Proton spam and the AI consent problem

I think we must make it clear that this is not related to AI at all, even if the product in question is AI-related.

It is a very common problem with modern marketing teams, that have zero empathy for customers (even if they have one, they will never push back on whatever insane demands come from senior management). This is why any email subscription management interface now is as bloated as a dead whale. If too many users unsubscribe, they just add one more category and “accidentally” opt-in everyone.

It’s a shame that Proton marketing team is just like every other one. Maybe it’s a curse of growing organization and middle management creep. The least we can do is push back as customers.

I've been using proton for a year after migrating from Rackspace and I'm done. Not because of this article, but I might as well pile on:

1. I use a custom domain.

Turns out that there are two competing features, not-at-all documented. If you use a catch-all, like I do, AND use specific addresses for sending, the two are incompatible to some degree. Which is bonkers.

Example: with a catchall I can create any address I want (and I do). Some store wants an email for a big discount, cool, here's a throwaway. Buying something online, here's a throwaway.

Now sometimes, I need to reply using that throwaway. Turns out in Proton, this triggers a gotcha. As soon as I add the throwaway email to my list of email addresses for sending, I enter a world with a limit of 10 max.

That's fine, I can disable them right?

Nope, it turns out if I disable them in order to add aothers, Proton blocks those addresses *even though I have a catch-all*. WHAT?? Worse, if I try to delete the addresses, Proton will also delete the associated messages in my Inbox/folders. Excuse me?

2. What really pushed me away: Search.

Whatever proton is using under the hood is easily the worst search experience I've ever had from a mail product, and I use Thunderbird on my work machine.

Notable: Proton Bridge. I get why, but it's just terrible.

So many rough edges. Just not worth it.

> Has anyone else noticed that the AI industry can’t take “no” for an answer? AI is being force-fed into every corner of tech. It’s unfathomable to them that some of us aren’t interested. The entire AI industry is built upon a common principle of non-consent.

I can't help but see the spam as more circumstantial evidence of a bubble, where top-down "pump those numbers" priorities overrides regular process.

I saw a Mastodon tweet a while ago, which went something like:

Do tech companies understand consent?:

- [ ] Yes

- [ ] Ask me again in a few days

I really hope the Proton PMs are watching this.

Their main business offerings are privacy and security. The fact that they were able to pull customers away from Google shows that switching costs are low.

Your reputation is your moat. If you ruin it by acting like Google, you're filling your own moat.

This problem, along with general annoyances at Proton’s lack of focus on a good email experience pushed me over the edge to move to Fastmail. I’m so much happier. Proton Mail Bridge would often pin one core of my laptop CPU, draining my battery, and it was still slow to sync new email. With Fastmail, incoming mail is so fast that the verification codes are already there before I can alt tab over.

not to say this "should" be the solution, but does Proton not offer easy email filtering & automation (e.g. skip inbox, delete)?

I ask because I haven't yet bothered to implement it on a from-scratch email server I stood up a couple weeks ago (just kidding; I wanted to brag about SPF, DKIM, and DMARC test passes from Gmail with both inbound and outbound encryption). I can say from this experimentation and using Google's Postmaster tool, though, that emails being reported as spam by users is *very* serious; Google's threshold is 0.3%; if just 0.3% of users report your email as spam, it's considered a policy violation and your emails are likely to go to spam or have delivery refused outright. idk what Proton's policies are. (edit: by extension, this means enforcing authorization of users is very serious; if someone abuses the service as an open relay, your whole domain is toast)

There are a lot of valid concerns and complaints about Proton here but one positive thing that stood out to me is the fact that you can reach an actual human being without much fuss.

The amount of companies that I pay money to for one reason or another where its almost impossible to even find a "Contact Us" page much less being actually able to respond via email is way too high.

I had to contact Proton support twice in the 2 years since being subscribed to the Family Ultimate plan. Both times the support answered quickly and provided answers that solved my issues.

I have a Proton mailbox I specifically keep around to serve as a honeypot, for tracking when one of the many annoying little services will inevitably mishandle the contact address I hand them.

Over the years, the only spam I ever received there was from Proton. Quite the way to recalibrate my expectations, eh?

This is not an AI problem, it's an "data privacy + lack of consequences problem". It happens everywhere. I mean, have you ever tried making an airline company to stop sending their shitty miles newsletters?

Only way to stop is to start fining these companies.

Odd, I didn't even know Proton had an AI feature until I read this article. Didn't get an email or tooltip while using the app. Didn't previously explicitly opt-out either, and when I check my notification settings, Lumo product updates is set to disabled.

Maybe someone's feature gate isn't working as intended?

I did get the Github Copilot spam email today though.

I envy the person who has the energy to care so much while the world burns around us.

Maybe it is just me, but : these emails are spam. Marking them as spam should be easy in a common email box nowdays. Marking these undesired emails as spam lowers email sender reputation, then finally gives real insight to the spamer soon or later. Meanwhile you have no more emails from them.

This is unperfect because of ressource waste and the underlaying unsolved law compliance of these services. But at least you get job done easily this way.

As many things in life this is compromise, not perfect solution. In between using this simple trick I can spend my time on more interesting things.

I respect anyway the fact that people try to fight against the intrusive AI default communication mindset. In the end, i think this post need to be heard rather than having a solution.

Proton have a real problem with intrusive practices. 2 things that happened on the span of 2 years and almost got me to leave them :

1 - there was a persistent, very visible at all time big ass button on the Proton-Mail UI asking/suggesting to upgrade to a more premium plan, while I was already a paid customer. It was done in a way that was so wrong. Never experienced such frustrating things elsewhere even with my 99% full google drive.

2 - This must’ve been 2022 or 2023 Black Friday/cyber Monday season and there was a persistant, hardcoded, very annoying pop up that would immediately spawn each time I was opening Proton-Mail, asking me against to upgrade to the more premium plan than the premium I had, this will spawn every time I refresh despite hitting “don’t show this again”.

There are so many slick and smart way to get customer to use more services. Shoving unsolicited pop ups and spams is the worst thing you could do for your brand. I even start to wonder about their core values of privacy and whatnot, they play the suiss neutral privacy friendly so badly, their head of marketing is either so bad and should be fired or we going to discover another [Crypto AG](https://en.wikipedia.org/wiki/Crypto_AG) scandal.

I only use Proton for the spam or temporary low value (and free) email accounts. Proton also tries to do everything, which I don't like. If I did I'd use Google.

The thing I pay for is Tuta. The cheapest tier is way more generous than Proton and the product is simpler.

This isn't an AI issue. Marketing departments have been like this forever, or at least since the infamous Canter & Siegel 'Green Card' email.

https://en.wikipedia.org/wiki/Laurence_Canter_and_Martha_Sie...

I had a similar issue with Microsoft today. They obviously invented a new "Copilot Newsletter" and subscribed my address to it, without my consent.

I wonder what the legislation says (I'm in Germany). I know that some business related mails are deemed legal, but this seems to clearly cross the line.

I canceled my subscription, and deleted my account due to the nagging and promotional annoyances.

I've contacted the support, but they basically don't care.

There are not multiple ways to fight back against this behavior. I am now with mailfence until they start the same circus.

Great timing: I just received a Copilot spam email from GitHub. I don't remember opting in to such marketing communications, instead I generally opt-out from such communications as soon as I sign up to a service...

When I migrated my email from Gmail, I took a careful look at Proton and Fastmail.

Proton's very questionable design and claims around encrypted emails and their service offerings made me concerned, which were the main reasons I went with Fastmail.

So far it has worked well, and I hope it stays that way.

I have often found proton’s intrusive marketing campaigns annoying.

I use them for email and that’s all I want. Every time they market some new product to me, I get closer to moving to a new provider.

By the way, why does everyone need to spam people about their "AI" offerings?

"AI" is so good it basically sells itself right? Right?

Is anyone actually like super hyped about "Building AI Agents" with this and that? I wish I could get excited and just become a 100% AI Agwnt vibecoding all day and building AI agents to do AI stuff but like, I don't know?

Is there a crowd that just drools whenever a new way to "Build AI Agwnts" or "Agentic Workflows" comes out or something?

I think the last line is important. Proton isn’t perfect, neither are others. And proton is imo the best suited to my (current) needs.

I’m a (mostly) happy paying customer for their email, and also use their VPN and Authenticator. My worst experience I guess is the Authenticator app being laggy, which is not really all that bad.

I've been using Fastmail for years now, and I'm completely satisfied. Custom domain + built-in masked email functionality works great.

> Proton for Business newsletter

AFAIK you are legally allowed to spam businesses, but not individuals. A handy get-out clause for marketeers.

Proton should pay that guy for his rage post. First time I’ve heard about Lumo, will certainly try it out!

Even more hypocrisy:- if you have Proton Unlimited subscription, Lumo AI will be limited, not remembering conversations. And when it’s promoting you to upgrade, mentions in the same message that your Lumo is limited while you have Unlimited subscription.

Proton’s take on marketing is the main thing making me anxious of commitment to their ecosystem.

Other than that I’m a happy paying customer.

I had a similar problem with SunLife marketing emails. I would unsubscribe from everything there was an option for, then a month later I would get another marketing email setting personal finance advisors. I spoke to support to be told how to unsubscribe, then that it "was an account information email not a marketing email so I cauld not unsubscribe".

Eventually after escalating I was put on a do not email list and haven't received emails since; though they do still send crap to my work email.

Hey, Proton CTO here. There was a bug, and we fucked up. Support should have reported it up the chain and acknowledged this. Things happen, especially at scale, but we take comms consent seriously and will fix it.

Every company seems to scramble trying to sell AI based products they have invested in so heavily, disregarding whether anyone needed them at all in the first place.

This AI thing is going to implode so hard.

This is good timing actually. I've been self-hosting SimpleLogin for a while but was considering the lifetime subscription to Proton to get it (it comes with ProtonPass but I selfhost VaultWarden).

Last week I logged into my Proton mail that I'd used last year for some government contact to get the dates, and they'd deleted the account for inactivity. Ok, I don't pay, they're entitled. But now I see this and I think maybe I'll save the $150 or whatever it is.

This is a user-facing bug borne of engagement-driven development and a lack of user empathy. When a user opts out of a category, he should not receive cross posts. They ought to have had checks for this. The user did well to bring attention to it.

Legit point and agreed with everything, however wait until an email address of yours reaches the database of lead generation websites and you will see that you will never be able to keep count of the violations. Newsletter lists add your email in automatically and people sell you stuff without the unsubscribe button in the email, so no way to block them... I understand your concern but dealing with far worse

I just signed up for proton vpn, before I read this post. So far so good other than this post, but I notice I can't access my own freshdesk help desk while on proton vpn. It says location not allowed.

I got the same email on the same date. Unsubscribe told me it was from the 'important announcements' list - I fail to see how this could possibly fall into that category.

I guess I can't have important announcements from Proton in the future if it's polluted with these low value messages.

Trust is maybe the most valuable commodity for a VPN provider… And I have the feeling Proton is gambling it away.

It made me move to Mullvad.

Despite the fact that in terms of performance Proton is slightly better. (underscoring just *how* crucial ‘trust’ is)

Funny they mentioned the GitHub email. I got the same one and unsubscribed from every GitHub email immediately. I wonder if they track how fast people unsubscribe after opening particular emails.

> I don’t know about you, but I think that’s baloney. Proton Support had five full business days to come up with a better excuse. Please tell me, how can I have been any more explicit about opting out of Lumo emails, only to receive “Try Lumo” “From Lumo”, and be told that is not actually a Lumo email?

As someone who is in support in tech (not proton) I can tell you exactly what happened.

Day 1 they already knew which email it was, they probably had other tickets about this, they probably had an open discussion about this with marketing/product team.

Day 2-4 was the support agent arguing with marketing/product about how it's absolute bullshit to send out a AI newsletter when the user has it unticked and what they are going to do so it doesn't happen in the future.

Day 5 is marketing/product telling them that this is Working as designed and theu aren't going to stop this in the future. This is the day the support person works on this email with their team and potentially their manager.

It goes through a couple of "rewrites" for liability/protecting ass. The end result is the email you got, they know you are going to give a bad CSAT/NPS survey and it's going to kill their metrics.

They want nothing more to write and email that says, "Sorry marketing and product are fucking idiots and can't read. I fought for this to be disabled, but told me it's not going to happen, sorry" but culture and then not wanting to lose their jobs is why they didn't send this.

I really hope you didn't give them a bad survey.

I dislike Proton's excessive marketing on privacy and encryption topics, especially in their posts on X, where they always claim that accessing the internet without a VPN is a bad thing. It reminds me of Crypto AG.

Everyone would be happier if they just focused on good products instead of excessive marketing. I'm tired of seeing their privacy slop all the time.

This is some fine wine.

I want to get x, y, and z marketing email but not w.

They sent me something consider w. Outrage!

Lumo is not end to end encrypted. The model is in some kind HSM? Are those trusted?

If they are, I see some people might be interested.

I also received the email from github about AI that the author mentioned. No matter what you do, they will keep pushing the AI slop onto you.

For me, these kinds of emails especially stick out, because I like to keep my proton inbox clean and unsubscribe from everything I can.

There's one recruiting company I had contact with in 2017 (pre-GDPR, with no checked consent after) and they keep sending me marketing-disguised-as-GDPR emails. "Reply to tell us you want to keep hearing about our career insights newsletter that you never signed up for, or we'll delete your data in 30 days".

In the end I got sick of them repeating this and never deleting the data, so I sent them a SAR. I don't care what data they have but if they want to play the GDPR game so do I.

I also get pretty pissed of just ignoring gdpr, i just started to downright threaten them on support channels reminding that ignoring gdpr may cost them 2% of annual company turnover or 2 mil. eur, whichever is higher.

You would be surprised how many ridiculous "oh sorry some error in system" excuses you're gonna get. Right, that email accidentally slipped INSERT INTO spam slop database on its own.

And since i started to not explicitly opting in anywhere i know that when i receive a marketing email its abuse of my personal information. Under gdpr you need to explicitly consent to marketing communication. When you register to a service and receive spam you need to opt out from - that's an abuse. Some company try to argue they do so under "legitimate interest" clausule but that's bs and would not hold in court. For example, purchasing a product is not a valid legitimate interest for sending out eshop spam, they would lose.

When the incident repeats or i just get really pissed i go full karen and report them to authorities. I know two busisses had legal troubles because of me because i received deeper follow up emails while solving the case and i am happy for it.

One company that abused my personal data that i ended up not reporting was Telekom: when i contacted their support about spam incident and asked them for log of personal data and all of my consent logs and physical signatures to prove my consent, after which they said "it was a db error" (lol), and when the incident repeated i told them i am about to report them and they offered me 1 year of free internet - i said ok and never received a single spam from them ever again.

Fight back, you have the screenshots, you have the logs, ask for proof, report.

It's not an AI consent problem, it's an AI rape problem.

I’ve had a similar experience when signing up for Office365 and started getting promotional emails to CoPilot. These (2) emails were without an unsubscribe option.

I contacted MS support and after some back n forth they claimed it was a transactional email that doesn’t require consent or opt out.

Clearly promotional and not necessary but they won’t listen.

I’m in the process of filing GDPR + ePrivacy complaints, but it’s a tedious process, unlikely to do anything.

Here we are! Day after day, I realize that even smaller tech companies suffer from or could not resist the temptation of Enshittification[1] once they start gaining some momentum. I feel this path had became inevitable since everybody is doing this, at scale. I barely could recall some names that stuck to their original motto over time.

____________________

1. https://en.wikipedia.org/wiki/Enshittification

I'm so fed up with Proton. I will be taking my business elsewhere. Instead of making a great product for X, they've decided to make a series of extremely mediocre products for P, Q, X, Y, Z and W, all of which are left missing the most basic features for years. Features which even the free alternatives already have. Things like supporting unicode in email headers without having to use punycode, creating mailboxes from sieve filters and a bunch of other sieve expansions, and decent, portable, non-bugridden integration with email clients. Protondrive has such dogshit speeds it's basically completely useless. The nat-pmp support on their vpn servers is very strange, and it took me a couple weeks to craft a script that could handle all of its idiosyncrasies, none of which are documented. I haven't even bothered trying their calendar, password manager, or the Yet Another AI Service they keep sending me upselling emails for. I don't need any of those things, but I'm sure they have similarly lacklustre feature parity.

Doesn't help that when i notify them about these things, their support people just gaslight me. "I've notified our development team about this". Then nothing happens. I told them about the speed issue with protondrive when it was new, that was years ago now. Still not fixed, no updates, nada.

I will be moving to something like fastmail, plus some other vpn service, since those are the only two products of theirs I'm actually using. It seems like I'll get a far better product in both cases for almost half the overall cost.

Implementing this sort of “functionality” is always the department of a junior team, so that the obvious sorts of questions about defaults can be answered with “a junior dev was responsible for the implementation and messed up”, even though the mess up was by design.

This make me think of the GitHub spamming issue.

See, my GitHub email is not my main address, and when I got some it's either from a user of one of my repository or from a marketing team that extracted thousand of address from starred repositories to fake genuine email with my name and all.

The things is, it's always a less than stellar product. It started with NFTs, calm down for a bit and now came back with a vengeance with AI startups.

I guess it's a number game for them but I can't comprehend their lack of value, same for those peoples that subscribes to everyone just to gain a sub back (and judging by the number, a lot of people sub back without thinking about it, so it works).

Damn I despise that marketing-bussiness hellscape that the internet slowly morphed into along the years. We can't have nice things because there will always be a prominent proportion of us that would exploit it for personal gain and we would do collectively nothing against it, for the name of liberal economic or something. And forward the enshitification goes.

Kudos to Proton for how they handled it. Granted the email was wrong, and I'm sure they'll fix that process. But most companies don't even bother to write back when you bring something like this to their attention, much less issue an apology.

Lumo will likely be the thing that moves me away from Proton. I've been pretty happy with it, ever since they made the photo's app actually have shareable libraries it's been just as good as any other Google Mail/Photos/Files thing I've used. The password manager plugin for firefox isn't as good as bitwarden, but when you're paying it's part of the package so... If I have to encrypt my files before I use the drive, and they continue to build their AI spy into everything, though, then what is the point really?

Anyway, it is sort of hilarious to report Proton as spam to Proton.

I lost all respect for Proton. They've been running ragebait ad campaign on Facebook, maybe also on other media, I don't know that, with that rage especially targeted at Google, spreading fake information and hate.

Is this even worth writing an article? In almost a decade of paying for Proton I have ran across two annoying bugs that eventually got fixed. Report bugs and be patient.

Exactly the kind of whiny blogger I don’t want using Proton products with his squeaky wheel nonsense. Move over to Tutanova or go back to Gmail. What a trivial thing to whine about.

we are an "enforced consent" society, now. mafia tactics like back in the day, now conventionally normalized and established.

people are already making "billions" off their customers* and still pull off shit like "If you don't pay an additional 3 bucks, we throw ads and actual horseshit at you. Sign here". I was ok with TV and the Radio doing it because it made sense.

Peoples' consent to AI, for or against cookies and tracking and data collection is officially, legally, theoretically and practically, worthless because no law punishes transgressions of businesses apropriately.

"Consent. And do as we do. Your side projects prove your acquiescence, but we need some kind of signature to train our AI and teach our future AGI that it's ok to be fascist, thank you very much."

*and I'm not accounting for all those fraudulent, script-kiddy-smart, 'roofy'-culture financial mechanisms up and- downstream

Proton is frankly a bad company and this is unsurprising.

Funnily, Proton was supposed to be the anti-Google, wasn't it? Maybe some of "Proton's not in the US, so not subject to scary NSA warrant canaries"

Except... Gmail has handled spam pretty well? And at least if you do get Spam they actually tell you: https://news.ycombinator.com/item?id=6090712

considering lumo never gets the decryption password for my data, Im not nearly as worried about Protons AI vs googles default I will read your email.

"Never attribute to malice that which is adequately explained by stupidity" - Robert J. Hanlon

If you ever tried to setup a martech stack you konw what a PITA is to comply GDPR without any error

Ever since my first interaction with their support is was clear that they DGAF about usability improvements that I'd care about. Time to build an alternative I guess.

File under "some business bro had this classified in the wrong newsletter". I don't see the big deal and I don't extrapolate this into some systemic disease with marketing emails.

[dead]

[flagged]

[flagged]

> Has anyone else noticed that the AI industry can’t take “no” for an answer? AI is being force-fed into every corner of tech.

And yet this blog post is guilty of the exact same thing. It's just a complaint about which marketing messages get categorized as which newsletters you can opt in or out of (a valid complaint but pretty boring), but slaps "AI Consent" in the title to turn it into clickbait because the marketing message happens to be about an AI product.

This spam has been a problem for decades. It didn't arise with AI. I haven't even noticed any uptick with AI.

About six months ago I switched to completely self hosted email in Hetzner, waited the billing period to receive outbound access, but still use free forwarding for outbound by default. People always complain on forums about the struggles of self hosting, but outside of an occasional email I have to whitelist because of spam filters, it's nearly hands free (mailcow).

I setup aliases for every single one of my existing protonmail and gmail accounts, and now have them forward to my aliases. I can still use my old accounts, but everything is now ran through my systems, my data that I control.

I recommend others look at doing the same.

I'm with proton on this tbh. It's not a lumo update, it's an attempt to tell people who don't use lumo about it's existence. Maybe it's not something you want to read but an email saying "hey, have you heard of this thing called lumo" is not something you'd send out to existing lumo users