Deeply disappointed in @ProtonMail lately. I have been really glad about their existence, and have even tried to stay positive with the later issues, but turns out they sent @njal_la a demand for getting private user data, because someone wrote about them badly.
Can’t say I’m surprised, they’re an “AG”, which means they’re beholden to increasing shareholder value and nothing else. It’s eminently rational for them to act similarly to corps with the same “fitness function”. I mean, even the threat model they “protect” against is not one I find particularly convincing (it’s a key escrow system, but the entire “trusted” part happens inside either the ProtonMail-controlled JavaScript or in a ProtonMail-delivered binary; in both cases they are in a position to deliver tailored or blanket key exfil attacks unless you very carefully screen the JS or binary every time you download it, which seems unlikely given the target demographic of can’t-be-arsed-to-install-gnupg-themselves… Frankly it stinks to high heaven of being a Crypto-AG-style honeypot)