Being based in Switzerland or wherever else is NOT a panacea when it comes to privacy.

They're still vulnerable to hacking attempts (which CAN be state sponsored and have lots of resources!), zero-day vulnerabilities, illegal warrants and soapenas from the host country, regieme changes, and the company being sold.

Frankly, with correct end-to-end encryption you should be comfortable with the service provider storing everything and personally handing over the data to the NSA, MI6, and the North Korean government without ever fearing your privacy being compromised.



@sir end-to-end encryption doesn't protect metadata (sender, recipient, timestamp, size). One may not want the metadata of their communication to be collected by NSA, MI6, BND, GRU, and the Chinese government.

@sir it is data after it is collected.

Like, when you send an encrypted message from point A to point B, you don't include the "I just sent a 100KB message from point A to point B". It is an observation the attacker makes by watching the network.

So it makes sense to pick networks which are less likely to be watched, right?

@wolf480pl metadata is just data. If you send an encrypted message with point A and point B attached, you have given them the following data:

- Timestamp
- Point A
- Point B
- Message size

So you need mitigations for these things, like padding for message size, or onion routing for obsfucating point A and point B. Or, you need to be aware that these trade-offs are being made, and decide what information can be gleaned from your data. Which metadata is included in.

@wolf480pl @sir If metadata’s a concern, install i2p or GNUnet on your VPS, and just hope that your computer adds it as a peer. (You can’t make it only a peer for yourself, without the VPS doing timing analysis on the network activity.) But keep in mind that even if we leak metadata, if they can’t get at our most intimate secrets, then they’ll lose power over us overall, and so won’t have the power to use our metadata against us.

@cy @sir
ok, how about some middle ground for my normie friends?

@sir on a related note do you think that Tutanota is better than ProtonMail in any of these regards? Or do you think they’re about the same.

I saw you mentioned Migadu. How are they different from ProtonMail in the “privacy is based on math” regard? If you can’t be arsed to explain because you have already (understandable), could you point me to that explanation?

@net I don't think ProtonMail and Tutanota are functionally different

Migadu doesn't make false promises, it leaves most of the privacy to you via PGP or whatever

@sir @net But, safe to say that ProtonMail is better than say, GMAIL? ProtonMail could care less about the content of email, whereas Google's whole business model depends on the data. Not bulletproof, but a bit better than leaving the door wide open.

@cylb @net

I would recommend neither gmail nor protonmail and neither should you

@sir @net I totally agree that "Being based in Switzerland or wherever else is NOT a panacea when it comes to privacy.", but managing an email server (if that is what you meant?) is just not in my wheelhouse. What would you recommend? (And apologies for whatabouting you! I genuinely am trying to figure things out)

@sir @net That looks like something I could do. I shall give it a try. Thanks Drew.

Migadu vs ProtonMail 

Migadu vs ProtonMail 

Migadu vs ProtonMail 

@sir and then there is also the issue of data that is possibly relevant so far into the future that current cryptography can reasonably be expected to be obsolete by then. Health data on chronic diseases for example. Stuff that can tell something about your ancestors. Yet governments around the world seem awfully hyped to store it digitally.

@sir @traubenuss well, I can't english today. Obviously I meant descendants, not ancestors.

Sign in to participate in the conversation

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!