Has ProtonMail done anything wrong themselves, or is this just a case of them existing in the wrong country? If they refused to cooperate, could the government have just seized their servers and collected the data they wanted themselves?
They never advertised that they don’t keep logs they just said they aren’t permanent, in fact you can view your own connection logs if you enable it in which case they are maintained forever.
And even on their English website, the marketing is misleading. They say that the service is "anonymous" and also: "By default, we do not keep any IP logs which can be linked to your anonymous email account".
> But https://protonmail.com/security-details page says “No tracking or logging of personally identifiable information. Unlike competing services, we do not save any tracking information. We do not record metadata such as the IP addresses used to log into accounts.” So, now it turns to be that you introduced tracking and logging? Is this data encrypted as well?
> Admin, October 17, 2015 at 9:14 PM
> We don’t save any of this data by default, the user must explicitly turn it on for us to save it.
There should be a reasonable assumption that given they have end-to-end encryption for the service, they just encrypt the logging for the user and store it encrypted without the key themselves like they do the emails.
Also to note, they at least have an onion link to use their email service.
The CEO's position on Twitter is that "by default" (from the sentence you're quoting) means when there is no criminal investigation, but when there is a legal order in place, Protonmail will collect the IP...
"As described in the link above, under Swiss law, we can be forced to collect info on accounts belonging to users under criminal investigation. This is obviously not done by default, but only if we get a legal order."
If you thought that Protonmail (or any other company) was going to go to break the law in order to avoid keeping logs on you despite a Swiss-backed warrant saying they had to do so, then you had the wrong impression. But I never got the impression Protonmail was saying that.
I have never used the service and don't know or care a thing about it. But their advertising is laughably inconsistent with the reality of the service provided.
If it's illegal to provide a completely anonymous email service, then you should not claim to provide a completely anonymous email service.
Once again: if you can't see their server software, you should assume they are FOS, and are capable of recording anything.
Also:
One more reason NAT was a good thing over IPv6. The closer we get to the platonic ideal of "UUID per person" the more likely justice systems will use it that way.
The day everyone learns how to self-host mail on ephemeral compute instances is the day law enforcement starts requiring MX domain logs to be maintained in a historical manner. Work around that magically, and some law'll go on the books to try to tame the super spooky criminal communicators hiding from law enforcement.
Theoretically yes but if your ISP assigns your home a /64 you can use 2^64 different addresses to access the internet.
This still doesn’t protect your privacy because your ISP knows what prefix they gave you and will likely provide that to the authorities if you broke the law while using that address. Just like they would even if you used NAT and ipv4 so I don’t get where the parent comment thinks that is protecting their privacy at all.
Plausible deniability. My NAT and DHCP leases can be shortened, and not logged. At best you know something came from my network, and I may have many users on my network. For nodes, VPN, etc...
IP's address Internet endpoints, not people using them, yet States, prosecutors, and law enforcement regularly try to create the illusion that an IP has anything to do with who uses something.
IPv6 makes that temptation worse. IPv4 forces you to realize IP's can be ambiguous. IPv6, through having more addresses than people on Earth, checks off the Institutional checkbox for "raw material to contribute to a UUID identity scheme". Just look at China's proposals for a more governable international Telecom network, and the intention to use device persistent addressing as a control mechanism becomes obvious.
Where IPv4 creates enough decentralization and localized namespace unscrambling to provide enough friction via statefulness to thwart these types of efforts, I'm not at all confident IPv6 will do the same. I believe it is just what the Doctor ordered for laying the foundation of coupling IP's and net addresses in the minds of the masses to personal identifiers.
Which is not by any stretch the way we want things to go.
If your location is assigned a /48 you can then set up over 65,000 subnets with 2^64 possible endpoints in each.
My iPhone spoofs the MAC address each time it connects to WiFi, so support for changing your /64 is not going to be a challenge even with consumer devices. Whether we lose this ability or not is another question (but they could easily make the same requirements of “hard device uuid” on IPv4 if they wanted. These are laws and regulations after all, not technical limitations).
If anything IPv6 gives you an even greater amount of plausible deniability because like you said you could be running a vpn with a billion different devices connecting to it.
IPv6 just means your laptop could have an internet routable IP associated with it. You can easily change to one of the billions upon billions of possible addresses that your assigned prefix will give you (just like you could have something like 10.0.0.0/8 with millions and millions of addresses behind your internet routable IPv4 address. Your ISP will turn you over all the same if the authorities ask who that address belongs to.
> No personal information is required to create your secure email account. By default, we do not keep any IP logs which can be linked to your anonymous email account. Your privacy comes first.
Anyone who ever says "we don't log" is definitely logging, and that statement alone should tell you that they are untrustworthy. No one is stupid enough to take on that kind of liability. The same applies for VPNs.
If you need trust, theres no way around rolling your own service.
Yeah, that seems more a mechanism to prevent forensics analysis of a hard disk to retrieve transient logs that might've been briefly written to disk (?). I hope it isn't being as a means to prevent the means to log for future connections, for the reasons you state.
expect you need to have the infrastructure in place to gather data for police investigations in many countries.
If you don't have this infrastructure in place, you are breaking the law as a company which could have enourmous consequences.
This does not mean you need to log everything all the time. (usually that is actually quite illegal too) but you need to have infrastructure in place to allow for police investigations.
I don't get how people don't understand this. companies need to operate according to the law of the land, this being one of them.
Legally nothing wrong - but they've maybe been a bit disingenuous to their users.
However, better than most (both by jurisdiction and their own rules) than other email providers - and I'd have thought any of their users who were serious about anonymity would have used Tor/Tails etc to connect anyway and used pgp for their messages.
Details of connections to the account (IP and connection fingerprint) shouldn't matter if you were taking your privacy seriously.
Basically just signing up for protonmail doesn't make you secure and there's nothing they could do to help if you just rely on that.
Part of the issue is that the bar for subversive activities in the eyes of western law enforcement seems to be getting lower and lower. I don't know the specifics of this case, but it seems many authorities are also not shy about using these methods to identify and track peaceful protesters as well.
while i agree this is a problem, this is something that isn't to blame on protonmail (or any other company following the law). This is something that should be changed through politics/lawmaking.
Your own self-hosted service on rented server / cloud instance?
AFAIU (IANAL!!!) you can refuse to give evidences against yourself in most jurisdictions.
I don't thinks that dedicated server provider (like Hetzner) or cloud provider (like Digital Ocean or Vultr) stores traffic logs with enough details to be useful in such case.
You can't be compelled to incriminate yourself, but your server provider can very much be compelled to give access to the server. And once the server is physically compromised the battle is lost, anyway, but in that case probably with a larger papertrail leading to you.
One expensive but possible option would be to build a server yourself with sufficient traps to shut off when it's tapered with. Then set it up with full disk encryption and put it in a shared rack.
What would be the benefit of being in a shared rack? Wouldn't the service provider still know which physical system is yours if you only rented a 1/2/3U space? (Or is there an advantage at a network layer?)
The shared part is only for pricing, since renting a full rack for a single server is a bit overkill :)
Going for a rack has the advantage that you own the hardware and can install the anti-tamper measures so that the server can't be turned against you. Anonymity wise, renting a server makes things a lot easier.
Dedicated server (with standard hardware) can be prepared to be almost tamper-protected, for almost everything realistic attacks. Yes, it will be prone to freeze memory (physical freeze, with liquid nitrogen or liquid helium), but I don't think that it is what police in any country will do.
But as sibling comment mention, it can be seen as destroying of evidences in many jurisdictions :-(
In most jurisdictions you can refuse to testify against yourself but you are still required to give up all physical evidence against yourself if an appropriate warrant requests them, the immunity only applies to things in your mind.
Things like hiding or destroying evidence of a crime generally are separate crimes of which you can be convicted even if you're acquitted of the original crime (e.g. burying a corpse in the woods or throwing a gun in the river).
Destruction of evidence with the intent to hide it from prosecution also may enable so called 'adverse inference' where essentially the jury/judge can assume that the destroyed evidence actually showed what the prosecution intended to find there. For example, if you're being prosecuted for possession of child sexual abuse material, there's a warrant for your hard drive, but it gets fully destroyed because you have rigged some device to destroy it (and the prosecution proves that you did that with the intent to destroy evidence) then the court may take it as a fact that the hard drive did indeed contain CSAM and treat it as sufficient evidence to convict you.
In short, self-hosted service on a rented service does not provide much protection.
Honest question, because I've been asking it of myself: what do you expect from such a service?
I basically decided to just give up. Email is an insecure protocol and there's not much that can be done about it. Choosing a "secure" email provider feels like choosing a "secure" VPN provider: it's impossible to verify the provider's claims so it's a kind of security theatre.
It's impossible to choose a "secure" email provider, unfortunately.
Email can't guarantee E2EE without a block cipher tool like GPG. Even if your provider stores and transmits only encrypted email data, once sent it does not maintain that guarantee while being passed by another entity's MTA.
If you email google, google gets to do whatever googly stuff it would like to do with its algorithm.
If you email exchange, roundcube, ISP, hotmail, it could wind up being archived to tape, or simply be sitting for a long time in some unencrypted mail spool, maybe in a public cloud.
If you selfhost, you would be forgiven if you find you have made a mistake or simply got pwned.
I've never selfhosted email, but I understand it is a lot of work to set up if you aren't familiar, and while maintenance is okay once you get rolling, there are occasional emergencies or hiccups that require intervention.
Aside from being much slower, regular mail is quite better since you can easily inspect the envelope for evidence of tampering, while email will be imperceptibly copied.
> Even if your provider stores and transmits only encrypted email data, once sent it does not maintain that guarantee while being passed by another entity's MTA.
What? If Alice encrypts an email to Bob, using Bob's PGP key on her laptop, then it doesn't matter how many MTAs that email passes through, the email stays encrypted at every hop.
> it could wind up being archived to tape
I guess you're saying that an encrypted email could travel through a provider that keeps a copy of it in the hopes that quantum computers will one day be cheaply available enough that they can crack the private key and read the email.
That seems expensive (and illegal) for a company to do just on a whim (assuming the sender and recipient are periodically deleting old emails), and I'd like to think that a judge would turn down a request for a warrant that covers data that won't be readable for a decade or more.
Yes, you have to bring your block cipher unless you are 100% sure all the MTAs are using your e2ee scheme.
>I guess you're saying that an encrypted email could travel through a provider that keeps a copy of it in the hopes that quantum computers will one day be cheaply available enough that they can crack
No, I'm saying when you send the email, the next MTA might not use encrypted transport and any mailbox/mail spool/cache might not store the data encrypted in any way.
You can of course get E2EE if you use GPG (you always could), but if somebody doesn't know how to use GPG or uses it wrong, that is problematic.
You can also just broadcast your gpg block message via public/ham radio or even hire a skywriter to spend his day tracing out your GPG cyphertext as a huge QR code in the sky :-)
> I basically decided to just give up. Email is an insecure protocol and there's not much that can be done about it. Choosing a "secure" email provider feels like choosing a "secure" VPN provider: it's impossible to verify the provider's claims so it's a kind of security theatre.
Notionally, I would imagine something that looks like "email" and acts like "e-mail" (to the end user) could eventually exist that provides the same (conceptual) security that the Signal protocol provides (and perhaps a hosting provider option that's the same level of user confidentiality that we get the Signal foundation), although you're correct that foundationally it would be a different protocol. Backwards-compatibility would be required, at least for seamless transition (perhaps represented as "secure" and "plaintext")
Wasn't Ladar Levison (the individual behind Lavabit) working on something like this? https://darkmail.info/
A number of features I expect from e-mail seem rather between hard up to impossible to achieve if you insist on the "your server cannot be trusted, either" model of operations, though:
- The ability to login from multiple devices (using both dedicated clients and webmail) and subsequently being able to immediately access all my old messages, too.
- Global filtering, tagging, folders, read/unread tracking etc.
- Full-text search that doesn't require downloading all messages to your local device beforehand.
For this specific issue, find a provider that can be accessed through Tor.
But if you want truly private and secure communication, you'll have to forget about email. Even with encryption there's still way too much metadata floating around that can identify you.
One option not mentioned yet is Posteo. They don't keep your IP and strip it in case your mail client sets it in the headers. They also don't take any personal identification for signup or billing (you can even send them letters with money to pay for a mailbox).
I don't know what came of it, but they've been told by the German constitutional court that their approach ("we're using NAT, we don't know the IP on the actual server") doesn't fly and does not protect them from complying with a court order.
I agree that one should not use it for private comms. But many people have to use it, and they would rather not use a provider like MS or Google. For those people, mailbox.org is a good offering (IMO).
Anything that you access using thunderbird with GPG configured?
It gives no worse privacy guarantees than protonmail and possibly way better - because if you use protonmail through a web client and they get a court order to serve you a "special" client that forwards your certificate you won't notice it.
and the lesson here is that everyone who called out Protonmail for being sus (suspect) on signup was correct.
try using Tor to create a protonmail account and they require both javascript and a phone number.
yeh yeh client side encryption requires javascript, but seems better to just have an unlinked email that can be read server side and there are plenty of Tor-only email providers for that.
phone number under an "anti-spam" guise is just suspect.
Protonmail customer here. Sigh. This is why I keep my own domain and can point it wherever I need. Dear Protonmail, email is fucking cheap and easy, I pay you $58 a year to solve stupid shit like this.
Vendors really need to figure out how to thread the needle of "No don't trust us" but still encourage customers to buy. Protonmail failed here. Apple's still very much in the "trust no one but us!" vibe, and it's just not sustainable.
I'll be switching my Protonmail use to default to Tor now. Open to Tor-first vendors...are there any?
I like how Brave has "open in Tor" displayed on Tor-mirrored sites. There's even an option for "Automatically redirect .onion" sites too. Makes it easy to switch over.
What if Protonmail pushed their Tor services more? "Guide to using Protonmail as privately as possible", have a switch for "Private Mode" that kicks you over to Tor/download Tor.
This wouldn't even have resulted in the catching of the person in question, due to the use of an Onion Service, your link referring to the guy downgrading HTTPS on bitcoin exchanges. Hacker News users have surprisingly little comprehension of just what Tor is, so much so that I made an account here just now. Lurkers, please read:
Tor is a powerful tool for increasing the privacy of its users, though it is worth noting that it prioritizes performance over privacy. Tor's threat model does not include global adversaries, particularly those who can access traffic metadata for large numbers of ISPs- though, hidden services do fare significantly better than your usual clearnet services, usually requiring DoS attacks to deanonymize their hosts, and protecting their users especially. But note that Tor is not a mix network- it does not provide mathematically provable anonymity against a global passive adversary, unlike systems such as Loopix. See from this paper describing Tor in 2004, and consider reading the whole thing for a better understanding of Tor: https://www.usenix.org/legacy/publications/library/proceedin...
Tor's Threat Model
"A global passive adversary is the most commonly assumed threat when analyzing theoretical anonymity designs. But like all practical low-latency systems, Tor does not protect against such a strong adversary. Instead, we assume an adversary who can observe some fraction of network traffic; who can generate, modify, delete, or delay traffic; who can operate onion routers of his own; and who can compromise some fraction of the onion routers. In low-latency anonymity systems that use layered encryption, the adversary’s typical goal is to observe both the initiator and the responder. By observing both ends, passive attackers can confirm a suspicion that Alice is talking to Bob if the timing and volume patterns of the traffic on the connection are distinct enough; active attackers can induce timing signatures on the traffic to force distinct patterns. Rather than focusing on these traffic confirmation attacks, we aim to prevent traffic analysis attacks, where the adversary uses traffic patterns to learn which points in the network he should attack. Our adversary might try to link an initiator Alice with her communication partners, or try to build a profile of Alice’s behavior. He might mount passive attacks by observing the network edges and correlating traffic entering and leaving the network by relationships in packet timing, volume, or externally visible user-selected options. The adversary can also mount active attacks by compromising routers or keys; by replaying traffic; by selectively denying service to trustworthy routers to move users to compromised routers, or denying service to users to see if traffic elsewhere in the network stops; or by introducing patterns into traffic that can later be detected. The adversary might subvert the directory servers to give users differing views of network state. Additionally, he can try to decrease the network’s reliability by attacking nodes or by performing antisocial activities from reliable nodes and trying to get them taken down—making the network unreliable flushes users to other less anonymous systems, where they may be easier to attack."
Tor increases the costs to uncover your identity, especially so in the context of a hidden service, which the entity in question (Protonmail) actually does offer to users. Perfection is the enemy of the good- Tor is not built to deal with global adversaries unlike a mix network, but surely any increase in privacy is a good thing, no? You do not complain that your wrench does not serve the purpose of a hammer quite as well as a hammer might- you either put some more energy into it, or you buy a hammer.
"Open source" means literally nothing for the majority of Tor users that are downloading prebuilt binaries from US Government-funded www.torproject.org/download/
The USG persecutes and imprisons journalists for exposing its war crimes, anyways I'm going to download this Tor binary from them because it says 'totally legit' on the packaging and there's no "hard evidence" to the contrary...
Don’t those binaries come with signatures you can verify? People in the community would notice if building from source produced different signatures than the binaries provided directly by torproject
And yet, confirmation attacks and traffic shaping by global adversaries are where the actual design flaws lie, inherent to any 'low-latency' (read: performance trumps privacy) anonymizing network, and you know that. Even efforts such as the Invisible Internet Project (I2P) which pile on tactic after tactic to improve upon this, but are too scared to delve in outright mixing traffic, are vulnerable to traffic confirmation attacks.
Where "this" is using soft language like "by default" to hide shortcomings. I expect Protonmail to do more to educate users to be aware of how surveillance happens, whether a rogue employee enables the function on their end, warrant, etc.
"hide shortcomings" like what? Doesn't language like "by default" infer/suggest/imply that there would be circumstances in which they would save logs? And wouldn't an obvious circumstance like that be a warrant?
I think for most people the interpretation of "by default" means "we will not log your IP unless you enable it", i.e. the power is in the hands of the user. The complaint people are making here is that this statement should really have a clarifying clause saying "or unless requested to do so by law enforcement".
Has your home in France been squatted? No? Or maybe you do not own a house in France?
If so, on which basis do you ironically call squatting a "terrible crime"?
Squatters in your house in France means that you you have zero rights on this place until a lengthy process gives it back to you, ruined. You are then expected to be grateful and can forget about any reimbursement from the poor people who stole your property.
ficklepickle is poking fun at the fact that the crime is minor, relative to the weight behind the warrant. It would be like if the FBI put you on their website and the news stations aired your photo, for driving without a license.
Sure, it's a crime, but it's a relatively minor one. I suppose if you were the victim you'd have a different point of view.
I Don't know about France but in some places its near impossible to evict squatters, meaning if your property stands empty a month (e.g. waiting for new tenant or repairs) and some squatters move in you are basically screwed for years to come - they won't pay rent, you'll lose thousands and much lifetime evicting them, and for a few years they'll run down your property as they have no legal or other interest in maintaining it, so you are out huge amounts of money.
This can happen to the slumlord (who will then send someone to beat up the squatters), to the big capitalist (who will go through the courts and win) and to smalltime owners where that is maybe their family home or future retirement apartment (who will suffer the most).
Homelessness/lack of housing is a problem, but squatting is in most cases not the right solution.
But if someone just moves into your property why can’t police just kick them out? That’s an illegal action. If someone came into your house and started stealing your things and you call the cops on them you don’t go to court to prove those things are really yours.
Because in many locations around the world, it's not as simple as a criminal offence, it's a civil dispute, as once you have commenced "squatting", you are now an occupant, rather than a clear trespasser. Many squatters find squatting manuals online detailing the local laws and how best to approach it to maximum time available in the property.
In France once someone entered your house (and stayed a generally agreed upon 48 hours) you have no right to evict them.
Then starts a possibly very long process to have them evicted/ If they have a child you are basically screwed and won't be able to get your property back. Or you will wait months/years and get a ruin back.
Please give your opinion about squatting primary and secondary homes of people. Who worked to buy them and have zero rights afterwards, when a colony of parasites come and destroy their belongings.
Someone had squatters after working 3 months outside the country. He basically had zero rights to throw them out, and the law considered him as a sort of landlord for non-paying tenants, with all relevant responsibilities. As his and their legal address where now identical, he was partially responsible/paying for their healthcare.
But the law allowed him, as a good landlord, to work on the outside of the house, for the good of his tenants. So he did.
He installed security cameras, and reported every minor infraction of the squatters to the police. The police loved it, and duly did everything. Oh look, a cm of your wheel is parked outside the allowed boundary. That's a ticket. Of course he duly tested the very loud alarm every evening, to make sure it works.
He did a paint job, first removing the old paint with the noisiest dustiest old tools he could find, then painting it in an old ugly pink he found on a flea market somewhere. Then decided the quality wasn't good and removed the paint again. One day, the squatters had enough and actually went to a court to demand he let their poor baby sleep. Judge just laughed, and told them all work happened before 22:00 so he was in his right.
Squatters ran away after a few months, which supposedly is a happy outcome, at least compared to what the law could do for him.
What's weird is why they'd need all these hoops to jump through if it's squatting? It's pretty easy to find the squatter - they usually are at the same place they're squatting, and the real owners of the place would be eager for the police to come and find them there. Once you found them, you could seize their devices and get all the IP information (at least) from them and from the carriers. it's weird why would you need to look for a squatter in such a convoluted way?
Probably the movement to squat in empty buildings and organize more of the same in response to pandemic evictions, that's been getting the kind of attention its very dangerous for left wing groups to get.
It depends on jurisdiction. For example the UK has the infamous gag orders that are even harder to fight in court (successfully) than their US counterparts.
Sure, ProtonMail and its current operators could opt to stop operating in such jurisdictions, but usually it's too late for that when you get the [secret] court order, because if you refuse the operators personally are quickly found in contempt of court (or whatever other bad legal circumstance), and eventually that can lead to similar InterPol/EuroPol (other MLAT) warrants.
But if you ever want to do business in the UK or travel to/through the UK, or in/to/through any country that might have MLAT with the UK ... then you're highly incentivized to take them at least a bit seriously to avoid really (sorry, royally!) pissing them off.
I found this informative article [1], and another [2] on the misuse of the so-called Interpol Red Notice, which I assume is like a BOLO, but not truely a warrant.
If you think that's bad, Tutanota was forced by the court to change their SW, so that all incoming e-mails for a specific account would be intercepted before encryption: https://news.ycombinator.com/item?id=27303712
Hushmail had a similar warrant, they changed their login form so it would send the password in the clear to the server, which they used to decrypt the mail and logged all the traffic to help trace the user. If you get targeted these "anonymous" email services aren't going to be good for much in practice.
I don't really know but eco terrorism is something that is more than likely to increase, with all the floods, forest fires, hurricanes, Greta thunberg, ipcc reports, and recently Biden authorizing some oil contract thing.
In this case it seems that they are a far left group that has decided to squat a restaurant for good old 'class struggle' reasons and vowed not to back down...
It also seems that it is not any restaurant but one of the 'victims' of the 2015 terrorist attacks [1]
Basically political extremists trying to disguise themselves as environmental activists. Not interesting people, to say the least.
"We won't store your IP, except when its sought by the government, which is the only reason you'd ever realistically pay for a service that doesn't store your IP."
Even if ProtonMail had not stored these data, it could have easily been, legally or not, collected from the ISP(s) providing Proton with their internet access.
Disclaimer: I have a ProtonMail account that I pay for.
I have seen a ton of disturbing pieces about ProtonMail. Every time I've looked into them, they seem to be maliciously motivated and usually not true, or otherwise twisting of the truth. This has been a confusing thing for me because why is there a small subset of people so vehemently against them?
In this case, I'm not surprised. They say quite clearly they can be compelled to collect IP addresses - including in the linked tweet. This seems like a pretty clear cut case of them being compelled to provide an IP address. What the authorities can't do, is read that person's email. And that's what I and others pay for.
I'm not sure what there is to be upset about here? Other than perhaps France prosecuting this individual to begin with? If we had faith that ProtonMail wouldn't hand over anything to the government, why would anyone even care about having encrypted emails?
Tor solves this. Protonmail's Tor support is lukewarm. They have a Tor based login without captchas. It's mentioned on their homepage in the bottom menu under "Onion Site", (/tor). And there's one blog post from 2017 that still promotes their v2/shorter onion address.
I expect Protonmail to push its users to login through Tor. "Don't trust us, trust math". Embed Tor support in their apps as well. Rebuild their iOS app to offer to drive all connections through Tor.
And frankly, for $50 a year for email, I expect Protonmail to be thinking ahead about this, rather than me coming up with dumb ideas on a forum. Protonmail was neat in 2018 but 3 years later it's stagnant.
How is that lukewarm? Sounds like first class support if they have a dedicated onion address and not just let you connect to the regular clearnet. Or is that address only in that old blog post and not mentioned in places you'd usually look? It's a bit unclear to me.
It's lukewarm because what less could you do besides not support Tor?
Tor is mentioned on their homepage in the bottom menu under "Onion Site". However, this menu link redirects to their Tor placeholder page, rather than directly to the Tor service: https://protonmail.com/tor
> It's lukewarm because what less could you do besides not support Tor?
Alright then, what more do you want them to do? Spend millions in court fighting every warrant issued for their users and go bankrupt defending criminal activity?
"What makes Tor different from the usual thesaurus-full of government projects is that Tor is essentially a very elaborate math trick, using layers of math puzzles to create a network-within-the-network. That math is being implemented in front of a global audience of millions of sophisticated watchers. It is likely the most examined codebase in the world. It has been subjected to multiple public audits. The math, well known and widely standardized, will work for everyone, or it will not, whoever pays the bills."
"Trusting mathematics" would be a much more accurate claim if we were talking about mix networks, such as Loopix (https://arxiv.org/abs/1703.00536). But Tor is vulnerable to confirmation attacks to varying degrees, (depending on whether you are accessing clearnet or not, of course) which is very much worth noting in the context of a global passive adversary.
The authorities don't need to run exit nodes, they just pwn enough routers, have enough interception devices or buy enough netflow data that they can trace data flowing through the Tor work back to its original location.
Sure, but if that becomes a problem for you depends on
1. whether or not your request stays within the tor network or not (if you use the .onion address, no need for an exit node)
2. given both entry and exit nodes can be literally all over the world: your threat opposition level. I doubt the NSA will be happy to help French authorities trying to catch a teenager who blockaded a government parking garage).
One of the first sentence on their website is "By default, we do not keep any IP logs". If as soon as police show up (Which is almost the only case that people would want their IP hidden) they give IP logs, it is clearly false advertising. The fact that only the anonymous feature is important to you will not change the fact that they do the opposite of what they advertise regarding IP logs
>If as soon as police show up (Which is almost the only case that people would want their IP hidden) they give IP logs, it is clearly false advertising
Is there any evidence this is what happened?
An alternate scenario is that they were not keeping logs, and were then compelled by the authorities to start keeping them on that user.
what other status quo do you expect from them?
Having to provide IP logs after a warrant has been issued is the law in switserland (and most if not all of the EU).
Sure, the law would (hopefully) be changed, but at the moment, this is the best they can legally do?
Unless you are naive enough to assume that ProtonMail is incapable of logging IP addresses (in which case they'd be incapable of serving HTTP requests...see the problem?) then they can log. And they most certainly aren't going to declare independence from Switzerland and refuse to turn on IP logging when required to by law.
Whereas with E2E-E, they actually are incapable of turning over readable emails.
No history of when you logged in from where and, possibly, plausible deniability about about you being the only user of that account (through you'd probably need to prepare for this to be believable).
I mean it's either this or traffic analysis. If you use your clearnet IP address to do illegal things, it's nothing more than reasonable that you can get in trouble for it.
This is also why I don't get protonmail in the first place. Unless you use pgp or equivalent, you'll always be subject to law enforcement. Just that protonmail cares more and caters more to activists and so might not give it out without checking that the asker is really legit and then give the minimal amount possible. But they'll always be able to turn over your emails and log IPs, it's not protonmail's fault the laws were voted into action like this.
They tout that off-by-default statement on their homepage, underneath the header of "Anonymous Email," with the closing sentence of "Your privacy comes first."
So why even market that? It provides no meaningful security.
Were _you_ mislead by this? Did you really expect a Switzerland-based company not to comply with law of the land?
There is a difference between "available to police, not retroactively, and only with a valid warrant" and "available to any government agency constantly and in bulk, as well as to data-collecting commercial entities, Russian and Chinese hackers, and their dogs".
Don't you agree?
Really solid explanation of what you’re paying for as a proton customer - and despite this unfortunate situation for the French advocate is why myself and others will continue their paid ProtonMail plans
Fair point. I still don't think they've worded that well enough. I would probably not have read "By default" to have the context of "Unless asked to do so by authorities."
They're not being as transparent as possible in their marketing, which is at odds with their allure of security.
As far as I know, Swiss law does not allow for "secret data collecting orders", unlike US after "Patriot Act".
This is the benefit if being located in Switzerland, where banking is one of the main pillars of the economy and which historically has been much more supportive of personal privacy than most other countries.
They eventually caved under US pressure on some things, so it's not such a "haven" as it used to be, but I believe it is still the country that respects individuals' rights the most.
Not perfect by any means, just better than most others.
I'm not taking sides on privacy or the threat of govt (or other sourced) tyranny, I'm just explaining the logic to answer your question:
Let's say you engaged in a long history of using protonmail innocently, then one day you decided to start commiting crimes for the first time and attract police interest. You would know that your historical logs were not kept, and it was only after you started attracting police attention that you would be at risk of incriminating yourself through proton mail. Maybe, on the run from the law, it would be safe for you to hide at your old friends house because there was no log to link you to him.
Yes, it is also the case that you may not have realized that ordinary behavior had been criminalized by an evil govt all along blah blah blah... I'm just pointing out that there is a difference where you saw none.
No. With on-demand logging, they can find the owner of the account (assuming he doesn't take further measures), but you can't retroactively prove someone used that account to do something at a specific time. For example, you could not prove that the individual was logged in at internet cafe xy near the time of the crime. Also, an opsec mishap (such as logging in without protection) will not be fatal unless you're already under surveillance.
So also a proton customer here. "By default we do not keep any IP logs" and this case does not seem like the default? Seems like they were required to by law to log and turn over this specific IP? (Of course I haven't seen the actual case but I would assume that meant a warrant.)
Tor helps, but is not especially robust against state-level actors / APTs. An actor running a sufficient number of entry/exit nodes could perform at least some traffic analysis.
In comic-book voice, then: what would an intelligence agency or police force's response to a suspect known to be using Tor be?
Traffic analysis, at a cost, could establish that the suspect is using Tor.
TorMetrics shows slightly more than 1,250 currently-running Tor exit nodes. I'll presume this is typical, history shows it's pretty consisten over the past 3 months.
I'm going to presume that a court could conceivably issue an order to log all Tor-based traffic. A state actor / APT might then be able to correlate a known IP and traffic at a given point in time with other data to identify a source IP. This might be combined with other measures to encourage circuit-jumping until the suspect is on a specific known or monitored Tor circuit.
Yes, costs increase. I don't see this as technically infeasible, however.
Might not be rolled out just for a house-squatter, however.
Yeah, what you outline means Tor is Swiss cheese (ha, ha, long game pun), when it comes to traffic analysis. Are all the IPs for Paris to Tor being logged at the ISP level? You bet!
Frankly, I don't think anyone is safe from the tip of a nation state, even small ones. But I do think we should protect everyone else and Tor would have done that.
Because this was clearly civil disobedience and that is what we really should be protecting.
No it’s not bulletproof but there isn’t really any other network with the same availability which would protect against a targeted and sustained analysis.
Even if a nation state was targeting you, it would still take months for a timing/bandwidth attack to identify a user. Even then it would only provide your adversary a probability of certainty and requires consistent traffic from the victim through a compromised exit node.
No system is 100% perfect but tor will make most attacks prohibitively expensive.
It's not misleading in that many services do keep records by default. If people don't understand what default means, they should grow their understanding, not be outraged that their uninformed opinion was wrong.
I'm pretty sure it means that both the user and the company is bound by the terms of service and privacy policy that clearly spells out that they comply with legal warrants (from switz authorities) and provide the limited data that they are asked for if they have it (IPs being one such thing).
I mean they are misleading in so far you want them to...
I'm a privacy activist and certainly think that a company should be able to not keep logs. If the law in the country they are in (or area, see for example the data retention directive in the EU) we should of course (and I am) work to change those laws.
It should come as no surprise to anyone who is privacy minded and actively seek out privacy focused services that are located within the EU or Switzerland that your IP (or other information) can be requested with a warrant and that a company is required to hand that over.
As a privacy activist, what's productive about arguing that protonmail shouldn't need to make a greater effort to pound into their customers' heads exactly what you just explained?
I get that you think people should already know this, but do you feel they should be punished for not already knowing this, and not reminded by a company that markets itself on protecting its users? Protonmail was forced to get an IP address, but they're not forced to keep the fact that they respond to warrants a big secret.
Not everybody who is an activist is a big techie, or even computer-literate.
They clearly spell out in their privacy policy that they respond to warrants....
> We will only disclose the limited user data we possess if we are instructed to do so by a fully binding request coming from the competent Swiss authorities (legal obligation). While we may comply with electronically delivered notices (see exceptions below), the disclosed data can only be used in court after we have received an original copy of the court order by registered post or in person, and provide a formal response.
It would also be nice if they were allowed to notify the customer but I'm not familiar enough with Swiss laws to know if they can.
That your emails are supposedly stored encrypted, that if other services support it end-to-end email encryption supposedly can be enabled easily, and that supposedly you cannot be served targeted ads because they cannot read the contents of your email (not that they have ads anyway).
Of course Protonmail is accessible via Tor. Not that you should need to do that to remain private.
> That your emails are supposedly stored encrypted, that if other services support it end-to-end email encryption supposedly can be enabled easily, and that supposedly you cannot be served targeted ads because they cannot read the contents of your email (not that they have ads anyway).
That's an interesting point, but I'd contend there is a difference between scanning for known virus patterns vs. feeding your email into ML algorithms to do God knows what with.
If someone comes to Google, asking for the content of someone's email, is Google technically unable to provide that information for past emails?
Because I am aware of no reason to think that Google stores my gmail with zero access. I don't know for a fact that ProtonMail discards this information at the earliest opportunity nor do I know for a fact that they don't try to aggregate it to learn about you (or even people in general), but that is what I interpreted the pitch as.
But, look, of course if they get a subpoena they will have to start scanning your email if they are technically able to collect it. That's just a wiretap, and little would prevent the author and operator of the server software from doing whatever they want... and they're clear that if you aren't sending email between two compatible accounts that there is no E2EE.
We can talk about how they should have been clearer about the need to use Tor to avoid IP logging (even if they don't do it, someone between you and ProtonMail certainly could). That's a good idea. But they are actually very clear that E2EE with your email is not what you should expect in general. And I don't think they have much incentive to scan my email from unencrypted sources to do anything nefarious, but I don't think anyone has any ability to prove they do or don't at present.
I never said it didn't matter. I think the data retention laws and for what crimes the police are able to get certain warrants in the EU and Switzerland can be better.
But that is not a proton issue that is an issue with our current governments.
Ah I see. It's an issue for my use of Protonmail, in that I may cancel and move to another vendor who is more forthright. Here's what I would expect my future vendor to say about this:
"Hey, we respect your needs. However, we have to tell you that you should treat us as a bit of an adversary. We will do what we can as a private company, but ultimately we can be compelled by the government, rogue employee, or if somehow we get hacked. This is the case for any company no matter what they promise or avoid telling you. We do tell you. As our customer, here's what we recommend you do: Use Tor, fund open source, vote, etc."
> It's an issue for my use of Protonmail, in that I may cancel and move to another vendor who is more forthright
You’re telling us that you never considered that an incorporated company, bound by democratic laws, would be required to respond to criminal activity warrants?
What fantasy land do HNers on this thread live in?
End-to-end encrypted emails, not massive collection of metadata to build advertising profiles, and, maybe this will sound strange, but I wanted to pay for these services because I want to show everyone that there is a paying market and you don't have to rely on advertising to be profitable in this space.
No service is capable of completely hiding IPs and still getting you the data. If you "threat model" includes hiding from Western governments, I'd recommend not using the internet.
As a user, I'd take that to mean that they wouldn't keep any IP logs unless I turned logging on. I wouldn't expect that they would enable logging on their own.
Interestingly, ProtonMail's privacy policy lists a number of cases in which they may log your IP address permanently (including if you breach their Terms and Conditions). But a request from law enforcement is not one them.
Use of the service for any “unlawful or prohibited activities” violates the TOS, so if law enforcement has evidence of that (which they may), then PM has a clear right to log IP.
Is that so? I thought, if one violates the TOS, the other side may terminate the service. I did not know they then had the automatic right to then log data suitable for tracking and identification.
A user with the intent to engage in unlawful activities should read the terms of services in full. If that user only reads the homepage of the service, without understanding the implication of each word, and does not bother to review the terms in details, that is on him.
Moreover, I would like to point out that ProtonMail is about encryption of email *content*. It is foolish to expect more from them. They won't protect your identity: law enforcement can know who you are and who you communicate with, but they cannot know the content of your emails (if you recipient uses encryption services as well).
Not necessarily. It's possible that their statement is true that they don't keep IP logs, but the Swiss police showed up with a court order for the equivalent of a US wiretap or pen register, requiring them to begin logging the IP address for that account when it signed in.
I think trusting your security or privacy to website-based email is a bad idea. If the email is being displayed in your browser, then the authorities can coerce the company that owns the website to include JavaScript in that page that sends the plaintext content to them too -- or demand the website's TLS key and start intercepting the traffic that you see.
The only encryption-based security that you can reliably trust is encryption that happens locally on a device you control, and that doesn't involve a web page or website loaded from a 3rd party.
If you want privacy protection with real end-to-end encryption that the government can't get past trivially with court orders, use services where the decryption happens on devices that you own, such as WhatsApp or Signal or iMessage. If you must use email, do the encryption yourself on a hardened Linux distribution like Tails using PGP for email encryption; but this is much harder to set up than the above secure messengers.
I wouldn't say ProtonMail is a scam, but a trivial software change on their server-side would let the authorities see your email every time you do. If they can be compelled to make that change then the "encryption" you're paying for is worth nothing. The next time you sign in, a court-required modified version of their server software can capture your password, and then use whatever key derivation function gives them your encryption key.
This might not even require the company to actively participate. In the case of Snowden and LavaBit email, the US Government demanded LavaBit's TLS certificate so as to intercept the communications themselves at the ISP layer when LavaBit refused to comply with narrower court orders to provide information about his account.
What could police do with ProtonMail's TLS certificate and court authority to intercept and MITM traffic for your account? They can probably capture your password, use that to read all of your old email, and at minimum read your email as you read it. Even if decryption is happening in the browser somehow with JavaScript, that JavaScript is coming from the origin server that the government now controls by virtue of MITMing the traffic with the site's TLS cert, and so they can insert JavaScript that logs a plaintext copy of either the emails or the encryption key needed to decrypt them.
There is no security with web-based communications if the companies involved can be coerced with a court order. US based firms would be required to hand over their TLS cert if they weren't willing to help track someone, and at that point the government could do anything to your traffic.
The only secure encryption happens on your device with no browser involved.
By comparison, if you're using an iPhone, in theory the US Government could try to force Apple to modify WhatsApp/Signal on your phone, or force the App developers to do so. These companies would all fight tooth-and-nail in court against doing so. Plus, you can configure your iPhone to disable automatically updating apps, so once you have a working version of WhatsApp installed, unless Apple has some backdoor-ability to push an update of it to your phone anyway, you could turn off app update and be cautious & picky about when you choose to update WhatsApp or Signal. What I don't know how to do is verify the integrity of their binaries: to confirm that what you're getting is the same app distributed to everyone. Facebook would appeal to SCOTUS before allowing a government to install a backdoor into WhatsApp; so would Apple, based on their response to the government's request to unlock the San Bernadino shooter's phone.
All that being said, if the government's goal is simply ...
They claim this is not possible under Swiss law, fwiw. We’ve recently seen that it is possible under German law, with a competitor (Tutanota) building a server-side backdoor for one user.
...but we know it's possible under Swiss law, from this case, for them to be compelled to start logging specific account accesses, that they by default were not previously.
How is that any different from them being compelled to disable or weaken clientside encryption?
In both cases they're being compelled to make changes to their service.
The camel's nose is clearly already under the tent. Everybody needs to start diffing javascript served by them.
That's not the claim. The claim is that we don't know if X is possible under Swiss law. You seem to be the one claiming that because they said it's not possible, then it's not possible. If not, I don't know what you're claiming.
The GP says that it's possible under German law. Is it "FUD" to say that it could end up being possible under Swiss law?
Shouldn't there be fear, uncertainty, and doubt about any channel that activists use to communicate with each other?
> Everybody needs to start diffing javascript served by them.
It would be nice if there were something like Perspectives[0] or Binary Transparency / Sigstore[1] to raise the alarm when something like this happened, but the threat would also be avoided if ProtonMail was available as a SecureBookmark[2].
I'm not totally sure on this, but if you use their mail bridge, I'm pretty sure the decryption happens on your local PC and the keys never have to leave that.
They come off as a very dodgy company willing to twist the truth themselves. They claim that they can provide E2EE for email, being careful not to give away the fact that this is impossible for regular emails to non-PM customers.
Frankly I only use them because they're the biggest "private" email service and that provides a kind of safety in numbers.
As a business in that space, you probably need to have dodgy marketing in order to convince mainstream users. I'm not disagreeing that it's bad, but it's probably necessary business-wise.
While I concur that it's a bit misleading nothing is stopping you from using your own key and mail client (albeit with their "bridge" solution) to send E2EE e-mails.
If you rely on the keys they generate you can export them and use them accordingly but one should be weary of the handling of said keys if they were compelled to make a backdoor as others have noted.
That being said this does leave a bad taste in my mouth.
If they can be compelled to collect IP addresses - why can't they be compelled to collect your password and revel the contents of any mails the police wants to see? I mean, it's their site and AFAIK there's no way for you to prevent them from accessing the content of your emails, unless they are fully encrypted on the client side - in which case any random mail provider would work the same.
From where I stand, the only difference here is that ProtonMail has to receive the warrant before they give up all the info they have on you, and others may do it voluntarily even without that, just to keep on the good side of the police, but since it's not exactly hard to achieve such warrants (and in the US, as we learned, it's ok for the police to lie on such warrants and they know no punishment will come to them even if the lie is discovered later) the difference is minimal. If you have something the police really wants to see, and they can reveal it, they will.
I couldn't agree more. Anyone that thinks a company can hide/avoid all government (legally mandated) requests is just incredibly naive. I don't know why the anti-protonmail spin exists. Protonmail does the best they can, as far as I can tell, given the legal frameworks that are in place and the modern erosion of privacy.
Happy user of posteo here which claims to strip IP addresses and there IS no relation between accounts and payments. All government requests are transparently documented.
The web interface is roundcube, but if you just use IMAP, it could work for you.
No custom domains though for sending stuff, catch all redirects obviously work.
We know that PM saves all kind of metadata and happily provides it to any kind of agency. You have to use an anonymous VPN service (obviously not ProtonVPN) in combination with ProtonMail, if you want to avoid exposure by PM.
ProtonMail lost it's essence to be honest. As soon as my subscription runs out I'm gonna host my own mailserver instead. There are no advantages in using ProtonMail snymore.
I've been in the market for a service like protonmail because I'm trying to degoogle. Reading news like this and looking at the price of these services for two accounts has me thinking twice.
You can disable the recording of login sessions in Protonmail's settings dashboard. I do that, not only to avoid Protonmail learning of the logs, but by a hacker who, once upon breaching your account; also gets to learn the IP you use to login with.
Thanks, I had "Basic" on and turned it completely off. This should be Disabled by default. I created a new account to see what the default is (it's Basic): https://news.ycombinator.com/item?id=28428092
Their homepage says "By default, we do not keep any IP logs"
In 2021, any soft language like this should be a red flag for anyone who is against surveillance. Maybe in 2018 it was good enough. But in 2021 it's not. Come on, Protonmail, you're supposed to be leading the way -- don't make me figure it out myself.
Replace immediately with "By default we don't log IP, but may be required to by local law enforcement. We recommend everyone connect through Protonmail through Tor. This month, 60% of our users connected through Tor".
People really don't seem to understand that Protonmail is a western company in a western country with pretty generous surveillance laws. Yes, your email text may be encrypted, but everything else is free game to the authorities unless you use additional protection.
Protonmail should be pushing more of this messaging in their branding. "Don't trust us further than you can throw us. We're doing our best, and here's what we recommend, use Tor, etc."
I live in Australia - and they're totally fucked by our laws and government policy.
"The Australian Federal Police (AFP) and Australian Criminal Intelligence Commission (ACIC) will now be able to access the computers and networks of those suspected of conducting criminal activity online, and even take over their online accounts covertly, under the Identify and Disrupt bill, which was passed by the Senate on Wednesday." -- https://www.innovationaus.com/extraordinary-new-hacking-powe...
and:
"Amends: the Surveillance Devices Act 2004 and Telecommunications (Interception and Access) Act 1979 to: introduce data disruption warrants to enable the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) to disrupt data by modifying, adding, copying or deleting data in order to frustrate the commission of serious offences online; and make minor technical corrections; " -- https://www.aph.gov.au/Parliamentary_Business/Bills_Legislat...
The question was if email providers have to choose misleading people about privacy or going out of business. Specifically about IP logs.
Fastmail's privacy page says "Your data is for you and no one else".[1] So they do mislead about that. I didn't see anything about IP logs though. And Fastmail was just an example.
The scanning of email contents that Gmail does is, from a privacy standpoint, indistinguishable from them simply sending you the email. Their server has to know the contents of that email either way.
In both cases exactly the same entities read your email: you, the sender, and Gmail.
I don't see how you could go "yeah, this is a privacy improvement" if your information is still visible to exactly the same entities, but one of them isn't really mentioning it.
The difference is that protonmail, again, doesn't scan any data in my emails. Google does, then stores and tailors and sells ads. My privacy is violated when google scans my mail, and not when protonmail doesn't.
I'm not sure what you're trying to get at with the word "scan" here, so hopefully this abstraction will be useful.
Imagine you have a message written on a piece of paper. You intentionally show this message to two people, Alice and Bob, and are fully aware that they have both read and can perfectly remember the entire contents of the message.
Now imagine that Alice thought about the message independently (not recalling it, but actually thinking new thoughts), and that Bob did not do this.
Are you claiming that Alice violated your privacy by thinking about something you showed her and asked her to remember? Or perhaps would it only be a violation of privacy if she then subsequently told you one of those thoughts?
I don’t understand what you’re attempting to achieve with this. You’re weirdly abstracting about something that doesn’t need to be. People want to be able to have a private email correspondence about, for instance, dildos, and then not have to be served dildo ads outside of that context.
> I don’t understand what you’re attempting to achieve with this.
I was hoping to achieve a "yes" or "no", to at least one of the two questions. I don't know what GP thinks "scan" means when describing how a computer processes text, and was hoping that an analogy to a more natural concept would allow for that to be made clear. What's the actual action being taken that's the violation? It's clearly not simply being able to read the message, but is it "thinking" about it (for lack of a better word)? That's how I interpreted the initial comment, but it seems very reactionary, so I wanted to make sure I understood it.
> People want to be able to have a private email correspondence about, for instance, dildos, and then not have to be served dildo ads outside of that context.
Totally fair, but that's no longer about privacy (unless your concern is someone else watching your monitor over your shoulder, in which case that person is the one breaking your privacy).
So if I tell a friend a secret, and they plaster it on my wallpaper, and then I have a different friend over for dinner, my different friend is the one violating my privacy?
In that case no-one has violated your privacy - your wallpaper is private, so friend A didn't, and you invited friend B over, so they definitely didn't.
I would entertain the idea that friend A is being a bit of a douchebag by painting stuff all over your house without you asking them to, but if you subscribe to that thought process you'd already be running an ad-blocker and this scenario wouldn't ever occur in the first place.
Having to use an ad-blocker for this purpose is a band-aid for a much deeper problem. Running a website isn't free and I want to support them by not blocking their ads. But when the ads are part of a scheme that targets my private and personal information, I'm no longer willing to hold up my end of that contract.
The act of analyzing my data is what is the violation. The act of telling me is simply revealing that violation. This is why, when the US intelligence agencies were scanning and analyzing everyone in America's cell phone history and social graph, without interaction or active intervention, it was a privacy violation even when it wasn't being used. It doesn't matter who sees it. The fact that it is being scanned and analyzed for possible future use and abuse is the problem. Yes, this means that a computer in the middle of the rainforest analyzing my mail offline and nothing else is a violation of my privacy. And no, I do not believe that the two, Alice and Bob, can be equated.
> The act of analyzing my data is what is the violation.
So to be 100% clear on this: if you tell someone information, and they think about that information, that's a violation of your privacy?
I've definitely always assumed that the right to think about information is intrinsically coupled with the right to know about that information. I wouldn't give someone data that I didn't want them to think about.
> for possible future use and abuse
This is a completely reasonable concern to hold, but surely "they could possibly do something bad later" applies to every email provider in existence.
>So to be 100% clear on this: if you tell someone information, and they think about that information, that's a violation of your privacy?
If your phone began analyzing your local photos for child porn, you'd probably be upset, no?
>This is a completely reasonable concern to hold, but surely "they could possibly do something bad later" applies to every email provider in existence.
True, but google is CURRENTLY abusing it by selling ads to me based on it.
> If your phone began analyzing your local photos for child porn, you'd probably be upset, no?
Yep. "local" here is the key word, though. If a service I uploaded photos to began doing that, I would not be upset. And indeed, just about every image-hosting website in existence already does this, because they're legally required to.
Gmail is markedly not a local service.
> True, but google is CURRENTLY abusing it by selling ads to me based on it.
This makes it seem like your concern is with the advertisement funding model, not with privacy.
You don’t see the difference between “seeing an email” en transit vs training a ML algorithm on it and extracting values like when will your airplane depart, when is your vacation, etc and automatically propagating that to other google products? I mean, it sure is comfortable, but you can sure as hell know that they build an extensive profile out of your private emails and your ads are targeted based on that..
> You don’t see the difference between “seeing an email” en transit vs [...] extracting values like when will your airplane depart, when is your vacation, etc
I do not see any difference between these parts, no. If a human read my email I would expect them to be completely incapable of not working these things out, so I'm not really too concerned if a computer does it either.
> training a ML algorithm on it
Also not really. If it were a machine learning algorithm that was trying to write realistic emails there'd be a reasonable concern of it revealing things about the training data, but when it's just generating ad recommendations based on only your data that only you see, I'm not too sure there's a serious privacy concern there. I'm unaware of any allegations that you could uncover private details about someone else's life by looking at an advertisement you received on your own email inbox.
> and automatically propagating that to other google products?
I would definitely perceive this differently depending on the product, as Google products are usually distinct enough that you can functionally treat them as if they were different companies (and often they either used to be, or eventually become so). So in this case there are now four entities that know the contents of the email: the sender, the recipient, Gmail, and e.g., YouTube.
But again, I've not heard any claims that Google are using the contents of your emails to decide what YouTube videos to recommend you. It's certainly not outside the realms of plausibility, but that seems like the kind of thing people wouldn't ever shut up about, so I'm surprised that I haven't heard about it if it is in fact happening.
> you can sure as hell know that they build an extensive profile out of your private emails
Oh absolutely, but I don't see how that's a privacy violation when you gave them your private emails. How much thinking does someone have to do about a message you gave them before it becomes a privacy violation?
> and your ads are targeted based on that..
This is the main reason I'm okay with it. Google's entire business model relies on them preventing anyone else from seeing that data, so that they're the only ones who can target ads that effectively. If there was a significant risk of data leaks then I can absolutely see why people would be concerned, but Google has some absolutely gargantuan incentives to avoid that.
Most people accept search warrants signed by a judge for a crime. Proton mail was even nice enough to notify the user what they were the subject of a search.
With Gmail/Hotmail/etc your communication are at the finger tips of governments for non-criminal domestic surveillance. For example it has been alleged that the NSA leaked private emails of a journalist in order to score political damage.
Because of the dirty little secret of protonmail; it's actually just privacy cosplay. If they told people what's actually involved in having a truly private email account, most of their customers would say screw it and go back to Gmail.
I gave an example in another post. Basically "Hey, we respect your needs. However, we have to tell you that you should treat us as a bit of an adversary. We will do what we can as a private company, but ultimately we can be compelled by the government, rogue employee, or if somehow we get hacked. This is the case for any company, they just don't tell you it. We do. As our customer, here's what we recommend you do: Use Tor, fund open source, vote, etc."
Of course not, because a company that strikes the perfect balance of being sorta-in-the-right-direction but then also using deliberately deceptive language to pretend they're all-the-way-in-the-right-direction is going to outcompete companies that genuinely go all the way.
I wonder how long the 'Swiss privacy' brand, which seems to be fairly valuable will hold if these things keep happening, I had to immediately think of Crypto AG
In 2021 the most powerful canary statement should be "Don't trust us. Seriously, treat us as an adversary. We still want you to be our customer of course, but here's how we really recommend you use our service, Tor, semi-anonymous payments, etc. In God we trust, for everyone else use math."
That canary statement would kill their userbase. Seriously, who expects a company to admit the value they provide is not much? They expect the more savvy users (ie, those who need the privacy, typically) to understand basic OPSEC.
I admit that the marketing is bad, I do not agree with it, and I do not tolerate it in terms of my own OPSEC. But, there's just no way they would just admit they provide hardly any value besides, in a VPN's example, being a tube to another place, and just another tube with ends that can be stopped.
Not having that canary may LITERALLY kill some of their users. If they have some decency they should own up to the truth and if they end up being out of business they will have a lot of goodwill for their next business.
And I 100% agree that they should. I'm just saying there's an incredibly slim chance they will. From a business perspective, which is the perspective they always take, it makes no sense.
> In the US companies can make canary statement...
What is far less clear is if you can trust the continuation of a canary statement to indicate the absence of the action it denies, since it is both legally disputed whether continuation of the statement could be mandated by government and because anyone who has an interest in the PR value of providing a canary statement also potentially has the same interest in continuing it as long as it is impractical to falsify.
>it is both legally disputed whether continuation of the statement could be mandated by government
Is compelled speech seriously in jeopardy? I saw the github issue for signal saying that some (EFF?) lawyers said that canaries are not that helpful, but that just implies that the government CAN compel speech. That would be bigger news than mentioned as an aside on a Github issue, I'd like to believe that would be news...
TBH in 2021 people engaging in potentially dangerous activities should be literate enough to understand, that no business will guarantee them full security and decline all requests from authorities to disclose their identity. The wording you suggest is equivalent of „do not dry your cat in microwave“ instruction - a legal protection from dumb customers, that does not contribute meaningfully to safety.
For the non-Swiss customers working with a Swiss provider can be a good enough protection to avoid inconvenience of Tor. After all, even in the mentioned case it required review and approval of 3 agencies before request came to Proton - from French police, from Europol, and then from Swiss authorities. If this is not enough barriers to protect from politically motivated prosecutions and corruption, then we have much bigger problem in Europe.
A corporation is a power centralization, and government authority can lean on power centralization.
In general, regardless of what their TOS say, never believe that a corporation can't be compelled by the law to do anything they could physically do. CEOs can be jailed; when's the last time we heard of one actually going to jail over user privacy?
The point being made agrees with you, and is just saying that since protonmail can't help but obey sometimes, they should make the effort to educate their customers about that fact and whatever their customers can personally do to mitigate the risks of that fact.
> CEOs can be jailed; when's the last time we heard of one actually going to jail over user privacy?
Ladar Levison from Lavabit came close. But even he admits that was because the FBI wanted to subvert every single Lavabit user's account (attempting vast overreach on the brazen assumption that "we are after Snowden" was going to pull the wool over everybody's eyes). Levison admits though, to having "responded to" at least two dozen subpoenas and complied with at least one warrant before.
The CEO of the phone company qwest claims that the insider trading charges he got prison for was only brought to court because he refused to allow the installation of NSA surveillance equipment.
A customer that specifically chooses Proton for privacy, must read and agree to privacy policy, which explicitly states, that Proton may in fact keep temporary IP logs and that user may opt in for login IP logs. Requests from authorities may ask for this kind of information and Proton will have to provide it.
The „opt-in“ part for login logs is particularly interesting, because in fact Proton recommends this as a security best practice. Whether it’s in the best interest of the customer or not, it’s an open question. I would say, in a risk model, where threat of human rights violation by Swiss government is much lower than risks of unauthorized party accessing the account, it makes sense. Tough luck for the criminals that followed this advice.
> In 499 BC, he shaved the head of his most trusted slave, tattooed a message on his head, and then waited for his hair to grow back. The slave was then sent to Aristagoras, who was instructed to shave the slave's head again and read the message, which told him to revolt against the Persians.
Since this was a trusted slave, the tattoo seems unnecessary. The slave could just tell Aristagoras "Histiaeus says to revolt against the Persians".
There was enough trust that the slave did not desert and that they were taking the message to the destination.
There was not enough trust that the slave would actually know the CONTENT of the message. As such the slave wouldn't even know to where to desert to :)
Do as terrorists and generals do.just use one mail account, never send mail, use the draft feature, and start everything as a discussion about an elaborate real world spy/crime novel.
3 days ago i did this very thing. when the oppressive govt banned internet, i had to talk to someone outside india and then i dictated them some text. reddit keeps ip logs for 100 days so i had a dormant account for over a year. i asked the guy to log in, type that message and post.
that way the govt can demand from reddit that account ip but since the only ip available is from outside india, they cant do shit.
i was ready to dictate base64 image character by character but the internet blockade remained for only 2 days so yeah. there are plenty of ways
ah yes. unless they are actively listening in am i not safe enough as compared to DPI censorship and network analyzers mandated by the said oppressive government?
> . I know that when an individual uses an electronic device to communicate withothers in order to commit a crime, the individual’s electronic device will generallyserve both as an instrumentality for committing the crime, and also as a storagemedium for evidence of the crime. The electronic devices are an instrumentalityof the crime because it is used as a means of committing the criminal offense.The electronic devices are also likely to be a storage medium for evidence ofcrime. From my training and experience, I believe that an electronic device usedto commit a crime of this type may contain: data that is evidence of how theelectronic device was used; data that was sent or received; and other records thatindicate the nature of the offense.
If the tech. companies involved have monetized surveillance, and no I am not talking about the kind they do for advertising, but instead the $ for data on users/portal, all that jazz, fees for LE levels of access, cost for responses, etc the LE are also the customers too then?
I'm fine with Proton treating my data as a liability. Give me the tools to take away that liability by only sending them noise through an anonymous email address. I will pay for that.
Sure, the wording istingray suggested is a bit over the top. But the existing wording "By default, we do not keep any IP logs" is misleading. Why even say it? They should simply delete it.
My first reading of "by default" here is that I can optionally enable it through my account.
Really, it's a phrase that means 3 things: I can enable it, ProtonMail can enable it[0], or the authorities can compel ProtonMail to enable it.
Saying any of that, or at least linking to a page that does, would be a smart move.
[0] https://protonmail.com/privacy-policy - "IP logs may be kept temporarily to combat abuse and fraud, and your IP address may be retained permanently if you are engaged in activities that breach our terms and conditions"
It is in contrast to the immediately following paragraph, which discusses a user-controllable setting that does cause ip logs to be retained permanently.
In the twitter screenshot linked to in this post, there is a discussion of the authentication logging feature in the immediately following paragraph (the screenshot discussing IP logging).
I'd read that as "by default we don't keep logs, so we can't be compelled to provide IPs for sessions in the past. We can still be compelled to provide that information for current/future connections."
The problem is that engaging in "potentially dangerous activities" includes such a wide range of people. Think about a journalist in Afghanistan, a whisteblower in the USA, or a human rights activist in China. They're all engaging in potentially dangerous activities. Are they "dumb" because they don't understand all the ins and outs of surveillance? How about some empathy for them as users?
The proposed statement above is intended to help people like that.
Do I have such activities? Nope. But I believe that those activities should be enabled, whether for me in the future or others around the world.
I advocate on behalf such "dumb" people by supporting simple services like Protonmail with my money. If Protonmail isn't supporting these users, why should I bother supporting Protonmail?
Also ProtonMail's only reason for being is that they are supposed to provide some higher level of privacy. If they don't, how are they any different than a commodity grade SMTP/IMAP provider? I will withhold judgement until I know more about the case but the early context does not look good for ProtonMail's value proposition, which is the least of things.
Is it though? I don't know much about this company but their main selling point seems to be end to end encryption for mail messages. That's not a "privacy" feature by itself. Now it is a tool that you can use it to gain more privacy, but you could also have people who use it to cc all their emails to their entire facebook list. So it seems it all depends on how you use it and what type of privacy you try to achieve.
End to end encryption is a privacy feature by itself.
The example of using an email service to send a mass email to a dislist is irrelevant to the possibility that it would also be able to preserve privacy in other communications. You could send an email directly to the local police chief if you wanted but that does not preclude wanting privacy elsewhere.
I think you are confusing privacy with security, which is a common mistake, not your fault -- end-to-end encryption is what secures the messages, by itself it does not ensure that the messages get to the right place or that the encryption keys are belonging to the right people. It needs to be used in combination with other methods and techniques. Explicit features that are in the domain of "privacy" would be ensuring messages are deleted on a regular basis, or some kind of key cycling, or an anonymizing service like tor, etc.
To use your example of emailing the police chief: let's say your threat profile is that you're being stalked by a criminal, and you want to email the police to give them information on this crime, but you don't want the criminal to know. If the criminal breaks into your email, or if your house is broken into and a hidden camera is placed behind your computer, it makes little difference whether you have end-to-end encryption or not, your privacy is still violated. Does that explain it better? Maybe Proton could have some better messaging around this, if their customers are getting privacy and security confused?
I think you're using a definition of end-to-end encryption that's too narrow, same with privacy. E2E schemes try to ensure that your messages can only be read by their intended recipient. That's undeniably a privacy feature, since having private messages read by a third party (without consent) would be a privacy violation.
Security and privacy are intertwined, imagine your server getting hacked (security problem) leading to your private documents being exposed on the internet (privacy violation).
I understand they are billed that way but in practice I don't believe they fulfill that goal, as the job of making the messages unreadable is mostly already done by transport security (SMTP TLS). Sure it can protect against some things if the mail server is the target, but as we see here, there is still a large amount of identifying metadata that they (unavoidably) have on you. The goal with "privacy" is to ensure that your communications are undetectable and unidentifiable, and I would hardly call it that if it's still regularly going through a well-known mail server attached to a highly identifiable account. And of course it depends on how much you actually use the E2E encryption which is technically optional, for example if you send/receive a lot of mail from gmail users that aren't using S/MIME, which still seems to be the case for a lot, then it won't be enabled and your messages are still vulnerable in a server hack.
* Think about a journalist in Afghanistan, a whistleblower in the USA, or a human rights activist in China*
The former's safe because no one's going to deliver IPs to Afghanistan and the latter are doomed, because the US and China are following a policy of total surveillance. That ship has sailed decades ago.
I wouldn't be surprised if they or anyone else in the future deliver users IPs to the Taliban government specially with they get recognition from more nations.
You do not have to understand all aspects of privacy to realize that governments may have sufficient resources to track your identity and to put enough pressure on businesses to provide information they need.
At the same time, Tor is not the only, the required and the sufficient way to ensure privacy. There are different circumstances requiring different approaches. In many cases Tor will be redundant, in some cases it may be impossible to use, will offer insufficient protection or will actually put the person in an immediate danger, so giving this kind of advice is at least equally harmful as not having full disclosure on logs.
> Are they "dumb" because they don't understand all the ins and outs of surveillance?
US military personell and from other nations is posting on TikTok. At least those probably don't work in reconnaissance.
They aren't stupid and this isn't a technical problem, it is a legislative problem. Real security has been undermined since the early 2000 and before. Western powers just ape China or Russia at this point.
That the Swiss people gave authorities these surveillance capabilities is pretty stupid though. Alpine air must have been pretty thin that day.
Looks like your run of the mill radical left occupation of housing (the stuff you see in big European cities like Berlin and Paris where they have that tradition).
Their bouts with law enforcement trying to evict them could be the reason for the arrests. If the google translate is not completely misleading then they refused to give their names or fingerprints when initially arrested.
> If this is not enough barriers to protect from politically motivated prosecutions and corruption, then we have much bigger problem in Europe.
Well, in this case isn't it clear that these barriers were in fact not enough? Or do you think anti-squatting is a major enough problem that it warranted this level of international cooperation, without any politically motivated thinking?
>A global passive adversary is the most commonly assumed threat when analyzing theoretical anonymity designs. But like all practical low-latency systems, Tor does not protect against such a strong adversary. Instead, we assume an adversary who can observe some fraction of network traffic; who can generate, modify, delete, or delay traffic; who can operate onion routers of his own; and who can compromise some fraction of the onion routers.
I once tried to create a Protonmail account over TOR and I believe they require a phone number from 'malicious' IPs so if you want anonymity Protonmail is not the service for you.
If they don’t do this then spammers will use their service en masse and degrade the service for all customers by black holing their ips and domain through all other email providers.
> This isn't the Hotmail age where everyone expects free email.
It totally is.
I was running my own mail server for a while. The thing that finally pushed me into not bothering any more was when I looked at my logs and realised 82% of my non-spam non-marketing email was captured by google (where at least one recipient was either @gmail.com or a gsuite custom domain).
>This isn't the Hotmail age where everyone expects free email.
Protonmail does offer a free tier, which is the problem. I'm sure they would be happy to take a payment instead, as the whole point of phone verification is to impose a cost on account creation. Perhaps they can rework their account registration flow to offer the ability to upgrade to a paid account at the verification step.
If you're upgrading to a paid account, isn't that even worse than the initial step in terms of anonymity? I get that they need to make money to survive, but this requirement isn't displaced by e2ee - it provides a misleading and false sense of security.
Anonymity toward state actors is compromised in either situation, whether phone verification or payment validation.
Doubt I'm the only one who thinks this, but the value proposition of their service is cancelled by their stated terms, which at least they make available. I have similar doubts about the veracity of claims by VPN providers (including mine) in terms of not keeping logs.
tor remains the only usable anonymising method with a decent track record. It's a shame Protonmail discriminates against it.
They support Bitcoin as a payment method. If you take precautions (ie use a Monero -> Bitcoin payment service over tor) I don't see it as compromising your identity.
I try to sign up a protonmail through tor with brave browser at 2021/09/06. Everything goes well until last step.
Are you human?
If you are having trouble creating your account, please request an invitation and we will respond within one business day. Request an invite
I created an account made explicitly to be used over Tor some time ago and I was never asked to provide any phone number, but maybe that changed at some point.
If you need it one time for registration while staying anonymous using a burner SIM will work just fine. This way you anonimously create the account and then keep your location hidden using Tor. Authorities may even know who you are but will be unable to locate you.
But the mule only gives you some extra functionality, resilience, and is like having an email address just for spam or a home VPN endpoint. It gives you very little in terms of anonimity, which is why you'd go to Tor anyway. It's still in your proximity even if it's not in your name so anyone able to obtain your IPs from the services you use would also be able to get the location of your mule. And you forward to your own mail server which again does little to hide anything. That's a long traceable chain that can be compromised or at least broken (to force you out) at every link.
This is great to make sure companies don't sell your phone number or use it to create some social graph, and to access your accounts independent of your normal phone. But if you're looking to hide your identity or location from your service provider and the authorities then it's barely a speedbump.
Let me explain both my threat model and my use-case.
My threat model is not state level actors or law enforcement. My threat model is simply individuals working at providers I use that get curious and go hunting for my traffic. So, for instance, someone that works at my ISP or for my cellular provider or (github/twilio/twitter).
I don't want these private actors to see my name or my phone number. However, VOIP numbers are typically blocked by providers for purposes of authentication and security because they need you to "burn" an actual SIM card number just to incur costs on you. This is their blunt response to a rather difficult spam/scam problem that would just explode if no costs were involved.
...
My use-case is that I don't want to carry around three phones everywhere I go and eSIMs don't work for these functions (again, their numbers are often discriminated against). I also don't want a single SIM card to correlate across multiple providers - that is why I have three (one personal SIM (not in my name) and two "mule" SIMs).
...
"It's still in your proximity even if it's not in your name so anyone able to obtain your IPs from the services you use would also be able to get the location of your mule."
No, they are rarely in my proximity. In fact, at this moment they are 12000 miles away from me. I keep them at my office and might move them to a datacenter ... but only if I can convert them from a phone form factor to a rpi-with-cellular-hat form factor ... or maybe ssh into the phone ?
Well, remember - their interactions with these 2FA Mules are SMS only - there is no IP/network connection made here. So the providers, at least, don't have an IP address to look up. Also, in case it is not obvious, I fully control my entire mail and dns infrastructure - as in, I own the machines and rent the racks.
_all_ VPNs are useless. They are the biggest security theater and a massive success of marketing. But really, it's completely bazaar to trust a VPN provider.
They provide protection from your local network, but you they can do all the same things and more.
My ISP is subject to my local laws. Which are not good, in terms of my privacy.
My VPN provider is not - but is obviously subject to their local laws. Which are almost certainly also not good for my privacy either.
Spreading the threat across two different jurisdictions is without doubt "somehow better" than just using my ISP, at least in the case of protection against snooping by non serious crime law enforcement.
(Where I am, organisations like local councils, the taxi commission, fishing inspectors, and dog catchers - can all access our "mandatory telecommunications metal data retention" stuff with very little oversight... While my VPN is still in five eyes, so there's no point pretending national security, intelligence, or serious crime like terrorism/drugtrafficing would have no trouble getting cross jurisdictional access, I'm pretty sure the fishing inspectors or dog catchers won't have that sort of access.)
It can’t fix the problem that it reveals the ip address you’re connecting to though. Even if the sites you’re visiting are all on servers that virtual host heaps of other sites as well, it certainly narrows that haystack down to a handful of bits of hay with your bright shiny needle standing out in the middle.
My ISP throttles connections (strangely including Zoom).
My ISP mines my data and sells it to the highest bidder despite costs not coming down.
My ISP determines what I can look at and can't (such as torrent sites).
My ISP is participating in anti-competitive behavior and I need the internet but I don't have a meaningful way to tell them to fuck off.
My VPN doesn't log. My VPN doesn't filter my traffic. My VPN reduces what my ISP can know about me and monetize me. My VPN allows me to access sites appearing in different countries or as a different user which changes what content websites serve to me, including price of products.
VPNs are a soft security practice, but one hell of a way to tell your ISP to fuck off. I think there's this group of people that say "oh, a security feature isn't bullet proof, therefore it is useless." But this is just dumb. All security features are probabilistic in nature and depend not only on how you use them, but your threat model and the will of your adversary. For people, like me, trying to escape dragnet operations VPNs do help. But alone they aren't enough and that's okay.
In Sweden we got the "datalagringsdirektivet" that says that every operator must keep their traffic for 6 months. VPN-providers are not bound to this law so that's my reason.
You need a VPN provider outside your legislation of course. Access is still not impossible, but much more unlikely. Perhaps choose a country not on good terms with your own.
Is the parent suggesting that no one should bother to read the Terms and Privacy Policy, linked to from the homepage. https://protonmail.com/privacy-policy
Despite the parent's claim, the Privacy Policy says the company may log IP address. Temporarily. Irrespective of any request from local authorities regarding a specific user. IOW, they may log anyone's IP address temporarily regardless of whether the particular user is casuing trouble; they can log IP address for everyone. The policy says they log this data for the purposes of preventing fraud and abuse. The problem for privacy-conscious users is that if they log the data, then that entices authorities to try to successfully request it.
The policy, which imposes no obligations on the company BTW, reads as follows:
"IP Logging: By default, we do not keep permanent IP logs in relation with your use of the Services. However, IP logs may be kept temporarily to combat abuse and fraud, and your IP address may be retained permanently if you are engaged in activities that breach our terms and conditions (spamming, DDoS attacks against our infrastructure, brute force attacks, etc). The legal basis of this processing is our legitimate interest to protect our Services against nefarious activities."
There is nothing that says "By default we do not retain any logs". This clearly states they may be expected to retain IP logs. ("IP logs may be kept temporarily...")
But wait there's more.
"We will only disclose the limited user data we possess if we are instructed to do so by a fully binding request coming from the competent Swiss authorities (legal obligation)."
This clearly states the company may disclose the data they possess, e.g., IP logs collected to combat fraud and abuse, if in response to a request from competent local authorities.
Further down is a curious statement about decrypting messages.
"If a request is made for encrypted message content that we do not possess the ability to decrypt, the fully encrypted message content may be turned over."
Why include a statement such as this, specifically the part that says "that we do not possess the ability to decrypt". The company already specified it may disclose the data it possesses. This further statement suggests there could be some situation where they may have the ability to decrypt some messages. Besides their own communications with customers, why would they ever have encrypted messages that they can decrypt. They could state something like "If the request is made for encrypted communications addressed to us or sent by us, ...", but they do not. As such, their statement must include other messages, too.
I pasted an email I sent to Protonmail above. If they can't come up with language that's clear, use text from their privacy policy verbatim. Start educating users not to trust anything but what's in the policy, and even treat that as adversarial.
> "IP Logging: By default, we do not keep permanent IP logs in relation with your use of the Services. However, IP logs may be kept temporarily to combat abuse and fraud, and your IP address may be retained permanently if you are engaged in activities that breach our terms and conditions (spamming, DDoS attacks against our infrastructure, brute force attacks, etc). The legal basis of this processing is our legitimate interest to protect our Services against nefarious activities."
Just how transient do logs need to be to fit this criteria?
Am guessing the 7 years or so we need for some of our specific logs might fit the temporary definition too.....
Nothing is even defined. There is nothing in this policy that obligates the company to do, or restricts the company from doing, anything.
This is the way most tech company "Privacy Policies" are written.
There is a significant difference between a statement such as "We (Company) do not do X" versus a promise such as "Company shall not do X" or a statement such as "We do Y. We may do Z" versus a promise such as "Company shall do Y."
Why not have our own "Policies" as users that we publish for tech companies to read. In them, we could describe what we do and what we do not do, and what we may or may not do. Tech companies could rely on these statements. You can see how silly that sounds. Yet users are expected to read and rely on hundreds of different "privacy policies", collection of non-binding statements like "We take privacy seriously".
I wouldnt trust any of them to be honest. Privacy policies really arent worth anything.
I would look for websites that generally do not ask for data. Then send them the minimum data you can get away with. I would avoid "signing in" or "signing up" to any website. There is an immense amount of data and information available from free from the web, no "account" is necessary.
For example I dont send any extra HTTP headers like Cookies or User-Agent, I dont use Javascript. I dont request images, CSS. I dont automatically follow links in src tags. Yet I can still read and comment on HN and I can read every website posted to HN. Thats a lot of websites. I can read them just fine while not sending them any more data than is needed. Because I do not use a large, complex graphical browser sponsored by an online ad-supported vendor to make HTTP requests, I can easily control what I send. This is far better IMO than sending unknown amounts of data (letting the websites control what the browser sends via headers, Javascript and src tags) and then hoping the websites dont do things with the data that we dont like.
Privacy policies do not limit websites from collecting data nor do they limit how the data can be used. They are "policies" not agreements. If a website operator does things behind the scenes that violate privacy but that it does not disclose in a "privacy policy" what can a user do. How would the user even know. Or the website could clearly violate their own "privacy policy", but no one outside the website's operators would know. Even if users discover the violation, what would be the repurcussions. Its too late, because a violation means privacy has been blown.
Show me a case where a tech company got sued for violating a privacy policy. How can anyone prove a violation if the operations of the website are not open for public inspection.
Generally I use custom utilities for HTTP generation, URL extraction, chunked transfer decoding, URL encoding/decoding, GZIP/ZIP/PDF/MP4 extraction, etc. Thus I can use any TCP client I want to make HTTP requests from the command line. I do not need a browser to request content. Nor do I need projects like curl or projects that use libcurl like youtube-dl. For large downloads I use tnftp. The shell script I use to download YouTube videos is 424 bytes.
For reading HTML I prefer links. It has the best rendering of HTML tables, IMO, and is for me the easiest source code to work with. I did use lynx back in the late 90's but would never go back to it. Its bloated. Its slow. Im not sure why anyone interested in text-only browsers would use it other than they are unaware of or have not tried alternatives.
Your observations are correct, the regulation is able to deal with the damage after it was done, and apply some form of punishment after the fact. It takes whistleblowers and activists to reveal some of the wrongdoings, otherwise the violations remain unknown to us.
Therefore there has to be a greater push towards proactive measures - letting people vote with their wallet by making informed choices; the prerequisite for that is for the relevant information to be available to them.
Have a look at some of the research I've been involved in, we're trying to solve this exact problem: http://privacy-facts.eu/
There is a project for bringing relevant privacy facts closer to users, so they can make informed decisions before choosing to buy a specific product or service. Check out the second screenshot on this page: http://privacy-facts.eu/features/
The idea is to express everything in unambiguous terms, so there's no way to weasel out of it with "yeah, but not by default" or, "well, it depends", etc.
All the Protonmail customers out there, what did you do about this?
For starters, I emailed Protonmail support.
Here's mine:
Hi,
Your homepage reads "By default, we do not keep any IP logs..."
This language is soft and misleading. Maybe in 2018 when I first began using ProtonMail it was good enough. But in 2021 it's not. I expect better from ProtonMail.
Replace immediately with something clearer. "By default we don't log IP, but may be required to by law enforcement. We recommend all customers connect through Protonmail through Tor. This month, 60% of our users connected through Tor".
If you can't come up with anything better for users, just fall back on your privacy statement verbatim and avoid any marketing language.
Think about a journalist in Afghanistan, a whistleblower in the USA, or a human rights activist in China. They're all engaging in potentially dangerous activities.
I advocate on behalf such people by supporting services like Protonmail with my money. If Protonmail isn't supporting these users, why should I bother supporting Protonmail?
I expect Protonmail to educate users like this about how Protonmail itself can be turned into an adversary. Educate users about how to use Tor. Do better. Improve the internet.
I look forward to your reply.
Also, registering a new account through Tor requires a phone number for verification, even though Proton says no unique identification is required to register. If this requirement isn't removed by the time I renew my account I will no longer renew.
From my understanding it depends on how naughty your current exit node has been. Most tor exits in my experience allow creation and you just need to verify another email (just use a random burner- they only block a few. Supposedly some well behaved exits require just a captcha but I've never seen it.
Using Tor to access a regular web site, ie: through an exit node, is (nearly) no different than using a proxy. Just assume all exit nodes are "naughty" and do your thing accordingly.
Sad to say, Proton's onion service is for their old version. Proton has recently rolled out a new updated version of their service, and as far as I'm aware they don't offer a Tor onion service for that newer version.
So Proton users who like to connect via Tor onion services have been faced with a choice of either staying on the old version of ProtonMail, or giving up on connecting via a Tor onion service. It definitely leaves the impression that they don't care much about Tor anymore, or that it's at best an afterthought for them.
I tested this, and you're right: Their Tor service runs the (in my opinion nearly as usable) older version.
It's plausible that Proton does not care about their Tor service, but there may be another reason: The new version relies more on Javascript code than their old version, and a Tor user is more likely to browse with scripts disabled than a regular user. Proton may be holding back the rollout of the newer version until they have tested it more without Javascript. This is only a hypothesis, and I came up with it just now; take it for what it is.
I didn't do anything about this, because I expect any commercial service to log IPs at least for a short period of time to fight abuse. I'm using this service because I don't want the service provider's staff or someone that hacks their servers to be able to read my mails. Ideally I would like to also have privacy (through E2EE) when e-mailing other PM users, but I'm not counting on that. As the Tutanota case shows, such secure e-mail providers can be forced by law to intercept e-mails.
Their page is full of what are now obviously lies. They admit that in the cases of "extreme crimes" they might be forced to give up information. _By no stretch of the imagination are these peaceful political protests "extreme crimes"._
I specifically advocate for the sorts of people that Protonmail ratted out and had arrested - climate change activists.
FWIW, what they were accused of was squatting, not protesting climate change. I still think that's a ludicrous abuse of police powers, but it's worth being accurate.
And in the spirit of accuracy : the reason for the arrest was the violence during an eviction (several injured police officers), not the squatting itself.
From what I gathered from a (French) blog posting by a squatting collective, posted elsewhere in this thread, the arrests are in relation to an eviction.
The eviction was legally sanctioned, and violence was used on the officers. Several officers had to stop work for a few days, one officer for two weeks.
I myself am a middle-aged "have" , but I do worry about climate and I do empathize with those that "have not".
However, violence during an eviction is not peaceful. People were hurt, and a legal response was due. Seems to me that arresting someone after the fact, and dealing with the matter in a court of law is the peaceful thing to do?
When I read "extreme crimes", I don't think of a scuffle with the cops over what started as a misdemeanor arrest or non-criminal enforcement action. Protonmail should change their wording to be clear that governments can and do compel them to collect such information for ordinary crimes.
Yup, fully agree: Protonmail should just say "we comply with the law". Though at this point the security reputation of the Swiss should have given anyone pause to think (Crypto AG, Omnisec AG, etc)
My point was just that 1) the arrest was related to squatting, not the climate 2) these people, idealist and well-intentioned as they were, were not "peaceful" (at least, not when faced with a brigade of police officers)
> The eviction was legally sanctioned, and violence was used on the officers. Several officers had to stop work for a few days, one officer for two weeks.
Usually they need to stop work for a few days because their hands/wrists are aching due to hitting too hard on protestors. Anti-riot are perfectly equipped and physically trained to be in fights, it's literally their job. And while there are generally at least a few "semi-pro" violent protestors on the other side, they are not so well equipped like the police.
That's fine in my "paying ProtonMail customer" view. Use VPN + Tor if you don't want your IP address be known. I use ProtonMail to reduce my exposure to Google tracking/possibility of business execution leaks they might use in their favor and keep alternatives alive.
Protonmail did not provide the authorities with the users IP address...they did allow the account to monitored which they are required by their laws to allow. It was the users sloppy OPSEC that allowed the authorities to eventually track them down. In the end, I believe, it was linking the user to a past Gmail account that finally did him in. Listen to this podcast episode, the presenter does a fairly good job summarizing the situation.
The Privacy, Security, & OSINT Show – Episode 227
Lie that you care about user privacy, give sucke- I mean, users' data to law enforcement anyway, blame the users when they get nailed due to your snitching. It's a perfect business model!
Not my problem. I pay Protonmail to work on behalf of users, and empower users to the extent allowed by law. This includes educating users about the adversarial actions that Protonmail itself can take against them (warrant, rogue employee, hackers). Otherwise I can take my $ elsewhere, email services are cheap.
> Protonmail did not provide the authorities with the users IP address...they did allow the account to monitored which they are required by their laws to allow.
Something their marketing material appears to disclaim. This is just excuse-making. ProtonMail did what ProtonMail has (for years!) led their customers to believe they would not do. And they did.
I think there's an argument to be made that any commercial email/messaging provider simply can't do what ProtonMail claimed to do. But that doesn't change the fact that ProtonMail did it.
> ProtonMail did what ProtonMail has (for years!) led their customers to believe they would not do.
My rule is to give any corporate statement about what they "will not do" exactly zero credence.
The only thing worth anything in that context is open source where independent programmers can verify that the code cannot support undesirable behaviors. And even then you're not safe, because code running on someone else's machine might actually be anything. So in the end, self-hosted open source software is the only way.
Right now that requires some degree of technical know-how, but I believe that's a solvable problem the same way operating systems have turned the technical practice of process management into something users don't even need to think about.
> ProtonMail is a well-known and well-regarded mail service and is often recommended to users looking to distance themselves from Google's less-than-ideal security practices. Unfortunately, however, ProtonMail was recently forced to cooperate with Swiss authorities in providing user data (date of account creation), which was subsequently handed over to American security authorities and enforcement agencies.
and
> Proton reached out to us to confirm that the only data provided to Swiss authorities was the date of account creation. [1]
I've worked with back end webservices for 10 years or so but I'm struggling to understand the concept of allowing a singular account to be monitored. What does this actually mean? An account in all of the systems I've dealt with is basically the collective understanding of a bunch of database queries. How does one allow an account to be monitored in any way which is less frightening than providing an IP address from a log?
theyre quite transparent about their service, and far more transparent than any of their competitors. the same criticism can also be leveled against your comment. "but i used tor, the defualt mode for which has js enabled and somehow it leaked my ip!" if you dont know what youre doing, and want to evade state law enforcement, you better figure out what youre doing. thats not on proton.
I didn't ever have proof, just a gut feeling, but I never really bought into Protonmail. I created an account but rarely used it and as far as I know has been deleted for a few years now.
> Each time you connect to our service, we log your IP address, your client identifier (browser or mail client information) and your username.
I'm sorry dude, but that decision from switching to fastmail was not very productive to counteract the specific case mentioned on the OP.
If anything, it's even worse since fastmail apparently always logs your IP.
Moreover:
> We process mail sent and received from your account to block spam and fraud. We receive information from third party services to assist us in identifying spam.
Looks like your emails aren't even encrypted. If any government body what's your email bodies, they'll have it. They even share it with 3rd parties for fraud detection.
With protonmail and similar services, they'll just log your IP if they're asked to do so, which you can obfuscate using a decent enough VPN.
One thing I've noticed is that many HN users don't believe that courts can compel companies to take positive actions to surveil their customers. This incident illustrates that, yes, courts can compel companies to keep logs even if their infrastructure is built to not keep them at all.
We cannot rely on what companies say about their privacy guarantees, or rely on vendors' technical analysis of their own black box systems, because a simple court order can essentially be a backdoor.
I don't trust any "secure" communications service that hasn't been subpoenaed and provided nothing in return. Having a national security letter canary doesn't hurt either.
I was COO of a vpn company for several years. It’s almost impossible not to keep any ip info. We had issues with fraud and one of the best ways to prevent or limit it was to track IP address and save it for several months.
I agree PM should be more forthright in their messaging but realistically I don’t believe any company that takes payments and doesn’t track any info at all.
I don’t remember the actual marketing message as it was about 7 years ago, but I know in the TOS it was carefully written to include that it had to collect some ip info to prevent fraud.
Also a ProtonMail user. While I would prefer that ProtonMail never captures or divulged my ip and or logged my access I pay because I was a long time gmail user and am trying to ween myself off of alphabet in general. I don’t want my mail skimmed for ads or worse.
I wanted to test how Protonmail is doing for new users I created an account from scratch just now over Tor.
1. Am asked to verify new account by entering a cell phone (edit: this is horrible. They lie and say account creation is anonymous, as pointed out by the poster below)
2. Upon login, "Basic" logs are selected which do not display IP. You can enable "Advanced" logs to log IP. I would suggest Protonmail make it crystal clear that these "Basic" logs do not store IP. In 2021, lies by omission are not good enough. Get rid of the soft language.
This is completely false. I have created accounts (for others) over tor, without ever divulging a number. The exit node is a factor here. Sometimes email is required; if the need is there, throwaway emails work. I hate to tragedy-of-the-commons a good service, though, which is why I have a subscription.
If you're a criminal and use email, especially email paid for in your name, you're an idiot. Switzerland has been tightening its laws just like every other country, all of them are fascist.
so today we are redefining what "not logging data" means. it changes meaning when used in the same sentence as the expression "by default". so by default, not logging data is not really not logging data.
we've redefined quite a few things in the past few months. will be interesting to see where we go from here.
It has not really changed meaning. Asshole companies blatantly lying and using dark patterns only means one thing: that the company is a piece of trash and does not respect their customers.
Question: is it possible they do not log any of the data but were required to capture it on the next login? All the talk here implicitly assumes ProtonMail provided historical information.
As far as i understand from the article, this is roughly what happened.
Protonmail got a warrant, and thus enabled logging for the user (as is required by law).
I’m aware that this is a very silly sounding question, but I’m very confused about what’s going on here.
If the subject of this investigation had been using ProtonVPN to connect to ProtonMail, would this have (in a marginal way) protected their anonymity? If ProtonMail can be compelled to begin logging, surely the same must be said of ProtonVPN right?
It’s interesting how many “privacy focused” companies tout being based in Switzerland as some big badge of honor, which a layman consumer such as myself is supposed to be really impressed by due to the overall reputation of “Swiss privacy laws.”
In practice, I’ve never been to Switzerland. I don’t know any person that has had any legal issues there, let alone someone that’s litigated a digital privacy case there. I do not speak German or French, and don’t know where to start when it comes to looking up specific cases or court proceedings, so I’d be extremely slow on the uptake of the actual ins and outs of how the Swiss privacy model works from a practical standpoint.
The “based in Switzerland” thing strikes me as a bit of a black box bit of marketing speak. How much time, energy and money did ProtonMail expend fighting this surreptitious logging mandate? Does “Swiss privacy” actualy mean anything if ProtonMail is happy to hand over your IP address when spooked?
Shhh, the entire country runs on similar myths, most prominently banking. But then, all that the common man is capable of understanding is myths, sooo ...
> It’s interesting how many “privacy focused” companies tout being based in Switzerland as some big badge of honor, which a layman consumer such as myself is supposed to be really impressed by due to the overall reputation of “Swiss privacy laws.”
I believe it comes about due to the old trope of Swiss banks being the most secure places to hide money, which of course is not true and hasn't been for a long time. Even in that period, I am sure they complied with Interpol/Europol requests to divulge account details of evil masterminds with a beeellion dollars hidden away in a Swiss vault.
I used to work for a now defunct Swiss company that had “Swiss quality, security and privacy” plastered all over the website and marketing materials. The number of actual Swiss people on the team could be counted on one hand, the rest of developers being from every European country out there, with the most represented ones being Ukraine and Romania. And from talking with my coworkers, the situation is the same across other Swiss IT companies.
I would not pay any attention to the “Swiss X” marketing.
Almost every company in Switzerland that produces software has a bunch of eastern Europeans on the payroll, that either immigrated to the country or work remotely. But if the company started in Switzerland, or management and especially senior devs are based in Switzerland, I feel like that's good enough to apply the "Swiss quality" marketing because the Swiss _do_ have high standards and expected high quality of work produced.
So, you are complaining that they had immigrants working for them? They are part of the EU free movement region, so that is hardly surprising. Immigrants on the payroll don't change whether or not a company is Swiss.
Were they inside the country? Were also they subject to Swiss laws? Aren't these the things that would make a company Swiss? Even if the company was started by a person that isn't Swiss, I'm pretty sure it is still a Swiss company if it is initially located in Switzerland and governed by Swiss laws.
I am not complaining about the company hiring immigrants and allowing remote work across the Europe. I just haven't seen anything inherently Swiss in it, anything different from any other European company I worked for, that would justify the "Swiss quality" marketing.
Then why would you bring up the nationalities of the folks working there instead of pointing out things about the quality that you find lacking as compared to the advertising?
There wasn't any of that there. The only detail in the complaint was about the non-Swiss folks working there. And I really, really don't understand how it just isn't low-key racism. Could you explain it better for me?
The comment (and what people expect of a "Swiss product") was about the local/nationak law environment which certainly always holds true (for better or worse). "Created by Swiss people" as a feature would be a rather meaningless in the modern world.
> The “based in Switzerland” thing strikes me as a bit of a black box bit of marketing speak. How much time, energy and money did ProtonMail expend fighting this surreptitious logging mandate? Does “Swiss privacy” actualy mean anything if ProtonMail is happy to hand over your IP address when spooked?
it does not; witness the swiss banking system's capitulation to the US, crypto AG, etc
Swiss banking was doing business in the US on US soil, they didn’t capitulate, they greedily extended beyond swiss borders and got caught helping foreign people evade their taxes with employees outside swiss borders.
"Crypto AG was a Swiss company specialising in communications and information security. It was secretly jointly owned by the American Central Intelligence Agency (CIA) and West German Federal Intelligence Service (BND) from 1970 until about 1993, with CIA continuing as sole owner until about 2018."
I'm Swiss and I volunteer for an organisation called Digital Society Switzerland. Although much smaller (and less powerful) we are similar to what the EFF is doing but on a national level.
I can only confirm your doubts about the "Swiss privacy laws". The current laws in Switzerland are very week (at least compared to the GDPR) and it has powerful surveillance laws in place (6 months data retention for telecommunication data, mass surveillance of internet traffic entering and leaving the country). If at all, being based in Switzerland as a privacy friendly company is rather a risk than giving you a "badge of honor".
I can only speculate where this myth and reputation of "Swiss privacy laws" is coming from. I guess it is related to the bank secret we had in place for a long time: It allowed you to own a bank account anonymously. While many states (especially the US) protested strongly (and for good reasons), it gave Switzerland an aura of discretion.
Completely unrelated, the only company I know of that deserves the "it's Swiss so it must be top notch" is Victorinox, their pocket knives and multitools are second to none quality wise.
As far as I know, Swiss laws regarding online privacy aren’t all that great. They’re even more regressive than other countries. Swiss quality doesn’t mean much in software, if anything most Swiss companies are very much behind in terms of best practices or modernity of software. Whenever I see “Swiss software quality”, I run the other way now that I know how the sauce is made.
Even the government sucks at online security, see the debacle of the city of Rolle and the cyberattack they suffered last month. If this is not pure ignorance and incompetence, I don’t know what is.
Not even mentioning several “made in Switzerland” software company whose only claim to Swissness is that they have an office with two people in Switzerland and all the rest are European or Indian contractors (not that these people are worse, just that it’s a marketing thing to tout Swiss software if you’re going to outsource 90% of your development offshore)
Most of the time, claiming Swiss anything is a marketing move and an excuse to justify charging much much more for something.
I don't have any opinion about "made in Switzerland" for software (other than that it does make a good impression for my customers), but anecdotally (at least when shopping within Switzerland) I have noticed that the "made in Switzerland" stuff at the store is better quality. And sure it's more expensive, but all the crap products are expensive too.
Translation: "The company @ProtonMail delivered IPs of climate activists to the police, after which the activists were arrested and searched. ProtonMail claims on its website, however, that it does not store the IP addresses of its users."
The year 2020 and 2021 was marked by the establishment and repression of a series of occupations in the district of Place Sainte Marthe, in Paris, in order to fight against its gentrification. Some 20 people were arrested, three searches were carried out and several people were sentenced to suspended prison sentences or to fines of several thousand euros (more info here and here). In addition, seven people are on trial in early 2022 for “theft and degradation in assembly and home invasion” following the occupation of a with a file of more than 1000 pages. During the investigation, the police focused on the collective “Youth For Climate”. In particular, they were able to use photos published on Instagram, even if they were blurred because of the clothes.
The police also noticed that the collective communicated via a protonmail email address. They therefore sent a requisition (via EUROPOL) to the Swiss company managing the messaging system in order to find out the identity of the creator of the address. Protonmail responded to this request by providing the IP address and the fingerprint of the browser used by the collective. It is therefore imperative to go through the tor network (or at least a VPN) when using a Protonmail mailbox (or another secure mailbox) if you want to guarantee sufficient security.
618 comments
[ 3.2 ms ] story [ 321 ms ] threadhttps://protonmail.com/privacy-policy
They also provide a report of all warrants received https://protonmail.com/blog/transparency-report/
And even on their English website, the marketing is misleading. They say that the service is "anonymous" and also: "By default, we do not keep any IP logs which can be linked to your anonymous email account".
https://protonmail.com/blog/protonmail-mr-robot-secure-email...
Scroll down to comment:
> Liam, October 14, 2015 at 10:30 PM
> But https://protonmail.com/security-details page says “No tracking or logging of personally identifiable information. Unlike competing services, we do not save any tracking information. We do not record metadata such as the IP addresses used to log into accounts.” So, now it turns to be that you introduced tracking and logging? Is this data encrypted as well?
> Admin, October 17, 2015 at 9:14 PM
> We don’t save any of this data by default, the user must explicitly turn it on for us to save it.
There should be a reasonable assumption that given they have end-to-end encryption for the service, they just encrypt the logging for the user and store it encrypted without the key themselves like they do the emails.
Also to note, they at least have an onion link to use their email service.
https://twitter.com/andyyen/status/1434600373059297284
"As described in the link above, under Swiss law, we can be forced to collect info on accounts belonging to users under criminal investigation. This is obviously not done by default, but only if we get a legal order."
Activists beware.
Weird definition of privacy we've got going these days
If it's illegal to provide a completely anonymous email service, then you should not claim to provide a completely anonymous email service.
Except maybe Lavabit, that guy apparently shut everything down to avoid doing something along these lines. So maybe he wasn't actually lying.
Also: One more reason NAT was a good thing over IPv6. The closer we get to the platonic ideal of "UUID per person" the more likely justice systems will use it that way.
The day everyone learns how to self-host mail on ephemeral compute instances is the day law enforcement starts requiring MX domain logs to be maintained in a historical manner. Work around that magically, and some law'll go on the books to try to tame the super spooky criminal communicators hiding from law enforcement.
This is why we can't have nice things.
This still doesn’t protect your privacy because your ISP knows what prefix they gave you and will likely provide that to the authorities if you broke the law while using that address. Just like they would even if you used NAT and ipv4 so I don’t get where the parent comment thinks that is protecting their privacy at all.
IP's address Internet endpoints, not people using them, yet States, prosecutors, and law enforcement regularly try to create the illusion that an IP has anything to do with who uses something.
IPv6 makes that temptation worse. IPv4 forces you to realize IP's can be ambiguous. IPv6, through having more addresses than people on Earth, checks off the Institutional checkbox for "raw material to contribute to a UUID identity scheme". Just look at China's proposals for a more governable international Telecom network, and the intention to use device persistent addressing as a control mechanism becomes obvious.
Where IPv4 creates enough decentralization and localized namespace unscrambling to provide enough friction via statefulness to thwart these types of efforts, I'm not at all confident IPv6 will do the same. I believe it is just what the Doctor ordered for laying the foundation of coupling IP's and net addresses in the minds of the masses to personal identifiers.
Which is not by any stretch the way we want things to go.
My iPhone spoofs the MAC address each time it connects to WiFi, so support for changing your /64 is not going to be a challenge even with consumer devices. Whether we lose this ability or not is another question (but they could easily make the same requirements of “hard device uuid” on IPv4 if they wanted. These are laws and regulations after all, not technical limitations).
If anything IPv6 gives you an even greater amount of plausible deniability because like you said you could be running a vpn with a billion different devices connecting to it.
IPv6 just means your laptop could have an internet routable IP associated with it. You can easily change to one of the billions upon billions of possible addresses that your assigned prefix will give you (just like you could have something like 10.0.0.0/8 with millions and millions of addresses behind your internet routable IPv4 address. Your ISP will turn you over all the same if the authorities ask who that address belongs to.
> No personal information is required to create your secure email account. By default, we do not keep any IP logs which can be linked to your anonymous email account. Your privacy comes first.
Except your phone number? That's highly personal. https://news.ycombinator.com/item?id=28428092
(I recall encountering this too when creating an account a few months ago.)
If you need trust, theres no way around rolling your own service.
I'm not sure how your tech-stack has to look like for you to claim that you can't log IP addresses and user-agents etc...
That's a cute idea, but it won't get them out of complying with a warrant.
This does not mean you need to log everything all the time. (usually that is actually quite illegal too) but you need to have infrastructure in place to allow for police investigations.
I don't get how people don't understand this. companies need to operate according to the law of the land, this being one of them.
However, better than most (both by jurisdiction and their own rules) than other email providers - and I'd have thought any of their users who were serious about anonymity would have used Tor/Tails etc to connect anyway and used pgp for their messages.
Details of connections to the account (IP and connection fingerprint) shouldn't matter if you were taking your privacy seriously.
Basically just signing up for protonmail doesn't make you secure and there's nothing they could do to help if you just rely on that.
So tutanota would be a good alternative to protonmail. And mailbox.org is a good alternative to fastmail. Both are based in Germany.
Germany will handle your data as fast as you can order an hans schnitzel.
[1] - https://militarybases.com/overseas/germany/
When you have 21 bases in your land.
> Storage only takes place for IP addresses made anonymous which are therefore not personal data any more.
What the heck does "IP addresses made anonymous" mean?
I don't thinks that dedicated server provider (like Hetzner) or cloud provider (like Digital Ocean or Vultr) stores traffic logs with enough details to be useful in such case.
But payment will be a problem...
Even if they don’t, as long as they have the email address then they can probably find the mail server even if the payment is anonymous.
Anonymous/protected enough payment is the problem.
One expensive but possible option would be to build a server yourself with sufficient traps to shut off when it's tapered with. Then set it up with full disk encryption and put it in a shared rack.
What would be the benefit of being in a shared rack? Wouldn't the service provider still know which physical system is yours if you only rented a 1/2/3U space? (Or is there an advantage at a network layer?)
Going for a rack has the advantage that you own the hardware and can install the anti-tamper measures so that the server can't be turned against you. Anonymity wise, renting a server makes things a lot easier.
But as sibling comment mention, it can be seen as destroying of evidences in many jurisdictions :-(
Things like hiding or destroying evidence of a crime generally are separate crimes of which you can be convicted even if you're acquitted of the original crime (e.g. burying a corpse in the woods or throwing a gun in the river).
Destruction of evidence with the intent to hide it from prosecution also may enable so called 'adverse inference' where essentially the jury/judge can assume that the destroyed evidence actually showed what the prosecution intended to find there. For example, if you're being prosecuted for possession of child sexual abuse material, there's a warrant for your hard drive, but it gets fully destroyed because you have rigged some device to destroy it (and the prosecution proves that you did that with the intent to destroy evidence) then the court may take it as a fact that the hard drive did indeed contain CSAM and treat it as sufficient evidence to convict you.
In short, self-hosted service on a rented service does not provide much protection.
But, as far as I understand, case law is not in my favor in this case :-(
I basically decided to just give up. Email is an insecure protocol and there's not much that can be done about it. Choosing a "secure" email provider feels like choosing a "secure" VPN provider: it's impossible to verify the provider's claims so it's a kind of security theatre.
Email can't guarantee E2EE without a block cipher tool like GPG. Even if your provider stores and transmits only encrypted email data, once sent it does not maintain that guarantee while being passed by another entity's MTA.
If you email google, google gets to do whatever googly stuff it would like to do with its algorithm. If you email exchange, roundcube, ISP, hotmail, it could wind up being archived to tape, or simply be sitting for a long time in some unencrypted mail spool, maybe in a public cloud. If you selfhost, you would be forgiven if you find you have made a mistake or simply got pwned.
I've never selfhosted email, but I understand it is a lot of work to set up if you aren't familiar, and while maintenance is okay once you get rolling, there are occasional emergencies or hiccups that require intervention.
Aside from being much slower, regular mail is quite better since you can easily inspect the envelope for evidence of tampering, while email will be imperceptibly copied.
What? If Alice encrypts an email to Bob, using Bob's PGP key on her laptop, then it doesn't matter how many MTAs that email passes through, the email stays encrypted at every hop.
> it could wind up being archived to tape
I guess you're saying that an encrypted email could travel through a provider that keeps a copy of it in the hopes that quantum computers will one day be cheaply available enough that they can crack the private key and read the email.
That seems expensive (and illegal) for a company to do just on a whim (assuming the sender and recipient are periodically deleting old emails), and I'd like to think that a judge would turn down a request for a warrant that covers data that won't be readable for a decade or more.
>I guess you're saying that an encrypted email could travel through a provider that keeps a copy of it in the hopes that quantum computers will one day be cheaply available enough that they can crack
No, I'm saying when you send the email, the next MTA might not use encrypted transport and any mailbox/mail spool/cache might not store the data encrypted in any way.
You can of course get E2EE if you use GPG (you always could), but if somebody doesn't know how to use GPG or uses it wrong, that is problematic.
You can also just broadcast your gpg block message via public/ham radio or even hire a skywriter to spend his day tracing out your GPG cyphertext as a huge QR code in the sky :-)
Except that's not true. Often envelopes can be opened and resealed without any trace, meaning contents can be read or changed.
Notionally, I would imagine something that looks like "email" and acts like "e-mail" (to the end user) could eventually exist that provides the same (conceptual) security that the Signal protocol provides (and perhaps a hosting provider option that's the same level of user confidentiality that we get the Signal foundation), although you're correct that foundationally it would be a different protocol. Backwards-compatibility would be required, at least for seamless transition (perhaps represented as "secure" and "plaintext")
Wasn't Ladar Levison (the individual behind Lavabit) working on something like this? https://darkmail.info/
- The ability to login from multiple devices (using both dedicated clients and webmail) and subsequently being able to immediately access all my old messages, too.
- Global filtering, tagging, folders, read/unread tracking etc.
- Full-text search that doesn't require downloading all messages to your local device beforehand.
But if you want truly private and secure communication, you'll have to forget about email. Even with encryption there's still way too much metadata floating around that can identify you.
This also applies to ISP's and wiretaps. They need to provide NAT mappings when doing a wiretap if i remember correctly.
It gives no worse privacy guarantees than protonmail and possibly way better - because if you use protonmail through a web client and they get a court order to serve you a "special" client that forwards your certificate you won't notice it.
try using Tor to create a protonmail account and they require both javascript and a phone number.
yeh yeh client side encryption requires javascript, but seems better to just have an unlinked email that can be read server side and there are plenty of Tor-only email providers for that.
phone number under an "anti-spam" guise is just suspect.
Vendors really need to figure out how to thread the needle of "No don't trust us" but still encourage customers to buy. Protonmail failed here. Apple's still very much in the "trust no one but us!" vibe, and it's just not sustainable.
I'll be switching my Protonmail use to default to Tor now. Open to Tor-first vendors...are there any?
I like how Brave has "open in Tor" displayed on Tor-mirrored sites. There's even an option for "Automatically redirect .onion" sites too. Makes it easy to switch over.
What if Protonmail pushed their Tor services more? "Guide to using Protonmail as privately as possible", have a switch for "Private Mode" that kicks you over to Tor/download Tor.
Tor is a powerful tool for increasing the privacy of its users, though it is worth noting that it prioritizes performance over privacy. Tor's threat model does not include global adversaries, particularly those who can access traffic metadata for large numbers of ISPs- though, hidden services do fare significantly better than your usual clearnet services, usually requiring DoS attacks to deanonymize their hosts, and protecting their users especially. But note that Tor is not a mix network- it does not provide mathematically provable anonymity against a global passive adversary, unlike systems such as Loopix. See from this paper describing Tor in 2004, and consider reading the whole thing for a better understanding of Tor: https://www.usenix.org/legacy/publications/library/proceedin...
Tor's Threat Model "A global passive adversary is the most commonly assumed threat when analyzing theoretical anonymity designs. But like all practical low-latency systems, Tor does not protect against such a strong adversary. Instead, we assume an adversary who can observe some fraction of network traffic; who can generate, modify, delete, or delay traffic; who can operate onion routers of his own; and who can compromise some fraction of the onion routers. In low-latency anonymity systems that use layered encryption, the adversary’s typical goal is to observe both the initiator and the responder. By observing both ends, passive attackers can confirm a suspicion that Alice is talking to Bob if the timing and volume patterns of the traffic on the connection are distinct enough; active attackers can induce timing signatures on the traffic to force distinct patterns. Rather than focusing on these traffic confirmation attacks, we aim to prevent traffic analysis attacks, where the adversary uses traffic patterns to learn which points in the network he should attack. Our adversary might try to link an initiator Alice with her communication partners, or try to build a profile of Alice’s behavior. He might mount passive attacks by observing the network edges and correlating traffic entering and leaving the network by relationships in packet timing, volume, or externally visible user-selected options. The adversary can also mount active attacks by compromising routers or keys; by replaying traffic; by selectively denying service to trustworthy routers to move users to compromised routers, or denying service to users to see if traffic elsewhere in the network stops; or by introducing patterns into traffic that can later be detected. The adversary might subvert the directory servers to give users differing views of network state. Additionally, he can try to decrease the network’s reliability by attacking nodes or by performing antisocial activities from reliable nodes and trying to get them taken down—making the network unreliable flushes users to other less anonymous systems, where they may be easier to attack."
Tor increases the costs to uncover your identity, especially so in the context of a hidden service, which the entity in question (Protonmail) actually does offer to users. Perfection is the enemy of the good- Tor is not built to deal with global adversaries unlike a mix network, but surely any increase in privacy is a good thing, no? You do not complain that your wrench does not serve the purpose of a hammer quite as well as a hammer might- you either put some more energy into it, or you buy a hammer.
Again, provide evidence or stop spreading FUD.
The USG persecutes and imprisons journalists for exposing its war crimes, anyways I'm going to download this Tor binary from them because it says 'totally legit' on the packaging and there's no "hard evidence" to the contrary...
Downloading Tor from a particular IP in Iran? We'll add a little something extra...
Or maybe you're a US citizen with a set of known IPs on a "watchlist".
If you were relying on Protonmail to conceal evidence of criminal activity for you, you may not have thought that all the way through.
https://www.wired.com/2015/10/mr-robot-uses-protonmail-still...
https://protonmail.com/support/knowledge-base/imap-smtp-and-...
But you are still making an IP connection. JS/no JS is not relevant to this discussion.
I wonder what this “activist” did to earn himself Europol attention. At least before the world went insane, that would only happen for serious crimes.
If so, on which basis do you ironically call squatting a "terrible crime"?
Squatters in your house in France means that you you have zero rights on this place until a lengthy process gives it back to you, ruined. You are then expected to be grateful and can forget about any reimbursement from the poor people who stole your property.
Sure, it's a crime, but it's a relatively minor one. I suppose if you were the victim you'd have a different point of view.
This can happen to the slumlord (who will then send someone to beat up the squatters), to the big capitalist (who will go through the courts and win) and to smalltime owners where that is maybe their family home or future retirement apartment (who will suffer the most).
Homelessness/lack of housing is a problem, but squatting is in most cases not the right solution.
Then starts a possibly very long process to have them evicted/ If they have a child you are basically screwed and won't be able to get your property back. Or you will wait months/years and get a ruin back.
Please give your opinion about squatting primary and secondary homes of people. Who worked to buy them and have zero rights afterwards, when a colony of parasites come and destroy their belongings.
This is what happens in France.
But the law allowed him, as a good landlord, to work on the outside of the house, for the good of his tenants. So he did.
He installed security cameras, and reported every minor infraction of the squatters to the police. The police loved it, and duly did everything. Oh look, a cm of your wheel is parked outside the allowed boundary. That's a ticket. Of course he duly tested the very loud alarm every evening, to make sure it works.
He did a paint job, first removing the old paint with the noisiest dustiest old tools he could find, then painting it in an old ugly pink he found on a flea market somewhere. Then decided the quality wasn't good and removed the paint again. One day, the squatters had enough and actually went to a court to demand he let their poor baby sleep. Judge just laughed, and told them all work happened before 22:00 so he was in his right.
Squatters ran away after a few months, which supposedly is a happy outcome, at least compared to what the law could do for him.
Vandalising banks is stupid and also an efficient way to make powerful people dislike you.
Unfortunately this sort of extremist group is harmful to people and organisations genuinely trying to do something for the environment.
https://www.oxfam.org/sites/www.oxfam.org/files/file_attachm...
https://ourworldindata.org/co2-by-income-region#emissions-by...
Sure, ProtonMail and its current operators could opt to stop operating in such jurisdictions, but usually it's too late for that when you get the [secret] court order, because if you refuse the operators personally are quickly found in contempt of court (or whatever other bad legal circumstance), and eventually that can lead to similar InterPol/EuroPol (other MLAT) warrants.
[0]: https://en.wikipedia.org/wiki/Warrant_canary
[1] https://theconversation.com/explainer-what-is-an-interpol-re...
[2] https://www.journalofdemocracy.org/articles/weaponizing-inte...
[0] - https://mediabiasfactcheck.com/nordic-monitor/
Something is going to move.
It also seems that it is not any restaurant but one of the 'victims' of the 2015 terrorist attacks [1]
Basically political extremists trying to disguise themselves as environmental activists. Not interesting people, to say the least.
[1] https://www.tellerreport.com/news/2021-01-04-%0A---justice-o...
Brilliant!
I have seen a ton of disturbing pieces about ProtonMail. Every time I've looked into them, they seem to be maliciously motivated and usually not true, or otherwise twisting of the truth. This has been a confusing thing for me because why is there a small subset of people so vehemently against them?
In this case, I'm not surprised. They say quite clearly they can be compelled to collect IP addresses - including in the linked tweet. This seems like a pretty clear cut case of them being compelled to provide an IP address. What the authorities can't do, is read that person's email. And that's what I and others pay for.
I'm not sure what there is to be upset about here? Other than perhaps France prosecuting this individual to begin with? If we had faith that ProtonMail wouldn't hand over anything to the government, why would anyone even care about having encrypted emails?
Tor solves this. Protonmail's Tor support is lukewarm. They have a Tor based login without captchas. It's mentioned on their homepage in the bottom menu under "Onion Site", (/tor). And there's one blog post from 2017 that still promotes their v2/shorter onion address.
I expect Protonmail to push its users to login through Tor. "Don't trust us, trust math". Embed Tor support in their apps as well. Rebuild their iOS app to offer to drive all connections through Tor.
And frankly, for $50 a year for email, I expect Protonmail to be thinking ahead about this, rather than me coming up with dumb ideas on a forum. Protonmail was neat in 2018 but 3 years later it's stagnant.
Tor is mentioned on their homepage in the bottom menu under "Onion Site". However, this menu link redirects to their Tor placeholder page, rather than directly to the Tor service: https://protonmail.com/tor
There's one blog post from 2017 that still promotes their old v2 onion address: https://protonmail.com/blog/tor-encrypted-email/
Protonmail's Tor service is located at: https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7...
Alright then, what more do you want them to do? Spend millions in court fighting every warrant issued for their users and go bankrupt defending criminal activity?
from https://pando.com/2014/12/09/clearing-the-air-around-tor/
1. whether or not your request stays within the tor network or not (if you use the .onion address, no need for an exit node)
2. given both entry and exit nodes can be literally all over the world: your threat opposition level. I doubt the NSA will be happy to help French authorities trying to catch a teenager who blockaded a government parking garage).
Is there any evidence this is what happened?
An alternate scenario is that they were not keeping logs, and were then compelled by the authorities to start keeping them on that user.
I, for one, will not renew my ProtonMail account if that's their status quo.
Sure, the law would (hopefully) be changed, but at the moment, this is the best they can legally do?
Put alert warning that account has logging enabled
Change the service so collecting logs is not possible
Stop adding captcha to tor users login because you want to identify users
Frequently not legal
>Put alert warning that account has logging enabled
See above. Gag orders a problem with government in general. They do have a warrant canary page though, as well as a transparency report.
https://protonmail.com/blog/transparency-report/
>Change the service so collecting logs is not possible
You mean stop serving HTTP and MX requests?
>Stop adding captcha to tor users login because you want to identify users
You mean let bots brute-force my password?
Unless you are naive enough to assume that ProtonMail is incapable of logging IP addresses (in which case they'd be incapable of serving HTTP requests...see the problem?) then they can log. And they most certainly aren't going to declare independence from Switzerland and refuse to turn on IP logging when required to by law.
Whereas with E2E-E, they actually are incapable of turning over readable emails.
This is also why I don't get protonmail in the first place. Unless you use pgp or equivalent, you'll always be subject to law enforcement. Just that protonmail cares more and caters more to activists and so might not give it out without checking that the asker is really legit and then give the minimal amount possible. But they'll always be able to turn over your emails and log IPs, it's not protonmail's fault the laws were voted into action like this.
They tout that off-by-default statement on their homepage, underneath the header of "Anonymous Email," with the closing sentence of "Your privacy comes first."
So why even market that? It provides no meaningful security.
There is a difference between "available to police, not retroactively, and only with a valid warrant" and "available to any government agency constantly and in bulk, as well as to data-collecting commercial entities, Russian and Chinese hackers, and their dogs". Don't you agree?
They're not being as transparent as possible in their marketing, which is at odds with their allure of security.
We are trusting they wouldn't comply or no one would make that request?
This is the benefit if being located in Switzerland, where banking is one of the main pillars of the economy and which historically has been much more supportive of personal privacy than most other countries.
They eventually caved under US pressure on some things, so it's not such a "haven" as it used to be, but I believe it is still the country that respects individuals' rights the most.
Not perfect by any means, just better than most others.
I'm not taking sides on privacy or the threat of govt (or other sourced) tyranny, I'm just explaining the logic to answer your question:
Let's say you engaged in a long history of using protonmail innocently, then one day you decided to start commiting crimes for the first time and attract police interest. You would know that your historical logs were not kept, and it was only after you started attracting police attention that you would be at risk of incriminating yourself through proton mail. Maybe, on the run from the law, it would be safe for you to hide at your old friends house because there was no log to link you to him.
Yes, it is also the case that you may not have realized that ordinary behavior had been criminalized by an evil govt all along blah blah blah... I'm just pointing out that there is a difference where you saw none.
in the case where they receive a court order, they first log your IP and then they give it.
but you know this from their terms of service.
if you stop using protonmail when you start your criminal career, they will not give your IP because they didn't save it.
it's different in the end, not the same.
I see that you want to protect Protonmail, but if they want to stop being misleading they can just remove the IP log sentence
I would much prefer this, as a Protonmail paying customer.
Tor is an improvement. It's still a limited tool.
I can't but help read your post in comic book guys voice.
Traffic analysis, at a cost, could establish that the suspect is using Tor.
TorMetrics shows slightly more than 1,250 currently-running Tor exit nodes. I'll presume this is typical, history shows it's pretty consisten over the past 3 months.
https://metrics.torproject.org/relayflags.html?start=2021-06...
I'm going to presume that a court could conceivably issue an order to log all Tor-based traffic. A state actor / APT might then be able to correlate a known IP and traffic at a given point in time with other data to identify a source IP. This might be combined with other measures to encourage circuit-jumping until the suspect is on a specific known or monitored Tor circuit.
Yes, costs increase. I don't see this as technically infeasible, however.
Might not be rolled out just for a house-squatter, however.
Frankly, I don't think anyone is safe from the tip of a nation state, even small ones. But I do think we should protect everyone else and Tor would have done that.
Because this was clearly civil disobedience and that is what we really should be protecting.
https://www.cactusvpn.com/vpn/is-tor-safe/
Just ... don't think it's a majykal bullet. It's not. Tradecraft matters, vulnerabilities exist. Examine and review your threat models.
Even if a nation state was targeting you, it would still take months for a timing/bandwidth attack to identify a user. Even then it would only provide your adversary a probability of certainty and requires consistent traffic from the victim through a compromised exit node.
No system is 100% perfect but tor will make most attacks prohibitively expensive.
Remember: all you need is 33 bits.
Here, data enter the Tor system, but don't leave it as the onion service itself has a Tor address.
Yes, traffic analysis and timing correlations may still be used to draw inferences, but again, costs are raised, and that's the critical factor.
I'm a privacy activist and certainly think that a company should be able to not keep logs. If the law in the country they are in (or area, see for example the data retention directive in the EU) we should of course (and I am) work to change those laws.
It should come as no surprise to anyone who is privacy minded and actively seek out privacy focused services that are located within the EU or Switzerland that your IP (or other information) can be requested with a warrant and that a company is required to hand that over.
I get that you think people should already know this, but do you feel they should be punished for not already knowing this, and not reminded by a company that markets itself on protecting its users? Protonmail was forced to get an IP address, but they're not forced to keep the fact that they respond to warrants a big secret.
Not everybody who is an activist is a big techie, or even computer-literate.
> We will only disclose the limited user data we possess if we are instructed to do so by a fully binding request coming from the competent Swiss authorities (legal obligation). While we may comply with electronically delivered notices (see exceptions below), the disclosed data can only be used in court after we have received an original copy of the court order by registered post or in person, and provide a formal response.
It would also be nice if they were allowed to notify the customer but I'm not familiar enough with Swiss laws to know if they can.
(also a paying Protonmail customer)
Of course Protonmail is accessible via Tor. Not that you should need to do that to remain private.
Gmail does all of this for free though, right?
Gmail Pro (paid G Suite) has never done that, and Gmail Perso (Free) hasn't done that since 2017.
Because I am aware of no reason to think that Google stores my gmail with zero access. I don't know for a fact that ProtonMail discards this information at the earliest opportunity nor do I know for a fact that they don't try to aggregate it to learn about you (or even people in general), but that is what I interpreted the pitch as.
But, look, of course if they get a subpoena they will have to start scanning your email if they are technically able to collect it. That's just a wiretap, and little would prevent the author and operator of the server software from doing whatever they want... and they're clear that if you aren't sending email between two compatible accounts that there is no E2EE.
We can talk about how they should have been clearer about the need to use Tor to avoid IP logging (even if they don't do it, someone between you and ProtonMail certainly could). That's a good idea. But they are actually very clear that E2EE with your email is not what you should expect in general. And I don't think they have much incentive to scan my email from unencrypted sources to do anything nefarious, but I don't think anyone has any ability to prove they do or don't at present.
But that is not a proton issue that is an issue with our current governments.
"Hey, we respect your needs. However, we have to tell you that you should treat us as a bit of an adversary. We will do what we can as a private company, but ultimately we can be compelled by the government, rogue employee, or if somehow we get hacked. This is the case for any company no matter what they promise or avoid telling you. We do tell you. As our customer, here's what we recommend you do: Use Tor, fund open source, vote, etc."
You’re telling us that you never considered that an incorporated company, bound by democratic laws, would be required to respond to criminal activity warrants?
What fantasy land do HNers on this thread live in?
No service is capable of completely hiding IPs and still getting you the data. If you "threat model" includes hiding from Western governments, I'd recommend not using the internet.
Interestingly, ProtonMail's privacy policy lists a number of cases in which they may log your IP address permanently (including if you breach their Terms and Conditions). But a request from law enforcement is not one them.
Moreover, I would like to point out that ProtonMail is about encryption of email *content*. It is foolish to expect more from them. They won't protect your identity: law enforcement can know who you are and who you communicate with, but they cannot know the content of your emails (if you recipient uses encryption services as well).
I think trusting your security or privacy to website-based email is a bad idea. If the email is being displayed in your browser, then the authorities can coerce the company that owns the website to include JavaScript in that page that sends the plaintext content to them too -- or demand the website's TLS key and start intercepting the traffic that you see.
The only encryption-based security that you can reliably trust is encryption that happens locally on a device you control, and that doesn't involve a web page or website loaded from a 3rd party.
If you want privacy protection with real end-to-end encryption that the government can't get past trivially with court orders, use services where the decryption happens on devices that you own, such as WhatsApp or Signal or iMessage. If you must use email, do the encryption yourself on a hardened Linux distribution like Tails using PGP for email encryption; but this is much harder to set up than the above secure messengers.
I wouldn't say ProtonMail is a scam, but a trivial software change on their server-side would let the authorities see your email every time you do. If they can be compelled to make that change then the "encryption" you're paying for is worth nothing. The next time you sign in, a court-required modified version of their server software can capture your password, and then use whatever key derivation function gives them your encryption key.
This might not even require the company to actively participate. In the case of Snowden and LavaBit email, the US Government demanded LavaBit's TLS certificate so as to intercept the communications themselves at the ISP layer when LavaBit refused to comply with narrower court orders to provide information about his account.
What could police do with ProtonMail's TLS certificate and court authority to intercept and MITM traffic for your account? They can probably capture your password, use that to read all of your old email, and at minimum read your email as you read it. Even if decryption is happening in the browser somehow with JavaScript, that JavaScript is coming from the origin server that the government now controls by virtue of MITMing the traffic with the site's TLS cert, and so they can insert JavaScript that logs a plaintext copy of either the emails or the encryption key needed to decrypt them.
There is no security with web-based communications if the companies involved can be coerced with a court order. US based firms would be required to hand over their TLS cert if they weren't willing to help track someone, and at that point the government could do anything to your traffic.
The only secure encryption happens on your device with no browser involved.
By comparison, if you're using an iPhone, in theory the US Government could try to force Apple to modify WhatsApp/Signal on your phone, or force the App developers to do so. These companies would all fight tooth-and-nail in court against doing so. Plus, you can configure your iPhone to disable automatically updating apps, so once you have a working version of WhatsApp installed, unless Apple has some backdoor-ability to push an update of it to your phone anyway, you could turn off app update and be cautious & picky about when you choose to update WhatsApp or Signal. What I don't know how to do is verify the integrity of their binaries: to confirm that what you're getting is the same app distributed to everyone. Facebook would appeal to SCOTUS before allowing a government to install a backdoor into WhatsApp; so would Apple, based on their response to the government's request to unlock the San Bernadino shooter's phone.
All that being said, if the government's goal is simply ...
If they were forced to log the IP address, they can be forced to log user password. This makes entire encrypted mailbox useless.
What if authorities ask, serve this user this malicious JacaScript code to obtain their encryption key?
PM has to obey and the result is the same.
How is that any different from them being compelled to disable or weaken clientside encryption?
In both cases they're being compelled to make changes to their service.
The camel's nose is clearly already under the tent. Everybody needs to start diffing javascript served by them.
The GP says that it's possible under German law. Is it "FUD" to say that it could end up being possible under Swiss law?
Shouldn't there be fear, uncertainty, and doubt about any channel that activists use to communicate with each other?
It would be nice if there were something like Perspectives[0] or Binary Transparency / Sigstore[1] to raise the alarm when something like this happened, but the threat would also be avoided if ProtonMail was available as a SecureBookmark[2].
[0] https://www.techrepublic.com/blog/data-center/ssl-tls-certif...
[1] https://security.googleblog.com/2021/03/introducing-sigstore...
[2] https://coins.github.io/secure-bookmark/
They come off as a very dodgy company willing to twist the truth themselves. They claim that they can provide E2EE for email, being careful not to give away the fact that this is impossible for regular emails to non-PM customers.
Frankly I only use them because they're the biggest "private" email service and that provides a kind of safety in numbers.
While I concur that it's a bit misleading nothing is stopping you from using your own key and mail client (albeit with their "bridge" solution) to send E2EE e-mails.
If you rely on the keys they generate you can export them and use them accordingly but one should be weary of the handling of said keys if they were compelled to make a backdoor as others have noted.
That being said this does leave a bad taste in my mouth.
From where I stand, the only difference here is that ProtonMail has to receive the warrant before they give up all the info they have on you, and others may do it voluntarily even without that, just to keep on the good side of the police, but since it's not exactly hard to achieve such warrants (and in the US, as we learned, it's ok for the police to lie on such warrants and they know no punishment will come to them even if the lie is discovered later) the difference is minimal. If you have something the police really wants to see, and they can reveal it, they will.
The web interface is roundcube, but if you just use IMAP, it could work for you.
No custom domains though for sending stuff, catch all redirects obviously work.
https://posteo.de/en/site/transparency_report
ProtonMail lost it's essence to be honest. As soon as my subscription runs out I'm gonna host my own mailserver instead. There are no advantages in using ProtonMail snymore.
I might end up doing the same. I think I'm stubborn enough to pull it off. Personally I got my eye on https://gitlab.com/simple-nixos-mailserver/nixos-mailserver
I've been in the market for a service like protonmail because I'm trying to degoogle. Reading news like this and looking at the price of these services for two accounts has me thinking twice.
Their homepage says "By default, we do not keep any IP logs"
In 2021, any soft language like this should be a red flag for anyone who is against surveillance. Maybe in 2018 it was good enough. But in 2021 it's not. Come on, Protonmail, you're supposed to be leading the way -- don't make me figure it out myself.
Replace immediately with "By default we don't log IP, but may be required to by local law enforcement. We recommend everyone connect through Protonmail through Tor. This month, 60% of our users connected through Tor".
but...
I live in Australia - and they're totally fucked by our laws and government policy.
"The Australian Federal Police (AFP) and Australian Criminal Intelligence Commission (ACIC) will now be able to access the computers and networks of those suspected of conducting criminal activity online, and even take over their online accounts covertly, under the Identify and Disrupt bill, which was passed by the Senate on Wednesday." -- https://www.innovationaus.com/extraordinary-new-hacking-powe...
and:
"Amends: the Surveillance Devices Act 2004 and Telecommunications (Interception and Access) Act 1979 to: introduce data disruption warrants to enable the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) to disrupt data by modifying, adding, copying or deleting data in order to frustrate the commission of serious offences online; and make minor technical corrections; " -- https://www.aph.gov.au/Parliamentary_Business/Bills_Legislat...
Fastmail's privacy page says "Your data is for you and no one else".[1] So they do mislead about that. I didn't see anything about IP logs though. And Fastmail was just an example.
[1] https://www.fastmail.com/privacy-and-security/
The privacy violation of creating a profile on me based on my mail to tailor ads is not the same thing as simply delivering mail.
I don't see how you could go "yeah, this is a privacy improvement" if your information is still visible to exactly the same entities, but one of them isn't really mentioning it.
Imagine you have a message written on a piece of paper. You intentionally show this message to two people, Alice and Bob, and are fully aware that they have both read and can perfectly remember the entire contents of the message.
Now imagine that Alice thought about the message independently (not recalling it, but actually thinking new thoughts), and that Bob did not do this.
Are you claiming that Alice violated your privacy by thinking about something you showed her and asked her to remember? Or perhaps would it only be a violation of privacy if she then subsequently told you one of those thoughts?
I was hoping to achieve a "yes" or "no", to at least one of the two questions. I don't know what GP thinks "scan" means when describing how a computer processes text, and was hoping that an analogy to a more natural concept would allow for that to be made clear. What's the actual action being taken that's the violation? It's clearly not simply being able to read the message, but is it "thinking" about it (for lack of a better word)? That's how I interpreted the initial comment, but it seems very reactionary, so I wanted to make sure I understood it.
> People want to be able to have a private email correspondence about, for instance, dildos, and then not have to be served dildo ads outside of that context.
Totally fair, but that's no longer about privacy (unless your concern is someone else watching your monitor over your shoulder, in which case that person is the one breaking your privacy).
I would entertain the idea that friend A is being a bit of a douchebag by painting stuff all over your house without you asking them to, but if you subscribe to that thought process you'd already be running an ad-blocker and this scenario wouldn't ever occur in the first place.
So to be 100% clear on this: if you tell someone information, and they think about that information, that's a violation of your privacy?
I've definitely always assumed that the right to think about information is intrinsically coupled with the right to know about that information. I wouldn't give someone data that I didn't want them to think about.
> for possible future use and abuse
This is a completely reasonable concern to hold, but surely "they could possibly do something bad later" applies to every email provider in existence.
If your phone began analyzing your local photos for child porn, you'd probably be upset, no?
>This is a completely reasonable concern to hold, but surely "they could possibly do something bad later" applies to every email provider in existence.
True, but google is CURRENTLY abusing it by selling ads to me based on it.
Yep. "local" here is the key word, though. If a service I uploaded photos to began doing that, I would not be upset. And indeed, just about every image-hosting website in existence already does this, because they're legally required to.
Gmail is markedly not a local service.
> True, but google is CURRENTLY abusing it by selling ads to me based on it.
This makes it seem like your concern is with the advertisement funding model, not with privacy.
I do not see any difference between these parts, no. If a human read my email I would expect them to be completely incapable of not working these things out, so I'm not really too concerned if a computer does it either.
> training a ML algorithm on it
Also not really. If it were a machine learning algorithm that was trying to write realistic emails there'd be a reasonable concern of it revealing things about the training data, but when it's just generating ad recommendations based on only your data that only you see, I'm not too sure there's a serious privacy concern there. I'm unaware of any allegations that you could uncover private details about someone else's life by looking at an advertisement you received on your own email inbox.
> and automatically propagating that to other google products?
I would definitely perceive this differently depending on the product, as Google products are usually distinct enough that you can functionally treat them as if they were different companies (and often they either used to be, or eventually become so). So in this case there are now four entities that know the contents of the email: the sender, the recipient, Gmail, and e.g., YouTube.
But again, I've not heard any claims that Google are using the contents of your emails to decide what YouTube videos to recommend you. It's certainly not outside the realms of plausibility, but that seems like the kind of thing people wouldn't ever shut up about, so I'm surprised that I haven't heard about it if it is in fact happening.
> you can sure as hell know that they build an extensive profile out of your private emails
Oh absolutely, but I don't see how that's a privacy violation when you gave them your private emails. How much thinking does someone have to do about a message you gave them before it becomes a privacy violation?
> and your ads are targeted based on that..
This is the main reason I'm okay with it. Google's entire business model relies on them preventing anyone else from seeing that data, so that they're the only ones who can target ads that effectively. If there was a significant risk of data leaks then I can absolutely see why people would be concerned, but Google has some absolutely gargantuan incentives to avoid that.
With Gmail/Hotmail/etc your communication are at the finger tips of governments for non-criminal domestic surveillance. For example it has been alleged that the NSA leaked private emails of a journalist in order to score political damage.
https://nypost.com/2021/08/11/tucker-carlson-unmasking-claim...
https://en.wikipedia.org/wiki/Crypto_AG
In fact, it turned 15 years old this past April[3].
[1] https://www.rsync.net/resources/notices/canary.txt
[2] https://en.wikipedia.org/wiki/Warrant_canary#Usage
[3] https://twitter.com/rsyncnet/status/1387090538273206274
https://www.rsync.net/resources/regulatory/privacy.html
I was referring to Protonmail's canary specifically, in the event that wasn't clear.
In 2021 the most powerful canary statement should be "Don't trust us. Seriously, treat us as an adversary. We still want you to be our customer of course, but here's how we really recommend you use our service, Tor, semi-anonymous payments, etc. In God we trust, for everyone else use math."
Would love to sign up for some Tor-first services. So far the best we've got are Tor services that mirror public ones.
I admit that the marketing is bad, I do not agree with it, and I do not tolerate it in terms of my own OPSEC. But, there's just no way they would just admit they provide hardly any value besides, in a VPN's example, being a tube to another place, and just another tube with ends that can be stopped.
What is far less clear is if you can trust the continuation of a canary statement to indicate the absence of the action it denies, since it is both legally disputed whether continuation of the statement could be mandated by government and because anyone who has an interest in the PR value of providing a canary statement also potentially has the same interest in continuing it as long as it is impractical to falsify.
Is compelled speech seriously in jeopardy? I saw the github issue for signal saying that some (EFF?) lawyers said that canaries are not that helpful, but that just implies that the government CAN compel speech. That would be bigger news than mentioned as an aside on a Github issue, I'd like to believe that would be news...
For the non-Swiss customers working with a Swiss provider can be a good enough protection to avoid inconvenience of Tor. After all, even in the mentioned case it required review and approval of 3 agencies before request came to Proton - from French police, from Europol, and then from Swiss authorities. If this is not enough barriers to protect from politically motivated prosecutions and corruption, then we have much bigger problem in Europe.
In general, regardless of what their TOS say, never believe that a corporation can't be compelled by the law to do anything they could physically do. CEOs can be jailed; when's the last time we heard of one actually going to jail over user privacy?
Ladar Levison from Lavabit came close. But even he admits that was because the FBI wanted to subvert every single Lavabit user's account (attempting vast overreach on the brazen assumption that "we are after Snowden" was going to pull the wool over everybody's eyes). Levison admits though, to having "responded to" at least two dozen subpoenas and complied with at least one warrant before.
https://en.wikipedia.org/wiki/Lavabit#Suspension_and_gag_ord...
https://en.wikipedia.org/wiki/Joseph_Nacchio
The „opt-in“ part for login logs is particularly interesting, because in fact Proton recommends this as a security best practice. Whether it’s in the best interest of the customer or not, it’s an open question. I would say, in a risk model, where threat of human rights violation by Swiss government is much lower than risks of unauthorized party accessing the account, it makes sense. Tough luck for the criminals that followed this advice.
https://protonmail.com/privacy-policy
https://en.wikipedia.org/wiki/Histiaeus#Ionian_revolt_(499-4...
Sure the bitrate is a bit slow and it's UDP only but our governments have proved over and over again that they can't learn from history.
Since this was a trusted slave, the tattoo seems unnecessary. The slave could just tell Aristagoras "Histiaeus says to revolt against the Persians".
There was enough trust that the slave did not desert and that they were taking the message to the destination.
There was not enough trust that the slave would actually know the CONTENT of the message. As such the slave wouldn't even know to where to desert to :)
that way the govt can demand from reddit that account ip but since the only ip available is from outside india, they cant do shit.
i was ready to dictate base64 image character by character but the internet blockade remained for only 2 days so yeah. there are plenty of ways
Oppressive government?
Right from a recent court filing, search warrant.
Really, it's a phrase that means 3 things: I can enable it, ProtonMail can enable it[0], or the authorities can compel ProtonMail to enable it.
Saying any of that, or at least linking to a page that does, would be a smart move.
[0] https://protonmail.com/privacy-policy - "IP logs may be kept temporarily to combat abuse and fraud, and your IP address may be retained permanently if you are engaged in activities that breach our terms and conditions"
https://i.imgur.com/6sZFn78.png
https://twitter.com/OnEstLaTech/status/1434576598418796549?t...
The proposed statement above is intended to help people like that.
Do I have such activities? Nope. But I believe that those activities should be enabled, whether for me in the future or others around the world.
I advocate on behalf such "dumb" people by supporting simple services like Protonmail with my money. If Protonmail isn't supporting these users, why should I bother supporting Protonmail?
To use your example of emailing the police chief: let's say your threat profile is that you're being stalked by a criminal, and you want to email the police to give them information on this crime, but you don't want the criminal to know. If the criminal breaks into your email, or if your house is broken into and a hidden camera is placed behind your computer, it makes little difference whether you have end-to-end encryption or not, your privacy is still violated. Does that explain it better? Maybe Proton could have some better messaging around this, if their customers are getting privacy and security confused?
Security and privacy are intertwined, imagine your server getting hacked (security problem) leading to your private documents being exposed on the internet (privacy violation).
The former's safe because no one's going to deliver IPs to Afghanistan and the latter are doomed, because the US and China are following a policy of total surveillance. That ship has sailed decades ago.
At the same time, Tor is not the only, the required and the sufficient way to ensure privacy. There are different circumstances requiring different approaches. In many cases Tor will be redundant, in some cases it may be impossible to use, will offer insufficient protection or will actually put the person in an immediate danger, so giving this kind of advice is at least equally harmful as not having full disclosure on logs.
US military personell and from other nations is posting on TikTok. At least those probably don't work in reconnaissance.
They aren't stupid and this isn't a technical problem, it is a legislative problem. Real security has been undermined since the early 2000 and before. Western powers just ape China or Russia at this point.
That the Swiss people gave authorities these surveillance capabilities is pretty stupid though. Alpine air must have been pretty thin that day.
https://paris-luttes.info/communique-sur-l-affaire-de-la-145...
Looks like your run of the mill radical left occupation of housing (the stuff you see in big European cities like Berlin and Paris where they have that tradition).
Their bouts with law enforcement trying to evict them could be the reason for the arrests. If the google translate is not completely misleading then they refused to give their names or fingerprints when initially arrested.
https://twitter.com/MetPoliceEvents/status/14342276656791429...
These seem to have been climate activists engaging in sit-ins.
Surely these are the very sorts of people that secure accounts are intended to protect?
Well, in this case isn't it clear that these barriers were in fact not enough? Or do you think anti-squatting is a major enough problem that it warranted this level of international cooperation, without any politically motivated thinking?
From what I understand, connecting to an onion address 'just' involves 6 routers, not the typical 3. (Of course an oversimplification.)
Or am I misunderstanding your threat model here?
Even though they claim no identity is required to register.
I confirmed this today when I created a fresh Protonmal account over Tor: https://news.ycombinator.com/item?id=28428092
If they don't provide it, someone else will, and I'll pay them instead. This isn't the Hotmail age where everyone expects free email.
It totally is.
I was running my own mail server for a while. The thing that finally pushed me into not bothering any more was when I looked at my logs and realised 82% of my non-spam non-marketing email was captured by google (where at least one recipient was either @gmail.com or a gsuite custom domain).
Protonmail does offer a free tier, which is the problem. I'm sure they would be happy to take a payment instead, as the whole point of phone verification is to impose a cost on account creation. Perhaps they can rework their account registration flow to offer the ability to upgrade to a paid account at the verification step.
Anonymity toward state actors is compromised in either situation, whether phone verification or payment validation.
Doubt I'm the only one who thinks this, but the value proposition of their service is cancelled by their stated terms, which at least they make available. I have similar doubts about the veracity of claims by VPN providers (including mine) in terms of not keeping logs.
tor remains the only usable anonymising method with a decent track record. It's a shame Protonmail discriminates against it.
I have two - both on MVNOs, not in my name, and sitting in my office doing nothing but relaying sms to email:
https://news.ycombinator.com/item?id=28251107
But the mule only gives you some extra functionality, resilience, and is like having an email address just for spam or a home VPN endpoint. It gives you very little in terms of anonimity, which is why you'd go to Tor anyway. It's still in your proximity even if it's not in your name so anyone able to obtain your IPs from the services you use would also be able to get the location of your mule. And you forward to your own mail server which again does little to hide anything. That's a long traceable chain that can be compromised or at least broken (to force you out) at every link.
This is great to make sure companies don't sell your phone number or use it to create some social graph, and to access your accounts independent of your normal phone. But if you're looking to hide your identity or location from your service provider and the authorities then it's barely a speedbump.
My threat model is not state level actors or law enforcement. My threat model is simply individuals working at providers I use that get curious and go hunting for my traffic. So, for instance, someone that works at my ISP or for my cellular provider or (github/twilio/twitter).
I don't want these private actors to see my name or my phone number. However, VOIP numbers are typically blocked by providers for purposes of authentication and security because they need you to "burn" an actual SIM card number just to incur costs on you. This is their blunt response to a rather difficult spam/scam problem that would just explode if no costs were involved.
...
My use-case is that I don't want to carry around three phones everywhere I go and eSIMs don't work for these functions (again, their numbers are often discriminated against). I also don't want a single SIM card to correlate across multiple providers - that is why I have three (one personal SIM (not in my name) and two "mule" SIMs).
...
"It's still in your proximity even if it's not in your name so anyone able to obtain your IPs from the services you use would also be able to get the location of your mule."
No, they are rarely in my proximity. In fact, at this moment they are 12000 miles away from me. I keep them at my office and might move them to a datacenter ... but only if I can convert them from a phone form factor to a rpi-with-cellular-hat form factor ... or maybe ssh into the phone ?
Well, remember - their interactions with these 2FA Mules are SMS only - there is no IP/network connection made here. So the providers, at least, don't have an IP address to look up. Also, in case it is not obvious, I fully control my entire mail and dns infrastructure - as in, I own the machines and rent the racks.
They provide protection from your local network, but you they can do all the same things and more.
My VPN provider is not - but is obviously subject to their local laws. Which are almost certainly also not good for my privacy either.
Spreading the threat across two different jurisdictions is without doubt "somehow better" than just using my ISP, at least in the case of protection against snooping by non serious crime law enforcement.
(Where I am, organisations like local councils, the taxi commission, fishing inspectors, and dog catchers - can all access our "mandatory telecommunications metal data retention" stuff with very little oversight... While my VPN is still in five eyes, so there's no point pretending national security, intelligence, or serious crime like terrorism/drugtrafficing would have no trouble getting cross jurisdictional access, I'm pretty sure the fishing inspectors or dog catchers won't have that sort of access.)
I don't know where things stand with other browsers.
My ISP mines my data and sells it to the highest bidder despite costs not coming down.
My ISP determines what I can look at and can't (such as torrent sites).
My ISP is participating in anti-competitive behavior and I need the internet but I don't have a meaningful way to tell them to fuck off.
My VPN doesn't log. My VPN doesn't filter my traffic. My VPN reduces what my ISP can know about me and monetize me. My VPN allows me to access sites appearing in different countries or as a different user which changes what content websites serve to me, including price of products.
VPNs are a soft security practice, but one hell of a way to tell your ISP to fuck off. I think there's this group of people that say "oh, a security feature isn't bullet proof, therefore it is useless." But this is just dumb. All security features are probabilistic in nature and depend not only on how you use them, but your threat model and the will of your adversary. For people, like me, trying to escape dragnet operations VPNs do help. But alone they aren't enough and that's okay.
I just want to prevent my ISP from throttling my torrents.
You really can't talk about the "use" of any of these tools without a threat model.
Is the parent suggesting that no one should bother to read the Terms and Privacy Policy, linked to from the homepage. https://protonmail.com/privacy-policy
Despite the parent's claim, the Privacy Policy says the company may log IP address. Temporarily. Irrespective of any request from local authorities regarding a specific user. IOW, they may log anyone's IP address temporarily regardless of whether the particular user is casuing trouble; they can log IP address for everyone. The policy says they log this data for the purposes of preventing fraud and abuse. The problem for privacy-conscious users is that if they log the data, then that entices authorities to try to successfully request it.
The policy, which imposes no obligations on the company BTW, reads as follows:
"IP Logging: By default, we do not keep permanent IP logs in relation with your use of the Services. However, IP logs may be kept temporarily to combat abuse and fraud, and your IP address may be retained permanently if you are engaged in activities that breach our terms and conditions (spamming, DDoS attacks against our infrastructure, brute force attacks, etc). The legal basis of this processing is our legitimate interest to protect our Services against nefarious activities."
There is nothing that says "By default we do not retain any logs". This clearly states they may be expected to retain IP logs. ("IP logs may be kept temporarily...")
But wait there's more.
"We will only disclose the limited user data we possess if we are instructed to do so by a fully binding request coming from the competent Swiss authorities (legal obligation)."
This clearly states the company may disclose the data they possess, e.g., IP logs collected to combat fraud and abuse, if in response to a request from competent local authorities.
Further down is a curious statement about decrypting messages.
"If a request is made for encrypted message content that we do not possess the ability to decrypt, the fully encrypted message content may be turned over."
Why include a statement such as this, specifically the part that says "that we do not possess the ability to decrypt". The company already specified it may disclose the data it possesses. This further statement suggests there could be some situation where they may have the ability to decrypt some messages. Besides their own communications with customers, why would they ever have encrypted messages that they can decrypt. They could state something like "If the request is made for encrypted communications addressed to us or sent by us, ...", but they do not. As such, their statement must include other messages, too.
Just how transient do logs need to be to fit this criteria?
Am guessing the 7 years or so we need for some of our specific logs might fit the temporary definition too.....
This is the way most tech company "Privacy Policies" are written.
There is a significant difference between a statement such as "We (Company) do not do X" versus a promise such as "Company shall not do X" or a statement such as "We do Y. We may do Z" versus a promise such as "Company shall do Y."
Why not have our own "Policies" as users that we publish for tech companies to read. In them, we could describe what we do and what we do not do, and what we may or may not do. Tech companies could rely on these statements. You can see how silly that sounds. Yet users are expected to read and rely on hundreds of different "privacy policies", collection of non-binding statements like "We take privacy seriously".
Edit: And amusingly it only gives protonmail.com a B.
I would look for websites that generally do not ask for data. Then send them the minimum data you can get away with. I would avoid "signing in" or "signing up" to any website. There is an immense amount of data and information available from free from the web, no "account" is necessary.
For example I dont send any extra HTTP headers like Cookies or User-Agent, I dont use Javascript. I dont request images, CSS. I dont automatically follow links in src tags. Yet I can still read and comment on HN and I can read every website posted to HN. Thats a lot of websites. I can read them just fine while not sending them any more data than is needed. Because I do not use a large, complex graphical browser sponsored by an online ad-supported vendor to make HTTP requests, I can easily control what I send. This is far better IMO than sending unknown amounts of data (letting the websites control what the browser sends via headers, Javascript and src tags) and then hoping the websites dont do things with the data that we dont like.
Privacy policies do not limit websites from collecting data nor do they limit how the data can be used. They are "policies" not agreements. If a website operator does things behind the scenes that violate privacy but that it does not disclose in a "privacy policy" what can a user do. How would the user even know. Or the website could clearly violate their own "privacy policy", but no one outside the website's operators would know. Even if users discover the violation, what would be the repurcussions. Its too late, because a violation means privacy has been blown.
Show me a case where a tech company got sued for violating a privacy policy. How can anyone prove a violation if the operations of the website are not open for public inspection.
For reading HTML I prefer links. It has the best rendering of HTML tables, IMO, and is for me the easiest source code to work with. I did use lynx back in the late 90's but would never go back to it. Its bloated. Its slow. Im not sure why anyone interested in text-only browsers would use it other than they are unaware of or have not tried alternatives.
Your observations are correct, the regulation is able to deal with the damage after it was done, and apply some form of punishment after the fact. It takes whistleblowers and activists to reveal some of the wrongdoings, otherwise the violations remain unknown to us.
Therefore there has to be a greater push towards proactive measures - letting people vote with their wallet by making informed choices; the prerequisite for that is for the relevant information to be available to them.
Have a look at some of the research I've been involved in, we're trying to solve this exact problem: http://privacy-facts.eu/
The idea is to express everything in unambiguous terms, so there's no way to weasel out of it with "yeah, but not by default" or, "well, it depends", etc.
For starters, I emailed Protonmail support.
Here's mine: Hi, Your homepage reads "By default, we do not keep any IP logs..."
This language is soft and misleading. Maybe in 2018 when I first began using ProtonMail it was good enough. But in 2021 it's not. I expect better from ProtonMail.
Replace immediately with something clearer. "By default we don't log IP, but may be required to by law enforcement. We recommend all customers connect through Protonmail through Tor. This month, 60% of our users connected through Tor".
If you can't come up with anything better for users, just fall back on your privacy statement verbatim and avoid any marketing language.
Think about a journalist in Afghanistan, a whistleblower in the USA, or a human rights activist in China. They're all engaging in potentially dangerous activities.
I advocate on behalf such people by supporting services like Protonmail with my money. If Protonmail isn't supporting these users, why should I bother supporting Protonmail?
I expect Protonmail to educate users like this about how Protonmail itself can be turned into an adversary. Educate users about how to use Tor. Do better. Improve the internet.
I look forward to your reply.
Also, registering a new account through Tor requires a phone number for verification, even though Proton says no unique identification is required to register. If this requirement isn't removed by the time I renew my account I will no longer renew.
https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7... is the URL that people should be using with Tor if they are concerned with being traced.
Using Tor to access a regular web site, ie: through an exit node, is (nearly) no different than using a proxy. Just assume all exit nodes are "naughty" and do your thing accordingly.
So Proton users who like to connect via Tor onion services have been faced with a choice of either staying on the old version of ProtonMail, or giving up on connecting via a Tor onion service. It definitely leaves the impression that they don't care much about Tor anymore, or that it's at best an afterthought for them.
It's plausible that Proton does not care about their Tor service, but there may be another reason: The new version relies more on Javascript code than their old version, and a Tor user is more likely to browse with scripts disabled than a regular user. Proton may be holding back the rollout of the newer version until they have tested it more without Javascript. This is only a hypothesis, and I came up with it just now; take it for what it is.
Perhaps there is a greater reliance on scripts in the new version, but this makes it seem more likely that they've abandoned the Tor version.
They are thinking about them. They want to make sure such people don't get them in trouble with the US or China, so they sell them out immediately.
Their page is full of what are now obviously lies. They admit that in the cases of "extreme crimes" they might be forced to give up information. _By no stretch of the imagination are these peaceful political protests "extreme crimes"._
I specifically advocate for the sorts of people that Protonmail ratted out and had arrested - climate change activists.
The eviction was legally sanctioned, and violence was used on the officers. Several officers had to stop work for a few days, one officer for two weeks.
I myself am a middle-aged "have" , but I do worry about climate and I do empathize with those that "have not".
However, violence during an eviction is not peaceful. People were hurt, and a legal response was due. Seems to me that arresting someone after the fact, and dealing with the matter in a court of law is the peaceful thing to do?
My point was just that 1) the arrest was related to squatting, not the climate 2) these people, idealist and well-intentioned as they were, were not "peaceful" (at least, not when faced with a brigade of police officers)
> The eviction was legally sanctioned, and violence was used on the officers. Several officers had to stop work for a few days, one officer for two weeks.
Usually they need to stop work for a few days because their hands/wrists are aching due to hitting too hard on protestors. Anti-riot are perfectly equipped and physically trained to be in fights, it's literally their job. And while there are generally at least a few "semi-pro" violent protestors on the other side, they are not so well equipped like the police.
Something their marketing material appears to disclaim. This is just excuse-making. ProtonMail did what ProtonMail has (for years!) led their customers to believe they would not do. And they did.
I think there's an argument to be made that any commercial email/messaging provider simply can't do what ProtonMail claimed to do. But that doesn't change the fact that ProtonMail did it.
My rule is to give any corporate statement about what they "will not do" exactly zero credence.
The only thing worth anything in that context is open source where independent programmers can verify that the code cannot support undesirable behaviors. And even then you're not safe, because code running on someone else's machine might actually be anything. So in the end, self-hosted open source software is the only way.
Right now that requires some degree of technical know-how, but I believe that's a solvable problem the same way operating systems have turned the technical practice of process management into something users don't even need to think about.
and
> Proton reached out to us to confirm that the only data provided to Swiss authorities was the date of account creation. [1]
[1] https://proprivacy.com/privacy-news/protonmail-authorities-u...
A week ago: "Proton reached out to us to confirm that the only data provided to Swiss authorities was the date of account creation." [1]
Today: Article published claiming Proton gave up user data. Did Proton officially now state they "allowed the account to be monitored"?
Am I getting this right?
[1] https://proprivacy.com/privacy-news/protonmail-authorities-u...
``` if user.isUnderInvestigation { log(request.sourceIP) } ```
> Each time you connect to our service, we log your IP address, your client identifier (browser or mail client information) and your username.
I'm sorry dude, but that decision from switching to fastmail was not very productive to counteract the specific case mentioned on the OP.
If anything, it's even worse since fastmail apparently always logs your IP.
Moreover: > We process mail sent and received from your account to block spam and fraud. We receive information from third party services to assist us in identifying spam.
Looks like your emails aren't even encrypted. If any government body what's your email bodies, they'll have it. They even share it with 3rd parties for fraud detection. With protonmail and similar services, they'll just log your IP if they're asked to do so, which you can obfuscate using a decent enough VPN.
I can't understand what just happened. I truly believed it's all save and secure.
We cannot rely on what companies say about their privacy guarantees, or rely on vendors' technical analysis of their own black box systems, because a simple court order can essentially be a backdoor.
I agree PM should be more forthright in their messaging but realistically I don’t believe any company that takes payments and doesn’t track any info at all.
People who have paid a few months in a row or have a good history you don't need to store the actual IP addresses
maybe only the number of used ipaddresses and increase your level of monitoring if the numbers hits a certain threshold
the only reason you store IP address is because of laziness. Fair enough
I'll call that a win for all customers who emailed Protonmail about this.
HN discussion: https://news.ycombinator.com/item?id=28443449
I wanted to test how Protonmail is doing for new users I created an account from scratch just now over Tor.
1. Am asked to verify new account by entering a cell phone (edit: this is horrible. They lie and say account creation is anonymous, as pointed out by the poster below)
2. Upon login, "Basic" logs are selected which do not display IP. You can enable "Advanced" logs to log IP. I would suggest Protonmail make it crystal clear that these "Basic" logs do not store IP. In 2021, lies by omission are not good enough. Get rid of the soft language.
3. Their help page [1] says that "Advanced" (IP stored) logs are enabled by default. However, I created the account and it's just the Basic (no IP) logs. https://protonmail.com/support/knowledge-base/authentication...
Interestingly the sentence on their front page, right before the most commonly quoted snippet in this thread, is:
> No personal information is required to create your secure email account.
A phone number is quite a personal, unique identifier.
For those concerned about using a temp mail site, it's only used to verify the account; it can never be used to recover it.
But the account is made and I can log into it just fine, perfectly accessible.
I just did it yesterday. The text from them says "Your Proton verification code is: ######"
Welp.......Now, please excuse me, I need to go check my Protonmail settings pronto....
so today we are redefining what "not logging data" means. it changes meaning when used in the same sentence as the expression "by default". so by default, not logging data is not really not logging data.
we've redefined quite a few things in the past few months. will be interesting to see where we go from here.
If the subject of this investigation had been using ProtonVPN to connect to ProtonMail, would this have (in a marginal way) protected their anonymity? If ProtonMail can be compelled to begin logging, surely the same must be said of ProtonVPN right?
It’s interesting how many “privacy focused” companies tout being based in Switzerland as some big badge of honor, which a layman consumer such as myself is supposed to be really impressed by due to the overall reputation of “Swiss privacy laws.”
In practice, I’ve never been to Switzerland. I don’t know any person that has had any legal issues there, let alone someone that’s litigated a digital privacy case there. I do not speak German or French, and don’t know where to start when it comes to looking up specific cases or court proceedings, so I’d be extremely slow on the uptake of the actual ins and outs of how the Swiss privacy model works from a practical standpoint.
The “based in Switzerland” thing strikes me as a bit of a black box bit of marketing speak. How much time, energy and money did ProtonMail expend fighting this surreptitious logging mandate? Does “Swiss privacy” actualy mean anything if ProtonMail is happy to hand over your IP address when spooked?
I believe it comes about due to the old trope of Swiss banks being the most secure places to hide money, which of course is not true and hasn't been for a long time. Even in that period, I am sure they complied with Interpol/Europol requests to divulge account details of evil masterminds with a beeellion dollars hidden away in a Swiss vault.
I would not pay any attention to the “Swiss X” marketing.
Were they inside the country? Were also they subject to Swiss laws? Aren't these the things that would make a company Swiss? Even if the company was started by a person that isn't Swiss, I'm pretty sure it is still a Swiss company if it is initially located in Switzerland and governed by Swiss laws.
There wasn't any of that there. The only detail in the complaint was about the non-Swiss folks working there. And I really, really don't understand how it just isn't low-key racism. Could you explain it better for me?
it does not; witness the swiss banking system's capitulation to the US, crypto AG, etc
https://en.wikipedia.org/wiki/Crypto_AG
I can only confirm your doubts about the "Swiss privacy laws". The current laws in Switzerland are very week (at least compared to the GDPR) and it has powerful surveillance laws in place (6 months data retention for telecommunication data, mass surveillance of internet traffic entering and leaving the country). If at all, being based in Switzerland as a privacy friendly company is rather a risk than giving you a "badge of honor".
I can only speculate where this myth and reputation of "Swiss privacy laws" is coming from. I guess it is related to the bank secret we had in place for a long time: It allowed you to own a bank account anonymously. While many states (especially the US) protested strongly (and for good reasons), it gave Switzerland an aura of discretion.
Even the government sucks at online security, see the debacle of the city of Rolle and the cyberattack they suffered last month. If this is not pure ignorance and incompetence, I don’t know what is.
Not even mentioning several “made in Switzerland” software company whose only claim to Swissness is that they have an office with two people in Switzerland and all the rest are European or Indian contractors (not that these people are worse, just that it’s a marketing thing to tout Swiss software if you’re going to outsource 90% of your development offshore)
Most of the time, claiming Swiss anything is a marketing move and an excuse to justify charging much much more for something.
https://nitter.eu/OnEstLaTech/status/1434575322465382404
Translation: "The company @ProtonMail delivered IPs of climate activists to the police, after which the activists were arrested and searched. ProtonMail claims on its website, however, that it does not store the IP addresses of its users."
Source (in French): https://secoursrouge.org/france-suisse-securite-it-protonmai...
Translation (via Google Translate):
The year 2020 and 2021 was marked by the establishment and repression of a series of occupations in the district of Place Sainte Marthe, in Paris, in order to fight against its gentrification. Some 20 people were arrested, three searches were carried out and several people were sentenced to suspended prison sentences or to fines of several thousand euros (more info here and here). In addition, seven people are on trial in early 2022 for “theft and degradation in assembly and home invasion” following the occupation of a with a file of more than 1000 pages. During the investigation, the police focused on the collective “Youth For Climate”. In particular, they were able to use photos published on Instagram, even if they were blurred because of the clothes.
The police also noticed that the collective communicated via a protonmail email address. They therefore sent a requisition (via EUROPOL) to the Swiss company managing the messaging system in order to find out the identity of the creator of the address. Protonmail responded to this request by providing the IP address and the fingerprint of the browser used by the collective. It is therefore imperative to go through the tor network (or at least a VPN) when using a Protonmail mailbox (or another secure mailbox) if you want to guarantee sufficient security.
(Disclaimer, Protonmail user.)