This is non-news, like all tech companies, they are bound by law to do this. It happens more than 6000 times per year for Proton. However, this user just had bad opsec. Proton emails are all encrypted and cannot be read unless law enforcement gets your password, which Proton does not have access to. Even if Proton hands over all data.
“Privacy” means two different things depending on the audience. For me privacy means that my information is not being used to advance some organization’s commercial interest. For others it means that my information will never be shared with a government.
Don’t advertise to me
Or
Don’t narc on me
I guess I don’t really expect a company to resist pressure from government agencies on my behalf. Especially if I have been using their service to commit crimes in my country. If you are doing things your government would prefer you didn’t, hire a good lawyer and consult with them about what should be sent via email (spoiler, it’s nothing). The mafia doesn’t send emails, or put anything in writing, if you do crimes, you shouldn’t either.
I guess I don’t really expect a company to resist pressure from government agencies on my behalf.
Personally, I expect them to resist to the extent possible by law. The cops need to follow a lot of rules to make legally binding requests for data. I understand that if they do, there’s not much a company can do other than hand out the info, but if there’s a legal way to deny such a request, I expect the company to pursue it.
Pretty much. I’m not expecting a company to spend millions of dollars in court costs and lawyer fees on my behalf. But if it’s clear that the government is overreaching, the company should at least go “hey uhh judge, wtf?”
Companies selling data don’t tend to be picky who they sell to. Governments and police buy data all the time.
The best part is a government can buy data and can change the rules on what is illegal.
So, if they decide tomorrow that your innocent behavior is a threat, you’re now a criminal.
Isn’t the old bit about organized crime how they always have a second set of books? After all they do want to be able to track their finances.
They provided the backup e-mail address
Upon receiving the recovery email from Proton Mail, Spanish authorities further requested Apple to provide additional details linked to that email, leading to the identification of the individual.
Just in case anyone thinks they decrypted mails and handed them over, nope. I hadn’t thought about that “settings” are not encrypted. Guess if you want to stay anonymous you shouldn’t add your private mail address in there as a backup.
Yeah. Even if they couldn’t hand over recovery emails, having a personal email as a backup to a “private and sensitive” email account is bad practice.
But what do you do if that field is needed? A throwaway address won’t work as it’s easy to recreate. Buy your own domain and run a server?
I don’t believe you need that field with Proton, correct me if I’m wrong. If you do need that field with an email provider, and you need complete opsec, use a different provider.
It’s not
It wasn’t a requirement when I signed up several years ago, and to my knowledge, it’s still not required now. Just as long as you keep your email and password in something like a password manager and don’t fuck it up, you’re fine.
I put the Simplelogin email alias as my backup mail. Which forwards mail to my proton, so I guess it isn’t really a backup. Even more so if you realize I need to sign into simplelogin with my protonmail account and protonmail owns Simplelogin.
I just have no backup email at all. If I manage to lose my password manager file and forget my password, then I’m just fucking stupid anyway.
No, domain names are tied to a person and, even if that person registers the domain with fake personal details, there will be a digital payment associated with the purchase.
Some registrars accept crypto though.
Which also isn’t private. In fact, it’s the opposite of private since it’s a public blockchain.
Yes, I am aware. But nonetheless it is far easier to use anonymously/pseudonymously than “traditional” payment. Like, exchanging BTC/LTC from Monero, and buying said Monero via a non-kyc method as well. And whatever protections you want to layer, depending on how much effort you think “they” would spend on you.
It’s not needed, that’s just it.
Proton doesn’t require recovery. But if you want recovery without email addresses, there are multiple different ways, from recovery phrases to a recovery phone number to even an encrypted recovery file you download onto a local device.
I don’t know much about the case beyond some very lazy peripheral searching, but it strikes me that Proton’s compliance isn’t an issue, but the requests themselves are totally unjustifiable and based on malicious prosecutions to nab some separatists on ridiculous terrorism charges for their nonviolent action and protests.
This individual is suspected of being a member of the Mossos d’Esquadra (Catalonia’s police force) and of using their internal knowledge to assist the Democratic Tsunami movement.
The requests were made under the guise of anti-terrorism laws, despite the primary activities of the Democratic Tsunami involving protests and roadblocks, which raises questions about the proportionality and justification of such measures.
The same thing which happened in the past. Antiterrorism laws used for - if I remember correctly - an environmental activist.
Doesn’t look like Proton did anything wrong, they can’t fight these requests and he was caught by identifying information he linked to his account.
They could disclose the fact that they might need to give that info to authorities and warn users of that.
They never mention it here for example https://proton.me/blog/protonmail-threat-model
https://proton.me/legal/law-enforcement
Here they mention clearly the data mentioned in the privacy policy, which in turn clearly states that you MAY provide a recovery account which will be associated with your account. I also think that anybody that should be concerned for this should understand that law enforcement can get ALL the data the company has on you.
As much as some of us may dislike it when a company does these kinds of things, you can’t really blame them for following the laws of the country that they are headquartered in.
You can blame them for operating there to begin with in cases like Apple in China, but you could hardly blame them for following the laws of the US where they are headquartered for example.
If the law of the land where the headquarters is requires them to give up the data they do have to partner nations then they don’t really have much choice in the long run if they want to continue to exist.
Plus there aren’t many jurisdictions with stronger privacy law than the Swiss. It is unlikely they made a bad choice for choosing a headquarters.
I guess they can operate on the public sea or the arctic, but I imagine the commute will be terrible.
“Nobody’s going to jail for you” is pretty much the way to think about any cloud privacy service. They may not keep logs unless they’re required to, but in the end, they will comply to stay in business.
If you use ANYTHING other than face to face meetings when discussing something illegal, you get what you deserve.
Although I like the idea of a drug smuggler typing “as per my previous email…”
Proton a few years ago disclosed the IP address of the user of a certain mailbox upon request by LEA. That was enough to get the person found and arrested (I don’t remember what the case was about). They HAVE to comply with these requests,
but they DON’T need to log/retain that info.
ETA: and I was wrong, thanks @Cheradenine@sh.itjust.works to set me straight. But I think the point still stands. I don’t want to ALWAYS be tied to a VPN, there are some scenarios where I can’t use a VPN.
That was the moment I decided to selfhost my email server.
Posteo doesn’t have to retain IPs and doesn’t, it also doesn’t retain payment info (though if you transfer by wire there’s still a window where a payment can be traced AFAIU).
They will also absolutely forward any and all traffic for a particular account to law enforcement when given a court order. What’s it with criminals thinking that they can outsource opsec to legitimate businesses. Defending against a state-level actor actively hunting you down, watching closely and pouncing on any and every mistake, is a vastly different beast than making sure google doesn’t know about the butt plug you just bought.
Agree with you, that’s why I buy my butt plugs (and similar toys) with my gmail account! 😁
“If law enforcement is going to look at my data, I’ll give them something to look at” lmao
That was the moment I decided to selfhost my email server.
So now the hosting you use will share the same (or likely much more) data if some government requests it.
They can get my encrypted drive. My domain name is registered to me so that’s clear it’s my email. But no content.
What I find curious about this is if a recovery email would have any weight in court. I can add whatever recovery email I want to an account. It doesn’t have to be mine.
If your recovery email address is not yet verified, click the Verify now link and then the Send verification email button. You’ll be sent a link to confirm that the email address belongs to you.
https://proton.me/support/set-account-recovery-methods#how-to-add-or-change-a-recovery-email-address
Ah, makes sense.
I still find it fascinating that you can go to jail because there’s an IP address in a log file somewhere or because of a screenshot of a messenger communication.
Any more so than, say, fingerprints, DNA, or accounting records?
Definitely. I can just write a log file myself, change the creation date in the filesystem if I have to. There are websites that generate images of DM conversations on a myriad of platforms online. Manipulation of these artifacts is beyond trivial.
Or, for that matter, surveillance video recordings stored on a server somewhere. It’s all just ones and zeros, but some combinations of ones and zeros are quite informative.
This is why you sign and encrypt the contents of email. If the recipient doesn’t have the public key, they can’t read the content.
Allowing a service provider to “handle your keys” is tantamount to letting the fox watch the henhouse.
Proton doesn’t provide IMAP/SMTP access for free accounts, so you won’t be able to encrypt emails locally.
This ultimately is the tech version of “trust me bro”. This means you are as secure on Proton as you are on GMail, depending upon how you use the service.
If the recipient doesn’t have the public key, they can’t read the content.
Sir, if your recipients don’t have a public key, you cannot even encrypt the message… That is how asymmetric-key crypto works.
This comment is completely off the mark. The information that they disclosed is the recovery email - the same exact thing which happened previously - not any content of any email.
Also, Proton does encryption with PGP, but you can’t encrypt if the other side doesn’t use PGP (which is the case for 99.98% of humans on the planet). If they do, Proton supports this, including with arbitrary clients using their bridge.
FYI email contents were not decrypted or turned over to police, as far as I know Proton’s E2EE is still as good as whatever system you’re using. Proton doesn’t have the keys to decrypt your emails, it never did. What they have access to is metadata that is necessary to function when your private key is unavailable - e.g. your public encryption key used to encrypt incoming emails from non-Proton sources, or in this case, a recovery email address (I don’t know what the recovery process entails and whether it can restore encrypted emails).
Just encrypt with pgp and send encrypted text
Yes, it’s a good thing the result is what it is, but you watch, they’ll try to use it as justification. And as a small(ish) FYI, try running a tracert on whatever site you’re looking at. Unless you are directly connected to that site, there are likely multiple hops - domains - that your connection passes through to get from your machine to the target. Each one of those has the potential to read what you’re doing and report on it.