Tell HN: Protonmail is no longer private, sharing user info with US authorities

83 points by hammock ↗ HN
ProtonMail is in cooperation with authorities.

ProtonMail, which claims to be a "secure e-mail service from Switzerland," supplies user data to security authorities. User data also goes to law enforcement agencies in the USA, as a current case shows.

The proceedings concern threats against, among others, the well-known immunologist Anthony Fauci. In a series of emails, the sender threatened, among other things, to kill Fauci and his family.

As the U.S. Department of Justice writes, the defendant used "an email account from a provider of secure, encrypted email services based in Switzerland."

According to the corresponding affidavit, this email service was ProtonMail. The relevant emails end accordingly with "Sent with ProtonMail Secure Email".

On the basis of data from ProtonMail, which was sent to the USA by way of legal assistance, it emerged that the defendant had used several user accounts at ProtonMail.

According to his own statements, the accused had switched to ProtonMail because he believed he was protected by Swiss data protection law and end-to-end encryption. Nevertheless, the sender could be identified in the interaction of data from ProtonMail as well as other online services.

https://steigerlegal.ch/2021/08/02/protonmail-daten-usa/

https://www.justice.gov/usao-md/press-release/file/1416926/download

50 comments

[ 6.4 ms ] story [ 80.6 ms ] thread
Before we pull the panic trigger, based on the justice.gov link you provided (because I cannot read German nor do I feel like putting it through a translator) all Protonmail appears to have provided was the registration date of the account in question. The defendant apparently emailed himself his passwords to several accounts including the offending Protonmail account.
Pull the trigger because Protonmail‘s CEO said that they would leave Austria before cooperating with any agencies. They are still in Austria so they have to corporate through the BÜPF.
At the end of the day Protonmail itself is a company and they have to follow some rules to keep their operations running. If you look at their transparency report you'll see that they have been complying with government request, both local and international since 2017 https://protonmail.com/blog/transparency-report/
What you are saying is (of course) correct. But that makes the posturing / marketing of Protonmail no less deceptive if not outright dishonest.

It can indeed be (cynically) argued that Protonmail is just a company like any other, which will just say / claim whatever it thinks it has to, to find itself a slice of the market and make a buck.

Nonetheless and even while that might actually be the case (I'm not sure), in "the good old days" (/sarcasm) citizens still had something like tar and feathers to deal with dishonest business practices. I wonder what do citizens / consumers actually have these days? Please don't respond with: "voting with our feet", because that is not how things work with deceptive marketing.

Why are you refering to Austria?
You mean Switzerland, BÜPF is a law in Switzerland.
Protonmail is practically a honey pot. Can't sign up without leaking some kind of info like a cellphone number or an email, you know, to prove you're a human or whatever the justification is.
And ReCaptcha to verify accounts on a "private" service? Really?
It's actually a hcaptcha: https://i.imgur.com/JcStn1t.png

Also parent post about "requiring a phone number" or "giving them another email" is incorrect, you can choose to supply one if you want.

Not everyone on the internet has a requirement on being anonymous, so it makes perfect sense.

On a side note, you can fill out a captcha and remain anonymous, also they also have a v3 .onion unlike a lot of providers: https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7...

They must have changed it recently. That's good to hear.
(comment deleted)
What do people expect? To break national and international law and expect law enforcement to simply give up? Nothing on the Internet is untraceable if there is enough infrastructure for surveillance. You can hide under layers, but those layers can be peeled back too. Powerful nation states are not going to simply stand by and allow perfect anonymity on the Internet, now that it has become a critical part of daily life.
Are we really against preventing serious crimes against public figures? Is that what freedom and privacy is about?

I mean I get the possibility of slippery slope, and I get what protonmail is saying about their service, but come on. This is a death threat on a public figure and his family. Nobody should be protected to do that. Categorical imperative y'all?

Today you are not allowed to want to kill somebody. Tomorrow you are not allowed to be of Jewish decent.

How can we prevent the second Holocaust?

Refusing to reduce things to dualisms and binaries is a pretty well understood path to tolerance.
You're joking, of course. I suppose the downmods are because it's a slightly distasteful joke.
Does it really matter that it's a public figure, would you come to a different conclusion if they only threatened to murder a "normal person"?
Well, yes, sort of. Threatening to murder a public figure (or worse, murdering) is terrorism in the way that it discourages others to become public figures. Which in turn gnaws on a certain foundation of democracy, which is that everyone should be able to hold public office without fear of violence.

If we don't protect that foundation, only the people whose supporters are doing the threatening will eventually hold public office.

In most cases, death threats are done by someone who the victim already knows and the detectives surely have many other trails to follow than snooping on private communications?
Any legal business will cooperate with authorities. You should always assume that to be true by default.

Don't want the authorities to know what you're doing? Use illegal services if you can find them or better yet, do everything yourself.

From https://www.justice.gov/usao-md/press-release/file/1416926/d...:

> Pursuant to legal process, agents discovered that naturtheateralhena@protonmail.com was linked, for verification purposes, to the creator of the similar Instagram username “Naturtheater Alhena.” Additionally, the Instagram account was created on May 14, 2020, from an Internet Protocol (“IP”) address that was associated since April 17, 2014, to a property rented by CONNALLY from April 16, 2020, through June 1, 2020, which includes the date when the “Naturtheater Alhena” Instagram account was created

It seems the linkage to IG is what provides more info about the accused.

Also that ProtonMail account is used to send emails to a mail.com account (which is unencrypted, and that account seems to be owned by the accused too).

Edit: Typo

I use ProtonMail so that Google or other marketers can't scan my emails.

If you think any of your correspondence on the clear web is protected from US authorities you've been sleeping under a rock the past decade or so

This has never been a secret or am I missing something ? https://protonmail.com/law-enforcement

Protonmail's claim is that their emails are end to end encrypted and that they won't sell your data to advertisers nor answer random government requests. They have always told they are going to collaborate in cases of serious crimes.

I haven’t really got a problem with targeted surveillance of specific suspects, under a warrant or other judicial order.

Indiscriminate mass-surveillance without oversight is the hill to die on, not this.

What if you use the .ch Protonmail? The law enforcement does not apply, right?
Unfortunately I don’t have enough karma to downvote this post that’s just spreading FUD.

This is not the first time ProtonMail cooperates with authorities by putting probes on specific accounts, and won’t be the last time even.

ProtonMail works “perfectly” when used with E2E PGP encrypted communication, but when you send/receive messages to external addresses in clear text, well...

> spreading FUD

> ProtonMail cooperates with authorities by putting probes on specific accounts

Well, this is new information for me in it's own right.

Honestly, it is very much phrased in a way suggesting FUD to me, or at the very least deliberately "misleading".

>On the basis of data from ProtonMail, which was sent to the USA by way of legal assistance, it emerged that the defendant had used several user accounts at ProtonMail.

This outright goes out off it's way to avoid saying that the Swiss lawfully requested data from ProtonMail under Swiss law and passed it along to US law enforcement, most likely as a result of a Mutual Legal Assistance Treaty [1]. The sentence attempts to make it sound like ProtonMail directly supplied the USA with data.

>According to the corresponding affidavit, this email service was ProtonMail. The relevant emails end accordingly with "Sent with ProtonMail Secure Email".

This makes it sound like ProtonMail passed along the emails. ProtonMail themselves say they did not. Instead the emails were obtained from other email services that had received the emails.

You yourself write

>ProtonMail cooperates with authorities by putting probes on specific accounts

The term "putting probes" would suggest to me they installed some kind of additional surveillance for specific accounts. There is nothing to suggest ProtonMail put/puts "probes" on users. All they did, they say, was query their existing customer database, and all they really did deliver to the US (or rather the Swiss, who then passed it on to the US) was "This account was created on this date", but nothing else.

[1] https://en.wikipedia.org/wiki/Mutual_legal_assistance_treaty

No longer? How Protonmail could be considered private if their servers have to operate with unencrypted emails from other servers? That's how the mail system works.

Though, I'm actually glad that stupid criminals fall for this "marketing".

Andy Yen (Founder/CEO @ProtonMail & @ProtonVPN):

"A lot of incorrect information out there regarding @ProtonMail and alleged cooperation with US authorities. Some clarifications:

1) ProtonMail does not give data to US authorities. That's illegal under article 271 of the Swiss Criminal Code

2) ProtonMail only complies with legally binding orders from Swiss authorities. This means that the legal standard is that Swiss law is broken (not US law or any other law)

3) In the case with Fauci, the Swiss government opted to assist US authorities in their investigation as Swiss law was also broken (sending death threats is highly illegal)

4) The only information obtained from ProtonMail was the date that the account was created, as that was all that was available.

5) Under no circumstances can the encryption be bypassed.

Please don't use ProtonMail to break Swiss law - it's illegal."

https://twitter.com/andyyen/status/1422658759600525319

Really nothing to see here.

They had a copy of the email from the victim that it was sent to, unencrypted. That would include metadata such as Message-ID.

Protonmail can see metadata from the email, they are quite transparent about what is encrypted https://protonmail.com/support/knowledge-base/what-is-encryp... that data can't be encrypted, because well, it's email, it's needed in order for SMTP to work.

They also say quite clearly, and have since the beginning they will comply with MLAT https://protonmail.com/law-enforcement

Therefore parent post about "no longer private" is misinformation.

Also they're quite clear on what the threat model is https://protonmail.com/blog/protonmail-threat-model/

> If you are attempting to leak state secrets (as was the case of Edward Snowden) or going up against a powerful state adversary, email may not be the most secure medium for communications. The Internet is generally not anonymous, and if you are breaking Swiss law, a law-abiding company such as ProtonMail can be legally compelled to log your IP address.

My last straw with Protonmail: I created an email account in Protonmail. Used it to send and receive emails as usual. Then one day suddenly their "algorithms" suspended my account because the "algorithms" found that my account was being used for abuse. That was the end of Protonmail for me. Back to GMail. I know people lose their GMail accounts too. But in the last 17 years, I had 0 issues with GMail and 1 issue with ProtonMail and that 1 issue disrupted my life for a while.

I now find me asking: What is a good reliable email provider out there? I know I can host my own email in my own server under my own domain name but on HN we have seen articles about people losing their domain names too. Is there truly no good way to have permanent email address?

I would say self hosting is best. At least if you lose your domain name you still have your emails.
But then you have to deal with self-hosting emails and all the associated bullshit ( reputation, spam lists, dealing with spam on your side, etc.).

IMHO the best is to use a mail service with your domain and local / remote / something backups. You need to lose 2/3 to be really impacted.

I have reviewed and read on this topic for a long time.

It is extremely unrealistic to operate your own self-hosted emails. There are all kinds of problems with this direction.

One is that it is very difficult to even find an app to do this. Then you have to set it up, which is very difficult.

You have to always be updating your self-hosting, as it is a very much a security nightmare.

Then you have to worry about blacklisting. Companies like Google or Yahoo might blacklist your self-hosted mail server for various reasons, like you are not up do date or listed with trusted email provider associations, and a whole bunch of other things - so basically, you cannot send or receive emails from the most popular email systems, so good luck with that. And then you have to somehow try to get unblocked from them, and welcome to that nightmare, right? It could take weeks and you won't be getting emails.

Nobody should self-host unless they are crazy expert at it, and who even has the time to do that?'

.

.

Here is what some people write about self-hosting:

.

The key to reliable delivery from your server is to go through a relay like Mailgun. You can accept email directly, that's not blocked, but sending out needs to go through a relay. So your stack will look something like dovecot, postifx, and spamassassin, maybe raindrop for the UI." So right - need dovecot, postifx, spamassasin and raindrop. What a nosebleed to learn all that.

.

Sender reputation and RBLs.

Summary: Large providers spend a lot of effort fighting spam, and that includes tracking where email comes from and blacklisting untrusted sources. They use a combination of publicly available blacklists (the RBLs) and also their own secret algorithmic sauce and assign you (where "you" == your MTA's IP address and also your domain) a reputation score. If your score is too low, your email gets rejected and your recipients will never see it. There is often a complex process to try to get your email un-blacklisted—it means arguing with individual RBL maintainers, or begging Microsoft to please let your email through.

Sender reputation is also affected by whether or not you're implementing a whole suite of other technologies in addition to SMTP—most importantly SPF and DKIM, and probably DMARC at this point as well.

tl;dr - if you're writing your own smtp implementation, you almost certainly won't be able to email anyone at a major email provider.

.

The base protocol is simple, but the flexibility of configuration expected by real-world users is quite challenging and the scar tissue of dealing with broken or semi-broken clients and servers (e.g Microsoft Outlook) builds up over time. Virtual domains, rewriting rules, forwarding rules, see Postfix's wide variety of configuration options, lookup tables (and table backends) for just a small taste of the complexity.

.

A good starting point is being able to receive mail. Running an SMTP server that listens to the internet but only relays mail for your specific domain is fairly easy, and should work out of the box. That means, if you own example.com, and set up the correct MX record, and listen on port 25, people can send you emails immediately. Actually, even without an MX record, if you just have a standard A record, that is enough. In a pinch, I've done it. Perhaps it has gotten harder in the last few years.

Tools like Docker and Ansible are great for setting things up quickly and reliably, but if you really want to understand, there are plenty of tutorials on setting up an MTA on Linux, or FreeBSD.

And, if you want a simple "dropbox", there are modules for php and nodejs that will run a simple SMTP server that you can hook into. It can be useful for embedded devices. A long time ago I worked on an interactive installation where anyone was able to interact with by simple sending an email. The server portion was about 10 lines, after including the server module:

I have used tutanota, which is a competitor of protonmail. Not one problem.

I don't use Google mail or Yahoo mail or any of those because they scan your emails all the time and sell the info in a heartbeat. What would you think if the Post office let people scan your physical mail before you received it? Why should Google or Hotmail? Nasty.

I really don't understand the issue.

Protonmail is subjected to the Laws of Switzerland. These laws require that foreign requests be first approved by Swiss authorities, which is already a huge protection from rogue actors, as it shields the company from having to comply to most requests.

Once it's passed that hurdle though, Protonmail has to comply (although they seem to do some due diligence and reject some of these requests, or at least ask for reconfirmation[1]).

Even if they cooperate, Protonmail can only send limited information about the account[2].

That limited information was apparently enough to correlate with other mail services used by the accused, and LEA managed to get more incriminating information from these, including email content.

Mail services often send/receive un-encrypted emails to/from other regular systems like gmail. That means there is an inherent weakness that can be exploited. Swiss law has more stringent requirements than other jurisdictions on what can be collected but it's not a free pass to illegal activity.

Know your provider and its limits and take appropriate measures if you need more protection.

[1]:https://protonmail.com/blog/transparency-report/

[2]:https://protonmail.com/privacy-policy

My recollection of the beginning of ProtonMail is that they said they'd comply with Swiss laws. My impression was that there would be instances in which they would at least have to reveal information they carry. Which of course in almost all cases would include information that helps identify account owners. I mentioned one of the less-obvious ways in an HN comment a couple months ago: https://news.ycombinator.com/item?id=27328945

I know zero about Swiss law, and am not a lawyer, but some account being used to threaten murder (if that's what happened here) seems plausible legal grounds to layperson me, that a country would compel the company operating that account to reveal what they know about it.

(And also plausibly ethical/moral grounds. Were you starting a privacy service, you'd think hard about scenarios like someone doing something really-really-really bad using your service. Having some information, and being under the jurisdiction of a legal system that you trust for a just decision (JaaS), could mitigate some of the risks. And you'd want to disclose that upfront, both so that you could be entirely honest and be able to honor your commitments to users, and also to hopefully discourage the really-really-really bad.)

FWIW, here's an old page of Protonmail's, which ediff says they've edited only slightly since, no changes that looked suspicious to me: https://web.archive.org/web/20151116013004/https://protonmai...

Suppose that I am an activist in China and I use ProtonMail to communicate with others and write about things that Chinese government is doing that I think are bad.

I understand that metadata is not private in e2e email encryption. I am fine with that risk, I just want the content of my emails with another user of ProtonMail be secure, which ProtonMail has guaranteed AFAIK.

A Swiss court issues an order to PM: the Chinese government has informed us of a criminal that is using PM to do activities that are considered illegal in China. You are required by Swiss law to do two things: 1. In order to bypass end-to-end encryption for this user, push a malicious update to the mobile app or desktop browser of this user at this IP address, and 2. You are not allowed to disclose this request to public.

Another version of this request is that, a Swiss court would order provision of a back-door (possibly through pushing of a malicious JavaScript code) to a selective set of users provided regularly by the Swiss government, citing a law on national security of the Switzerland or the like.

What would be the response of ProtonMail to such hypothetical request?

First, if what you are doing is not illegal in Switzerland, the Swiss govt would never approve the request in the first place. In general, the Swiss govt does not typically accept requests from countries with dubious legal and human rights records.

Second, even if the request were approved, under Swiss law, it is not permissible to break end-to-end encryption. Swiss law enforcement is not allowed to make such a request.

Third, all requests eventually have to be disclosed, although the disclosure may come from Swiss authorities. This also a requirement of Swiss law.

Fourth, if a request were somehow approved, as the origin is China, our legal team would also scrutinize it closely, and if found to be suspect, would also fight the request.

Thanks for clarification!
I use tutanota, similar to protonmail except way cheaper.

I always go with the fact that I'm not using it to block the government. I'm using it instead of Google or Yahoo, that scan every bit of every email. I guard myself against the ravening grasp of businesses, which is WAY worse than any potential conflict with governmental bodies. Google will rape your email thousands of times a day and sell your info to the highest bidder. Any bidder. But governmental stuff - for most people, this will never, ever be a problem.

For some people with special stuff going on, like journalists in repressive governments, there's probably better ways to do this in a secure manner.

But if someone wants to do drug stuff or threaten murder of anyone, that person is not too intelligent to begin with. Got a screw loose, so all this protonmail stuff is beside the point. The point is that the person has some mental problems. Nothing will cure that except a trip to the nearest psychologist.