top | item 40358584

brevitea | 1 year ago

The requirement that the recovery email address be a non-ProtonMail email is a bit fishy as well. The recovery email can be modified/deleted after initial account setup. However, it is unclear to me if Proton is caching that sensitive user information, to potentially turn over to authorities. Unsettling.

protonmail | 1 year ago

There is no such requirement. You seem to be conflating a verification email address with the recovery one. The verification email address is sometimes required upon signup, but is not tied to the particular account, and also hashed so we don't have access to it: https://proton.me/support/human-verification. Therefore, we cannot share it with any third parties (authorities included).

Recovery address (which is what this case is about), on the other hand, is completely optional, and it's not the only option we offer for account recovery: https://proton.me/support/set-account-recovery-methods. Also, it is removed from our systems as soon as you remove it from your account.

brevitea | 1 year ago

Got it, my mistake. Thank you for the clarification. Is this to say, Protonmail does not cache previous verification and/or recovery passwords?