
Be careful when companies market themselves as Swiss or that due to them being located in Switzerland means there is some extra layer of security or privacy.

Sure, it's a more stable country than many other countries in the world, but not much different from most EU countries for example. And privacy wise there is no difference.

Also be aware of the fact that many companies market themselves as Swiss, but all it means is that they have a head office in Switzerland for tax reasons. In one example, it's a cloud storage company: they say on their marketing page and their about page that they are based in Switzerland and under Swiss law, but if you look at the legal pages, the company you sign up with is actually based in Bulgaria. Their servers are based in Texas, USA and Luxembourg, Europe, and their development team is in Bulgaria.



What, you mean those landing pages with that majestic snowy mountain don't automatically mean robust security and unparalleled privacy? My life has been a lie...


I thought those impenetrable looking mountains were part of their datacenter defenses.


Nope, that is what you need to scale to reach their customer support.


So this is what scalability means.


Scale vertically, literally.


China-Email: Would be interesting to buy email hosting from a super secure email service based out of China. Basically a "trust in math" approach where they operate despite adversaries. With huge claims on the website:

- No physical security: our offices don't even have locks

- Pro-crime-CEO: our CEO is a known (and future) criminal

- Political: we seriously try to read your email for the cops but we cant :(

- None of that matters because our protocol is open source, blockchain enabled, and it doesn't matter if you trust us at all.

Seems like a joke but you get my point. In God we trust, for everyone else use math.


> - Pro-crime-CEO: our CEO is a known (and future) criminal

Best to not have employees if they know the CEO is pro-crime. I mean, why not eBay all of the company's equipment on my personal account? Just toeing the company line.


Even people who are pro-crime tend to be anti-being-a-victim-of-crime, and extend that to organizations they lead unless they are the perpetrator of the crime.


It's silly to think your kids will do as you say rather than what you do.


I like how you think, you're hired!


I kind of figure that since I don’t live in the Chinese sphere of influence I might be better off using a Chinese service if I had really sensitive communications.


> for everyone else use math.

Your code better be flawless.


And immutable.


Yeah, I also bought a lifetime plan from that cloud storage company a few years ago, scammed by the marketing page, only to find out somewhere in the settings page that my data was never in Switzerland or even in the EU but was physically in the US, and I had to pay to move it to the EU. I just deleted my account. I guess the Swiss thing is just a marketing scam.


Ironically, I am in Zurich right now supervising upgrades and capacity increases in ZH4.

Our terms of service[1] explicitly state that your data will never leave the location you’ve chosen.

So if you’re still in the market for cloud storage in Zürich, email us. We’ll give you a “screwed by pcloud” discount.

[1] rsync.net/resources/notices/tos.html


Gotta love the rsync.net marketing. Good company, best support I have ever had with any internet firm. Can only recommend their product if it fits your use case.


Just fyi, clicked the "pricing" link from the TOS page and got a 404.


I am told this has been fixed ...


What did pcloud do?


>> In one example, it's a cloud storage company, they say on their marketing page and their about page that they are based in Switzerland and under Swiss law, but if you look at the legal pages the company you sign up with are actually based in Bulgaria. Their servers are based in Texas, USA and Luxemburg, Europe and their development team in Bulgaria.

> Yeah I also bought a lifetime plan from that cloud storage company few years ago, scammed by the marketing page, only to find out somewhere in the settings page that my data were never in switzerland or even in EU but were physically in US

Anyone want to name names?


I'm confused by the lack of naming names. It's not libel if you show the pages being discussed as evidence. So I'm not sure of the cause for the pussyfooting around name and shame.


I bought it from pCloud, and the person I replied to also said in another reply that he was talking about pCloud, so I think we both have had the same experience, and it should be OK to name names: one person could be lying, but if two people who never met each other say the same thing, I guess that would make it at least believable.


I am fairly happy with pcloud though. Didn't buy for privacy (i use encryption for that), but for cheapness. I am not aware of any violation of trust like what is mentioned here.


But to be honest, I have had my files there for a few years, unencrypted and in the US, without realizing it, so it's not that encryption was needed or anything special. It just sucks to be a victim of a marketing practice advertising "your files are under the jurisdiction of Switzerland" and to find out that they never have been. Then, is it a good service? It's debatable. It's cross-platform and has good client support for Linux OSes, but from mobile, for example, I have never been able to show friends pics and videos; it always timed out, and I have good connections, i.e. T-Mobile and Vodafone for mobile (I'm Italian living abroad).

But whether or not you need encryption, is that ok to advertise something that you don't have?


In that case... I get it. But yeah... Everybody did/does it and it's stupid. And I knew it was stupid back then (even my current mail provider does the same; Belgium yada yada, but they have been honest about cooperating with police). I even figured the lifetime option was a sign that they would collapse years ago. But I took a risk, and I have very cheap storage online.

Also. Yes. The Android app is very bad compared to e.g. drive/photos


Great, so to get the full picture of your point, one must read the entire thread.

My actual point, was why in the world would you not post the name of the company in the original post? What thought processes occurred that suggested you shouldn't provide the name in the first place?


I am not sure. I am relatively new to HN, and the post I replied to did not mention the service's name, so I used the same approach.


You got played. Just remember to never trust marketing in the future and always read the fine print, no matter how long it may be.


> always read the fine print, no matter how long it may be.

I think it’s time we stop doling out this advice and acknowledge that it’s entirely unrealistic. I’m a lawyer. I read the fine print a lot. Sometimes just for fun. But even I don’t “always” read it. Usually I don’t even read it so much as I give it a skim. If I read the fine print each and every time I came across it during the day I would literally do nothing else. Not even sleep.

And that’s to say nothing of the average person’s hope of actually understanding what the fine print even means!

But even for someone very well-suited (a retired lawyer, for example, with all the time in the world) the suggestion to always read the fine print is absurd.

These are contracts of adhesion. As consumers we usually don’t have any leverage to change the terms or even much of a choice to take our business elsewhere. It makes far more sense to regulate consumer contracts and force businesses not to screw people over than it does to ask millions of people to waste hours of their lives reading pages and pages of legalese they don’t understand and couldn’t change even if they did.


I agree with you, but I also think, as I wrote before in another reply, there is another issue I would like to submit to you as a lawyer with experience in law: reading the TOS seems to me something that makes you feel relatively good in the moment, but most of them retain the right to change the terms after you've bought something. What do you think about that?


It's been a year since I bought anything, so I solved it like that. The issue is not even the fine print anymore; it's that anything retains the right to change the terms and conditions without explanation or warning. In Italy we have a law that if a company changes the terms and conditions it has to communicate it to you and has to give you 30 days in order to stop the contract without any penalty. It works for services and software, but we don't have anything to protect people from hardware, to force the company to buy back devices in case of unilateral TOS changes, so it sucks a bit. On the other hand, in the rest of the EU there isn't even the protection for software.


True, the swiss government has bent over in all directions imaginable regarding the banking secret once a powerful enough entity pressured them. Forget hosting, VPNs or email providers from Switzerland.

It's exactly true: companies incorporate there due to tax laws. Even Philip Morris is there.


"Bent over in all directions" is a bit of an exaggeration, most countries nowadays abide by various conventions to prevent money laundering & terrorism funding, since the G7 founded the FATF https://en.wikipedia.org/wiki/Financial_Action_Task_Force


Ironic since the US is more or less the world leader for money laundering and tax evasion. It also bothers me that the US has spent billions of dollars over the past several decades fighting narcotics just to turn around and make them legal. They must have passed the "It's Ok When We Get Our Cut" Act when I wasn't looking.


THC is still illegal at the federal level, if that's what you mean. The federal government is just being dragged kicking and screaming into sanity by individual states that are legalizing it.


Yeah weird that so many American companies set up headquarters in places like Ireland when it’s so easy to evade corporate taxes here.


That is mostly for access to the European market. Tax evasion on the domestic market works too, but differently.


The US beat them in to submission you mean.


The company you’re mentioning in the end is Tresorit, right? If so, they still do get some kudos for running a pretty solid end-to-end encrypted storage service. Their whitepaper checked out to me, and their heavy focus on business users instead of consumers seems to attract fewer of the advocate types of users that landed ProtonMail in this week's situation to begin with.


No, I'm referring to pcloud. I'm not saying they are necessarily a bad service or anything, just that their marketing is false.


This is extra problematic because pcloud doesn't encrypt files by default.

(It does have its "secure vault", but you can't sync it to your computer and it costs a significant extra fee to use. You may as well use Cryptomator.)


that's what I do, use cryptomator with gdrive.


As far as I know Tresorit has actual offices and staff in Zurich, Switzerland. They also appeared clear to me in the past that they have multiple offices around the world (I listened to a presentation from them recently at a conference).


I was referring to pCloud, and pCloud also has an office in Switzerland. But similar applies to Tresorit, I believe; they just have it for tax and marketing reasons.

The issue is that both Tresorit and pCloud store the data outside of Switzerland. If you start using pCloud on the expectation that it's stored in Switzerland, you are wrong; it will be stored in Texas or in Luxembourg. So how can Swiss law really apply once it really matters? And secondly, who cares if it's Swiss law? There's nothing special about that.

People seem to believe there is some kind of banking secrecy that applies to data storage. On top of that, Swiss banking secrecy actually does not exist anymore.

And looking at the Terms & Conditions from pcloud, it says: "If a European Union user of the Site or Services is located outside of Switzerland, then, for the purposes of any claim or action relating to these Terms, the Privacy Policy, the Site, or any Services, the applicable jurisdiction will be the courts that are located in the territory of residence of such European User."

So what is the point to highlight they are in Switzerland, if Swiss laws do not apply if you do not live in Switzerland? It's just false marketing.


I got you - I was just replying to kylehotchkiss. Either way, if the data is properly client-side encrypted, it shouldn't really matter much where the data is stored, since they would need access to your device to decrypt the data. So I don't see how this is an issue.

My expectation here would typically be that the company itself is governed by a stable, democratic government. It matters, because different legislations can impose different requirements (see recent changes in Australia for example).

Yes, banking secrecy has nothing to do with this and doesn't really apply, since that is more about someone not spilling your information, while here you already ensure on your device that the data is not visible to anyone.

I think you are right - it's a marketing element, but most companies do that, don't they? See for example Apple with "Designed in California", which is really just trying to not only say "Made in China". People have known associations with certain countries (such as Switzerland), which are used for marketing, yes.
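
The point made here, and in the Cryptomator-with-Google-Drive comment further up, is that once files are encrypted on the client, the provider's jurisdiction only governs opaque bytes. The following Go program is an added example and is not code from the thread or from any of the products named in it (pCloud, Tresorit, Cryptomator). It assumes a 256-bit key that is generated and kept on the user's device, AES-256-GCM from the Go standard library, and the hypothetical convention of binding the remote path into the authentication tag as associated data, so a provider that swaps or edits blobs is detected on download. The sample file contents are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a fresh 256-bit key. In a real client this stays on the
// user's device (or in a password manager); the storage provider never sees it.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealFile encrypts plaintext under key with AES-256-GCM. The remote path is
// bound in as associated data (an assumed convention for this example), so
// the provider cannot silently serve one file's ciphertext under another
// file's name. The returned blob is nonce || ciphertext || tag.
func SealFile(key []byte, remotePath string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per file; with a 96-bit nonce this is safe for
	// far fewer than 2^32 files under one key, which is fine for a personal vault.
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends to the dst slice, so prefixing with the nonce yields nonce || ct.
	return aead.Seal(nonce, nonce, plaintext, []byte(remotePath)), nil
}

// OpenFile reverses SealFile. Any change to the blob (provider-side
// tampering, bit rot, or a blob served under a different path) fails
// authentication and returns an error instead of garbage.
func OpenFile(key []byte, remotePath string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(remotePath))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample file; in practice this is the local file's bytes.
	plain := []byte("constructed sample: contents the provider must never read")
	const path = "docs/tax-2023.pdf"

	blob, err := SealFile(key, path, plain)
	if err != nil {
		panic(err)
	}
	fmt.Printf("uploaded %d bytes of opaque ciphertext\n", len(blob))

	got, err := OpenFile(key, path, blob)
	fmt.Printf("round trip ok: %v\n", err == nil && string(got) == string(plain))

	_, err = OpenFile(key, "docs/other.pdf", blob)
	fmt.Printf("served under another name: rejected=%v\n", err != nil)

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = OpenFile(key, path, tampered)
	fmt.Printf("modified in storage: rejected=%v\n", err != nil)
}
```

Two caveats a practitioner would want: the provider still sees file sizes, names, timestamps and access patterns (encrypt names too, or pack files, if that metadata matters), and losing the key means losing the data, so where the key lives and is backed up matters more than which country the blob sits in.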


The funny thing is, while advertising all of that, they're not providing a free SMTP service that actually allows you to send properly GPG-encrypted emails to protect your privacy.

So for me, ProtonMail is basically a web email service, a nice web email service to be completely fair, but without perks. I will never call them an "encrypted email" service.


Yes, they make registering burner addresses a breeze for potentially spammy sites, but thats basically their only USP for me.


I don't understand this part. ProtonMail does not offer a burner address service. Are you referring to the ability to create aliases on a ProtonMail account? If you are, that's possible with most other hosts too.

A proper burner address service would be SimpleLogin or Anonaddy.


Switzerland deserves no brand for secrecy. USA broke their back. They opened their private banking. Their Crypto AG was totally rooted.


> USA broke their back. They opened their private banking

If you've ever been to a really large American city, you'll notice all the logos of the large Swiss banks on big tall shiny office towers. The USA said that if they want to keep doing that, then they have to follow American laws. The Swiss banks decided that running their businesses in America was more profitable than secrecy.

"Follow our laws or get out" is not even remotely controversial.


However, "implement our idea of intrusive laws in your country" is.


> USA broke their back. They opened their private banking.

This sounds like you think this was a bad thing. But a not insignificant amount of swiss bank holdings, and profit, stemmed directly from dormant accounts of holocaust victims, purposely withheld from their heirs under the guise of "privacy"; and from plunder deals with the Nazis.


> In one example, it's a cloud storage company, they say on their marketing page and their about page that they are based in Switzerland and under Swiss law, but if you look at the legal pages the company you sign up with are actually based in Bulgaria. Their servers are based in Texas, USA and Luxemburg, Europe and their development team in Bulgaria.

Just out of curiosity, in this kind of situation what laws actually apply? Wouldn't that be the Bulgarian laws?


In the pcloud Terms & Conditions they say this:

"If a European Union user of the Site or Services is located outside of Switzerland, then, for the purposes of any claim or action relating to these Terms, the Privacy Policy, the Site, or any Services, the applicable jurisdiction will be the courts that are located in the territory of residence of such European User. "


If there are servers located in the US, they are absolutely covered by US law. In fact, all of the jurisdictions can apply in one way or another.


I think the physical location(s) of your stored data is probably the weakest link in the (legal) chain, so to speak.


I also dislike companies that use the label 'Made in [country]' as a prominent hook to promise users they will get enhanced privacy - which may or may not be true. I'd rather they be honest and say: these are the examples when we must comply with the law and must hand over the following details.

We all need to make our own evaluation of the privacy promises of those services and whether they actually provide privacy above and beyond what other companies offer. We shouldn't rely on vague impressions that privacy is strong in company X merely because of their presence in a particular country (and which the company uses heavily for promotion).


As an Australian, I absolutely appreciate knowing an online company is located somewhere that isn’t here.


Yes, but Australia, especially recently, is becoming more totalitarian and surveillance-oriented. Not really sure why people there are not voting those people and laws out while they still can, but I guess it's tribalism and a limited number of parties, just like here in the USA.


Wouldn’t Australian law make them comply regardless if they want to do business with Austrians?


I don't think Australia cares what you do with Austrians ;)


Made in Switzerland has strict rules as to what percentage (at least 50% for most items, 80% for certain food items) is actually made here. Unlike "based" which just means there is an office or mailbox.

[1] https://bestswiss.ch/swissness-gesetzgebung-marke-schweiz


Agreed, it's unsustainable for ProtonMail. They should operate out of China, and then build credibility from there. "Trust us" is not viable long term. In God we trust, for everyone else use math.


> Their servers are based in Texas, USA and Luxemburg, Europe and their development team in Bulgaria

I don't believe it means anything. They form a company in Switzerland, which makes them compliant with Swiss law; they rent infrastructure from a provider where these services are most favourable for their business (which in this case could be the USA and Luxembourg); and they do their tech dev work in Bulgaria (which is in the EU) because they get the most bang for their buck in this country.

What I see is simply business as usual. Are there even single-origin tech companies? Even if everything is Swiss, if you have your app on the Apple App Store or Google Play, you would be required to comply with US laws. You came up with an interesting encryption? Well, you will be asked to document it as part of your export compliance if you are going to make the app available outside of the US.


You think you host your PI data in the EU, but in fact it is sitting on US soil.


If you are hosting your PI data in Switzerland and you think you are hosting it in the EU, you already have a problem.


As I understand it, it is actually not an issue, as they have strong enough privacy laws that the EU has said it's good. Though when doing business with EU citizens they of course still have to follow the rest of the GDPR.

https://ec.europa.eu/info/law/law-topic/data-protection/inte...


It depends on the kind of data stored. Things critical to your national security, or citizen data, usually need to be stored within the EU's borders.


Unless I'm mistaken, you should be able to host the data inside the EEA (https://en.wikipedia.org/wiki/European_Economic_Area).

While Switzerland is not a member, they do have special agreements for trade reasons so it might be okay to store data there.


> their development team in Bulgaria.

I don't see them having offices in Bulgaria. However they have offices in North Macedonia.


The founder and CTO, Anton Titov, is a Russian who moved to Bulgaria at age 8:

https://cloudstorageinfo.org/interview-with-anton-titov-pclo...


I have two friends who worked for pCloud in Sofia, but I don't know anyone who has worked for Proton in Bulgaria. I can't find anyone from Bulgaria currently working for Proton via LinkedIn.


Last time there was a ProtonMail discussion on HN I brought up the point that they save metadata and of course got downvoted into oblivion and had to remove my comment....


What’s the safest country originating IP address to use via vpn from prying eyes, Netherlands?


The USA thus has authority over servers that are in Texas, iirc.


The USA also has authority over servers that are anywhere in the world if there is a US company involved.

https://en.wikipedia.org/wiki/CLOUD_Act


Yep.

We all saw The Wolf of Wall Street.


Proton has always been as bad as Hushmail.


Got any proof of that? Can you decrypt my email that is sitting on their servers? If you are communicating something so precious that not even the sender/receiver and subject line should be seen, then you'd best not be using ANY EMAIL at all without a couple more layers of security on top of it.


The whole clarification they wrote was "As a Swiss company, they must comply with Swiss law when it relates to a Swiss citizen."

So if you're not a Swiss citizen, you've got nothing to worry about. The only thing they did differently was notify the person they were being investigated and then begin tracking. That's the major difference.

It's not like some random company can just skirt all laws globally for the sake of privacy.


The person whose IP they tracked was French.


If the Swiss have a vested interest in pursuing a French person for a specific reason, the Swiss can and will exert that power. No clue why HN for some reason thinks a tech company can just skirt the law here for the sake of some crusade of 100% privacy. Newsflash: it doesn't exist.


I remember being fooled by the whole "We're Swiss, isn't that great?" marketing at the beginning. It was disappointing, to say the least, when I learned that Switzerland is part of the N-eyes agreement(s).

Truth is that email is almost a dead protocol now, anyway. As much as that hurts me to say. It was never able to meet the moment: PGP is complicated and easy to mess up, it's pretty damn hard to host your own email server and not end up in everyone's SPAM or blocked, and if the person on the other end is using Gmail, your shit's being read, analyzed, and archived anyway.

Email is going to be a business-only (as in "companies"/"corporations"/etc) protocol soon.


I agree in that, for me, e-mail is almost solely used for business communications and newsletters. However, I don't know of a "timeless", or otherwise decentralized, communication technology so ubiquitous that can be secured like e-mail. Signal seems to be the hip thing, but it's centralized. "Blockchain" communications, perhaps?


That is something I doubt I'll ever sign up for: my email on a blockchain, lol. Unless it's just a hash of the email text or something for "proof" of its origin/association.


Actually, a blockchain might work as the basis for a distributed email server reputation system. If every provider published its opinion of all the providers it has received emails from, it should be possible to reach a consensus about who the spammers are.

Hopefully this system would provide a useful signal even if it was only adopted by a few big mail providers, and they could pressure newly-registered mail domains to adopt it or face delivery delays. Long-established mail domains would be grandfathered in, so most providers wouldn't have to change anything.



