Clarifying ProtonMail and Huawei

210 points| gavingmiller | 6 years ago |protonmail.com

64 comments

dewey|6 years ago

Looks like Bloomberg is doing the same as with the "implant" rumors and Supermicro a few months ago.

Gruber has a very nice disclaimer at the bottom of posts mentioning Bloomberg now:

"Bloomberg, of course, is the publication that published “The Big Hack” last October — a sensational story alleging that data centers of Apple, Amazon, and dozens of other companies were compromised by China’s intelligence services. The story presented no confirmable evidence at all, was vehemently denied by all companies involved, has not been confirmed by a single other publication (despite much effort to do so), and has been largely discredited by one of Bloomberg’s own sources. By all appearances “The Big Hack” was complete bullshit. Yet Bloomberg has issued no correction or retraction, and seemingly hopes we’ll all just forget about it. I say we do not just forget about it. Bloomberg’s institutional credibility is severely damaged, and everything they publish should be treated with skepticism until they retract the story or provide evidence that it was true."

https://daringfireball.net/linked/2019/09/05/gurman-touch-id

mar77i|6 years ago

As is common with stories like this, people will see the Bloomberg story and not see the correction issued by ProtonMail. The harm is done, and ProtonMail is likely going to miss out on subscriptions because of Bloomberg's irresponsible publication. This tendency likely holds true even if Bloomberg were publishing the correction themselves, as it has been observed time and time again.

If you apply for a writer's job at Bloomberg or many of these media companies, people will ask you if you have a following on Twitter, Facebook and the like with which you can share content you write so that your employment poses a smaller risk to your new employer than someone with little to no following. That in itself might just make writers statistically more loyal to big tech than really necessary.

Barrin92|6 years ago

I'm still completely astonished by how little attention this got and that Bloomberg has never been forced through public pressure to offer a correction. It's bizarre given how large the story was when it first broke.

jwr|6 years ago

Thanks for reminding me about this. I really don't know why people take Bloomberg seriously after "The Big Hack" article. From my point of view, they lost all credibility and I no longer believe what they write.

mar77i|6 years ago

It's as if they wanted to make PM look bad so that customers would rather opt for an Email provider that the NSA can spy on...

MaupitiBlue|6 years ago

SuperMicro didn’t sue Bloomberg. That should be a huge clue about the accuracy of the original article.

uallo|6 years ago

I wonder why ProtonMail is getting so much negative press. They are releasing articles like that to clarify "the truth" on a regular basis. Even here on HackerNews, there are so many negative voices repeating the same things over and over again. Even and especially those that (seem to) have been rectified by ProtonMail. Usually, the people here seem to be neutral and fact-based, but as soon as ProtonMail is involved many are getting wild.

While I have an inactive account at PM, I'm not involved with them in any way. This is just an observation that I have made over the recent years.

rshnotsecure|6 years ago

That article does not clarify anything. I want to provide a link. It is nothing but thousands of words saying they aren’t partnering by putting an app in Huawei App Store.

For years companies used to provide all sorts of incentives to put apps in their store. It benefits them highly.

This is ridiculous: https://protonmail.com/blog/clarifying-protonmail-and-huawei...

ztjio|6 years ago

As if I needed more evidence that Bloomberg is below 0 on the credibility scale. They are officially a tabloid to me now.

icu|6 years ago

I still find it useful to read mainstream media, even 'free' publications like Metro and the Evening Standard in London. What I do is not read them for news per se, but a sort of high level scan of what the publication's bias is. What narratives are being pushed? How has the publication ordered, or prominently displayed articles? What news is completely omitted?

For example, no mainstream media outlet in the UK covers Al Quds day in London (absolutely nothing about this on the BBC or print media). The facts on the ground at the most recent (and previous) marches are that there are a lot of Hezbollah flags flown.

Another example is the BBC’s treatment of Brexit on three flagship panel shows, Question Time, Politics Live and Any Questions where Remain commentators outnumber Brexit commentators 3 to 1.

In this instance, Bloomberg seems to be wanting to push the 'Huawei is spying on you' narrative as well as the 'Proton Mail isn't secure' narrative.

Make what you will of the points above, maybe they mean something, maybe they don't. I just keep an open mind, try to think for myself, see things from different perspectives, and do my best not to fall for my own cognitive biases.

I still use Proton Mail, and I trust their service more than GMail (I migrated from GMail to Proton Mail), but it's a nice reminder not to trust any corporation too much or get complacent with security. I really don't feel like rolling my own encrypted email solution so the question is, "Who am I willing to trust the solution to?" Ultimately I'm accountable to myself.

As for media bias, sometimes it is blatant, most times however I find it subtle. Either way it is pervasive. Unless you are scanning for it, I imagine it is incredibly easy not to think for yourself.

stakhanov|6 years ago

At the risk of making myself a punching-bag for downvoting, here.

Bloomberg is a source that investors and traders trust with getting them some level of access to the rumour mill (in the spirit of the saying that exists among traders that goes "buy the rumour, sell the news"). The problem here is that, fact or fiction, rumours affect the financial markets, and not knowing about them puts a market participant at a disadvantage.

The article starts by saying in indicative mood "ProtonMail is in talks with Huawei Technologies Co. about including its encrypted email service in future mobile devices [...]" ...I don't really see a problem with that part of the statement since they were indeed in talks of some kind, and there's a certain bandwidth of what "including" could mean. It could just mean "making available through Huawei AppGallery", so there is nothing wrong with using indicative mood here.

In the second paragraph, the article switches the modality and says "The Swiss company’s service COULD come preloaded ..." Now, it could of course be the case, as people are alleging, that they just completely made that shit up and MANUFACTURED a rumour. But it could also be the case that they were reflecting a rumour that was already out there and sufficiently widespread that they thought that investors and traders should know about it. They used subjunctive mood using the auxiliary verb COULD to signal that there was something going on here about the modality of the statement.

ProtonMail speculated that a misunderstanding of their earlier announcement must have been the basis of Bloomberg's article. But I guess we'll never find out if that was indeed so.

ProtonMail clarified their earlier announcement and took issue with the word "partnership" being used to describe their relationship with Huawei, but, interestingly, they did not come flat out to respond to these assertions. For example, they did not say that preloading was not a topic that was discussed.

Now, it stands to reason that preloading would amount to Huawei handing a huge chunk of marketshare to ProtonMail, and then it's up to users to make up their minds about the likelihood of Huawei asking for quid-pro-quo and ProtonMail's response.

Rather than there being no basis at all for the Bloomberg article, another scenario could be that ProtonMail saw that making-up-of-minds play out on social media in response to the Bloomberg article and decided to do a one-eighty on that as a result.

...I guess we'll never know.

SpicyLemonZest|6 years ago

It's inconceivable that a manufacturer would preload an app without some kind of discussion of the app's content, and I think it's reasonable to be afraid of even a non-explicit quid pro quo from Huawei. If ProtonMail-on-Huawei is using so much as a new logging library because Huawei said the old one is insecure, I want to know about that.

jjtheblunt|6 years ago

upvote for citing indicative and subjunctive.

sessy|6 years ago

It's a recurring theme: Media outlets publish whatever they 'want' to believe with little due diligence and the product makers have to scramble to put up clarifiers.

ttraub|6 years ago

Media outlets certainly do that, but can't product makers sue them for damages, when they publish false information that can tank a stock or kill a company's sales?

zenlot|6 years ago

I'd be more interested in their clarification on NordVPN, ProtonMail/VPN and the data gathering agency Tesonet.

dewey|6 years ago

Do you have a link?

t0astbread|6 years ago

Does an F-Droid release mean Proton will finally remove their GSF dependencies?

protonmail|6 years ago

That is indeed the plan, although there may be issues with battery life that we need to resolve first.

turc1656|6 years ago

I'd like to point out one thing. The people at ProtonMail are clearly under the belief that they are only subject to Swiss law because they are located in Switzerland. That's not my understanding of the law at all. Granted, it seems like an obvious conclusion but legally the truth seems to be different.

For instance, at my employer we had training on the GDPR rules and how they relate to us. We are a US based company with many global clients. However, we do have a physical presence in some EU countries, so that does differ from the ProtonMail situation. However, in our training we were told that our business presence in the EU is irrelevant to the actual law because we would still be bound by it as it relates to our global clients. The layman's explanation we were given was that if you are using the internet to conduct digital business across country borders then you are pretty much subject to the laws of both nations between the client and the service provider.

That generally translates to defaulting to whichever law is more restrictive. For companies like Facebook and Google, they've rolled out GDPR style protections for everyone globally because it's much easier to do so than to only have it apply to a portion of their users, but that's a separate story.

I think everyone intuitively understands and knows this to be true. We can all think of cases where hackers have committed crimes that may only violate, for example, US laws and have been tried and convicted of such crimes even though they were committed overseas but the aggrieved party is the US or its citizens.

I think what ProtonMail is really saying is that because Switzerland doesn't have laws similar to China in this regard, China won't be able to convince Switzerland to extradite them to China for prosecution.

That's also why Russia threatened to ban them - because they know there is zero chance they will be willingly handed over to Russian authorities for this.

vorpalhex|6 years ago

Not all countries handle international law violations the same. ProtonMail makes this clear in the above explanation - other foreign countries are welcome to make claims, but they must do so under Swiss law and Swiss courts. Swiss law, afaik, does not allow the Russians to simply claim all user records.

pkilgore|6 years ago

> The people at ProtonMail are clearly under the belief that they are only subject to Swiss law because they are located in Switzerland.

What led you to believe this is so clear?

Mbaqanga|6 years ago

Well that's kind of dramatically different than how the press is portraying it.

humble_engineer|6 years ago

I was a gmail user a few months ago and I switched my entire life over to protonmail because I didn't want to contribute to Google. I would have to say the most frustrating part of the switch is the somewhat perplexed look I get from people when they ask why I don't have gmail, they have to learn to spell proton, fascinating. I would imagine we will see quite a few hit pieces against protonmail in the coming years, and likely other email providers as more and more people make the switch to a service that markets privacy.

dvdkon|6 years ago

Are email addresses on private domains not a thing where you're from?

Scarbutt|6 years ago

You can give myemail@pm.me instead of myemail@protonmail.com

scoobyyabbadoo|6 years ago

I don't understand why people ever believed Protonmail's privacy claims to begin with? Not that I have reason to doubt them either, but their security seems nothing more than an unverified promise? I'm skeptical of my privacy protection coming from small companies that could easily be bought outright by governmental or political groups.

xgapp|6 years ago

By posting this you're practically caving to the mass media. In the long term, it's best for everybody that you ignore them. Never pay the ransom or they will become more powerful.

bovermyer|6 years ago

What are you talking about? Did you even read the article?

paulcarroty|6 years ago

This article sounds like a suspicious excuse, really. I don't want to touch any device/service affiliated with Huawei/Chinese intelligence.

Is there any good & reputable replacement for ProtonMail?

scoobyyabbadoo|6 years ago

Why was protonmail ever considered good or reputable?

rshnotsecure|6 years ago

ProtonMail does not support Yubikeys. I would like to ask all of HN to think seriously about this and what this means. ProtonMail does many things exactly right. This 1 oversight suggests something very very scary going on at the organization.

HN does not allow you to delete comments. I would ask that if you think that not having Yubikeys does not require a significant and immediate answer from the ProtonMail team, to sign your name (I will) at the bottom of your response. If you can’t do that, perhaps provide a burner email address.

Dan Ehrlich

dan@ehrlichserver.com

CISSP, CCSP, CISM

EDIT: spacing between my signature, change of comment to commentS

uallo|6 years ago

Can you elaborate why not supporting Yubikeys (yet) "suggests something very very scary going on at the organization"?

clairity|6 years ago

you're getting no traction with your argument because you're grossly overreaching with it.

not having yubikey support is obviously not "very very scary" since most people (even on hn) don't have yubikeys and we don't run around with our tails between our legs.

many reasons can lead to not supporting yubikey yet, including the simplest, which is that it's lower on the priority list for a resource-constrained organization. or another likely explanation: yubikey has unsolved ux issues that keep it a niche product (for now), so demand simply isn't there.

this seems to be an important issue for you, so if you want to effect change, then you need to come across as well-reasoned, not fud-filled. (edit: and don't let perfect be the enemy of good.)

rossmohax|6 years ago

I'd prefer to see them spending time on polishing their mobile app, which is lacking in UX in important areas. For instance, offline access to received but not yet opened emails simply doesn't work. There is a (mis)feature where email bodies are downloaded only on notification, but in my case emails remain unavailable offline and Protonmail support was unhelpful.

But even if email-via-notification worked, it is still pretty much unusable. My use case is to get to wifi, download emails and get offline, but with Proton mail I'd have to be super careful not to have my app open when enabling the connection to wifi, otherwise it instantly downloads all headers and shows no notification, because the app is in the foreground; after that there is simply no way to download message bodies other than opening them one by one in all folders. Surprisingly, support saw no problem with this UX either.

doesnt_know|6 years ago

This comment comes across as particularly callous. They are saying a part of why they may support the Huawei app store is to continue to provide access to the app to those in developing countries, and your response is to say you'd prefer them spend time on your personal UX pet peeve...

another-dave|6 years ago

As a counter, I wouldn't prefer that — yes, there are UX improvements to be made to both the app and the Web UI, but I think multiple distribution channels are welcome.

Ideally, pushing the APK to multiple distribution channels is mostly a one-time job to integrate with their build and deploy pipelines and then it's relatively business-as-usual, so I would imagine it won't take away a lot from development effort in other places once up & running.

As a non-Google Play user, I'm installing via Aptoide (a platform I don't _really_ trust yet) and relying on signatures to validate that the package is valid. Any moves by ProtonMail to offer '1st party' distributions (e.g. F-Droid) are really welcome.

Fnoord|6 years ago

I'd prefer WireGuard support.

But I guess there just is not enough demand for that.