Make things more clear in privacy policy

Misinformation spreads very fast on the internet and there are lots of idiots who don't want to research for themselves. Today I was browsing r/privacytoolsIO (it was good, it's shit now - lots of new users).

^ attached image

link: https://old.reddit.com/r/privacytoolsIO/comments/d0a5im/protonmail_or_disroot_free_versions/
archive: https://web.archive.org/web/20190906161904/https://old.reddit.com/r/privacytoolsIO/comments/d0a5im/protonmail_or_disroot_free_versions/

So basically they think disroot stores emails in plain text (which is true), but they didn't read section 1.5 of the privacy policy, which states that full disk encryption is used. Also, that comment states that even Google doesn't do that, which made me think it was about FDE, because Google also stores emails in plain text. Maybe this should be mentioned after 5.5 and 5.6 (asking users to read 1.5).

Those comments have around 10 upvotes, so >10 people think disroot stores email in plain text (which is true) without FDE (false).

I would've replied directly, but I don't have a reddit account. If possible, can someone point them to section 1.5 of the privacy policy or to this post?

People like that won’t be convinced though. Their favorite ProtonMail doesn’t even support mail clients, stores metadata forever, admits to direct surveillance, redirects their onion domain to clearnet (lol), and requires either SMS confirmation, a donation, or a secondary unprivate email to signup (Riseup is blocked for example). Reddit isn’t a good place for privacy discussion or advice (learned the hard way). Disroot should focus on itself.

And also, since we can download the e-mails to our mail client, it shouldn’t even matter if Disroot stores them unencrypted. How fast does the deletion of e-mails from the server happen? Is it possible to make it do that immediately after downloading?

digdeeper @ 2019-09-07 04:37 UTC:

https://old.reddit.com/r/privacytoolsIO/comments/d0a5im/protonmail_or_disroot_free_versions/ezc3i1h/

> People like that won't be convinced though. Their favorite ProtonMail doesn't even support mail clients, stores metadata forever, admits to direct surveillance, redirects their onion domain to clearnet (lol), and requires either SMS confirmation, a donation, or a secondary unprivate email to signup (Riseup is blocked for example). Reddit isn't a good place for privacy discussion or advice (learned the hard way). Disroot should focus on itself.

I didn't start this thread to discuss why protonmail is bad, why so much hate?

> And also, since we can download the e-mails to our mail client, it shouldn't even matter if Disroot stores them unencrypted. How fast does the deletion of e-mails from the server happen? Is it possible to make it do that immediately after downloading?

I guess disroot does weekly (?) backups, which will have your emails if not deleted. AFAIK the server doesn't delete emails when they are downloaded with POP; the client has to send delete flags after downloading them.

-- Lugubris
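As an added illustration of the POP behaviour described above (my own example, not code from the thread or from Disroot), this toy Python model of the RFC 1939 TRANSACTION and UPDATE states shows that RETR alone leaves mail on the server, that DELE only marks a message, and that the marks take effect only on a clean QUIT. The class and function names are my own and the maildrop contents are constructed.

```python
# Toy model of POP3 TRANSACTION/UPDATE states (RFC 1939). Constructed example, not
# Disroot's server code: RETR downloads without deleting; removal needs DELE + QUIT.
class Pop3Mailbox:
    def __init__(self, messages):
        self.maildrop = list(messages)  # server-side store, 1-based numbering
        self.marked = set()             # message numbers marked by DELE

    def retr(self, n):
        """RETR: hand the message to the client; nothing is marked or removed."""
        if n in self.marked or not 1 <= n <= len(self.maildrop):
            return None  # -ERR no such message
        return self.maildrop[n - 1]

    def dele(self, n):
        """DELE: only marks the message; removal is deferred to the UPDATE state."""
        if n in self.marked or not 1 <= n <= len(self.maildrop):
            return False
        self.marked.add(n)
        return True

    def rset(self):
        """RSET: unmark everything; the maildrop is untouched."""
        self.marked.clear()

    def quit(self):
        """QUIT from TRANSACTION enters UPDATE: marked messages are now removed."""
        self.maildrop = [m for i, m in enumerate(self.maildrop, 1) if i not in self.marked]
        self.marked.clear()
        return len(self.maildrop)

    def drop_connection(self):
        """Connection lost before QUIT: marks are discarded and nothing is deleted."""
        self.marked.clear()
        return len(self.maildrop)


def fetch_all(box, delete=False, clean_quit=True):
    """Client behaviour: RETR every message, optionally DELE it, then QUIT or drop.
    Returns (messages downloaded, messages still on the server)."""
    downloaded = 0
    for n in range(1, len(box.maildrop) + 1):
        if box.retr(n) is not None:
            downloaded += 1
            if delete:
                box.dele(n)
    remaining = box.quit() if clean_quit else box.drop_connection()
    return downloaded, remaining


# Constructed sample maildrop (three short messages).
SAMPLE = ["Subject: one\r\n\r\nhi", "Subject: two\r\n\r\nhello", "Subject: three\r\n\r\nbye"]
```

A mail client's "leave messages on server" option corresponds to `fetch_all(box, delete=False)`: the download itself never removes anything, so what stays on the server (and in its backups) is decided entirely by whether the client sends DELE and then QUITs cleanly.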

There will always be some people complaining; there is not much that can be done. Claiming that even Google doesn't do that (via the screenshot) just shows how little people know about how email works in general. No matter what we write (we wanted to be clear and transparent about the fact that emails are stored in plaintext, which most other email providers do not even specify).

That said, we will be reviewing our privacy policy soonish (I think work on version 1.2 has already started), so there will be more information. Not sure it will please 'those' types of people, since it will reveal more information on what is and isn't stored in plaintext on the server.

Protonmail pretends to support your privacy but in reality doesn’t. I only mentioned it because the thread compared it to Disroot.

I don't know if it has changed, but the ProtonMail app requires a Google account and the Google Play apps.

For the encryption part, they encrypt every user's data, which is done with something like eCryptfs. This is why you have two layers of authentication.