Maybe he meant that ProtonVPN has a pretty shady reputation on HN due to their business connections to TesoNet, which is a data mining company. Its a lot more complicated than that, but if you see ProtonVPN being shot down on HN, that's why.
Personally, even if there isn't anything actually shady going on, I would want my VPN provider to be beyond reproach. Any smart VPN provider wouldn't want even tenuous connections to data mining companies.
It feels a bit dirt to recommend Private Internet Access since they were the ones who pointed this out on HN, but so far AFAIK they are the only ones that have have been court-tested. Other options would be TorGuard or Mullvad VPN. Mullvad even already supports WireGuard!
> I just run my own VPN from a $5/month DigitalOcean droplet... I feel like all the public VPNs are like big honeypots I'd rather stay away from.
I guess that depends on your threat vector. I mainly want copyright hounds and data miners (including my ISP) to stay out of my way. For this a public VPN is perfect. Hell, in a weird way, if PIA somehow turned out be a NSA honeypot they would be even better for that purpose since they'd essentially be untouchable by copyright holders.
In general, I guess a personal VPN is more private on a micro level (no VPN provider that can spy on you) but less private on a macro level (any determined actor can trace your DO VPN back to you since you are the only user)
> Does that mean ProtonMail also is no longer trustworthy?
That is, again, for yourself to decide.
Personally I think the Proton company isn't malicious and just really bungled up the launch of ProtonVPN by going at it together with / through TesoNet, and their VPN efforts will forever be tainted by that.
But, that has very little to do with their mail branch, which preceded ProtonVPN and which so far seems a pretty good offering to me if you want your mail to be encrypted-at-rest.
I wouldn't use a VC-backed, for-profit company for anything privacy related. Selling users out behind the scenes to advertisers and TLA's is an easy way to get money. Better to get hosting in a jurisdiction without police-state-style activities, with privacy protections, and/or from a nonprofit or public-benefit organization incentivized to look after users. A for-profit, non-VC company with long history of steady, honest business is also a decent option if you can't find/afford/use safer jurisdictions. Prgmr.com is an example of the last one from what I've observed.
For most VPN companies, you basically have to blindly trust them that they aren't doing anything nefarious. ProtonVPN is different because it's been thoroughly checked and vetted by Mozilla (https://blog.mozilla.org/futurereleases/2018/10/22/testing-n...) and also because there is full transparency regarding who runs the service. You can find the names of the former CERN scientists who created the service, along with their past scientific publications, and things that prove who they are.
AFAIK ProtonVPN’s offering is based on OpenVPN and I just don’t see the benefit of using that protocol when a more modern alternative is available (i.e. Wireguard). The fact that ProtonVPN is located in Switzerland is not a selling point that matters to me, YMMV.
Further reading: https://news.ycombinator.com/item?id=17258203 https://news.ycombinator.com/item?id=17775326
Personally, even if there isn't anything actually shady going on, I would want my VPN provider to be beyond reproach. Any smart VPN provider wouldn't want even tenuous connections to data mining companies. It feels a bit dirt to recommend Private Internet Access since they were the ones who pointed this out on HN, but so far AFAIK they are the only ones that have have been court-tested. Other options would be TorGuard or Mullvad VPN. Mullvad even already supports WireGuard!