💾 Archived View for gemini.circumlunar.space › users › laur%C3%AB › mail › paranoid.gmi captured on 2023-12-28 at 16:20:23. Gemini links have been rewritten to link to archived content
-=-=-=-=-=-=-
Alleges itself to be extremely privacy based, with quotes such as "Our mission is to return the feeling of privacy back to people." and "Return the privacy to day-to-day email communication and make it as popular as possible." However, the service has no privacy policy, so you can't know what do they actually store. They say that they are "PROBABLY THE ONLY OPENPGP-ENCRYPTED EMAIL BOX", but that isn't really true - even the dreaded ProtonMail and MailFence have that (though the implementaion is worse). Supports mail clients and has an onion domain. Here's the big thing though - Paranoid requires an invite, which I tried to get a few days ago. First, it told me that my cock.li mail is "disposable" and won't be accepted. Then I signed up with real disroot account and - though the message about the disposable services didn't appear - I still didn't get a reply in 5 or so days. One of my contacts says his friends sent requests months ago that are still not accepted. Thus, regardless of its privacy, Paranoid appears to be pretty useless.
UPDATE February 2020: The above is what I wrote very long ago. Then, the service went down shortly after so I assumed it's dead. Now it's back and one of my contacts was impressed with it, so I investigated again. Everything I wrote above is still true, except I also tried to sign up with my RiseUp E-mail alias, and got rejected for using a "disposable address". However, the contact managed to get through the process so we did some tests. Paranoid claims that:
If a sender can't encrypt the eMail which will be sent to your @PARANOID box - we will encrypt it for you using your public key - the only key we store.
This is true. Any E-mail sent to a Paranoid address will be encrypted by them with your public key (which you will have to generate and upload). However, since the encryption is done by Paranoid - they (as well as the sender's server) can still see the contents; and as they have no privacy policy, we don't know what they do with that. Let's check out another quote:
@2048.email & @4096.email aliases can receive encrypted eMails only. We will check for you, if an eMail, which has been sent to you, is encrypted.
Unless we've understood it wrong - the above is false. I've sent an unencrypted E-mail to both of those addresses, and my friend received them, where according to the claim - they should have been "bounced" back to me. I did, however, get a message implying that the unencrypted E-mails did not go through:
Dear owner of the email address email_redacted@some.domain, recently you've sent an email to the email_redacted@4096.email which is in the 4096.email domain provided by Paranoid.EMAIL service. This user does not accept unencrypted emails. Please encrypt email using PGP and send it again. If you do not know the key you can ask using this email email_redacted@paranoid.email To avoid seeing this 'bounce' message again in the future you can either start sending OpenPGP-encrypted eMail messages to the recipient (if you've already familiar with OpenPGP/GnuPG) or alternatively, you can become an early bird tester of our brand new encrypted eMail service...
Of course, even if he did not receive them, they would still have traveled unencrypted from my machine, through my provider, ending at Paranoid (with many other points inbetween). So, him not being able to read them wouldn't provide any security. What does the "bouncing" accomplish, then? It might possibly (in some alternate world...) get the other guy to encrypt using PGP - however, to have real end-to-end encryption, that person would also have to generate his own keys, which - for the vast majority of people - is insurmountable. Also remember that the above applies only to the 4096 and 2048 aliases - you can still give the regular "paranoid.email" one to avoid the bounce.
The above, however, is still the best implementation of PGP you can have without PGP proper. At least they are not doing decryption in the browser, or worse - storing your private key like ProtonMail. In fact, they are specifically warning against those approaches. Not only is there no security or other disadvantages in what Paranoid is doing, some benefits even exist. The messages you receive will be encrypted for at least a part of the journey without the other person's involvement (again, you must upload your public PGP key), and you might "convert" a few people to real end-to-end encryption in PGP (at the cost of annoying some others).
Despite all the above, Paranoid is actually a pretty good email service. It sucks that they consider so many real E-mail addresses as "disposable", but what can you do? If you get past that, you can sign up for free through anonymizers and without providing any personal data - which is already miles above what many others are doing. They also realize the perils of webmail and don't even provide it - therefore, you must use them through a mail client. An onion domain is available as well. The biggest problems (aside from the ones with signing up) are not having a privacy policy and making some weird statements on their main page - however, language is very clearly a barrier here. In summary, I can't recommend this one with the registration issues as well as not having a privacy policy - but it is better than most others allegedly private ones that are listed here.