I once tried to create a Protonmail account over Tor and I believe they require a phone number from 'malicious' IPs, so if you want anonymity, Protonmail is not the service for you.
If they don’t do this, then spammers will use their service en masse and degrade the service for all customers by black holing their IPs and domain through all other email providers.
> This isn't the Hotmail age where everyone expects free email.
Protonmail does offer a free tier, which is the problem. I'm sure they would be happy to take a payment instead, as the whole point of phone verification is to impose a cost on account creation. Perhaps they can rework their account registration flow to offer the ability to upgrade to a paid account at the verification step.
If you're upgrading to a paid account, isn't that even worse than the initial step in terms of anonymity? I get that they need to make money to survive, but this requirement isn't displaced by e2ee - it provides a misleading and false sense of security.
Anonymity toward state actors is compromised in either situation, whether phone verification or payment validation.
Doubt I'm the only one who thinks this, but the value proposition of their service is cancelled by their stated terms, which at least they make available. I have similar doubts about the veracity of claims by VPN providers (including mine) in terms of not keeping logs.
Tor remains the only usable anonymising method with a decent track record. It's a shame Protonmail discriminates against it.
They support Bitcoin as a payment method. If you take precautions (i.e. use a Monero -> Bitcoin payment service over Tor) I don't see it as compromising your identity.
> This isn't the Hotmail age where everyone expects free email.
It totally is.
I was running my own mail server for a while. The thing that finally pushed me into not bothering any more was when I looked at my logs and realised 82% of my non-spam non-marketing email was captured by Google (where at least one recipient was either @gmail.com or a G Suite custom domain).
I tried to sign up for a Protonmail account through Tor with the Brave browser on 2021/09/06. Everything went well until the last step.
> Are you human?
> If you are having trouble creating your account, please request an invitation and we will respond within one business day. Request an invite
If you need it one time for registration while staying anonymous, using a burner SIM will work just fine. This way you anonymously create the account and then keep your location hidden using Tor. Authorities may even know who you are but will be unable to locate you.
But the mule only gives you some extra functionality, resilience, and is like having an email address just for spam or a home VPN endpoint. It gives you very little in terms of anonymity, which is why you'd go to Tor anyway. It's still in your proximity even if it's not in your name so anyone able to obtain your IPs from the services you use would also be able to get the location of your mule. And you forward to your own mail server which again does little to hide anything. That's a long traceable chain that can be compromised or at least broken (to force you out) at every link.
This is great to make sure companies don't sell your phone number or use it to create some social graph, and to access your accounts independent of your normal phone. But if you're looking to hide your identity or location from your service provider and the authorities then it's barely a speedbump.
Let me explain both my threat model and my use-case.
My threat model is not state level actors or law enforcement. My threat model is simply individuals working at providers I use that get curious and go hunting for my traffic. So, for instance, someone that works at my ISP or for my cellular provider or (GitHub/Twilio/Twitter).
I don't want these private actors to see my name or my phone number. However, VoIP numbers are typically blocked by providers for purposes of authentication and security because they need you to "burn" an actual SIM card number just to incur costs on you. This is their blunt response to a rather difficult spam/scam problem that would just explode if no costs were involved.
...
My use-case is that I don't want to carry around three phones everywhere I go and eSIMs don't work for these functions (again, their numbers are often discriminated against). I also don't want a single SIM card to correlate across multiple providers - that is why I have three (one personal SIM (not in my name) and two "mule" SIMs).
...
"It's still in your proximity even if it's not in your name so anyone able to obtain your IPs from the services you use would also be able to get the location of your mule."
No, they are rarely in my proximity. In fact, at this moment they are 12000 miles away from me. I keep them at my office and might move them to a datacenter ... but only if I can convert them from a phone form factor to a rpi-with-cellular-hat form factor ... or maybe SSH into the phone?
Well, remember - their interactions with these 2FA Mules are SMS only - there is no IP/network connection made here. So the providers, at least, don't have an IP address to look up. Also, in case it is not obvious, I fully control my entire mail and DNS infrastructure - as in, I own the machines and rent the racks.
I created an account made explicitly to be used over Tor some time ago and I was never asked to provide any phone number, but maybe that changed at some point.