[Info] ProtonMail seemed great, but lately...

hono · November 5, 2021, 3:58am

*May 2021

[Security and GDPR Issue] ProtonMail includes Google Recaptcha for Login, every single time.

opened 02:29PM - 29 May 21 UTC

closed 12:46PM - 11 Aug 21 UTC

Description: A recent change over the course of the last two weeks led to re-…visiting, re-logging-in users. Recaptcha is now injected and compromising a machine's identity on every single login; especially so if cookies are deleted afterwards to preserve user privacy. Steps to reproduce the behavior: - Use any adblocker of choice (e.g. uBlock Origin with Cookie Autodelete) - Go to https://mail.protonmail.com/login - Find out ProtonMail is using Google Recaptcha, compromising privacy of all its already registered users. Expected behavior: As a project/company that was founded as an immediate response to the Snowden Leaks, which revealed that the Google PREFs cookie is literally how the NSA tracks users across the planet, I find this very absurd to see. I understand that there's intention to lower the rate of spammer accounts in the Registration process. But reoccuring users that have -TWO- passwords to identify themselves with should not need to re-identify themselves as a human. And especially not with an unethical service such as Google that seem to not respect any privacy laws that are applicaple in the European Union. To be honest, this issue is for me a reason to change services; and I feel betrayed in the sense that I as a crowdfunding campaign sponsoring user think that this is a serious breach of GDPR law. I'm a European citizen (from Germany) and I never agreed to share any information with Google. I also understand that other Recaptcha using services are necessary when ProtonMail would face lots of TOR traffic (which actually would also endanger journalists abroad btw). But this web traffic was received by ProtonMail without any Proxy in between, from my ISP's geo-ip-confirmable IP. Currently, if ProtonMail continues to deanonymize its users by including Google's Recaptcha code, I cannot recommend ProtonMail as a service to anyone anymore. - OS is ArchLinux - Browser is Ungoogled Chromium (latest) with uBlock Origin and Cookie Autodelete. - URL is mail.protonmail.com **edit:** I wanted to clarify the narrative that ProtonMail tries to make. This Captcha appeared **AFTER** I entered the correct password for my login, and **AFTER** I entered the correct password for mailbox decryption. After clicking through three almost unsolvable captchas, I was led straight to the Inbox view. This was no anti-bruteforce measurement. This was no anti-credentials-stuffing measurement. This was a false positive in classifications by IPv4 (as I have an ISP that shares their IPv4, as all customer hardware uses IPv6 primarily) (read below to what I think can be done to help mitigate this problem).

*Sept 2021

*Oct 2021 ( .onion link )

ana · April 2, 2022, 10:20pm

Si. Detienen a un activista francés gracias a su IP: fue entregada por el servicio de correo cifrado ProtonMail tras una orden judicial

Some advice in Spanish ana😈: «#proton #protonmail : los de protonmail facilitar…» - Mastodon NoBIGTech If you don’t understand just follow the links

hono · September 24, 2022, 11:28am

Proton - some options you might want to check
Gear Icon (right top) > Go to settings > Account > Security and privacy

*Security logs = sounding like a good thing but it records your IPs and login time like a surveillance camera.
*Privacy and data collection = I really dislike those “They’re just optional. You’re free to opt out!” excuses, with opt-out settings are indeed somewhere but hidden in hard-to-find, weird places. Ask first, and do that only if the user agrees, rather than secretly enabled by default…