I just came across these "disturbing facts about proton mail". Let's say, hypothetically, that I administer a small org that now wants to move away from proton.
I guess I should just learn pgp, but that would be a tough sell for any boomer members.
EDIT: thanks for all the responses! It seems like my intuition was correct: email is inherently insecure, and proton is no worse than other email providers insofar as you don't let their marketing cause you to drop your guard. If it's illegal, keep it offline.
What is your threat model here? You need to figure that out first imo.
I think email will be too difficult to do securely; PGP is difficult. That brings you to IM, in which case I'd say Signal (far easier and more reliable) or some Matrix client (more private).
Signal gets a bad rep sometimes but they have published multiple court orders that show they hold next to no information on their users: https://signal.org/bigbrother/
Its main issue is you need to share phone numbers.
This is roughly what I'd recommend, though I'd HIGHLY recommend setting up communications in such a way where the server is in the physical custody of the organization. This limits the spies to monitoring data in transit, whereas if you're hosted on something like AWS they can image the machine any time they want without your knowledge and collect data at rest.
PGP is probably the best tool available for email, but as you mentioned it is complex, and it is also not a panacea (however, it is not brain surgery. I recommend everyone learn how it works). I'd save email for correspondence outside the organization (newsletters, media contact, public inquiries, announcements, etc) and handle all internal communication using something that isn't burdened with 50 years of technical debt.
This leads me to recommend a private, non-federated Matrix instance, or something along those lines. Again, running on a machine in the organization's custody, so you can wipe that shit like Hillary Clinton the moment you start feeling suspicious, or spirit it away to an unknown place if the information absolutely must be preserved.
Except they have to furnish metadata to LEAs upon request, which is all that is needed in most cases.
Did you click the link? The metadata they have is:
This is all they provide LEAs when they're told to, because it's all the metadata they have on their users. That's what the link shows.
There's good basis to doubt their claims. I use Signal, but I'm still careful.
Nothing in that link provides a reason to doubt ~~their claims~~ the proof. Ultimately, there is one thing worth considering: there is a reason why LEAs bypass the messaging app completely, and instead use vulnerabilities in phone software to get the messages instead. It's not Signal you should be careful about, it's everything else.
Lol I show you evidence that signal was funded by extremely shady alphabet agency connected sources, and you show me some sternly worded letters that somehow make federal warrants magically disappear, calling it "the proof".
Listen, I don't know shit. I don't know if the author that I linked, as well as all of his sources, have an axe to grind with Signal, or what. I'm just saying I don't trust them and I don't think anyone else should either. I use Signal, cautiously.
And yeah, I'm running graphene, I'm aware of phone vulnerabilities and I do what I can. I have friends who know way more about this than I do, but nothing is perfect.
Interestingly the author is the same guy who wrote Lemmy (well, half of the team, it's Dessalines), small world