We actually have more developers now, but the difference is that recently we have been working on bigger projects and clearing out some technical debt from the earlier days to pave the way for the next stage of development.
ProtonMail Bridge is an example of a "big" project that takes longer. Bridge adds IMAP support, but this also means that changes are required on all clients (iOS/Android/Web, etc) in order to support the new range of behaviors that are possible with IMAP. However, a lot of the work done here can be re-used, and for example, will allow us to add IMAP import/export much more easily.
ProtonVPN is also on an accelerated development timeline. ProtonMail was 2 years from beta to public release; with ProtonVPN, we're reducing this to 4 months.
There has also been more focus on the backend (stuff users don't see). For example, improving search performance, improving API performance, finding more reliable ways to store petabytes of encrypted data, and overall site reliability engineering to reduce even further the risks of downtime.
Then there is also time spent on several other email related "big" projects, some which are among the most ambitious we have done so far. We're not ready to give too many details yet, but generally speaking, the new features we are adding, all tend to have longer development lifecycles, because they are harder and more revolutionary.
Andy here, I literally just had a call with Jason Donenfeld this afternoon about this. Yes, it is planned, most likely sometime next year. ProtonVPN's infra and user base have grown a lot in the past 12 months, we just released the iOS app, and we're working on preparing to make all the apps open source (as that's one of our firm goals we have outlined for 2019), so we've got a lot of plates spinning at the same time on the VPN side (and this is without getting into all the projects happening on the Mail side). We need a couple months to stabilize things and then we will start working in this direction.
If you look closely, you will see that the new storage space indicator is inspired by the server load icon which first debuted on the ProtonVPN windows app back in 2017.
We spent a lot of time refining little things like that. The 4.0 design also has a "single piece" background, which makes it easy for users to customize colors or add their own background image to make your encrypted services unique and truly yours.
The quick select to go between Day/Week/Month, etc, views, instead of using a dropdown, makes calendar navigation much faster and less confusing. The quick access time-zone dropdown also makes life a lot easier if you work/travel across multiple timezones (as the Proton team does as we have team members from practically every continent). The next event display at the top is also something that we hope users will find useful and makes it less likely to forget an appointment. There are also little subtle things, like the week of the year visible in the month view.
In general, the beta version will only have maybe 10-15% of the overall feature set that we plan to introduce eventually into ProtonCalendar. The crypto is also quite sophisticated. Not only are events encrypted, but they are also digitally signed, so you can be sure that the server didn't tamper with it without your knowledge. We like to get things right before we release them, even the little things, and that's why in general, we don't like to rush the process.
ProtonMail is safe against the efail PGP vulnerability. The real vulnerability is implementation errors in various PGP clients. PGP (and OpenPGP) is fine. Any service that uses our @openpgpjs library is also safe as long as the default settings aren't changed.
The correct response to the efail vulnerability is not to stop encrypting, but to use clients that are using secure implementations of PGP.
It is not correct to call Efail a new vulnerability in PGP and S/MIME. The root issue has been known since 2001. The real issue is that some clients that support PGP were not aware for 17 years and did not perform the appropriate mitigation.
Werner Koch (GnuPG author) has a good write up about the efail issue. https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060315.html We agree that the @EFF warning is overblown and disproportionate, and likely issued without fully understanding the issue. It was irresponsible for the researchers to not correct that.
Efail is a prime example of irresponsible disclosure. There is no responsibility in hyping the story to @EFF and mainstream media and getting an irresponsible recommendation published (disable PGP), ignoring the fact that many (Enigmail, etc) are already patched.
While we think that stories claiming "PGP is vulnerable" are inaccurate (since the issue was reported in 2001 and is a client side problem), we do take the Efail bug seriously. The researchers have said ProtonMail is not impacted. We are performing independent confirmation also.
Edit: Blog post with full technical explanation: https://protonmail.com/blog/pgp-vulnerability-efail/
Yeah I was wondering what everyone was on about in the other post -- I'm absolutely thrilled with ProtonMail and it's easier than running my own server. It handles mail for me and that's the number one thing I need, it's already my daily driver (I do keep a GMail as a backup but all important mail flows to Proton now).
Night mode, advanced calendaring (well more than they already have implemented) and that other stuff is just icing on the cake for me. Maybe I'm too casual a user. I expect an email provider to mostly provide me access to my email.
Paid up for multiple years at this point (actually I need to go back and check, renewal might be coming up) -- very happy with ProtonMail as a service. ProtonVPN is a nice to have, I don't use ProtonDrive but might someday. I make do with + aliases for most things, make proper aliases the other times.
I almost don't care what speed ProtonMail goes at as long as it's sustainable -- obviously they need to develop features fast enough to entice and keep new users (not doing so is unsustainable if everyone churns), but they don't want to move too fast and grow beyond their means or introduce new bugs (also unsustainable).
We actually object pretty strongly to this characterization. Like all small companies, we have limited resources, and open sourcing code requires a lot of work, such as proper documentation, code organization, and making it ready to accept pull requests. This is not easy on a code base that is rapidly evolving and changing.
Where have our resources gone you might ask? Well, the answer is to other open source projects. For example, OpenPGPjs, the world's most widely used OpenPGP library which powers dozens of other projects: https://protonmail.com/blog/openpgpjs-3-release/
If this doesn't show a strong commitment to open source, we're not sure what does. As we have always said, building secure encryption libraries and protocols (for example, OpenPGPjs was one of the only PGP implementations not impacted by Efail and already with AEAD support) is extremely important for making privacy ubiquitous.
Our support of these initiatives comes at the cost of the resources we could have used otherwise to prepare some of our applications for open sourcing, but we prioritized in this way because developing secure, open source encryption libraries delivers more benefit to the world.
This does not mean that we are not going to open source our mobile apps or the ProtonMail Bridge, it is just going to take longer as it will have to wait until we shift our limited development resources from core crypto libraries back to clients.
We don't think this means we aren't committed to open source. Quite the contrary actually - we are so committed to open source that we've put community projects ahead of our own projects. And this commitment has allowed us to support a community of users that is well in excess of the millions of people who use ProtonMail and amplify our impact.
I am subscribed to ProtonMail Plus and ProtonVPN Plus. I am really disappointed by what I pay for and what I get. Having lots of problems with the clients, ProtonVPN speed is often horrible and/or doesn’t work so I have to use Windscribe. The development of ProtonMail is extremely slow considering the amount they charge for it. It does not even have a real iPad app with columns!
If everything would work at least... but for now I just wish I could get my money back :(
> Please note that once your account is deleted, there is no way to recover or recreate it. We do not recycle usernames, which means the same username will be not available in the future.
Source: https://protonmail.com/support/knowledge-base/delete-account/
There are a couple things that we have heard people mention.
First, we're a bigger company, more reliable, more likely to be around long term.
Secondly, our webapp and mobile apps are more polished and much easier to use.
Third, we are standards compliant. For example, we are the core developers behind OpenPGPjs and play a big role in driving the future of the OpenPGP standard.
Fourth, Swiss jurisdiction is generally better for privacy.
Fifth, we have a strong scientific/research background, and we focus a lot on research, which allows us to do security on the cutting edge. For example, our authentication system and how we improved upon SRP: https://protonmail.com/blog/encrypted_email_authentication/
As a person living in India under an oppressive government, both Protonmail and ProtonVPN are useful but regrettably extremely expensive services for us. I would love to pay for a lower tier with enhanced services than their free versions, but it's quite impossible at their current rates, thereby excluding an entire continent of customers.
> For ProtonVPN while only launching a new version (mainly cosmetic) of the ProtonMail web version & calendar & drive “betas” and only for the web & Android (calendar only)! It’s been months since they’ve been “testing” a calendar iOS app. The calendar beta in particular has felt just like it’s taking an eternity.
I think you should inform yourself a bit further before posting such claims.
v4 is not only mainly cosmetic, it has been completely rebuilt from the ground up, includes single sign-on for Proton services, persistent logins, subfolders, calendar integration.
Additionally, since then they released the attachment reminder and started to release the encrypted search.
This is all very far from mainly cosmetics.
Several. I think someone more crypto-elite will give a better answer, so I'll be brief and check back later:
Your email account is much more difficult for an outside agent to access. They're not going through your email (like Gmail is with keyword searches and hash comparisons), they're not responding to subpoenas (like Yahoo did when China wanted to read the accounts of dissidents), and they're not creating a profile of you based on other behavior and login habits (like everything Google, everything Facebook, and many other websites).
If they wanted to, they couldn't read the email in your account because it's encrypted and they don't have the key.
Despite this, they've got a warrant canary. https://protonmail.com/blog/transparency-report/
That's all pretty good by itself.
Also, if you know you're sending an email to a specific non-ProtonMail contact and you want it specially encrypted, you have that option at the bottom of your screen. You'll just have to tell them the password somehow. If they have PGP capability, that makes it possible to do things remotely, but at this point we exceed my knowledge.
There are a couple other benefits.
First, your entire inbox is stored with end-to-end encryption, so even emails you get from non-ProtonMail contacts are encrypted before they are saved into our database, and we have no way to decrypt those messages.
Furthermore, since we are outside of the US and the EU, we aren't subject to mass surveillance programs like the NSA, GCHQ, etc. We don't have much we can turn over anyways, but we also avoid issues such as what happened with Yahoo: https://protonmail.com/blog/yahoo-us-intelligence/
We do these sales in order to accumulate the resources to build new services. For example, something like ProtonVPN requires a lot of capital investment (e.g. losses) for many months, before we can start to generate revenue from it and fill in the hole it created in our balance sheet.
When more people pre-pay for services (whether it's 2-year plans, or Lifetime plans), this gives us a cash surplus to absorb many bruising months of losses in the runup to a new product launch, in the period before the new product can pay for itself. In this case, we are using the proceeds from this promotion to partially cover the "hole" ProtonDrive will create in our balance sheet.
We believe it's good for the community too. Long time users can benefit from discounts/savings, while simultaneously enabling us to make the product they have invested in better.
Good post and captures my thoughts as well. I've been a paid ProtonMail user since the beginning and have enough credits in my account to keep it paid for at least another five years. That said, my confidence in PM has dropped gradually over the years to the point I no longer rely on this service and definitely no longer recommend the paid service to anyone.
PM is by far the slowest development cycle of any product I use. The team always hides behind the "encryption is hard" excuse for not releasing new features, but I think we all know that's just an excuse at this point. It's not hard to implement basic features, such as notification sync across devices. Every multi-device app you use likely has this basic feature, except PM. I remember when PM released ProtonVPN and charged top dollar for a slow, buggy VPN. It took a solid year before the product was worth even half the price of what they were charging. The free users praised them and loved it, of course, but the paid users were the ones paying for an expensive product that did not work well. That's always been the case with ProtonMail - the paying users support the free users.
The bottom line is that PM does not have good product management and they have either not recruited industry talent or their management team is stifling productivity. They have a lot of staff and have stated that revenue is not a problem. Then what is causing the slow development cycle? It seems to me at this point they need to turn over some of the management by removing the scientists from CERN and bringing in industry talent who have experience managing large-scale software products.
This is a good question. We wrote up a not too complicated explanation of Gmail vs ProtonMail from a security and privacy standpoint. It also addresses the other benefits of ProtonMail even if you don't have end-to-end encryption with non-ProtonMail users.
No, they did reserve the right to eventually do that, but they don't practice it right now.
So they may close free accounts if they are inactive. But currently they don't do that at all.
Here's the line from their ToS:
> Although it is not the current practice now, we reserve the right to suspend or delete accounts that are inactive for over three months. This does not apply to paid accounts. Paid accounts are never subject to deletion as long as their paid status is active.
That's a valid concern, but it holds true to all online services and there is only one universal solution for this problem: Get a custom domain and use only your custom domain exclusively.
If you'd use ProtonMail with a custom domain and they would be gone tomorrow, just switch your DNS records to another email provider and you will receive all your emails there. Also makes it super easy to switch provider because you don't have to edit a thousand accounts and switch the email address if you'd dislike ProtonMail in the future.
> what do you think about GMail and why would you NOT recommend Gmail ?
Gmail is a great service but I personally don't consider the cost in privacy even close to worth it. Maybe ProtonMail is overkill for some people, both in price and in sacrifices, but I would rather recommend to go with something like https://mailbox.org if that's the case.
We confirm that there was a brief 5-minute interruption to our services where users may have experienced difficulties accessing ProtonMail and ProtonVPN. All services are back online. We apologize for the disruption.
> premium prices
This is why I'm considering possibly not renewing.
I really like ProtonMail, I've been a paying member for 3 years. I also donated bitcoin in the past.
But I'm paying $50 a year for a privacy-enhanced service where I still can't import PGP keys.
I feel like that should be a main priority.
Meanwhile the last big release focused on snooze notifications.
Like I'm sure it's nice to have snooze notifications, but why not focus on PGP first? The whole reason people use protonmail is for privacy.
I get that emails are encrypted at rest, and that's nice, but 90% of my outgoing mail is still in plaintext because I can't import anyone's PGP keys.
The only option is to send an encrypted link, which expires. Seriously, at least make it so that there's no message expiration until you have PGP fixed.
Sorry to rant, I really think they are doing great work, I'm very proud to have been a paying member, just a bit frustrated with the direction it's going.
I've been a paid user of Proton since it was a crowdfunded project, and I think the ProtonMail Plus package is a fantastic value for security-conscious users. If you consider that you'll have unlimited usage of ProtonVPN and all its servers for multiple devices, and the extended features of ProtonMail, including more storage, higher daily message limits, private domain access, and access to ProtonCalendar and ProtonDrive, the $8/month price is a no-brainer.
Same here. Although I'll be moving to Tutanota.
How am I going to justify 50+ dollars per year for email when the spam filter doesn't even work?
I've spent ~$300 on ProtonMail over the years between my membership and donations.
People have been asking for the source code for ages. Nope sorry.
In the other thread they straight up admitted they haven't been spending time on the client side but focused on other open source projects instead, because it would benefit more people.
Seriously? I've been donating and spending money on them so they can work on projects that help non paying customers?
Don't get me wrong, I agree with helping the general public, but that's not what I'm paying a company for.
If I want to help open source projects I will donate to them directly (which I do all the time).
Meanwhile Tutanota is 12 dollars per year and they actually open sourced their stuff.
So why stay with Protonmail? Because they are in Switzerland? I honestly don't care.
And why does ProtonVPN have a free plan with barely any limits? Seriously, how many people are we supporting that have no intention of ever going Premium?
A couple thoughts about this.
First, the ProtonVPN email only went out to ProtonVPN users. If you have used ProtonVPN before, then you get counted as a ProtonVPN user. If that doesn't describe you and you got the email, then that was a mistake on our end, and we will look into it to see why that happened.
Second, the starred email situation has been discussed a lot internally. We used to just star certain emails. But due to the rise of increasingly sophisticated phishing attacks against certain users, we have decided to always star all emails from us, even the feature announcement ones. As an example, there are fake marketing email going, where the phishing link was the unsubscribe link. We understand that starring all emails from us might be annoying for some of you, but it is essential for security and the greater good.
Third, regarding the default images which are displayed in the inbox when you first log in. It is on our list to let paid users turn them off. This feature simply hasn't been built yet.
> Purism is an American company, where gag orders exist. They don't exist in Switzerland. So unless ProtonMail itself is the bad actor, they can notify the public about data requests. Furthermore they can challenge them in court, which is public.
>
> https://protonvpn.com/blog/transparency-report/
I'm putting this quote from u/rafficer here for visibility. Feels like this sub gets a lot of concern trolling.
Tutanota is a more and more compelling alternative to ProtonMail. Between their more transparent development, completely open-source clients and significantly lower cost, I am more and more tempted to make the switch.
> The primary risk is domain name seizure which can occur if the US government bypasses the Swiss court system and directly seizes protonmail.com by serving a court order directly to VeriSign. In this case, ProtonMail could lose control of protonmail.com and the US could gain access to emails sent to protonmail.com after the seizure through directing all email sent to protonmail.com to a different server.
Even if I don’t expect this to happen, I prefer to use .ch
This user’s entire post history, essentially, is arguing with you (specifically you) about this one misconception of what “Extended Validation” means. They’ve got a few comments from over 2 years ago that are about ProtonVPN and don’t discuss EV, but aside from that, it’s all arguing with you.
This user is either a troll, an employee at a big PKI provider who sells EV certs (but not a shill, a shill would know more about the subject), or just so intensely paranoid they refuse to be corrected by anyone. Props to you for not just banning them.
I feel like with Proton's products right now you're paying ten times the real cost, and you do so for a promise of a product. Their beta email client is dope, but you shouldn't have to migrate to beta to get great UX. They are also finishing the Contacts & Calendar, and Drive is underway. I would happily pay for a stack of tools that would just work (hint-hint I hate myself for sticking with ProtonVPN), but right now... Idk I'm still paying 8 EUR per month for mail & vpn but I am this close to just going "fuck it, this is a waste of money".
One should never pay for a promise of a product, yet here I am doing exactly that. F
+1 And if you look on all protonvpn are half the price. Example for ProtonVPN & ProtonMail Plus 2 years: new user 144$ old user 190.4$ Why renew when a new client can get a better deal?
I'm quite disappointed and feel cheated. You guys tell "go on your account and look for the Black Friday button" knowing damn well old users will NOT see the better deal for new users.
This is why you're not telling exactly why the promotions are and don't put them side by side.
Worse on it's writing "Billed as 144 € for two years. After two years, your subscription will automatically renew at the regular price of 190.4 € every two years."
So for new user you tell them 190.4 is the regular price and for the old customers it's black friday ???
Protonmail : "Regular price is the new black friday"
I like the privacy concern but this is not ethical. For me this sh** you guys are pulling is a lack of respect to your customers.
Unfortunately opting to keep it the way it is, is no longer feasible or practical as it raises a lot of issues.
For example if they continue with their current route of having:
and they go with the proposed solution of doing the same for Drive / Calendar etc. then they will have to:
- Pay for a service's domain name twice (if they decide to have 2 TLDs)
- Dedicate time towards properly configuring the domains and every time a new domain is brought in.
- Issue SSL certs for every domain
- Any DNS record updates may need to be done for every domain and could cause issues if some update faster than others
- Potential domain name squatting such as the proposed ProtonVault and someone squats /
All of which will be costly to them and increases the chances of issues down the line.
Granted, they could probably work on a better name other than but that's something they can take to the drawing board and seeing as it's their company's name (Proton Technologies AG) I can understand why they want to use it.
Another comment says they own which honestly sounds perfect to me. It's short, has their collective name in it and it's on Switzerland's TLD so it's a win-win all around. Also that means domain names now look like:
Which looks cleaner and it's easier to maintain as they now only have one main domain to manage and can now separate each service using subdomains and quickly bring in others as they expand.
ProtonMail datacenters are entirely in Switzerland. If you do a traceroute, sometimes in the route you will find an IP belonging to Radware.
Radware is our DDoS protection provider, you can find more details here: https://protonmail.com/support/knowledge-base/protonmail-israel-radware/
DDoS protection is on now because we got hit hard this past weekend.
As others have pointed out, it is true that Yahoo, Google, Microsoft, etc, also have outages like this. However, this should not happen so that's not an excuse. We apologize for the inconvenience. No emails or data were lost, but some incoming emails may be delayed.
This afternoon, a critical system overloaded (we are approaching the weekly peak load interval, and ProtonMail and ProtonVPN have had more and more traffic recently). We think we know why it overloaded, it might be an "echo" from the server failure that we unfortunately experienced on Friday. That failure caused some extra data to be cached which was not detected, and caused the cache to overload today. We are adding in a software level fix now to prevent this and make this more resilient in the future.
Because of fast growth, we've had to expand our infrastructure and there is a migration ongoing for the past couple weeks and some systems are not as redundant as they usually are. We apologize again for the inconvenience.
Currently, we are working on PGP integration, Linux bridge, import/export tool, an auditable append-only public key log, (almost done, but needs support on all clients before we can release it), MacOS and iOS for ProtonVPN, and a still secret hardware project. We are also doing some things with blockchain/cryptocurrencies, better anti-abuse/anti-spam, and search. At least two other projects are also moving in parallel, but we will say more about them later when they get a bit more mature.
No and Nothing. Because nothing resides on Apple's servers. They'd have to serve YOU the warrant and have YOU unlock the phone. In fact, it's safer to use the app than a browser.
Here's PM's description of their iOS security: https://protonmail.com/blog/ios-security-model/
Here you go mate:
> You further agree to not use ProtonMail to send Spam, junk mail, bulk emails or mailing list emails that contain persons that have not specifically agreed to be included on that list. Any account found to be sending the aforementioned type of emails will be immediately suspended.
Generally because of privacy. Privacy is extremely important for a functioning democracy. https://whyprivacymatters.org/
And here are also some reasons: https://protonmail.com/blog/protonmail-vs-gmail-security/
Since I assume most of you guys are into privacy you should know that TechCrunch links redirect through guce.advertising.com. Depending on your adblocker it might or not be picked up. On my device it gets picked up every time with such shared links and the loading stops with guce.advertising.com.
Explanation:

> Links into, and out of, techcrunch now bounce through guce.advertising.com, in order to set a tracking cookie. advertising.com is listed here, but guce.advertising.com is not. Both TechCrunch and advertising.com are Verizon Media properties. guce.advertising.com is an alias for real.rotation.guce.aws.oath.cloud.
Source:
For Chromium, you want the ungoogled version: https://github.com/Eloston/ungoogled-chromium
Not sure about brave.
~~For Firefox you want to disable the safer browsing settings in about:config~~
edit: See follow up comments RE:Firefox
New Features
Encrypted Contacts
Download all attachments as a .zip file
Plain Text composing and sending
Advanced composer
Show auto-save time/notification
New translations (added support for Portuguese)
Bug Fixes
Trim input value for email autocomplete
Better support for UK zip codes
Add delete action in Spam folder
Load embedded inside a draft if user has already loaded them
Fix translations on the dashboard
Fix several French translations
Fix how missing embedded images are displayed in the composer
Improvements
> Furthermore, under Swiss law, a Warrant Canary is not meaningful, because under Swiss law, the target of a surveillance or data request must always be eventually notified, so they have the opportunity to contest the data request.
https://protonvpn.com/blog/transparency-report/
Purism is an american company, where gag orders exist. They don't exist in Switzerland. So unless ProtonMail itself is the bad actor, they can notify the public about data requests. Furthermore they can challenge them in court, which is public.
When ProtonMail is a bad actor a warrant canary doesn't help anyway.
>In August 2017, we received a request for assistance from the government of Turkey that was passed to us through the Swiss Federal Police. We rejected the request on account of the Turkish government’s human rights record and will take the case to Swiss courts if the Turkish government files for an international proceeding.
So it seems you have done something against their terms of service to the extent that law enforcement has been involved. Given all of these things are explicitly covered in their ToS, what is surprising to you?
Per the CEO: > just released the [ProtonVPN] iOS app, and we're working on preparing to make all the apps open source (as that's one of our firm goals we have outlined for 2019...)
ProtonMail has hourly and daily sending limits. These are intended to stop a new or compromised account from being used to spam. They're based on your account's normal use and subscription, so they vary, but the suggestion for a free account is 50 messages per hour and 150 messages per day. For this purpose one e-mail with 24 recipients is actually counted as 24 separate e-mails, but it sounds like it still shouldn't be a problem.
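As an added example (not Proton's own anti-abuse code, which the comment above does not show), a sliding-window sending limiter in Python that enforces the 50-per-hour and 150-per-day figures quoted above and counts every recipient as a separate message, as the comment describes. The account names, timestamps and the exact limit values are constructed for the demo.

```python
from collections import deque

# Limits quoted for a free account in the comment above (assumed here for the demo).
HOURLY_LIMIT = 50
DAILY_LIMIT = 150
HOUR = 3600
DAY = 86400


class SendLimiter:
    """Sliding-window sending limiter where each recipient counts as one message.

    Every accepted send is stored as (timestamp, recipient_count) per account.
    A new send is allowed only if its recipient count fits inside BOTH the
    trailing one-hour and trailing one-day windows.
    """

    def __init__(self, hourly=HOURLY_LIMIT, daily=DAILY_LIMIT):
        self.hourly = hourly
        self.daily = daily
        self._events = {}  # account id -> deque of (ts, recipients)

    @staticmethod
    def _total(events, now, window):
        # Sum recipients of sends that fall inside the window ending at `now`.
        return sum(n for ts, n in events if now - ts < window)

    @staticmethod
    def _prune(events, now):
        # Drop sends older than the longest window (one day) to bound memory.
        while events and now - events[0][0] >= DAY:
            events.popleft()

    def usage(self, account, now):
        """Return (recipients used in the last hour, in the last day)."""
        events = self._events.get(account, deque())
        return (self._total(events, now, HOUR), self._total(events, now, DAY))

    def try_send(self, account, recipients, now):
        """Return (allowed, reason). The send is recorded only if allowed."""
        if recipients < 1:
            return False, "no recipients"
        events = self._events.setdefault(account, deque())
        self._prune(events, now)
        hour_used, day_used = self.usage(account, now)
        if hour_used + recipients > self.hourly:
            return False, f"hourly limit: {hour_used}+{recipients} > {self.hourly}"
        if day_used + recipients > self.daily:
            return False, f"daily limit: {day_used}+{recipients} > {self.daily}"
        events.append((now, recipients))
        return True, "ok"


def demo():
    """Constructed scenario: a 24-recipient message counts as 24 sends.

    alice: 24 + 24 = 48 in the first minutes; a 3-recipient send would reach 51
    and is refused, a 2-recipient send lands exactly on 50 and passes, and once
    the first send ages out of the hour window a further send is allowed again.
    bob: three 50-recipient sends spaced just over an hour apart stay under the
    hourly cap but exhaust the daily cap, so the fourth send is refused.
    """
    lim = SendLimiter()
    alice = [lim.try_send("alice", n, now=t)[0]
             for n, t in ((24, 0), (24, 60), (3, 120), (2, 180), (1, HOUR + 1))]
    bob = [lim.try_send("bob", n, now=t)[0]
           for n, t in ((50, 0), (50, HOUR + 1), (50, 2 * HOUR + 2), (1, 3 * HOUR + 3))]
    return alice, bob, lim.usage("alice", HOUR + 1), lim.usage("bob", 3 * HOUR + 3)


if __name__ == "__main__":
    print(demo())
```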
The Terms and Conditions note:
>Due to their nature, the paid Services provided by the Company are generally non-refundable and any refunds or credits given will be at the sole discretion of the Company.
Eh I guess you can reach out to the support team and ask for advice on your options.
So short version is:
If you are using the webmail client (not the mobile app or a mail client like Thunderbird) a secret key will be stored on the ProtonMail server. Thus if the ProtonMail servers are compromised and if you are using a weak password that can be realistically brute forced, a possible malicious actor that has access to the ProtonMail server can decrypt your communications.
The paper does not really say anything new though. that is exactly how it is described by Proton: https://protonmail.com/support/knowledge-base/how-is-the-private-key-stored/
I am no expert though... am I missing something more important?
I pay for priority support as well. When I asked why I wasn't getting it, they told me I should file a support ticket on their website. https://protonmail.com/support-form
While I believe they should provide priority support via email as well, apparently they don't.
u/ProtonMail you need to make that more obvious.
According to WP29 guidelines, right to portability doesn’t give to the user a right to necessarily obtain all their data summarized in a single document for example.
Access with a sufficient way to copy and/or download data should be sufficient, as long as it is exhaustive on personal data.
https://protonmail.com/support/knowledge-base/export-import-emails/
Read "Effective Spam Filtering with Encrypted Email".
> There simply isn’t any foolproof method for defeating spam. Thus, if spammers don’t know how we are blocking their messages, it makes it much more difficult for them to find a workaround. This is why we cannot publish detailed specs of how our spam filters work. It also means we cannot open source our backend server configs which contain our spam filter settings.
Edit:
It should be noted that emails sent from PM to PM are encrypted and the ProtonMail service can't analyze the content: plaintext, images and links. This can be a relevant issue, because the most powerful spam filters rely on that data to flag an email as spam or scam, where the latter can be potentially more harmful than the former. Possible workarounds*:
1. count how many emails a PM account sent, and how many of its emails were flagged as spam by the recipient PM accounts. If the ratio hits a threshold, the account can be flagged as a spammer.
2. by reporting as spam, the user could allow the email to be forwarded to PM database so they can read the content and analyze it. All at the discretion of the user.
Edit: suggestion: read Spam Nation by Brian Krebs.
* - My thoughts; so not saying it works this way.
I think it's in their privacy policy... The mail will be deleted immediately from production servers but it could be that it's still in backups for one or two weeks after that.
Edit:
> #Data Retention
> When a ProtonMail account is closed, data is immediately deleted from production servers. Active accounts will have data retained indefinitely. Deleted emails are also instantly deleted from production servers. Deleted data may be retained in our backups for up to 14 days.
I have doubts. Wanted to take survey, but haven't done it yet. I'm very unsure if is the right way to go. It just doesn't have the right ring to it. Frankly, I think it should remain as it is. ProtonMail, ProtonVPN, ProtonDrive etc. Descriptive, unique.
More than "protontech" I'm vouching for "protonsecurity" or something along those lines for cover domain, but individual services should remain on their own names.
Problem is, sometimes some messages seem to be written by competitors or people who just want to hurt the credibility or integrity of the service and influence the opinion of those who might not really know the service or IT/programming/encryption/computers in general... in these kinds of cases, which seem to happen quite frequently, I'm not shy to let the fanboy in me express himself :P Those kinds of dishonest business practices should not even exist. This seems to happen also on ProtonVPN, some competitors (which I won't name) seem to have fun making dumb comments, false statements and accusations with no foundation.
Also.. comments like: Wow man protonmail fail so much i cant *insert any ridiculous action / function that could lead to security breach here* proton is #?@$%? worthless $%?@# blablabla..
..will most likely trigger my inner fanboy too.. :P and I can't even say I'm a Proton fanboy, it's just that privacy is a topic that matters to me and it's a really big concern in this age of spying and censorship.. since Proton works to protect privacy.. I tend to be on their side
Legit and respectful questions / issues / comment deserve to have respectful answers.
Angry trolls, liars and shady competitors ..not much ;)
This is getting ridiculous. I cannot do any work right now – with 2auth codes being sent to my email. My home's internet is also down because my router routes through ProtonVPN.
Paying over $120 USD for such unreliable service is disappointing.
Everything about ProtonMail is perfect for me. I also love typing instead of or ProtonMail also has a great vpn service called ProtonVPN that I use. I also got the Humble Bundle last month for the 25$ Credits on ProtonMail.
I don't work for ProtonMail but as someone who worked as a part of a development team, I feel like I have something to contribute to this discussion.
Getting the Bridge done as quickly as possible isn't simply a question of throwing as many people as they can at the problem.
First, it's an established fact in the software world that shoving more programmers at a project can actually make things worse, rather than better.
Secondly, not every developer brings the same thing to the table and has the same expertise.
The ProtonMail web interface uses one technology. The encryption itself uses another, plus an even deeper level of theoretical understandings. ProtonVPN is a completely different technology.
To stick with the house analogy, suggesting that building ProtonVPN means the Bridge isn't a priority is like suggesting that the plumbing in the house must not be a priority because you aren't pulling the carpenters off their jobs to help get the plumbing done as soon as possible.
This question is so common it has its own article https://protonmail.com/support/knowledge-base/what-is-the-difference-between-protonmail-com-and-protonmail-ch/
Bookmark this link:
https://protonmail.com/download/current_version_linux.json
It'll have a link to whatever the latest is.
Of all the things people bitch about when it comes to ProtonMail - this is the one that grinds me the most.
It'd be so fucking simple to just make this publicly available or available to users who have a plan that supports Bridge. But they're petulant little dickheads over this issue. and every excuse they've given is shit. Honestly.
I can get onboard with the fact that calendar or drive is taking a long time, or that it took a while to get contacts right.
I can be patient as all hell while they open source aspects of their software piecemeal. Hell - as long as it's truly end-to-end encrypted, i can even be tolerant of them not open sourcing some things like maybe mobile clients or something, so they can maintain a model allowing them to sustain themselves.
But this.. this... just post the fucking URL you fucking dolts. JFC.
Using the @pm.me address is not a separate account, it's just a shortened email address for your account. (You must have a paid account to send using the @pm.me address.) https://protonmail.com/blog/pm-me-short-email-domain/
If Freda sends an email to you at and Ichirou sends one to you at , you'll see them both in your inbox.
There are no 2 accounts to "toggle" between.
I can understand the reasoning here, however, this should be communicated much more clearly on the website
https://protonmail.com/blackfriday
there is no statement that this deal applies only to new customers. Then I log into my account and see a pop-up with the exact same layout/details, but the price changed, no explanation, so this was very confusing.
Can you try to do this in a browser without extensions (or use incognito/private browsing mode)? This may be a conflict caused by the plugins you are using.
If you continue to encounter this, we would be interested in digging more into this, so please let us know here: https://protonmail.com/support-form
well if you had implemented DEVNULL you wouldn't have to worry about diskspace any time soon. just about customers who send you angry support tickets. well i suppose you could just devnull those, too... endless possibilities :D
Be aware that notifications do not sync across apps. So if you read your email in the web browser, the iOS app will still show a badge notification for unread mail until you manually open the app to clear it. It's a basic feature that they have not fixed for at least two years.
Personally, I don't recommend the service if you're looking for something polished that works well. If you just want an encrypted mailbox and willing to work through some inconveniences, then it's worth it. Don't pay full price and I'd avoid ProtonVPN, even with the bundle the price is not worth it.
To be fair, there is no reason why someone shouldn’t “pay on time” and expect their life to move on smoothly. If we don’t intend to pay, we should cancel that subscription and make alternate plans.
I have a lot of problems with ProtonMail, but this isn't one of them.
I use PM and PV both. I have a combined payment system. In fact, I still stick with PM because of the VPN. The country that I live in blocks most VPNs including the famous ExpressVPN which I used for years. But PV finds a way to work. Always! So I’d give it a big thumbs up.
Proton Technologies AG is ProtonMail. It's just the parent company for legal reasons, no unknown people behind that.
It's also the parent company of ProtonVPN. And will likely be the parent company of ProtonDrive once that's out as well.
Something doesn't seem correct here. We don't typically block accounts without warning for payment issues. There is a two week grace period and we also send two past due notices. The only time you get blocked without warning is in the case of banking fraud (credit card chargebacks).
Regarding your second question, Proton accounts are linked by default. Today it is just ProtonMail and ProtonVPN, but in the future with ProtonDrive, ProtonCalendar, etc, the link will also remain, since it makes it easier to just log in once to ProtonX and be logged in also to ProtonY. A lot of people also like this system because we apply bundle discounts, so if you have both paid ProtonMail and ProtonVPN, you get 20% off on both.
However, we don't force this linking, so you can in fact opt-out of this by creating a separate account for ProtonMail and ProtonVPN. It means you have two different logins, but now your accounts are also fully separated. So we never force you into the situation where non-payment of one service leads to the suspension of another, but if you use a linked account, then this necessarily will occur because the billing is integrated across all systems also. But again, it is possible to opt-out of this by making two accounts.
We have edited to include ProtonVPN now, although technically, ProtonVPN is authenticated differently as we use separate OpenVPN credentials when communicating to VPN servers, for security reasons. If we go into more detail, native clients use ProtonMail credentials to retrieve the OpenVPN credentials which are then used for communications with the VPN servers themselves.
For ProtonDrive, we haven't made a final decision on how we will do authentication there, so we can't say for sure yet.
Right now, all data is in Switzerland, but we are always exploring all possibilities, and Iceland is also looking like a really good option, so we are keeping that possibility open. We already have servers and network there so it would be easy to extend to Iceland.
That company only checks for compliance on a specific page and probably doesn't know much about ProtonMail to offer a better rating. See the ProtonMail GDPR Compliance information for how they achieve it.
They have a blog post about the introduction of it in case you haven't read it: https://protonmail.com/blog/elliptic-curve-cryptography/
The post includes a link to an explanation of how both RSA and ECC work, which you may find useful when deciding which to use. Neither RSA nor ECC is without any flaws, but ECC seems to be the better option for most users since it offers comparable or better security but takes fewer resources to use.
Regarding labels and folders, we provide labels because they can do everything folders can do, and more. Labeling a message and archiving it at the same time achieves the same functionality as a folder, and you can even set ProtonMail to automatically archive messages that you label. Filters can also be used to automatically label+archive incoming messages. Labels are more powerful than folders because you can have more than one label on a message.
Regarding pricing, ProtonMail isn't designed to be the lowest cost email service, for that, there is Gmail. Our focus is security and privacy without compromises. Like most high-end Swiss products, ProtonMail paid plans will not be the cheapest option. Our pricing page describes why we tend to be more expensive: https://protonmail.com/pricing
That said, ProtonMail is not expensive, at $4/month. This allows us to deliver a higher quality service that includes key features for usability, security, and reliability:
Usability: Advanced search, conversation view, native/fast mobile apps
Security: Two factor authentication, OpenPGP standard (peer-reviewed), Swiss-based, SRP authentication (authentication, not crypto weaknesses, are the most common email compromise point)
Reliability: Staff of over 20 means all technical positions are redundant and we can operate a 24/7 network operations and emergency response team
You can use your own encryption with the likes of https://cryptomator.org/ or https://www.cryfs.org/ for cloud stores, that way you fully control the key locally not depending upon anybody else to encrypt for you. No need to wait. You can even aggregate multiple cloud stores for even more storage and encrypt it yourself this way too.
For me, it is.
I pay to use my own domain with Protonmail.
I bundle ProtonVPN.
I only use the web UI or the mobile app.
I also still use my various gmail accounts for most non-critical stuff, because honestly nothing beats gmail when you're not factoring in the privacy implications.
I don't use proton calendar, drive storage, or contacts. It's explicitly just email for me.
> When I pay for 1 year service it's 1 year service not 1 year service + another years without your knowledge or permission. It was clearly standing in ProtonVPN Plus 1 year service.
Oh, looks like you're with the wrong provider then. Because the ProtonVPN I know doesn't offer a VPN service that goes for a single year, but only a service that you can subscribe to which costs $96 per year.
It's clearly stated in their terms and conditions. Read them. Now cut the crap about it's their fault and learn your responsibilities when subscribing to services or deal with it when they cut the service if you don't.
Wow, this is mind-numbingly stupid. It's inexcusable that ProtonMail would set up their billing system like this.
Thanks for the heads up. I'll be sure to never buy ProtonVPN as I can't risk something like this happening.
ProtonMail has made so many empty promises over the years, and I'm really getting tired of it. I'm strongly considering dropping the service entirely. Seeing how their horrendous mismanagement extends from their service development to their billing system is just another reason to leave.
ProtonMail, please get your shit together.
Well any email provider you use is gonna comply with government requests. They're businesses after all, they don't exactly want to be shut down.
The benefit of ProtonMail is that they can provide very limited information, I think just your IP address. The content of your email is encrypted at rest with client-side encryption, so they won't be able to access it anyway. It's also encrypted in transit if you use PGP or you're talking to another ProtonMail user.
If you want increased privacy, you can use ProtonVPN, which has a no-logging policy I believe, or any other VPN you want. ProtonMail also has an onion link if you want to use it through Tor.
You have to keep in mind that email is inherently insecure, and providers like ProtonMail, Tutanota, CTemplar, etc are pretty much trying to make the best of a bad situation by giving you encryption and PGP built-in. For proper secure communication you'll need to use Signal or other end-to-end encrypted messengers.
https://protonmail.com/support/knowledge-base/delete-account/
> Please note that once your account is deleted, there is no way to recover or recreate it. We do not recycle usernames, which means the same username will not be available in the future.
There is actually a direct business support team and a way to contact them, but it is not publicly posted to avoid getting swamped. If you contact https://protonmail.com/support-form, you can receive the direct contact information, as it will get escalated to the business support team.
https://protonmail.com/blog/2018-recap-future-roadmap/
"For ProtonMail, our ambitious goal is to launch version 4.0 (with encrypted search), conversation view and multi-user support on mobile, and an encrypted calendar in 2019."
Contact them via the other way, let me google that.
https://protonmail.com/support-form
Time taken to Google: about 20 seconds, never used any proton product before. (But I am a programmer, my key function is to Google things until I get a program running and copy paste code)
Edit: also let them know the bug report itself is not working, they also want to know that, I'm sure. Perhaps they were praising themselves over doing a good job, due to so few bug reports. I can only imagine the sadness upon finding out that this was not the case, this sadness will grow more pressing every second this situation goes unreported.
ProtonMail's public security roadmap can be found here: https://protonmail.com/blog/secure-email-roadmap/
By the end of this year, when we get most of the way through our 2016 roadmap, most of the issues in the article will have been resolved.
However, we have an even longer list of additional security improvements we are going to make in 2017. We view security as a moving target that requires constant improvement as the threat landscape evolves. We have seen in 2016 that both state actors and cybercriminals are getting more sophisticated, so we are already doing work to defeat the next generation of attacks.
Thank you for pointing this out. We do not limit the bandwidth of your connection, therefore the speed is influenced mostly by the server load and server distance. Naturally, the basic servers can be more crowded which can result in a slower speed. Thus, ProtonVPN Plus users have the highest performance because they have access to Plus servers which are only accessible to other Plus users and because many of the Plus servers are on 10 Gbps networks.
We simply develop things in a different order. We put more emphasis on security (address verification, SRP authentication, PGP support) and anti-abuse (more focus on deliverability, spam, not getting blocked by other services), and certain features such as IMAP support (via ProtonMail Bridge), import/export tool, threaded views, etc.
Because we have many more users, we also need to place more emphasis on growing infrastructure and bypassing attempted blocks in various countries (e.g. ProtonVPN). Our calendar efforts are actually very far along though. It is being built using our new 4.0 design system, which is why we are waiting for 4.0 beta this fall to release it.
I am currently studying in Shanghai and for me it works pretty fine. I use it as App on my phone and via bridge with the macOS Mail app. The website via browser is blocked but with VPN it’s accessible (ProtonVPN ftw). App on the phone even works without VPN...wouldn’t recommend it though. I haven’t tried out via bridge without a VPN so I can’t tell if that works.
All traffic is TLS encapsulated, so it cannot be read by internet providers.
How the traffic routes depends a lot on your ISP, and is not something that we can really control.
If this is something that you're worried about, we recommend also using ProtonVPN, or connecting through our Tor gateway.
ProtonMail does a good job (they manage to keep me coming back, and I am a very very indecisive person). However they are notoriously slow in delivering even new, seemingly minor, features. Look at how long it took them to implement . As an alias it's treated as a second class citizen. Although I don't blame them this time for implementing so hastily; this crowd is rabidly foaming at the mouth for new features (myself very much included).
Don't hold your breath on ProtonDrive. It will take quite a while to implement. Please also don't expect it to be quite so inexpensive. Such a service will be rather costly, and rightfully so. It will take quite some effort to create a service that lives up to Proton's quality standards, as well as being adequately secure.
I believe that the best way to speed development is for more people to sign up for the paid service. For that we need Proton to focus more on stability, usability, and overall quality of service. They are already mostly there, and it is quite wonderful. If the service can be made solid enough of an offering for the average user, they can sign up more people, and therefore obtain more funding. If this is to be the case, they need to focus on improving the existing products; Mail and VPN. I for one will continue to roll my eyes at the continuous begging and pestering for new features.
I want Proton to focus on the existing products. Absolutely. They need to be putting their effort into that right now. I also like to pass on my commendation to /u/ProtonMail, and /u/ProtonVPN. I have been frustrated in the past, am currently frustrated, and will likely continue to be so in the future. But the product is already very very good. Refinement is key, IMO. Please keep up the good fight; for all of us.
For the first question, both addresses are admins.
As for the second question, we don't always run at a profit every month as sometimes we'll make strategic investments (e.g. ProtonVPN), but we generally always maintain 12 months cash reserves and will be close to break even over a 12 month period.
In general, if we turn a significant profit, we're doing something wrong and not growing the team fast enough to speed up development.
Hi! Please note that the Import/Export app is currently in beta and unfortunately some errors are expected. Our team is actively working on resolving these issues with one of our next updates for the app. Could you please open a ticket request with our team so they can further look into this issue https://protonmail.com/support-form
I use multiple addresses on the same subscription (including my own domain) and have the option to use combined or split addresses mode. More here.
The method you mention (+ sign) is already supported:
https://protonmail.com/support/knowledge-base/addresses-and-aliases/
True. Some is open source though, and there's also a plan to keep open sourcing most of their code base.
Also, being an open company isn't about having 100% open source software, it's just way bigger than it. As I said in the post, it gravitates around three core principles: openness, transparency and interoperability. I believe that ProtonMail, while still having room for improvement —as every other company does—, are very strong in all three fronts.
But it's great to read different opinions! Thanks for your contribution.
It's not the job of an email platform to do that, plus it's not a good idea to assume that everyone would like that being the default behavior for every user.
The one tool I can recommend is ExifCleaner. It's free, open-source, and has a version for basically all operating systems.
It is possible to combine accounts, but a little tricky, you'll need the help of support. See here: https://protonmail.com/support/knowledge-base/combine-accounts/
Yup, ProtonMail works in the exact same way as Gmail in regards to using a period (.) or plus (+)
To send an encrypted email to a non-ProtonMail account you need to encrypt the message using a password. More info here: https://protonmail.com/support/knowledge-base/encrypt-for-outside-users/
Version 3.11 Full Release Notes
New Features
Bitcoin Payments
Credits Top-up
Spanish Translation
Improvements
Improve signup
Add professional plan to sign up process
As always, your feedback is very much appreciated. Please report bugs using ProtonMail report bug feature, or send us a support request here: https://protonmail.com/support
Hi everybody, Lifetime accounts are in fact transferable and resellable. Details here: https://protonmail.com/blog/black-friday/
Buyer and seller need to contact us at . Transaction can be done directly between buyer and seller, or we can also facilitate it.
We agree there is no such thing as 100% security. If anybody ever tries to pitch you a service claiming to be "completely secure", run away, quickly. It's important to define the threat model which we have done here: https://protonmail.com/blog/protonmail-threat-model/
> Given the power of metadata and given Protonmail's current position on not encrypting metadata coupled with their recent blog post in which they came out in favor of Net Neutrality
I really don't see how being supportive of net neutrality has anything to do with what you are saying.
> Other encrypted email providers such as Scryptmail encrypt everything end-to-end including metadata
I can't find anything saying that ScryptMail encrypts metadata end-to-end. And there is a good reason for it. If you do that, you break compatibility with the email ecosystem completely. Email was written at a time when security was not "needed", and it shows. PGP secured email is basically (an elegant) "hack" to secure what could be secured without compatibility issues, namely the plain text. The provider needs to be able to read the metadata in plain text to know who to deliver the email to. There are definitely arguments to encrypt it at rest, as well as arguments to not do it. There is a privacy gain there, but it boils down to "trust us", since there is no math to guarantee privacy in the same way as it does for the message body, and whether a person thinks that privacy gain is worth the problems that come with it.
If you don't want to leak any metadata, classic email is not really what you should look for. You need another protocol built from the ground up to provide both privacy and anonymity. You could take a look at Tox or similar onion route based services, but it will sadly not be compatible with any existing chat/email services.
”Protonmail doesn't have a limit”
This is not correct.
Both ProtonMail and ProtonVPN free plans offer limited service to encourage upgrades. You can learn the differences between plans by visiting their websites.
This. Perfect example is Private Internet Access. They were taken to court to divulge information twice and both times said they don't have that information on record. Simple as that.
Could the US government in theory force a company to start logging? Sure, but I can bet you it will likely result in a landmark SCOTUS decision. We see the US government using that kind of force in big cases like Snowden or the 2015 Apple vs FBI saga, but for climate activists? It's probably not going to waste its ammunition to get a bad verdict handed down either.
So this is why I do think it's a legitimate concern that Swiss law made it so easy to force a company to log.
I am in the same boat as you. I’ve been on their side for a long time but it’s been far too long for basic features like you mentioned.
Unfortunately, I will be going back to iCloud for mails, contacts and calendar for the sake of convenience. Maybe I’ll just keep ProtonVPN.
This is somewhat missing the point of the debate. Proton is a supporter of F-droid, and indeed the ProtonVPN app is already on F-droid. But F-droid likely has less than a 1% market share, so for all intents and purposes, on Android, the Play Store is a monopoly.
Coming back to Apple, the problem here is not that there isn't an alternative to Apple's app store (although that is indeed the case), and we are also not asking for an app store alternative.
The problem is also not that Apple is charging 30% fees for their own in-app purchase system, and we are also not asking that governments regulate the prices Apple can charge.
The problem is that they allow no other in-app purchase system, in effect preventing the market competition which makes capitalism work.
So what we are asking for is competition in mobile payments in the app store. This way, the government doesn't actually have to regulate the prices that Apple charges. Instead market competition will determine the price.
Without this, capitalism does not work, and we all suffer as a result.