this post was submitted on 03 Sep 2025
39 points (97.6% liked)


I think I know the answer, but maybe I'm missing something

Since proton only sends and receives encrypted emails to other proton accounts, that means that when you get or send an email to someone else, they have to send / receive unencrypted and there is no way for us to verify what they are doing. Right?

Also if most accounts are Google/Microsoft, they still get 90% of my emails. By switching to proton I think I've gained nothing, while losing convenience, added another trust point, and having two different companies have my data instead of just one

Proton drive, calendar and VPN I think are fine

Sorry for the poor syntax. I'm at work working on email related things, and this topic kept distracting me. I might correct it later

[–] railcar@midwest.social 24 points 1 month ago (3 children)

Email is never private, even with encrypted email, headers give away metadata. HOWEVER, Tuta & Proton are not scanning your emails to market shit to you and train AI. That's the main advantage.

[–] notarobot@lemmy.zip 7 points 1 month ago

You can't know if they are not reading your emails to do anything. That is the issue. Because of how email works, we know that they COULD. And experience tells us that tech companies profit from breaking promises and laws.

[–] Auli@lemmy.ca 4 points 1 month ago (1 children)

Problem is where you send emails to is.

[–] JustEnoughDucks@feddit.nl 2 points 1 month ago (1 children)

Except that proton released their LLM AI so maybe they will start doing that?

[–] pineapple@lemmy.ml 2 points 1 month ago

No, they probably won't. Proton is not a big enough company to train its own large language model; instead they are using already available open source models.

[–] solrize@lemmy.ml 19 points 1 month ago (1 children)

Mail transport these days is usually encrypted over the wire, but once it lands at the receiving server (i.e. gmail) it is stored in the clear, or at least in a way that the host can read it.

[–] notarobot@lemmy.zip 1 points 1 month ago (1 children)

Exactly. It has to be sent unencrypted. So there is no way to know what either of the providers are doing and is just a big "trust me bro"

[–] solrize@lemmy.ml 11 points 1 month ago

It's usually sent encrypted (by TLS) so it can't be read by external entities monitoring internet traffic. Then the host decrypts it and stores it and can access it. Yes it's trust me bro. Email is fundamentally not all that private, because of that.

[–] owenfromcanada@lemmy.ca 14 points 1 month ago

I have private email for two reasons: using my own domain, and to promote it in general. Sure, everyone else is on Google/MS right now, but as they continue to enshittify things, maybe more people will want to move away from that. And the more people do that now, the faster/easier it will be for others.

[–] DrunkAnRoot@sh.itjust.works 12 points 1 month ago

GPG and mailbox.org or another "just" email service

[–] Jason2357@lemmy.ca 9 points 1 month ago* (last edited 1 month ago) (1 children)

I wouldn't say you have gained nothing. The amount of data provided to google or microsoft when using their email is significantly more. For example, your app or client is checking email all of the time, giving them telemetry on your location and activity, all your devices, 24/7. Google logs and analyzes all of your interactions with Gmail's web pages, how long you have certain emails open for, what you don't bother to open, what you tag as important, etc.

Much of the one-way email you sign up for from companies and organizations come from smaller outfits like sendgrid or their own infrastructure, so you are cutting google out of information about your associations and interests.

Also, in regards to that 90%, you can either be part of the problem for all your contacts, or part of the solution. The network effect is huge.

[–] hansolo@lemmy.today 5 points 1 month ago (2 children)

Proton does offer what is essentially a self-contained PGP portal. You send anyone an email and they get a "hey, this is me, open the message below" thing and then a link to a message that's hosted on Proton servers. So your Granny doesn't need to set up a public/private key pair, you can just send the encrypted portal option.

No idea if Tuta or others do this.

Plus, no matter who you chose, you personally aren't feeding the Google algo. You can do what I do, which is you leave all the hyper data hungry services in the data eating world, just feeding on each other alone. Then you have real conversations over email or fediverse.

[–] 0x0@lemmy.zip 3 points 1 month ago

No idea if Tuta or others do this.

Tuta does too.

[–] notarobot@lemmy.zip 2 points 1 month ago (1 children)

Yeah. I chose proton over tuta because of this option to send the link to the encrypted message. I think tuta does have it, but it didn't show the entire conversation. If you wanted to see the entire chain I think you had to either find the mates email to get the latest URL, or open each URL by itself.

The problem with those is that you have to exchange the password by some other means than the email itself, so it's really not practical for the other person

[–] hansolo@lemmy.today 2 points 1 month ago (1 children)

Signal message should be good enough. Though I think part of the Proton version is that by virtue of opening the email you are validated to open the message. Not sure if that means it can be forwarded or what.

[–] notarobot@lemmy.zip 1 points 1 month ago (1 children)

No.

  • One of the main uses of email is communication with companies. And they won't have a signal account just to exchange passwords with you
  • doesn't work for emailing someone you have no say you want to send an email to... Idk a youtuber (first example I could think of where you know you want to talk to them but you have no other means to do so). They have their email published. Now what? You can't email them asking for their phone number so that you can exchange email passwords because they won't give it to you, and that exchange is happening unencrypted
  • if I have a way to contact someone over signal, I'd rather use that than email
[–] hansolo@lemmy.today 1 points 1 month ago (3 children)

One of the main uses of email is communication with companies. And they won’t have a signal account just to exchange passwords with you

No. Email is just a non-centralized protocol. While not everyone uses it the same way, most normal people never use email to communicate with companies, who are increasingly forcing people to use chatbots anyway. So it's not even a reasonable point to make. Password protected emails are meant to be between people who have an established relationship. If a company needs someone to send them encrypted message, they'll have a platform for that, just like Wikileaks or ProPublica, so you're not making a valid argument about that.

If some Youtuber is someone that does anything privacy-related enough that they should be receiving encrypted emails, their public PGP key should be on their YT profile and you can send them an encrypted message anyway with that. Protocols and methods exist already to accomplish what you're talking about. You need to complain to the Youtuber for not practicing good security and privacy, not to Proton for not creating some mind-reading Diffie-Hellman scenario. Really, do you think that you can just send some random person a message that says "click link to open secret message!" and not expect it to just look like phishing?

If you'd rather use signal, use signal and send them an attachment encrypted with their PGP public key. This isn't hard, I don't even know why you're trying to argue all these weird non-existent edge cases like they're everyday issues.

[–] sjmulder@lemmy.sdf.org 4 points 1 month ago (1 children)

Note that ProtonMail actually supports automatic encryption to email accounts that publish their public keys in a Web Key Directory, which I’ve set up for mine. When you type such an email address in the To field, it’ll turn into a special color with a lock symbol.

Likewise, ProtonMail also exposed a WKD so people can send encrypted emails to ProtonMail accounts. I don’t know of any mail clients that support this though (I used the command line to pull keys)

[–] Jason2357@lemmy.ca 3 points 1 month ago

Wow, til I learn about WKD! I used to have a key on keyservers, but hated how that was basically a spam trap and the fact that anyone could upload a key there for my own address. It was easy because I own my own domain and already have a web server there.

I set it up and tested it with help from https://www.webkeydirectory.com/

Looks like it's being added to clients: https://wiki.gnupg.org/WKD/DistributionOfWKD

[–] 0x0@lemmy.zip 3 points 1 month ago

Tuta lets you encrypt a message for the sender only, with a passphrase.
They'll have to follow a link but still...

[–] commander@lemmy.world 3 points 1 month ago

I think Proton mail is worth it just to diversify off Google but I don't lend much faith in how effective privacy will be with email. The free service is enough for that. If I wanted more faith in encrypted communications, encrypted chat applications. I sub to proton for drive and VPN. ProtonPass has all the email aliases for throwaway websites

[–] Core_of_Arden@lemmy.ml 3 points 1 month ago (1 children)

I pay the amount of maybe 10 $ a year for having my own domain hosted at a mail-hotel, and that means I control my own e-mail. I think it's worth it. The more who switch, the better.

[–] notarobot@lemmy.zip 1 points 1 month ago (6 children)

Could you elaborate? What is an email hotel? I'm guessing you mean an email hosting.

[–] int32@lemmy.dbzer0.com 2 points 1 month ago (2 children)

the thing with proton is you don't really know that they're private and they pretty much always collaborate with the police and their android vpn app collects some data that it doesn't need to. I would suggest you:

  1. don't use email, that's the ideal solution
  2. use a provider like cock.li and send messages encrypted with pgp. this isn't ideal, pgp leaks a lot of data and cock.li gets sinkholed by most email providers.
  3. use proton and encrypt emails with pgp, you have not much privacy but it's less worse than microsoft and not much convenience loss, except that proton doesn't allow email clients (at least if you don't pay; I don't know about ms).
[–] notarobot@lemmy.zip 3 points 1 month ago (3 children)

I don't know how old are you or where you live, but for everyone I know it's non optional. My government requires an email. And for any site I want to use I require an email. Even Lemmy.

[–] colournoun@beehaw.org 2 points 1 month ago

Assuming that you trust what Proton says, when they receive a (possibly unencrypted) message they re-encrypt it with your key as soon as possible and they don’t log the content. So, after that point, they (or anyone else) can’t read the email contents. If it was also encrypted in transit, then there’s only a small window inside their email processing system where the plaintext was passed from one encryption to the other. It’s only decrypted again in your browser or proton mail app with the key that only you have. It’s not bulletproof, but it’s better than most providers.

[–] monovergent@lemmy.ml 2 points 1 month ago (1 children)

Makes me feel like I'm doing the best I reasonably can, even if it's of limited effect. Also, built-in aliasing service.

[–] notarobot@lemmy.zip 1 points 1 month ago

This is the best reply so far. Probably not enough for me to stay, but at least not pretending it's safer

[–] furrowsofar@beehaw.org 2 points 1 month ago* (last edited 1 month ago) (1 children)

There is an advantage of using a provider that supports MTA STS. This is Strict Transport Security and forces at least transport encryption.

There is an advantage to use a provider you pay for too and at least claims not to read your email.

It is also nice if they can host your domain and have good delivery.

Edit: I meant MTA STS not SMTP STS.

[–] notarobot@lemmy.zip 3 points 1 month ago (1 children)

Haven't heard of MTA sts. I'll have to research it, but it probably doesn't change the fact that when exchanging emails with another provider, they have to work with plaintext

[–] furrowsofar@beehaw.org 2 points 1 month ago* (last edited 1 month ago) (1 children)

Google is promoting MTA-STS. MS is at least testing it and some others. Proton mail might support, check. I use NameCheap shared hosting mail. They support incoming but not outgoing.

Sure it is clear inside each org but secures between. Nice because you can secure in your org by contract. Not as good as e2ee of course.

[–] notarobot@lemmy.zip 2 points 1 month ago (3 children)

I read the first part of Google's article about MTA-STS. It is good for security, but does nothing to prevent providers from reading in and out email
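What MTA-STS enforces between providers, as an added Python example (not from any commenter): a sending server parses the recipient domain's policy file (RFC 8461 format) and decides whether to deliver to a given MX. The policy text and host names are constructed samples.

```python
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.example.net
max_age: 604800
"""  # constructed sample, as served at https://mta-sts.<domain>/.well-known/mta-sts.txt


def parse_sts_policy(text: str) -> dict:
    """Parse an MTA-STS policy file into a dict; raise ValueError if invalid."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key in ("version", "mode", "max_age"):
            policy.setdefault(key, value)    # first occurrence wins
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("policy lists no mx patterns")
    policy["max_age"] = int(policy.get("max_age", ""))
    return policy


def mx_allowed(policy: dict, mx_host: str) -> bool:
    """A '*.' pattern matches exactly one left-most label, nothing deeper."""
    host = mx_host.rstrip(".").lower()
    parent = host.partition(".")[2]
    return any(parent == p[2:] if p.startswith("*.") else host == p
               for p in policy["mx"])


def delivery_decision(policy: dict, mx_host: str, tls_cert_valid: bool) -> str:
    """'enforce' refuses on failure; 'testing' delivers but reports it."""
    if tls_cert_valid and mx_allowed(policy, mx_host):
        return "deliver"
    return {"enforce": "refuse", "testing": "deliver-and-report"}.get(
        policy["mode"], "deliver")
```

The check covers only the hop between the two providers: a "deliver" result says the message travelled over authenticated TLS to a listed MX, not that the receiving provider stores it in a form it cannot read.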
