This is non-news, like all tech companies, they are bound by law to do this. It happens more than 6000 times per year for Proton. However, this user just had bad opsec. Proton emails are all encrypted and cannot be read unless law enforcement gets your password, which Proton does not have access to. Even if Proton hands over all data.
Proton doesn’t get a free ride here.
They are bound Swiss law and should not be retaining any identifying information.
If they are going to give up everything they have on you when the feds come knocking, they shouldn’t keep anything or they shouldn’t market themselves as private and secure .
Upon receiving the recovery email from Proton Mail, Spanish authorities further requested Apple to provide additional details linked to that email, leading to the identification of the individual.
The user specifically requested that Proton retain this PII for account recovery.
Speaking of which, how do they implement recovery emails? Do they save your private keys only if account recovery is enabled?
Recovery email only restores access to the account, so you can get future emails. But all data is lost, emails sent in the past (saved emails) are not recovered.
No, Proton does get a free ride here. The information they provided was the recovery email address, which they were required to do by law.
The only data they don’t encrypt (can see) is that which they absolutely need to store unencrypted. If they encrypt your recovery email address, then… they can’t send you any recovery emails to it since they can’t see it.
This is 100% the fault of the user.
All any service can do is give you the best tools available to maintain your privacy, but they can’t stop you from shooting yourself in the foot.
Firefox is also great for privacy, but if I use it to fill out some info on some phishing sites then that’s not a them problem.
Don’t forget that most of your email arrives at their servers unencrypted, supposedly they immediately encrypt it, but you have to take their word on that. And there’s always the possibility that they are forced or just decide to make a copy of emails as they’re encrypting for your inbox.
They are bound by Swiss Law, so they have to comply with lawful orders. They are very up front about this even within their marketing that pertains to protection from other government authorities. They are also very good at explaining exactly what is protected and what inherently isn’t. A recovery email isn’t. In order for a recovery email to work by its very nature, Proton has to have a record of it. But at the same time they don’t require you to set one. Proton hasn’t done anything that they’ve promised not to. There comes a point where you need to put a little effort into understanding the product you’re using.
Don’t tell me, tell the guy they gave up . ?
They market to activists and people concerned with the business of protest, not Swiss law experts - and are very much are not up front about what could happen if they are contact by LE. Of course They don’t hide it, but you won’t find it on the front page, where they trumpet about Swiss privacy… You and I know the detail, many users may not.
At the end of the day, they attract a lot of activists and protesters to their service, with the offer of “safe and secure email. “ .
They hold a database of all them, in a jurisdiction that requires them to comply with legal requests for information.
They service some 6000 such requests from their database of every year, or around 30 per day.
You can decide for yourself who this efficient and eminently accessible single source of protesters information helps the most.
This information was just as clearly and easily accessible by the guy who was caught, as it is to you, and to me. If you’re going to commit crimes using a cloud service, the onus is really on you to put in a minimal amount of effort to familiarize yourself with what is protected and what isn’t. Proton is extremely up front about this, and give you all the information you need to be safe.
Proton never advertised to a single user that all your data is safe from the Swiss government. On the contrary, their main selling point is that the Swiss government is the primary driver of their secure offering. They encrypt what they can using zero trust encryption, and that is left over is secured by the Swiss Governments laws regarding businesses sharing information with foreign governments.
Proton promised to not comply with direct requests from foreign governments and they haven’t.
Proton promised to encrypt all the data they feasibly can so it was safe from Proton being able to hand it over to even Swiss authorities and they have.
Proton is not responsible for user error, nor the willful ignorance of its users.
I’ve never sought to absolve the user of responsibility, but nor am I ready to label him a criminal, which you seem to be able to do.
At the same time, my words were quite specifically a mild criticism of Proton who are, for reasons I have explain, not entirely the privacy haven it is perceived to be, because of design decisions, where it choose to host its servers and the fact that it has perhaps unknowingly created a highly functional database for law enforcement to query in demand.
I don’t label him anything. He clearly did something that guided his decision to use a more privacy-centric service to avoid the prying eyes of his own government. That could be crimes, civil disobedience, it doesn’t matter.
Proton deserves no criticism here. It has not created any functional database of any group of people to be queried by anybody, much less law enforcement. Thats complete nonsense with no evidence to back it up.
It is exactly the privacy haven it appears to be because to this date there has been no reason to believe otherwise. Proton has and continues to offer the protections it’s promised to, without deviation. You just seem to have some kind of personal bone to pick with Proton and are using this story to distort the truth in order to create some kind of anti-proton narrative. I’m no corporate fanboy, but right now we have very few privacy-focused cloud services and for the duration they remain so, I’m not going to tear them down for no reason.
Quite the opposite.
You’ve been triggered by very mild criticism of Proton and the small but nonetheless important risks associated with using that service.
You have accused the user in question of doing crimes - it’s there in your comment for everyone to see. You are unable to accept that a firm that according to their own data, services 6000 requests for information under the Law, is a useful source of information for Law Enforcement.
There’s no where for this conversation to go from here.
“Privacy” means two different things depending on the audience. For me privacy means that my information is not being used to advance some organizations commercial interest. For others it means that my information will never be shared with a government.
Don’t advertise to me
Or
Don’t narc on me
I guess I don’t really expect a company to resist pressure from government agencies on my behalf. Especially if I have been using their service to commit crimes in my country. If you are doing things your government would prefer you didn’t, hire a good lawyer and consult with them about what should be sent via email (spoiler, it’s nothing). The mafia doesn’t send emails, or put anything in writing, if you do crimes, you shouldn’t either.
I guess I don’t really expect a company to resist pressure from government agencies on my behalf.
Personally, I expect them to resist to the extent possible by law. The cops need to follow a lot of rules to make legally binding requests for data. I understand that if they do, there’s not much a company can do other than hand out the info, but if there’s a legal way to deny such a request, I expect the company to pursue it.
Pretty much. I’m not expecting a company to spend millions of dollars in court costs and lawyer fees on my behalf. But if it’s clear that the government is overreaching, the company should at least go “hey uhh judge, wtf?”
Companies selling data don’t tend to be picky who they sell to. Governments and police buy data all the time.
The best part is a government can buy data and and can change the rules on what is illegal.
So, if they decide tomorrow that your innocent behavior is a threat, you’re now a criminal.
As much as some of us may dislike it when a company does these kinds of things. You can’t really blame them for following the laws of the country that they are headquartered in.
You can blame them for operating there to begin with in cases like Apple in China, but you could hardly blame them for following the laws of the US where they are headquartered for example.
If the law of the land where the headquarters is requires them to give up the data they do have to partner nations then they don’t really have much choice in the long run if they want to continue to exist.
“Nobody’s going to jail for you” is pretty much the way to think about any cloud privacy service. They may not keep logs unless they’re required to, but in the end, they will comply to stay in business.
I don’t know much about the case beyond some very lazy peripheral searching, but it strikes me that Proton’s compliance isn’t an issue, but the requests themselves are totally unjustifiable and based on malicious prosecutions to nab some separatists on ridiculous terrorism charges for their nonviolent action and protests.
This individual is suspected of being a member of the Mossos d’Esquadra (Catalonia’s police force) and of using their internal knowledge to assist the Democratic Tsunami movement.
The requests were made under the guise of anti-terrorism laws, despite the primary activities of the Democratic Tsunami involving protests and roadblocks, which raises questions about the proportionality and justification of such measures.
If you use ANYTHING other than face to face meetings when discussing something illegal, you get what you deserve.
Or use WhatsApp like most of criminals
Doesn’t look like Proton did anything wrong, they can’t fight these requests and he was caught by identifying information he linked to his account.
Proton a few years ago disclosed the IP address of the user of a certain mailbox upon request by LEA. That was enough to get the person found and arrested (I don’t remember what the case was about). They HAVE to comply with these requests,
but they DON’T need to log/retain those infoETA: and I was wrong, thanks @[email protected] to set me straight. But I think the point still stands. I don’t want to be ALWAYS be tied to a VPN, there are some scenarios where I can’t use a VPN.That was the moment I decided to selfhost my email server.
That was the moment I decided to selfhost my email server.
So now the hosting you use will share the same(or likely much more) data if some government requests it.
They can get my encrypted drive. My domain name is registered to me so that’s clear it’s my email. But no content.
What I am find curious about this is if a recovery email would have any weight in court. I can add whatever recovery email I want to an account. It doesn’t have to be mine.
If your recovery email address is not yet verified, click the Verify now link and then the Send verification email button. You’ll be sent a link to confirm that the email address belongs to you.
https://proton.me/support/set-account-recovery-methods#how-to-add-or-change-a-recovery-email-address
Ah, makes sense.
Yes its a good thing the result is what it is, but you watch, theyll try to use it as justification. And as a small(ish) fyi, try running a tracert on whatever site youre looking at. Unless you are directly connected to that site, there are likely multiple hops -domains- that your connection passes through to get from your machine to the target. Each one of those has the potential to read what youre doing and reporting on it.
proton is untrustable
This is why you sign and encrypt the contents of email. If the recipient doesn’t have the public key, they can’t read the content.
Allowing a service provider to “handle your keys” is tantamount to letting the fox watch the henhouse.
Proton doesn’t provide IMAP/SMTP access for free accounts, so you won’t be able to encrypt emails locally.
This ultimately is the tech version of “trust me bro”. This means you are as secure on Proton as you are on GMail, depending upon how you use the service.
