services, it sometimes even makes the front of HN. Do we have any evidence that this happens at a significantly higher rate at Proton than at other providers?
Sure. We'll just believe that ProtonMail locks accounts randomly, for no reason. Or was spam the reason? If that was true, everyone would be locked out because, well, everyone is getting spam.
A quick Google search returns tons of results from ProtonMail's subreddit of people complaining that ProtonMail locked them out of their account for unknown random reasons.
The post you've linked doesn't say that it was some unknown/random reason, just the fact that the person is locked out of the account, not that the account itself is locked, which may be for a variety of reasons (losing 2FA, forgetting password, else?). It's more about that support is slow. The person reached out and the issue was eventually resolved.
> The post you've linked doesn't say that it was some unknown/random reason just the fact that the person is locked out of the account, (...)
Fair enough. You can google though. There's a wealth of complaints of people seeing their accounts locked.
If you don't have time to run a Google search, you are free to read ProtonMail's own docs, especially how they describe how they lock accounts based on heuristics and how they recognize the occurrence of false positives.
Trying to contact support? Their response? Ultimately figuring out the real reason? When faced with an issue I usually try to figure it out first. After all, accounts can get flagged wrongly on outlook, gmail and other services as well. And the linked reddit thread does not relate to your case. To me, the very theory of account locked just because someone sends a spam email to said account is, honestly, ridiculous.
> They are by a long way the worst experience I ever had with a provider of any online service, so much so that I’ve since moved my own e-mail that was there back to outlook before some arbitrary spam caused the same thing to happen to me.
Well, I misunderstood you here. Wrongly assumed you meant it happened to you again.
I contacted support, but they simply refused to assist at all.
The account was just.. gone. That's what was so shocking about it - I realised pretty much immediately at the time that there would be no way to recourse a locked account because any means by which you could prove the account would be yours (other than having the password, which we still did, but which was not acceptable to unlock the account according to PM) is inside the inbox itself. More than that - they weren't asking for more information. They simply said it was permanently locked and nothing could be done.
This has happened to others too, as has been posted elsewhere in the thread.
Yeah, I get it. ProtonMail bad. I'm glad that your Gmails and Outlooks still work. Thumbs up. I'm also glad you've created this account just to reply to me, really honored.
You're being really dismissive here - no-one's saying PM bad/others good. I was pointing out an experience with ProtonMail and others have corroborated with their own experience.
All of that said, if it says nothing else it at least suggests that larger providers seem to have a better grasp of how catastrophic being locked out of one's own e-mail can be - PM really don't seem to understand the responsibility they bear being a provider of such critical infrastructure. If this were happening in this same way at larger providers like Google and Microsoft, I'm quite certain there would be heavy regulations by now.
Making an account is really quick, no need to feel honored by such a simple act. It's basic privacy - don't keep your identities too long, especially if you're going to tie them to the set of services you're using.
Yes, we will, since it happened to others of us. What kind of evidence would you like? My account is inaccessible. Should I tell you the password so you can try yourself or what?