30 comments

[ 2.4 ms ] story [ 74.6 ms ] thread
Very responsibly done! The issue was not that they had to share the logs with law enforcement, the issue was that marketing message was incorrect from them. This is a responsible step.
The fact that the messaging was there to begin with is the issue. People assume tech companies are immune from the law based on make believe claims that their ideals allow them to circumvent it.
Consumers relied upon ProtonMail's prominent and concise marketing claim. Consumers who signed up for the service are now in jeopardy, perhaps facing real [legal] injury based on reasonable expectation of not having their IP logged.

The privacy-centric nature of this abuse is unlikely to result in a class-action-type of response, but Caveat Emptor abuses can be dealt with by the marketplace, too.

What do you suggest they do to rectify the situation?
Pay damages.
I don't think you can get damages for what might happen in the future, only for real damages and probably only this activist that had his IP disclosed can prove damages.

Probably the best you could hope for would be to get out of a long term contract "I paid for a 2 year term based on promises that weren't true"

Otherwise, your best recourse to prevent your IP from being disclosed in the future is to find a provider that won't disclose it under any circumstances (probably not possible), or hide your IP yourself.

Here are some ideas: Proactive compensation, an apology letter, hosting an AMA live stream, and a postmortem on how this misleading messaging made it out in the first place.
Love how you put this. Yes, marketing message was incorrect.

Did they also fix the part about "no personal info to open an account?". They require a phone number to register through Tor >.<

(comment deleted)
Responsible to silently remove a lie?
Now if VPN providers would do the same because they can be compelled to log just like Proton was.
yup - you can claim all day long you don't log IPs and you may very well be telling the truth.

but if you live somewhere that a court can compell you to log IPs, then it's all rendered useless.

So a VPN provieder has to check with the laws of all the countries in the world to be able to function ? does'nt make sense you cant create logs if you don't log anything ..
computers and network devices, by their very nature, log all kinds of shit.

you actually have to go in and disable default logging in applications and OS level functions in order to make a system NOT log something.

a court is just compelling them to turn it back on or more specifically, turn it on as it may apply to a singular user.

and yes, if you operate some place - you have to comply with its laws. there's no technical way around this unless you're going full darknet.

Well if you can bribe some people in the middle that does not count hence the Panama based ISPs
I deleted my proton account about a year ago when I saw that I could not login from tor anymore, kudos to tutanota for allowing to register/login without a cell phone it must be really challenging !
Just FYI for anyone having this issue, Tor 2.0 is deprecated and has been hit or miss for roughly the past year. As long as you're using their Tor 3.0 onion address you should have few issues.
My solution - crappy china phone and the cheapest pre-paid sim card I can find. I turn it on, receive my SMS, then turn it off again. Doesn't track back to me because I paid cash, doesn't report my location because china phones don't have GPS, isn't on the VOIP or multiuser blacklist because its a "real" phone number.

https://www.aliexpress.com/wholesale?trafficChannel=main&d=y...

Yeah a bit overkill my threat model just encompass ISP/GAFAM not three letter agencies :D
It won't protect you against three letter agencies - it is more my double middle finger to everyone who thinks SMS verification has value, or somehow the gateway to marketing to me, or being able to harass me if they wanted. I have the telco turn off voice mail on the number so that nobody can produce phone records showing a completed call and say I was contacted.

https://www.youtube.com/watch?v=mewYpU5OSUM

> Doesn't track back to me because I paid cash

It tracks back to you if you turn it ON always in the vicinity of your real phone/home/work/etc.

There are hundreds of people in the same area, I’ll take that bet.
not always the same people? It's not a bet, it's just data/metadata that needs to be processed to de-anonymize you
Enhance.. enhance.. enhance.. override security.. pencil.. joshua.. trustn01.. 1-2-3-4-5.. Swordfish.. warmachinerox..
I'm glad they did that, but still wish they had removed it before keeping IP logs.
What deceptive marketing. I never did trust this company especially with reading the material on the forums.
IMO, Protonmail is clearly a honeypot. Among other things, you cannot create an anonymous account from Tor. If you do, it requires that you use a phone number for verification. This is not required if you connect through clearnet. It’s clear that they want something they can link to your identity, whether it’s an IP address/fingerprint or phone.
This is your daily reminder that any company you use is subject to the laws in whatever jurisdiction(s) it operates in. No amount of marketing and false promises should confuse you about that.

On a side note, personally I'd consider it an interesting intellectual exercise on how to best structure an enterprise that did its utmost to protect its users as much as possible for egregious law enforcement requests.

I imagine it would be some combination of operating only in certain countries and using subsidiaries in other countries. You might have to go as far as using crypto for payment.

Nothing is guaranteed of course and the unfortunate truth is such a service would be used by those doing things that illegal or that I simply would have no interest in enabling.