Very responsibly done! The issue was not that they had to share the logs with law enforcement, the issue was that marketing message was incorrect from them. This is a responsible step.
The fact that the messaging was there to begin with is the issue. People assume tech companies are immune from the law based on make believe claims that their ideals allow them to circumvent it.
Consumers relied upon ProtonMail's prominent and concise marketing claim. Consumers who signed up for the service are now in jeopardy, perhaps facing real [legal] injury based on reasonable expectation of not having their IP logged.
The privacy-centric nature of this abuse is unlikely to result in a class-action-type of response, but Caveat Emptor abuses can be dealt with by the marketplace, too.
I don't think you can get damages for what might happen in the future, only for real damages and probably only this activist that had his IP disclosed can prove damages.
Probably the best you could hope for would be to get out of a long term contract "I paid for a 2 year term based on promises that weren't true"
Otherwise, your best recourse to prevent your IP from being disclosed in the future is to find a provider that won't disclose it under any circumstances (probably not possible), or hide your IP yourself.
Here are some ideas: Proactive compensation, an apology letter, hosting an AMA live stream, and a postmortem on how this misleading messaging made it out in the first place.
So a VPN provieder has to check with the laws of all the countries in the world to be able to function ? does'nt make sense you cant create logs if you don't log anything ..
I deleted my proton account about a year ago when I saw that I could not login from tor anymore, kudos to tutanota for allowing to register/login without a cell phone it must be really challenging !
Just FYI for anyone having this issue, Tor 2.0 is deprecated and has been hit or miss for roughly the past year. As long as you're using their Tor 3.0 onion address you should have few issues.
My solution - crappy china phone and the cheapest pre-paid sim card I can find. I turn it on, receive my SMS, then turn it off again. Doesn't track back to me because I paid cash, doesn't report my location because china phones don't have GPS, isn't on the VOIP or multiuser blacklist because its a "real" phone number.
It won't protect you against three letter agencies - it is more my double middle finger to everyone who thinks SMS verification has value, or somehow the gateway to marketing to me, or being able to harass me if they wanted. I have the telco turn off voice mail on the number so that nobody can produce phone records showing a completed call and say I was contacted.
IMO, Protonmail is clearly a honeypot. Among other things, you cannot create an anonymous account from Tor. If you do, it requires that you use a phone number for verification. This is not required if you connect through clearnet. It’s clear that they want something they can link to your identity, whether it’s an IP address/fingerprint or phone.
This is your daily reminder that any company you use is subject to the laws in whatever jurisdiction(s) it operates in. No amount of marketing and false promises should confuse you about that.
On a side note, personally I'd consider it an interesting intellectual exercise on how to best structure an enterprise that did its utmost to protect its users as much as possible for egregious law enforcement requests.
I imagine it would be some combination of operating only in certain countries and using subsidiaries in other countries. You might have to go as far as using crypto for payment.
Nothing is guaranteed of course and the unfortunate truth is such a service would be used by those doing things that illegal or that I simply would have no interest in enabling.
30 comments
[ 2.4 ms ] story [ 74.6 ms ] threadThe privacy-centric nature of this abuse is unlikely to result in a class-action-type of response, but Caveat Emptor abuses can be dealt with by the marketplace, too.
Probably the best you could hope for would be to get out of a long term contract "I paid for a 2 year term based on promises that weren't true"
Otherwise, your best recourse to prevent your IP from being disclosed in the future is to find a provider that won't disclose it under any circumstances (probably not possible), or hide your IP yourself.
Did they also fix the part about "no personal info to open an account?". They require a phone number to register through Tor >.<
but if you live somewhere that a court can compell you to log IPs, then it's all rendered useless.
you actually have to go in and disable default logging in applications and OS level functions in order to make a system NOT log something.
a court is just compelling them to turn it back on or more specifically, turn it on as it may apply to a singular user.
and yes, if you operate some place - you have to comply with its laws. there's no technical way around this unless you're going full darknet.
https://www.aliexpress.com/wholesale?trafficChannel=main&d=y...
https://www.youtube.com/watch?v=mewYpU5OSUM
It tracks back to you if you turn it ON always in the vicinity of your real phone/home/work/etc.
On a side note, personally I'd consider it an interesting intellectual exercise on how to best structure an enterprise that did its utmost to protect its users as much as possible for egregious law enforcement requests.
I imagine it would be some combination of operating only in certain countries and using subsidiaries in other countries. You might have to go as far as using crypto for payment.
Nothing is guaranteed of course and the unfortunate truth is such a service would be used by those doing things that illegal or that I simply would have no interest in enabling.