I've been using protonmail/vpn for a few years now. I've had nothing but positive experiences. That said, I think its healthy to question any business, especially those that claim to care about your privacy. I'm curious to hear what signals you've picked up on.

Is this post two years old? If so I think we can wait a long time for a reply from OP. I too would like to know what signals they picked up on.

Protonmail is just the "latest" (it's been open for a few years now) in the technocratic "online privacy" bubble. They probably willingly give backdoors to the NSA.

Basically they sell you the peace of mind, not really any actual security as far as anyone can tell. Until their code is open-source and can be independently reviewed, it's worthless. That they are based in Switzerland doesn't mean much because backdoors are meant to be secret. Like in any other country, there is no official organ in Switzerland that will evaluate your app and say "yes, this app is secure. We give it five stars". However if you find they don't respect Swiss law you have to open a lawsuit, retain a Swiss lawyer, travel there for the court date, and at that point you start to realize they're based over there more to protect themselves than you.

There has been another encryption company operating since the 50s in Switzerland that was somewhat recently found to just be a front for the CIA. So clearly being based in Switzerland is not a gage of quality.

Their support of the Hong Kong protest was also kinda suspicious because as far as I'm aware, they've never been that interested in any other event. And it wasn't just a press release that gets picked up by a few hobbyist magazines; it was a full-length email sent to every protonmail customer, even those like me who hadn't used their account in years.

I also just read that ProtonMail would start using Google infrastructure. While the actual usage of Google's services would be "limited", again Proton does not explain the exact nature of this partnership and which services will be routed through Google.

I don't believe there is any way to be completely secure on the Internet unfortunately. Snowden showed how far backdoors run. So whether you want to keep using protonmail is up to you, but outside of a decentralised p2p system, I don't think we could fully be anonymous and secure. Maybe though it would be possible to open your own email service -- you just have to rent a space on a shared server like you would when hosting a website, and then encrypt it if possible... or open your own mail server in your basement lol. Email doesn't consume a lot of resources.

If your threat model is "corporations spying on me and profiting from my private data" then it is good option IMHO. If your threat model is "a three letter agency is after me" then don't use e-mail.

So what are those signals you picked up? I am curious since I am a PM customer.

I've been using Mullvad VPN for about 5 or so years now and it's been really great.

Very privacy centric - your account holds no personal information, it's just a randomly generated number that you keep saved somewhere, and it's really only used for payment.

It's very reasonably priced as well - I just keep it on autopay, and every year it charges the €60 to my PayPal - but you have a lot of options for payment - including crypto and even cash!

I literally purchased 12 months of Proton VPN last night and this is one of the first posts I see today. Glad this is an old post and happy to see new positive responses.

The most concerning part about ProtonMail/VPN is that their funding came initially from the feds and many big names in Silicon Valley. Would you trust that combination of "donors" sponsoring a service that's supposed to protect your privacy?

Lookup Mullvad. It's a great VPN. No gizmos, no bells and whistles, and more importantly: it has been audited frequently and their client is open source.

For email I suggest getting your own domain name. That way you can easily change provider without having to tell all of your contacts to use a new email. I don't know about all domain providers, but some provide email addresses for free with all the domains that you bought from them. It's a really good and way to have an interesting email address, and not be dependant on any tech giant.

I personally gave up on the idea that my email will ever be secure, so I just try to use a provider that seems trustworthy, and avoid using it for anything critical. The email providers that tell you they encrypt your emails don't really improve anything in terms of security, given that they have access to the clear text email before they encrypt it. It's even worse if they offer a web client, they could steal your keys anytime.

There are solutions (PGP), but they are really niche and don't provide some critical security aspects like Forward Secrecy. If you want your communications to be truly secure, use a system that was built for that (Signal, Matrix, etc.. all provide pretty decent security way ahead of whatever you'll get with email).

a step forward from Google, or is Protonmail just as bad

i would say it is a step forward but how much depends on your use case. if you are encrypting all your emails, protonmail allows you to do so with the body of the email (but NOT the headers). there are other providers who make this as easy. tutanota even encrypts your entire email, subjects and senders included but they recently had to comply with a court order to store new incoming emails for a certain user unencrypted.

when it comes down to it, any secure communication should not be done over email. you can always encrypt the body of the message yourself but the sender/receiver information and subject line will not be encrypted.

an alternative vpn would possibly be mullvad. the people over at privacytools also recommend ivpn so that's another one you could look into

I would suggest you Disroot and Riseup for e-mail and Riseup for VPN.

Other VPN alternatives (Though IMO Mullvad is the best) are: AirVPN (Italy), iVPN (Sweden). AirVPN are vocal critics of Wireguard though, they think it hasn't been battled tested so they won't offer it.

I don't know much about protonmail and tutanota, since I don't like that you need your contacts to also use the same provider in order to have the easy encryption they offer (so no federation), and it's not much different than using any email provider and an email client which uses GPG encryption, or PGP encryptions for that matter (I prefer GPG), given the provider is not one of the giants, and not based in the 5 eyes or extended 5 eyes (in this case that really counts, given most of the email one receives is NOT encrypted, since not everyone uses GPG/PGP encryption). Enigmail used to have an option to full encrypt (included subjects) emails on Thunderbird, and I think the new Thunderbird encryption does the same (just that it doesn't use GPG anymore, and other subtleties).

If not self hosting (as mentioned by others, keeping your service and host secure and safe when opening it to the internet is hard to accomplish), using /e/ email service might be an option, as long as you encrypt as much as you can what you must. But even encrypted emails are not as secure and private as messengers designed for that purpose. So I wouldn't use email for confidential or personal stuff, or use it as little as possible, and GPG encrypting of course. And if going the GPG route, you should use ed25519 (elyptic curves) keys, same way those are the recommended ones for ssh keys, but the problem is that nothing forces your contacts to do the same, and they might use weaker keys...

I heard Tutanota is worser. But I been a long time customer of Proton, since they started. Its been great for me.