It seems there is some mental conflict going in readers between the reality of what ProtonMail does for its customers and their expectations of what kinds of protections a legitimate business can provide.
Both ProtonMail and Apple will challenge subpoenas when they believe they are not valid; however, neither company has the final say in the matter, and both can be compelled to provide access to data that they reasonably have access to. It is up to the user to plan what information they provide to service providers in order to not leave a trail of crumbs, and also to evaluate what kind of man-in-the-middle weaknesses a service might have for the possibility of wiretapping. It should go without saying that linking a phone number or back-up email address can be a pretty large crumb.
The learning here is to recognise that these services can be compelled to provide whatever small information that they have reasonable access to, and that this information may be useful in unmasking an identity.
I suppose the second learning is to elect governments which respect democratic freedoms, even if that puts them on the back foot.
I don't think this is solely the issue that users don't understand that the companies are obliged to provide the data requested by the authorities.
The whole controversy surrounding Proton started when they marketed themselves as "secure and private email", promising they would NEVER give away their users' data, until they did. I had a similar discussion with my friends today about this topic and the issue I have with it is that Proton tries to market itself as an email which will never snitch your data to the authorities. And we've seen countless times (they have provided data to almost 6k requests last year) that this isn't the case.
The problem as I see it is that Proton is not even trying to challenge the requests anymore. It's not like Tuta, who you can read on the news that they keep challenging almost every order they get from the authorities, even if they lose the battle in court: https://techcrunch.com/2020/12/08/german-secure-email-provid...
As I read on a website comparing "private email services", the question here is not whether a service provider will or will not abide by the court requests. It's whether it will do anything to challenge it or just give away the data without questions asked.
And therein lies the problem. We on HN may have a few ideas about how to do this, but the typical user of a secure email/VPN/tor unfortunately doesn’t and realistically can’t understand the corner cases and tricks.
Realistically, even HN users would make enough mistakes.
This is why I'm dubious of these types of products marketing to average consumers.
>I suppose the second learning is to elect governments which respect democratic freedoms, even if that puts them on the back foot.
Democratic freedoms, in the United States at least, protect people from UNREASONABLE search and seizure.
Compelling a third party to reveal information about a customer via a court order is not now, has never been, and will never be until the end of time and space, unreasonable.
The order itself might be unreasonable and should be challenged if so, but the procedure and ability to do so is not and will never be.
I would argue that the second learning is to make it impossible to comply with these subpoenas where possible by making it so the company itself is unable to decrypt it.
Admittedly this is not really an easy solution with something as open as emails, it's possible within corporations but I don't know of a solution between "random" people.
But outside of email and things that have to be unencrypted for interoperability, everything should be encrypted and inaccessible to the company so this situation is impossible.
I think the ship has sailed on the idea of electing people who will actually care about privacy of their citizens.
If Protonmail, and Apple, and Google, and Microsoft and Phone companies, etc., all, in concert, give some parts of the identity -- the total identity can fairly easily be found.
Proton Mail is in the title because it's where they went first, but the actual identification (real name, phone number etc.) seems to come from Apple on request for info related to the address.
In this case the email address was the lead, but I wonder what other info would be enough to get the phone provider to spill the beans. For instance, would an IP address used at a specific time be uniquely identifying if it was VPNed by Apple at that moment?
Or a Google Ad cookie that could get correlated to other devices showing similar behavior (the same way Google tracks households or related accounts)?
While an IP address is not an identity, it can still zero in on a location. I suspect governments and ISPs all keep historical logs of who was assigned what address.
> Proton Mail is in the title because it's where they went first, but the actual identification (real name, phone number etc.) seems to come from Apple on request for info related to the address.
Irrelevant to the point. Proton Mail provided authorities with user data.
I dislike that a website with privacy in the name collides privacy and anonymity. Privacy does not protect you from the state. Privacy is good enough to protect you from the public.
If you are doing battle with or are an enemy of the state, much less an agent of the state acting in bad faith, simple privacy will do nothing for you. Worse, your misunderstanding of it is actually a vector, like in this case. The measures for anonymity you require will not incorporate fancy UIs, nice features, or even reasonable reliability at times, because they will be sacrificed in the name of leaving no trace.
Privacy is also meant to protect you from the state, or more specifically state abuse. It's an essential aspect of privacy.
Like, privacy is also meant to e.g. not disclose topics you have communicated about so that it can't be abused against you. For example, there is a long history of states persecuting people for, idk, being gay, believing in a certain religion or being a journalist who was involved in an unpleasant disclosure.
Still, privacy and anonymity are two tightly related but different things. Mainly, privacy of communication doesn't always imply anonymity, though sometimes it does (and has to!).
Anyway it is foolish and somewhat strange to believe that a legally operating email service will protect you against judge backed lawful orders (no matter if it should be lawful or not).
Handing out metadata isn't even the worst which can happen, e.g. a judge might order them to make copies of unencrypted mails you receive or make copies of unencrypted mails you write or even undermine your encryption the next time you login.
They can try to dispute it, and that alone does reduce abuse potential (if they operate in a place which still can be called a state of law), but in the end, especially for mail, there is just no true privacy and even less anonymity.
Which doesn't mean their service is useless.
Just, if you worry about political prosecution by EU countries, or do crime, it's not protecting you.
You state this distinction as if it's established, but it's not a definition I've personally heard explicitly stated before. If I read the introduction of the Wikipedia article on "privacy", I find the following:
>The right not to be subjected to unsanctioned invasions of privacy by the government, corporations, or individuals is part of many countries' privacy laws, and in some cases, constitutions.
So according to Wikipedia, at least in some cases, privacy is protection against the state. Where does your definition come from?
Privacy protects some things from the state, which is why the western world has the concepts of warrants and such.
But the concept certainly doesn't mean that a business is going to help you cover your tracks in regards to data you've already shared. (in this case, the recovery email address)
If you give out your personal information, commit a crime, and ask that person to help you hide, you're not asking for anonymity, you're asking for an accomplice.
You seem to be confusing privacy with practicality. In practice, nothing is ever secure, nothing is ever private and nothing is ever safe.
What matters here is what Proton promises and advertises to users/potential users vs. what it can actually deliver. I don’t know if Proton is more open about this, but hopefully this isn’t just buried in some long Terms of Service that almost nobody reads.
Your take is just about the opposite of what anybody I know would mean by privacy, which is to protect your information from government actors primarily, for obvious reasons since the government is an actor that seeks out to harm the public.
> Privacy does not protect you from the state. Privacy is good enough to protect you from the public.
While I get what you are saying, that is a little too black and white for the entire field. Privacy can be used to shield whistleblowers from the state.
Yes it's a strangely skewed article focusing on proton, when:
> Once he got it, he asked Apple for information about this second email address, and got its name, home address, and phone number. Afterwards, the Civil Guard also asked the telephone company responsible for the telephone number who was the owner of the line, which matches the name provided by Apple. Also, they say they have found that this person is registered at the same address provided by Apple.
> Use a good VPN service to hide your IP address whenever possible. (Failure to do this is what compromised a Proton Mail user in France who was arrested after police obtained IP logs.)
If your VPN is tied to a payment method then all you've done is give police one extra hop to follow to get at you, which wouldn't have saved this activist. Their list of VPNs only includes Mullvad in position 9 of 10, but as far as I'm aware it's the only one that offers payment methods that preserve your anonymity.
If you're doing low-bandwidth stuff like sending e-mails, TOR (which is of course free) should be your first choice.
But you have to absolutely "air-gap" that from the rest of your identity, such as not making a proton e-mail address over TOR and then using your usual email address as the recovery one.
You are totally wrong. You are assuming that every single VPN is logging everything you do online, every IP address, and every website, and then saving this information for every user. Completely false. Show me a single reputable VPN that does. Show me the real life cases where this has happened. Any good VPN, including Mullvad, is a no-logs VPN, which means activity through the VPN is not recorded and cannot be connected with users. There have been numerous VPNs that have not only been audited to verify this, they have been proven correct in court or real-life tests. Mullvad is a perfect example of this:
Paying for a VPN account does not mean the VPN is going to start logging user activity. Keeping payment records does not equal logging user activity through VPN servers. And most of the big name VPNs allow for crypto payments.
> Under Swiss law, Proton Mail was compelled to collect and provide information on the individual’s IP address to Swiss authorities, who then shared it with French police.
They can claim all the privacy guarantees they want, but unless the privacy is guaranteed by cryptography, it's an empty gesture. Nobody is willing to do prison time to protect your privacy.
> The core of the controversy stems from Proton Mail providing the Spanish police with the recovery email address associated with the Proton Mail account of an individual using the pseudonym ‘Xuxo Rondinaire.’ This individual is suspected of being a member of the Mossos d’Esquadra (Catalonia’s police force) and of using their internal knowledge to assist the Democratic Tsunami movement.
and
> Upon receiving the recovery email from Proton Mail, Spanish authorities further requested Apple to provide additional details linked to that email, leading to the identification of the individual.
Expecting a lawful corporation to shield you from the law is absurd. The state has the right to obtain this information - so, if you want it hidden, you need to find a provider that doesn't operate under the bounds of the law. You'll soon find out that A LOT of niceties go away once you're not dealing with legal matters: you can't guarantee that you'll get the service you paid for, you can't regain access if you lost your main security, etc.
There's a reasonable chance that they already had this info (possibly even cleartext email via an ISP lawful intercept), and the Proton/Apple jig, whilst bad, wasn't as bad as the real source.
Proton Mail can give email content; however, it is encrypted and they do not have the encryption keys.
Anything that is stored by anyone can be handed over. That information may be useful, may be useless or may be useless now and useful tomorrow when they have the key.
Go try to create a ProtonMail account with Tor. It will ask you to confirm your account with a phone number. It skips this if you’re using a non-proxy IP. They want to know who you are, and it’s been this way for years. I think they’ve long been a honeypot.
This is not true - most of the time all you need to do is fill out the captcha. In some cases (when our systems detect something suspicious about your network), we would request an additional email address.
Even in those cases, the email addresses are not tied to your account - we only save a cryptographic hash of your email. Due to the hash functions being one-way, we cannot derive your data back from the hash: https://proton.me/support/human-verification
While we did use phone verification in the past, this is not the case any longer. Phone numbers were stored in the same way as the email addresses, so, again, we have no way to derive them back from the hash.
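The hash-only storage described in the reply above is pseudonymisation rather than anonymisation: a hash of a low-entropy identifier such as an email address cannot be inverted, but any party holding the hash can confirm a candidate address. The following is an added illustration (not Proton's code; the addresses and the pepper are constructed) of that membership check, and of how a keyed hash under a server-held secret limits the check to whoever holds the key.

```python
import hashlib
import hmac

# Constructed sample values (not from the thread): a recovery address as a user
# would type it, and addresses another provider might hold for the same person.
RECOVERY_EMAIL = "Recovery.Example@example.com"
OTHER_PROVIDER_ADDRESSES = [
    "someone.else@example.org",
    "recovery.example@example.com",
    "third.person@example.net",
]


def normalise(email: str) -> bytes:
    """Canonical form before hashing; both sides must apply the same rule."""
    return email.strip().lower().encode("utf-8")


def plain_hash(email: str) -> str:
    """Unkeyed SHA-256 of the address: not invertible, but reproducible by anyone."""
    return hashlib.sha256(normalise(email)).hexdigest()


def confirms_candidate(stored_hash: str, candidate: str) -> bool:
    """Whoever holds stored_hash can confirm a guessed address without inverting it."""
    return hmac.compare_digest(stored_hash, plain_hash(candidate))


def link_to_candidates(stored_hash: str, candidates: list[str]) -> list[str]:
    """Return every candidate whose plain hash equals stored_hash.

    This is the cross-provider linkage the thread discusses, reduced to its
    mechanism: a membership check against known addresses, not a hash inversion.
    """
    return [c for c in candidates if confirms_candidate(stored_hash, c)]


def keyed_hash(email: str, pepper: bytes) -> str:
    """HMAC-SHA256 under a server-side secret (the "pepper"): a candidate can
    only be confirmed by a party that also holds the pepper."""
    return hmac.new(pepper, normalise(email), hashlib.sha256).hexdigest()


def confirms_keyed(stored_hash: str, candidate: str, pepper: bytes) -> bool:
    """Membership check for the keyed scheme; fails without the right pepper."""
    return hmac.compare_digest(stored_hash, keyed_hash(candidate, pepper))


if __name__ == "__main__":
    h = plain_hash(RECOVERY_EMAIL)
    print("plain hash links to:", link_to_candidates(h, OTHER_PROVIDER_ADDRESSES))

    pepper = b"constructed-server-secret"  # constructed; a real pepper is random
    kh = keyed_hash(RECOVERY_EMAIL, pepper)
    print("keyed hash links without pepper:", link_to_candidates(kh, OTHER_PROVIDER_ADDRESSES))
    print("keyed hash confirms with pepper:",
          confirms_keyed(kh, "recovery.example@example.com", pepper))
```

The keyed variant only moves the matching capability to the key holder, who remains subject to the same legal process the thread describes.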
Not surprised at all. Even if it did not start with this intention, one has to suspect that with enough time it will become compromised.
About the only way to even vaguely keep your email private is to use a self hosted server with GPG keys. And any lapse on security updates for that thing and you could be compromised almost immediately.
Beyond that I cannot think of anything more one could do.
I have always treated email as something that travels in the clear. My current provider (Fastmail) is compromised by authority: by the Australian Privacy Act 1988, through being based in Australia, and it gets caught up by PRISM as the servers are run out of New York.
You can create anonymous accounts with Tuta through Tor and they don't ask for a phone number or contact email address. They even made a tutorial video on YouTube a few weeks ago for how to do it: https://youtu.be/oXv3llPIfvo
If you continued using the account only through Tor, there wouldn't be any traceable info.
This is different each time you try it. They may use the exit node's country (I doubt they'd be so naive), some other fingerprinting, or just have a limited number of anonymous accounts to give out each day, which is what cockli does. Sometimes you need a phone number, other times an email address, other times just a CAPTCHA.
Try setting up an email service without these protections and report back to me how well that went. Oh no, you can't, as you won't be able to email anyone, as everyone will mark your emails as spam since you'll be a humongous source of it. Running an email service is like being flypaper for dickheads. Evidence-free accusations of being a "honeypot" are ridiculous.
No shit. People actually do not apprehend that intelligence agencies have the capability, desire and resources to operate legitimate "privacy" services. Why not just roll out the red carpet and let all the sus people walk in?
This case is particularly noteworthy because it involves a series of requests across different jurisdictions and companies, highlighting the complex interplay between technology firms, user privacy, and law enforcement. The requests were made under the guise of anti-terrorism laws, despite the primary activities of the Democratic Tsunami involving protests and roadblocks, which raises questions about the proportionality and justification of such measures.
Proton Mail is pretty good email. I have used it since I decided to de-google as much as possible. That said, I don't consider it truly 'private.' Weird key handling in order to make pgp 'easy,' just email being what it is, and courts and governments being what they are.
I'll continue to use it despite some hyperbole on the site, but as long as my mail isn't being fed to an advertising engine it's a step up.
Why not, seems pretty obvious. If you need an email address and phone number not associated with your real identity it's pretty important the two are totally separate.
This is something that I never understood with their "oh you are safe in Switzerland" bs. If the court presents them w/ a warrant they have to comply. There is no magically safe data haven and it isn't honest to pretend that they are one.
I think this is the same distinction as a phone operator providing the metadata (when, between who, for how long did phone calls happen) but not wiretapping the call itself.
The former has distinctly less legal requirements than the latter, and authorities might be OK with keeping it that way, as metadata is already good enough in most cases.
It depends on the local laws. Not all places can demand that a service provider do an active attack on a user. Of course, many countries have passed such laws and others are planning to.
It wouldn't technically be a MITM attack, they would just capture the incoming email. Tuta was famously forced to do that once by the German authorities.
Yeah, they can just deliver an alternate version of the web client (assuming the target user uses the web interface) -- probably the easiest (or least-detectable) way for ProtonMail to read a user's encrypted email contents.
I hate when companies mislead. They claim email encryption, but the question is how they know the email is suspicious. It means they monitor emails, and obviously Proton Mail is (not) the trusted choice for secure and private communication.
What email was suspicious? From what I can read, Proton provided the Spanish authorities with a recovery email address, which the latter then used to find an associated Apple account.
While I agree this makes Proton unreliable for many things, there's no indication they were reading any emails.
Just to make it clear: Proton is a Swiss company and is not answering any request from Spain directly. Spanish authorities ask Swiss authorities, and if everything is in order Proton HAS to give the data out (or contest it).
I never thought of ProtonMail as a secure-from-state-surveillance provider. Only as a secure-from-civil-surveillance-apparatus provider. A replacement for Gmail, no more than that.
If I wanted to conduct illegal activities I would not use my main account on it, at minimum.
Protonmail is a step up from Gmail/Outlook, but no more than that. You need more layers on top of it.
I use Proton to protect myself from Google, Microsoft, advertisements, tracking, terrible, slow, “too much padding everywhere” UI, my emails/data being sold to 3rd parties, etc. I’m not worried about Proton cooperating with law enforcement agencies to catch criminals.
However.
What if, say, Russia/NK/China wants to catch somebody, some journalist, for speaking truth about their regimes? Or, say, Jason Bourne exposing some IronHand in a "democratic" country like the USA? How can we protect good actors without enabling adversaries to do "bad stuff"? Is it even possible? I still don't know the answer…
There are some serious anti-Proton vibes in this thread, so just my 2 cents as a paying customer: I'm rather happy with their service. I pay them money, they make sure that Joe in Marketing won't be able to harvest data from my emails. I'm also fairly optimistic that they take security seriously enough that the blast radius of some data leak is hopefully very limited.
I have zero delusions however that they can protect me from state agents, let alone state agents with malicious intent. And I don't think it's realistic to expect that for the amount of money they cost. But that's fine with me - it's Joe from Marketing I'm scared about, and so far they seem to do a good job keeping Joe at bay :)
Seconded, happy Proton customer for years since de-Googling my life.
Par for the course at HN to have a "vaguely dislike-ish" relationship with Protonmail. Fastmail is the poster child of HN on the other hand.
I would guess the gist of it is that if you promise _any_ amount of security (or whatever feature), HN will nitpick you to death on not going 100% (despite the general improvement to your security). If you don't promise security at all, it doesn't matter that you're less secure than Proton. Something like that.
I'm a free customer and I am always annoyed by ads in my inbox about other services provided by Proton. I signed up for an email box, I don't care about Proton Drive nor ProtonVPN. I chose Proton specifically because it supposedly had less or no ads at all, but it seems like Gmail continues to be the better choice.
> This individual is suspected of being a member of the Mossos d’Esquadra (Catalonia’s police force) and of using their internal knowledge to assist the Democratic Tsunami movement.
...and...
> The requests were made under the guise of anti-terrorism laws, despite the primary activities of the Democratic Tsunami involving protests and roadblocks, which raises questions about the proportionality and justification of such measures.
As I understand it, Catalonia has long desired independence[1]. Is the Democratic Tsunami movement something different entirely? If not, can someone fill in the blanks of how vying for independence (in this case) gets umbrella'ed under terrorism?
The Democratic Tsunami was/is(?) more of a pure action-based protest group led by an anonymous leader structure. The leaders were/are probably certain leader figures within the independence-seeking community; but that is just speculation on my part.
Its biggest action was probably at the Barcelona Airport in October 2019, a protest a couple of years after the Catalan independence election in October 2017. The election itself was deemed unconstitutional by the Spanish government. The registered voters/turnout of this election was 43.03%; where 92.01% voted for separation from Spain and 7.99% voted to stay within Spain –– see: https://en.wikipedia.org/wiki/2017_Catalan_independence_refe... –– but this was not a normal election by any means (read the link for more).
Typically the ANC –– see: https://en.wikipedia.org/wiki/Assemblea_Nacional_Catalana –– has been the leading organization in the independence movement. They have been organizing big independence rallies etc., and the actions have been peaceful (from what I've read and seen). The Democratic Tsunami based protests were different in this regard, where more direct confrontation was more the norm. From what I have read, Democratic Tsunami is not particularly active at the moment, but of course this might change.
They did extreme protests like road blockages, and some other stuff which the government considered sabotage and so pursued them with anti-terrorist legislation.
Also some members were arrested apparently planning even more extreme things.
The IRA and ETA were vying for independence too...
That said, I think it's crazy how much time the government wastes on this when the cities are full of petty criminals acting with impunity. Someone was stabbed to death outside my apartment just in a robbery and yet nothing changes.
Independence is a political goal. Terrorism is a means to achieve political goals. (Though I don't think it has a good track record of being successful at that.) It's not that unusual for people to combine the two and plan terrorist attacks against the state they want to be independent from. (In this case it appears the investigation concerns a suspected attack plot targeting the Spanish king.)
I understand that no person or company is above the law and that the user should have used a VPN or Tor, but I find it funny that Proton promotes itself as a private provider which does not give out user information when it can log any type of user information and give it to the authorities. It is certainly not a private service.
OK, I think I grokked this. You might think that a Greco-Nipponese name for this organization poorly conveys Catalan nationalist pride. But in fact it quite effectively says "anything but Spanish". That's almost certainly the gag.
It is 2024 and there are still people who cling to the idea there can be privacy with email, so much so they are willing to be parted with their money for the "privilege". I really cannot imagine a more diametrically opposed schism in privacy threat modeling.
Quite interesting how the Spanish authorities got the recovery email: (from a link in the article)
> In the police cooperation form requesting the information, the Spanish officers indicate to the Swiss authorities that the investigation is for the crime of terrorism.
Email is not private, and can't be made so. Email is my preferred communications channel, but I treat it as I would a mailing list or comment forum; it's almost completely unlike whispering to someone in the middle of an empty field.
quitit|1 year ago
xinayder|1 year ago
wepple|1 year ago
snakeyjake|1 year ago
dcist|1 year ago
dennis_jeeves2|1 year ago
This will _never_ happen. It's the human condition....
nerdjon|1 year ago
nthb3kk|1 year ago
makeitdouble|1 year ago
fbdab103|1 year ago
RachelF|1 year ago
lkdfjlkdfjlg|1 year ago
oooyay|1 year ago
dathinab|1 year ago
lancebeet|1 year ago
kube-system|1 year ago
newscracker|1 year ago
What matters here is what Proton promises and advertises to users/potential users vs. what it can actually deliver. I don’t know if Proton is more open about this, but hopefully this isn’t just buried in some long Terms of Service that almost nobody reads.
betaby|1 year ago
Public doesn't care mostly. Governments on the other hand...
mogiddy55|1 year ago
You got a few days of Tor on each device; then they need to burn.
I really don't know what more you can do beyond making your own chat client. Internet is not a place for revolution.
VelesDude|1 year ago
While I get what you are saying, that is a little too black and white for the entire field. Privacy can be used to shield whistleblowers from the state.
politelemon|1 year ago
> Once he got it, he asked Apple for information about this second email address, and got its name, home address, and phone number. Afterwards, the Civil Guard also asked the telephone company responsible for the telephone number who was the owner of the line, which matches the name provided by Apple. Also, they say they have found that this person is registered at the same address provided by Apple.
lolinder|1 year ago
If your VPN is tied to a payment method then all you've done is give police one extra hop to follow to get at you, which wouldn't have saved this activist. Their list of VPNs only includes Mullvad in position 9 of 10, but as far as I'm aware it's the only one that offers payment methods that preserve your anonymity.
red_admiral|1 year ago
But you have to absolutely "air-gap" that from the rest of your identity, such as not making a Proton e-mail address over Tor and then using your usual email address as the recovery one.
ApolloFortyNine|1 year ago
Most claim they don't. PIA even was subpoenaed at least once and responded that they don't have logs.
Dylan16807|1 year ago
How are police going to find me behind that hop?
detlef64|1 year ago
https://restoreprivacy.com/mullvad-vpn-says-customer-data-is...
Paying for a VPN account does not mean the VPN is going to start logging user activity. Keeping payment records does not equal logging user activity through VPN servers. And most of the big name VPNs allow for crypto payments.
unknown|1 year ago
[deleted]
lordofgibbons|1 year ago
> Under Swiss law, Proton Mail was compelled to collect and provide information on the individual’s IP address to Swiss authorities, who then shared it with French police.
They can claim all the privacy guarantees they want, but unless the privacy is guaranteed by cryptography, it's an empty gesture. Nobody is willing to do prison time to protect your privacy.
weikju|1 year ago
No, that was last year's issue.
This time it's:
> The core of the controversy stems from Proton Mail providing the Spanish police with the recovery email address associated with the Proton Mail account of an individual using the pseudonym ‘Xuxo Rondinaire.’ This individual is suspected of being a member of the Mossos d’Esquadra (Catalonia’s police force) and of using their internal knowledge to assist the Democratic Tsunami movement.
and
> Upon receiving the recovery email from Proton Mail, Spanish authorities further requested Apple to provide additional details linked to that email, leading to the identification of the individual.
nabla9|1 year ago
Email content is encrypted and Proton Mail has no access.
wepple|1 year ago
There’s a reasonable chance that they already had this info (possibly even cleartext email via an ISP lawful intercept), and the Proton/Apple jig, whilst bad, wasn’t as bad as the real source.
nabla9|1 year ago
That's the strictest privacy policy any company can hope for.
Proton Mail can't give email content, only things like email address, IP addresses, etc.
blitzar|1 year ago
Anything that is stored by anyone can be handed over. That information may be useful, may be useless or may be useless now and useful tomorrow when they have the key.
protonmail|1 year ago
While we did use phone verification in the past, this is not the case any longer. Phone numbers were stored in the same way as the email addresses, so, again, we have no way to derive them back from the hash.
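The post above describes storing recovery addresses and phone numbers as hashes. The following added example (not Proton's code; the identifiers and the pepper are constructed sample values) illustrates what such a hash does and does not protect: a digest cannot be turned back into the identifier, but an unkeyed digest of a low-entropy value can be matched by anyone who already holds a candidate, whereas a keyed digest (HMAC with a server-held secret) can only be matched by whoever holds that key.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed sample values for the demo; not real recovery data.
RECOVERY_EMAIL = "alice.example@example.net"
RECOVERY_PHONE = "+41000001234"


def normalize(identifier: str) -> str:
    """Canonicalise before hashing so one identifier always maps to one digest."""
    return identifier.strip().lower()


def unkeyed_digest(identifier: str) -> str:
    """Plain SHA-256 of the identifier. Anyone can recompute it from a candidate."""
    return hashlib.sha256(normalize(identifier).encode()).hexdigest()


def keyed_digest(identifier: str, pepper: bytes) -> str:
    """HMAC-SHA-256 with a server-held secret ("pepper").

    Only a party holding the pepper can recompute the digest for a candidate.
    """
    return hmac.new(pepper, normalize(identifier).encode(), hashlib.sha256).hexdigest()


def matches(stored_digest: str, candidate: str, pepper: Optional[bytes] = None) -> bool:
    """Verify a candidate against a stored digest, as a recovery flow would.

    Uses a constant-time comparison so the check does not leak via timing.
    """
    computed = keyed_digest(candidate, pepper) if pepper else unkeyed_digest(candidate)
    return hmac.compare_digest(stored_digest, computed)


def find_in_candidates(stored_digest: str, candidates: Iterable[str],
                       pepper: Optional[bytes] = None) -> Optional[str]:
    """Return the candidate whose digest equals stored_digest, or None.

    This is the operation a hash of a low-entropy identifier does NOT prevent:
    it needs no "reversal" of the hash, only a candidate and the same hashing
    recipe. With a keyed digest the recipe includes the pepper, so a third
    party without it gets no match.
    """
    for candidate in candidates:
        if matches(stored_digest, candidate, pepper):
            return candidate
    return None


def demo() -> dict:
    """Compare the two storage schemes against a short constructed candidate list."""
    pepper = os.urandom(32)  # in production this would live in a KMS or HSM, never beside the data
    stored_plain = unkeyed_digest(RECOVERY_EMAIL)
    stored_keyed = keyed_digest(RECOVERY_EMAIL, pepper)
    candidates = ["bob@example.org", "Alice.Example@example.net", "carol@example.com"]
    return {
        # unkeyed: the normalised candidate matches even though the digest was never "reversed"
        "plain_match": find_in_candidates(stored_plain, candidates),
        # keyed, checked by a party without the pepper: no match possible
        "keyed_match_without_pepper": find_in_candidates(stored_keyed, candidates),
        # keyed, checked by the key holder (the service itself): match succeeds
        "keyed_match_with_pepper": find_in_candidates(stored_keyed, candidates, pepper),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The practical reading of this for a service operator: hashing recovery identifiers limits what a bulk copy of the database reveals, but it is the secret pepper (and who holds it) that decides whether a party presenting a specific candidate address can confirm it belongs to an account.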
tremarley|1 year ago
Unfortunately, it can and has been abused.
VelesDude|1 year ago
About the only way to even vaguely keep your email private is to use a self-hosted server with GPG keys. And any lapse in security updates for that thing and you could be compromised almost immediately.
Beyond that I cannot think of anything more one could do.
I have always treated email as something that travels in the clear. My current provider (Fastmail) is compromised by authority: by the Australian Privacy Act 1988 through being based in Australia, and it gets caught up by PRISM as the servers are run out of New York.
BobFromEnzyte|1 year ago
If you continued using the account only through Tor, there wouldn't be any traceable info.
dheera|1 year ago
Get one from your neighborhood coffee shop Wi-Fi, and pay cash for your coffee.
ementally|1 year ago
https://www.forbes.com/sites/thomasbrewster/2023/08/08/proto...
Archive: https://web.archive.org/web/20230814144638/https://www.forbe...
mrmetanoia|1 year ago
I'll continue to use it despite some hyperbole on the site, but as long as my mail isn't being fed to an advertising engine it's a step up.
gertop|1 year ago
Yup, until they receive a court order asking them to MITM an inbox, if they haven't already...
This entire system of "receive email in clear text but store it encrypted at rest" is smoke and shadows, really.
makeitdouble|1 year ago
The former has distinctly fewer legal requirements than the latter, and authorities might be OK with keeping it that way, as metadata is already good enough in most cases.
upofadown|1 year ago
It wouldn't technically be a MITM attack, they would just capture the incoming email. Tuta was famously forced to do that once by the German authorities.
NicuCalcea|1 year ago
While I agree this makes Proton unreliable for many things, there's no indication they were reading any emails.
snvzz|1 year ago
0. https://en.wikipedia.org/wiki/Dark_Mail_Alliance#DIME
fifteen1506|1 year ago
If I wanted to conduct illegal activities I would not use my main account on it, at minimum.
Protonmail is a step up from Gmail/Outlook, but no more than that. You need more layers on top of it.
beretguy|1 year ago
However.
What if, say, Russia/NK/China wants to catch some journalist for speaking the truth about their regimes? Or, say, Jason Bourne exposing some IronHand in a “democratic” country like the USA? How can we protect good actors without enabling adversaries to do “bad stuff”? Is it even possible? I still don’t know the answer…
Shacklz|1 year ago
I have zero delusions however that they can protect me from state agents, let alone state agents with malicious intent. And I don't think it's realistic to expect that for the amount of money they cost. But that's fine with me - it's Joe from Marketing I'm scared about, and so far they seem to do a good job keeping Joe at bay :)
sevagh|1 year ago
Par for the course at HN to have a "vaguely dislike-ish" relationship with Protonmail. Fastmail is the poster child of HN on the other hand.
I would guess the gist of it is that if you promise _any_ amount of security (or whatever feature), HN will nitpick you to death on not going 100% (despite the general improvement to your security). If you don't promise security at all, it doesn't matter that you're less secure than Proton. Something like that.
felsokning|1 year ago
...and...
> The requests were made under the guise of anti-terrorism laws, despite the primary activities of the Democratic Tsunami involving protests and roadblocks, which raises questions about the proportionality and justification of such measures.
As I understand it, Catalonia has long desired for independence[1]. Is the Democratic Tsunami movement something different, entirely? If not, can someone fill-in the blanks of how vying for independence (in this case) gets umbrella'ed under terrorism?
[1] - https://en.wikipedia.org/wiki/Catalan_independence_movement
Edit: Accidental caps-lock on a word. My bad.
wolfhumble|1 year ago
Its biggest action was probably at the Barcelona Airport in October 2019, a protest a couple of years after the Catalan independence election in October 2017. The election itself was deemed unconstitutional by the Spanish government. The registered voters/turnout of this election was 43.03%, where 92.01% voted for separation from Spain and 7.99% voted to stay within Spain (see: https://en.wikipedia.org/wiki/2017_Catalan_independence_refe...), but this was not a normal election by any means (read the link for more).
Typically the ANC (see: https://en.wikipedia.org/wiki/Assemblea_Nacional_Catalana) has been the leading organization in the independence movement. They have been organizing big independence rallies etc., and the actions have been peaceful (from what I've read and seen). The Democratic Tsunami-based protests were different in this regard, where more direct confrontation was more the norm. From what I have read, Democratic Tsunami is not particularly active at the moment, but of course this might change.
GardenLetter27|1 year ago
Also some members were arrested apparently planning even more extreme things.
The IRA and ETA were vying for independence too...
That said, I think it's crazy how much time the government wastes on this when the cities are full of petty criminals acting with impunity. Someone was stabbed to death outside my apartment just in a robbery and yet nothing changes.
kazinator|1 year ago
OK, I think I grokked this. You might think that a Greco-Nipponese name for this organization poorly conveys Catalan nationalist pride. But in fact it quite effectively says "anything but Spanish". That's almost certainly the gag.
i8comments|1 year ago
It is not up to corporations to decide which laws should be enforced, and this again shows how futile this specific kind of corporate resistance is.
Just change the law.
nairboon|1 year ago
> In the police cooperation form requesting the information, the Spanish officers indicate to the Swiss authorities that the investigation is for the crime of terrorism.
jamesholden|1 year ago
What if my recovery email is another Proton Mail account? What if the VPN I used is Proton VPN?