Climate activist arrested after ProtonMail provided his IP address (twitter.com/tenacioustek)
1285 points by kdunglas on Sept 5, 2021 | 584 comments



Disclaimer: Paying Protonmail customer

Their homepage says "By default, we do not keep any IP logs"

In 2021, any soft language like this should be a red flag for anyone who is against surveillance. Maybe in 2018 it was good enough. But in 2021 it's not. Come on, Protonmail, you're supposed to be leading the way -- don't make me figure it out myself.

Replace immediately with "By default we don't log IP, but may be required to by local law enforcement. We recommend everyone connect through Protonmail through Tor. This month, 60% of our users connected through Tor".


All the Protonmail customers out there, what did you do about this?

For starters, I emailed Protonmail support.

Here's mine: Hi, Your homepage reads "By default, we do not keep any IP logs..."

This language is soft and misleading. Maybe in 2018 when I first began using ProtonMail it was good enough. But in 2021 it's not. I expect better from ProtonMail.

Replace immediately with something clearer. "By default we don't log IP, but may be required to by law enforcement. We recommend all customers connect through Protonmail through Tor. This month, 60% of our users connected through Tor".

If you can't come up with anything better for users, just fall back on your privacy statement verbatim and avoid any marketing language.

Think about a journalist in Afghanistan, a whistleblower in the USA, or a human rights activist in China. They're all engaging in potentially dangerous activities.

I advocate on behalf of such people by supporting services like Protonmail with my money. If Protonmail isn't supporting these users, why should I bother supporting Protonmail?

I expect Protonmail to educate users like this about how Protonmail itself can be turned into an adversary. Educate users about how to use Tor. Do better. Improve the internet.

I look forward to your reply.

Also, registering a new account through Tor requires a phone number for verification, even though Proton says no unique identification is required to register. If this requirement isn't removed by the time I renew my account I will no longer renew.


From my understanding it depends on how naughty your current exit node has been. Most Tor exits in my experience allow creation and you just need to verify another email (just use a random burner - they only block a few). Supposedly some well-behaved exits require just a captcha but I've never seen it.


It would be nice if they had a tor presence so there would be no need to traverse an exit node. A lot of other privacy-forward sites do exactly this.



Sad to say, Proton's onion service is for their old version. Proton has recently rolled out a new updated version of their service, and as far as I'm aware they don't offer a Tor onion service for that newer version.

So Proton users who like to connect via Tor onion services have been faced with a choice of either staying on the old version of ProtonMail, or giving up on connecting via a Tor onion service. It definitely leaves the impression that they don't care much about Tor anymore, or that it's at best an afterthought for them.


I tested this, and you're right: Their Tor service runs the (in my opinion nearly as usable) older version.

It's plausible that Proton does not care about their Tor service, but there may be another reason: The new version relies more on Javascript code than their old version, and a Tor user is more likely to browse with scripts disabled than a regular user. Proton may be holding back the rollout of the newer version until they have tested it more without Javascript. This is only a hypothesis, and I came up with it just now; take it for what it is.


Tor + Scripts is not good. You're probably right on why there isn't a newer version on their onion service.


I don't think you can use Proton without JS. You need JS for cryptography; the emails get encrypted/decrypted/signed/verified on client-side.


Of course; should have been obvious.

Perhaps there is a greater reliance on scripts in the new version, but this makes it seem more likely that they've abandoned the Tor version.


I use proton-bridge and a normal email client, although I've never tried to use it with Tor.


I bet they initially configured it when Onion Routing was the new buzzword, and then lost interest when it wasn't the New Thang anymore.


Thanks. I thought they must.

https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7... is the URL that people should be using with Tor if they are concerned with being traced.

Using Tor to access a regular web site, i.e. through an exit node, is (nearly) no different than using a proxy. Just assume all exit nodes are "naughty" and do your thing accordingly.


HN: Be careful when visiting Tor links that are suggested anywhere. There are many malicious clones of popular websites


For the record, that comes from GP's link to the ProtonMail website. But you are correct. Verify before clicking anything like that.


They do with the premium tier.


I simply closed my (free) account.

Their page is full of what are now obviously lies. They admit that in the cases of "extreme crimes" they might be forced to give up information. _By no stretch of the imagination are these peaceful political protests "extreme crimes"._

I specifically advocate for the sorts of people that Protonmail ratted out and had arrested - climate change activists.


From what I gathered from a (French) blog posting by a squatting collective, posted elsewhere in this thread, the arrests are in relation to an eviction.

The eviction was legally sanctioned, and violence was used on the officers. Several officers had to stop work for a few days, one officer for two weeks.

I myself am a middle-aged "have", but I do worry about climate and I do empathize with those that "have not".

However, violence during an eviction is not peaceful. People were hurt, and a legal response was due. Seems to me that arresting someone after the fact, and dealing with the matter in a court of law is the peaceful thing to do?


When I read "extreme crimes", I don't think of a scuffle with the cops over what started as a misdemeanor arrest or non-criminal enforcement action. Protonmail should change their wording to be clear that governments can and do compel them to collect such information for ordinary crimes.


Yup, fully agree: Protonmail should just say "we comply with the law". Though at this point the security reputation of the Swiss should have given anyone pause to think (Crypto AG, Omnisec AG, etc)

My point was just that 1) the arrest was related to squatting, not the climate 2) these people, idealist and well-intentioned as they were, were not "peaceful" (at least, not when faced with a brigade of police officers)


(prepare the downvotes)

> The eviction was legally sanctioned, and violence was used on the officers. Several officers had to stop work for a few days, one officer for two weeks.

Usually they need to stop work for a few days because their hands/wrists are aching due to hitting too hard on protestors. Anti-riot police are perfectly equipped and physically trained to be in fights, it's literally their job. And while there are generally at least a few "semi-pro" violent protestors on the other side, they are not as well equipped as the police.


+1


FWIW, what they were accused of was squatting, not protesting climate change. I still think that's a ludicrous abuse of police powers, but it's worth being accurate.


And in the spirit of accuracy: the reason for the arrest was the violence during an eviction (several injured police officers), not the squatting itself.


Ah, thank you. I didn't realise that. Appreciate the correction!


That's fine in my "paying ProtonMail customer" view. Use VPN + Tor if you don't want your IP address to be known. I use ProtonMail to reduce my exposure to Google tracking/the possibility of business execution leaks they might use in their favor, and to keep alternatives alive.


So does any non-Google email provider meet your criteria then?


Not being Google is just one of many criteria.


> Think about a journalist in Afghanistan, a whistleblower in the USA, or a human rights activist in China.

They are thinking about them. They want to make sure such people don't get them in trouble with the US or China, so they sell them out immediately.


I didn't do anything about this, because I expect any commercial service to log IPs at least for a short period of time to fight abuse. I'm using this service because I don't want the service provider's staff or someone that hacks their servers to be able to read my mails. Ideally I would like to also have privacy (through E2EE) when e-mailing other PM users, but I'm not counting on that. As the Tutanota case shows, such secure e-mail providers can be forced by law to intercept e-mails.


TBH in 2021 people engaging in potentially dangerous activities should be literate enough to understand that no business will guarantee them full security and decline all requests from authorities to disclose their identity. The wording you suggest is the equivalent of a "do not dry your cat in the microwave" instruction - a legal protection from dumb customers that does not contribute meaningfully to safety.

For non-Swiss customers, working with a Swiss provider can be a good enough protection to avoid the inconvenience of Tor. After all, even in the mentioned case it required review and approval of 3 agencies before the request came to Proton - from French police, from Europol, and then from Swiss authorities. If this is not enough barriers to protect from politically motivated prosecutions and corruption, then we have a much bigger problem in Europe.


The problem is that engaging in "potentially dangerous activities" includes such a wide range of people. Think about a journalist in Afghanistan, a whistleblower in the USA, or a human rights activist in China. They're all engaging in potentially dangerous activities. Are they "dumb" because they don't understand all the ins and outs of surveillance? How about some empathy for them as users?

The proposed statement above is intended to help people like that.

Do I have such activities? Nope. But I believe that those activities should be enabled, whether for me in the future or others around the world.

I advocate on behalf of such "dumb" people by supporting simple services like Protonmail with my money. If Protonmail isn't supporting these users, why should I bother supporting Protonmail?


Also ProtonMail's only reason for being is that they are supposed to provide some higher level of privacy. If they don't, how are they any different than a commodity grade SMTP/IMAP provider? I will withhold judgement until I know more about the case but the early context does not look good for ProtonMail's value proposition, which is the least of things.


Is it though? I don't know much about this company but their main selling point seems to be end-to-end encryption for mail messages. That's not a "privacy" feature by itself. Now it is a tool that you can use to gain more privacy, but you could also have people who use it to cc all their emails to their entire Facebook list. So it seems it all depends on how you use it and what type of privacy you try to achieve.


End to end encryption is a privacy feature by itself. The example of using an email service to send a mass email to a dislist is irrelevant to the possibility that it would also be able to preserve privacy in other communications. You could send an email directly to the local police chief if you wanted but that does not preclude wanting privacy elsewhere.


I think you are confusing privacy with security, which is a common mistake, not your fault -- end-to-end encryption is what secures the messages; by itself it does not ensure that the messages get to the right place or that the encryption keys belong to the right people. It needs to be used in combination with other methods and techniques. Explicit features that are in the domain of "privacy" would be ensuring messages are deleted on a regular basis, or some kind of key cycling, or an anonymizing service like Tor, etc.

To use your example of emailing the police chief: let's say your threat profile is that you're being stalked by a criminal, and you want to email the police to give them information on this crime, but you don't want the criminal to know. If the criminal breaks into your email, or if your house is broken into and a hidden camera is placed behind your computer, it makes little difference whether you have end-to-end encryption or not, your privacy is still violated. Does that explain it better? Maybe Proton could have some better messaging around this, if their customers are getting privacy and security confused?


I think you're using a definition of end-to-end encryption that's too narrow, same with privacy. E2E schemes try to ensure that your messages can only be read by their intended recipient. That's undeniably a privacy feature, since having private messages read by a third party (without consent) would be a privacy violation.

Security and privacy are intertwined, imagine your server getting hacked (security problem) leading to your private documents being exposed on the internet (privacy violation).


I understand they are billed that way but in practice I don't believe they fulfill that goal, as the job of making the messages unreadable is mostly already done by transport security (SMTP TLS). Sure it can protect against some things if the mail server is the target, but as we see here, there is still a large amount of identifying metadata that they (unavoidably) have on you. The goal with "privacy" is to ensure that your communications are undetectable and unidentifiable, and I would hardly call it that if it's still regularly going through a well-known mail server attached to a highly identifiable account. And of course it depends on how much you actually use the E2E encryption which is technically optional, for example if you send/receive a lot of mail from gmail users that aren't using S/MIME, which still seems to be the case for a lot, then it won't be enabled and your messages are still vulnerable in a server hack.


*Think about a journalist in Afghanistan, a whistleblower in the USA, or a human rights activist in China*

The former's safe because no one's going to deliver IPs to Afghanistan and the latter are doomed, because the US and China are following a policy of total surveillance. That ship sailed decades ago.


I wouldn't be surprised if they or anyone else in the future deliver users' IPs to the Taliban government, especially once they get recognition from more nations.


You do not have to understand all aspects of privacy to realize that governments may have sufficient resources to track your identity and to put enough pressure on businesses to provide information they need.

At the same time, Tor is not the only way, nor a required or sufficient way, to ensure privacy. There are different circumstances requiring different approaches. In many cases Tor will be redundant; in some cases it may be impossible to use, will offer insufficient protection, or will actually put the person in immediate danger, so giving this kind of advice is at least as harmful as not having full disclosure on logs.


> Are they "dumb" because they don't understand all the ins and outs of surveillance?

US military personnel, and those from other nations, are posting on TikTok. At least those probably don't work in reconnaissance.

They aren't stupid and this isn't a technical problem, it is a legislative problem. Real security has been undermined since the early 2000s and before. Western powers just ape China or Russia at this point.

That the Swiss people gave authorities these surveillance capabilities is pretty stupid though. Alpine air must have been pretty thin that day.


It's not protection FROM your customers. It is protection FOR your customers. Most customers are not technically astute.


A corporation is a power centralization, and government authority can lean on power centralization.

In general, regardless of what their TOS say, never believe that a corporation can't be compelled by the law to do anything they could physically do. CEOs can be jailed; when's the last time we heard of one actually going to jail over user privacy?


> CEOs can be jailed; when's the last time we heard of one actually going to jail over user privacy?

Ladar Levison from Lavabit came close. But even he admits that was because the FBI wanted to subvert every single Lavabit user's account (attempting vast overreach on the brazen assumption that "we are after Snowden" was going to pull the wool over everybody's eyes). Levison admits though, to having "responded to" at least two dozen subpoenas and complied with at least one warrant before.

https://en.wikipedia.org/wiki/Lavabit#Suspension_and_gag_ord...


The CEO of the phone company Qwest claims that the insider trading charges he got prison for were only brought to court because he refused to allow the installation of NSA surveillance equipment.

https://en.wikipedia.org/wiki/Joseph_Nacchio


The point being made agrees with you, and is just saying that since protonmail can't help but obey sometimes, they should make the effort to educate their customers about that fact and whatever their customers can personally do to mitigate the risks of that fact.


> CEOs can be jailed; when's the last time we heard of one actually going to jail, period.


A customer that specifically chooses Proton for privacy must read and agree to the privacy policy, which explicitly states that Proton may in fact keep temporary IP logs and that the user may opt in to login IP logs. Requests from authorities may ask for this kind of information and Proton will have to provide it.

The "opt-in" part for login logs is particularly interesting, because in fact Proton recommends this as a security best practice. Whether it's in the best interest of the customer or not is an open question. I would say, in a risk model where the threat of human rights violation by the Swiss government is much lower than the risk of an unauthorized party accessing the account, it makes sense. Tough luck for the criminals that followed this advice.

https://protonmail.com/privacy-policy


Anyone that uses ANY electronic device to plan and arrange clandestine operations IS AN IDIOT.


Do tell, how do you plan your clandestine operations?


3 days ago I did this very thing. When the oppressive govt banned internet, I had to talk to someone outside India and then I dictated them some text. Reddit keeps IP logs for 100 days so I had a dormant account for over a year. I asked the guy to log in, type that message and post.

That way the govt can demand that account's IP from Reddit, but since the only IP available is from outside India, they can't do shit.

I was ready to dictate a base64 image character by character but the internet blockade remained for only 2 days, so yeah. There are plenty of ways.


You think nobody can tap phone records, when you called someone outside India?

Oppressive government?


Ah yes. Unless they are actively listening in, am I not safe enough as compared to DPI censorship and network analyzers mandated by the said oppressive government?


Mass capture of telephony is real. Voice recognition is real. Text processing is real. All of these are low-tech these days.


By using the classics of course.

https://en.wikipedia.org/wiki/Histiaeus#Ionian_revolt_(499-4...

Sure the bitrate is a bit slow and it's UDP only but our governments have proved over and over again that they can't learn from history.


> In 499 BC, he shaved the head of his most trusted slave, tattooed a message on his head, and then waited for his hair to grow back. The slave was then sent to Aristagoras, who was instructed to shave the slave's head again and read the message, which told him to revolt against the Persians.

Since this was a trusted slave, the tattoo seems unnecessary. The slave could just tell Aristagoras "Histiaeus says to revolt against the Persians".


The fact that the slave had been signed confirmed the authenticity to the recipient.


There is trust and there is trust.

There was enough trust that the slave did not desert and that they were taking the message to the destination.

There was not enough trust that the slave would actually know the CONTENT of the message. As such the slave wouldn't even know where to desert to :)


Do as terrorists and generals do. Just use one mail account, never send mail, use the draft feature, and start everything as a discussion about an elaborate real-world spy/crime novel.


I am betting on ravens


All analogue.


ADC means analog is trivially made digital. Analog is not an effective firewall unless it is physically shrouded from all sensor networks.


> I know that when an individual uses an electronic device to communicate with others in order to commit a crime, the individual's electronic device will generally serve both as an instrumentality for committing the crime, and also as a storage medium for evidence of the crime. The electronic devices are an instrumentality of the crime because it is used as a means of committing the criminal offense. The electronic devices are also likely to be a storage medium for evidence of crime. From my training and experience, I believe that an electronic device used to commit a crime of this type may contain: data that is evidence of how the electronic device was used; data that was sent or received; and other records that indicate the nature of the offense.

Right from a recent court filing, search warrant.


If the tech companies involved have monetized surveillance - and no, I am not talking about the kind they do for advertising, but instead the $ for data on users/portal, all that jazz, fees for LE levels of access, cost for responses, etc. - then LE are also the customers too?


I'm fine with Proton treating my data as a liability. Give me the tools to take away that liability by only sending them noise through an anonymous email address. I will pay for that.


Sure, the wording istingray suggested is a bit over the top. But the existing wording "By default, we do not keep any IP logs" is misleading. Why even say it? They should simply delete it.


I'd read that as "by default we don't keep logs, so we can't be compelled to provide IPs for sessions in the past. We can still be compelled to provide that information for current/future connections."


It is in contrast to the immediately following paragraph, which discusses a user-controllable setting that does cause IP logs to be retained permanently.


What immediately following paragraph? This is what I see:

https://i.imgur.com/6sZFn78.png


In the twitter screenshot linked to in this post, there is a discussion of the authentication logging feature in the immediately following paragraph (the screenshot discussing IP logging).

https://twitter.com/OnEstLaTech/status/1434576598418796549?t...


How do you understand "by default" and "keep" in this phrase? Does it actually mean that they do not collect the logs?


My first reading of "by default" here is that I can optionally enable it through my account.

Really, it's a phrase that means 3 things: I can enable it, ProtonMail can enable it[0], or the authorities can compel ProtonMail to enable it.

Saying any of that, or at least linking to a page that does, would be a smart move.

[0] https://protonmail.com/privacy-policy - "IP logs may be kept temporarily to combat abuse and fraud, and your IP address may be retained permanently if you are engaged in activities that breach our terms and conditions"


Review and approval of 3 agencies is apparently not even a speed bump.


> If this is not enough barriers to protect from politically motivated prosecutions and corruption, then we have much bigger problem in Europe.

Well, in this case isn't it clear that these barriers were in fact not enough? Or do you think anti-squatting is a major enough problem that it warranted this level of international cooperation, without any politically motivated thinking?


> people engaging in potentially dangerous activities

These seem to have been climate activists engaging in sit-ins.

Surely these are the very sorts of people that secure accounts are intended to protect?


What kind of "climate activist" draws this much heat?


Seems like it was not strictly climate related in this case.

https://paris-luttes.info/communique-sur-l-affaire-de-la-145...

Looks like your run-of-the-mill radical left occupation of housing (the stuff you see in big European cities like Berlin and Paris where they have that tradition).

Their bouts with law enforcement trying to evict them could be the reason for the arrests. If the Google Translate is not completely misleading then they refused to give their names or fingerprints when initially arrested.


UK has been arresting climate activists by the hundreds, it's pretty surreal here.

https://twitter.com/MetPoliceEvents/status/14342276656791429...


Probably one that threatens corporate interests.


Probably? Do you know anything about why they were arrested?


I once tried to create a Protonmail account over Tor and I believe they require a phone number from 'malicious' IPs, so if you want anonymity Protonmail is not the service for you.


Yes, Protonmail requires a phone number to register over Tor!

Even though they claim no identity is required to register.

I confirmed this today when I created a fresh Protonmail account over Tor: https://news.ycombinator.com/item?id=28428092


If they don't do this then spammers will use their service en masse and degrade the service for all customers by getting their IPs and domain black-holed by all other email providers.


Too bad, figure out a way to solve for it. I'm paying for private email service, not a pretty picture of the Swiss Alps on their website.

If they don't provide it, someone else will, and I'll pay them instead. This isn't the Hotmail age where everyone expects free email.


>This isn't the Hotmail age where everyone expects free email.

Protonmail does offer a free tier, which is the problem. I'm sure they would be happy to take a payment instead, as the whole point of phone verification is to impose a cost on account creation. Perhaps they can rework their account registration flow to offer the ability to upgrade to a paid account at the verification step.


If you're upgrading to a paid account, isn't that even worse than the initial step in terms of anonymity? I get that they need to make money to survive, but this requirement isn't displaced by e2ee - it provides a misleading and false sense of security.

Anonymity toward state actors is compromised in either situation, whether phone verification or payment validation.

Doubt I'm the only one who thinks this, but the value proposition of their service is cancelled by their stated terms, which at least they make available. I have similar doubts about the veracity of claims by VPN providers (including mine) in terms of not keeping logs.

Tor remains the only usable anonymising method with a decent track record. It's a shame Protonmail discriminates against it.


They support Bitcoin as a payment method. If you take precautions (i.e. use a Monero -> Bitcoin payment service over Tor) I don't see it as compromising your identity.


See, I like this idea. This is the type of thinking I'm paying Protonmail for.


> This isn't the Hotmail age where everyone expects free email.

It totally is.

I was running my own mail server for a while. The thing that finally pushed me into not bothering any more was when I looked at my logs and realised 82% of my non-spam non-marketing email was captured by google (where at least one recipient was either @gmail.com or a gsuite custom domain).


So you gave up? Decided to play dead?


They did figure out a way, they ask for phone number.


Nope. Figure out a way to make it anonymous or I'm out.


There is an easy solution to this one: just don't provide a free tier, or don't require verification for paying customers.


I tried to sign up for a Protonmail account through Tor with the Brave browser on 2021/09/06. Everything went well until the last step.

  Are you human?

  If you are having trouble creating your account, please request an invitation and we will respond within one business day. Request an invite


That is what a “2FA mule” is for.

I have two - both on MVNOs, not in my name, and sitting in my office doing nothing but relaying sms to email:

https://news.ycombinator.com/item?id=28251107


If you need it one time for registration while staying anonymous, using a burner SIM will work just fine. This way you anonymously create the account and then keep your location hidden using Tor. Authorities may even know who you are but will be unable to locate you.

But the mule only gives you some extra functionality and resilience, and is like having an email address just for spam or a home VPN endpoint. It gives you very little in terms of anonymity, which is why you'd go to Tor anyway. It's still in your proximity even if it's not in your name, so anyone able to obtain your IPs from the services you use would also be able to get the location of your mule. And you forward to your own mail server, which again does little to hide anything. That's a long traceable chain that can be compromised or at least broken (to force you out) at every link.

This is great to make sure companies don't sell your phone number or use it to create some social graph, and to access your accounts independent of your normal phone. But if you're looking to hide your identity or location from your service provider and the authorities then it's barely a speedbump.


Let me explain both my threat model and my use-case.

My threat model is not state level actors or law enforcement. My threat model is simply individuals working at providers I use that get curious and go hunting for my traffic. So, for instance, someone that works at my ISP or for my cellular provider or (github/twilio/twitter).

I don't want these private actors to see my name or my phone number. However, VOIP numbers are typically blocked by providers for purposes of authentication and security because they need you to "burn" an actual SIM card number just to incur costs on you. This is their blunt response to a rather difficult spam/scam problem that would just explode if no costs were involved.

...

My use-case is that I don't want to carry around three phones everywhere I go and eSIMs don't work for these functions (again, their numbers are often discriminated against). I also don't want a single SIM card to correlate across multiple providers - that is why I have three (one personal SIM (not in my name) and two "mule" SIMs).

...

"It's still in your proximity even if it's not in your name so anyone able to obtain your IPs from the services you use would also be able to get the location of your mule."

No, they are rarely in my proximity. In fact, at this moment they are 12000 miles away from me. I keep them at my office and might move them to a datacenter ... but only if I can convert them from a phone form factor to a rpi-with-cellular-hat form factor ... or maybe ssh into the phone ?

Well, remember - their interactions with these 2FA Mules are SMS only - there is no IP/network connection made here. So the providers, at least, don't have an IP address to look up. Also, in case it is not obvious, I fully control my entire mail and dns infrastructure - as in, I own the machines and rent the racks.


I created an account made explicitly to be used over Tor some time ago and I was never asked to provide any phone number, but maybe that changed at some point.


One thing I've noticed is that many HN users don't believe that courts can compel companies to take positive actions to surveil their customers. This incident illustrates that, yes, courts can compel companies to keep logs even if their infrastructure is built to not keep them at all.

We cannot rely on what companies say about their privacy guarantees, or rely on vendors' technical analysis of their own black box systems, because a simple court order can essentially be a backdoor.


Protonmail did not provide the authorities with the user's IP address...they did allow the account to be monitored, which they are required by their laws to allow. It was the user's sloppy OPSEC that allowed the authorities to eventually track them down. In the end, I believe, it was linking the user to a past Gmail account that finally did him in. Listen to this podcast episode, the presenter does a fairly good job summarizing the situation. The Privacy, Security, & OSINT Show – Episode 227


> ProtonMail is a well-known and well-regarded mail service and is often recommended to users looking to distance themselves from Google's less-than-ideal security practices. Unfortunately, however, ProtonMail was recently forced to cooperate with Swiss authorities in providing user data (date of account creation), which was subsequently handed over to American security authorities and enforcement agencies.

and

> Proton reached out to us to confirm that the only data provided to Swiss authorities was the date of account creation. [1]

[1] https://proprivacy.com/privacy-news/protonmail-authorities-u...


Lie that you care about user privacy, give sucke- I mean, users' data to law enforcement anyway, blame the users when they get nailed due to your snitching. It's a perfect business model!


Don't call it a "HoneyProt"!


Is this the same case? Maybe I'm missing some crucial info.

A week ago: "Proton reached out to us to confirm that the only data provided to Swiss authorities was the date of account creation." [1]

Today: Article published claiming Proton gave up user data. Did Proton officially now state they "allowed the account to be monitored"?

Am I getting this right?

[1] https://proprivacy.com/privacy-news/protonmail-authorities-u...


Not my problem. I pay Protonmail to work on behalf of users, and empower users to the extent allowed by law. This includes educating users about the adversarial actions that Protonmail itself can take against them (warrant, rogue employee, hackers). Otherwise I can take my $ elsewhere, email services are cheap.


> Protonmail did not provide the authorities with the user's IP address...they did allow the account to be monitored, which they are required by their laws to allow.

Something their marketing material appears to disclaim. This is just excuse-making. ProtonMail did what ProtonMail has (for years!) led their customers to believe they would not do. And they did.

I think there's an argument to be made that any commercial email/messaging provider simply can't do what ProtonMail claimed to do. But that doesn't change the fact that ProtonMail did it.


> ProtonMail did what ProtonMail has (for years!) led their customers to believe they would not do.

My rule is to give any corporate statement about what they "will not do" exactly zero credence.

The only thing worth anything in that context is open source where independent programmers can verify that the code cannot support undesirable behaviors. And even then you're not safe, because code running on someone else's machine might actually be anything. So in the end, self-hosted open source software is the only way.

Right now that requires some degree of technical know-how, but I believe that's a solvable problem the same way operating systems have turned the technical practice of process management into something users don't even need to think about.


I've worked with back end webservices for 10 years or so but I'm struggling to understand the concept of allowing a singular account to be monitored. What does this actually mean? An account in all of the systems I've dealt with is basically the collective understanding of a bunch of database queries. How does one allow an account to be monitored in any way which is less frightening than providing an IP address from a log?


It means:

```
if user.isUnderInvestigation { log(request.sourceIP) }
```
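What that one-liner looks like as actual retention logic, as an added Python example that is not from the thread and not ProtonMail's code: every login gets a short-lived anti-abuse entry, and an account that has been flagged (the "positive action" a court order compels) gets entries that survive every purge. The 7-day window, the account names and the RFC 5737 documentation addresses are constructed values; the privacy policy quoted further down the thread says "temporarily" without giving a number.

```python
from dataclasses import dataclass, field

# Hypothetical anti-abuse window: the policy says "temporarily" but gives
# no number, so 7 days is an assumption for this example.
TEMP_TTL = 7 * 24 * 3600


@dataclass
class LogEntry:
    account: str
    source_ip: str
    at: int            # unix timestamp of the request
    permanent: bool    # True when retained under an order or a ToS breach


@dataclass
class IpLogStore:
    """Two retention tiers: short-lived anti-abuse logging for every login,
    permanent logging for accounts that have been flagged."""
    monitored: set = field(default_factory=set)
    entries: list = field(default_factory=list)

    def monitor(self, account: str) -> None:
        # The whole "backdoor" is one flag flip; no architecture change needed.
        self.monitored.add(account)

    def record(self, account: str, source_ip: str, now: int) -> None:
        permanent = account in self.monitored
        self.entries.append(LogEntry(account, source_ip, now, permanent))

    def purge(self, now: int) -> None:
        # Temporary entries age out; permanent ones survive every purge.
        self.entries = [
            e for e in self.entries if e.permanent or now - e.at < TEMP_TTL
        ]

    def ips_for(self, account: str) -> list:
        # What a binding disclosure request could obtain at this moment.
        return [e.source_ip for e in self.entries if e.account == account]


if __name__ == "__main__":
    store = IpLogStore()
    store.record("alice", "203.0.113.5", now=0)        # constructed sample
    store.purge(now=TEMP_TTL + 1)
    print("alice after purge:", store.ips_for("alice"))  # nothing left
    store.monitor("bob")                                 # order arrives
    store.record("bob", "198.51.100.10", now=TEMP_TTL + 2)
    store.purge(now=10 * TEMP_TTL)
    print("bob long after:", store.ips_for("bob"))       # still there
```

Note the sequencing: an order that arrives after the temporary window has passed recovers nothing about earlier logins; it only captures logins from the moment the flag is set onward, which is why "monitoring" an account is forward-looking rather than a lookup in an existing log.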


People really don't seem to understand that Protonmail is a western company in a western country with pretty generous surveillance laws. Yes, your email text may be encrypted, but everything else is fair game to the authorities unless you use additional protection.


I wonder how long the 'Swiss privacy' brand, which seems to be fairly valuable, will hold if these things keep happening. I had to immediately think of Crypto AG.

https://en.wikipedia.org/wiki/Crypto_AG


A lot of people don’t know about Crypto AG. It’s an amazing story!


Protonmail should be pushing more of this messaging in their branding. "Don't trust us further than you can throw us. We're doing our best, and here's what we recommend, use Tor, etc."


This is just not realistic, though.


I gave an example in another post. Basically "Hey, we respect your needs. However, we have to tell you that you should treat us as a bit of an adversary. We will do what we can as a private company, but ultimately we can be compelled by the government, rogue employee, or if somehow we get hacked. This is the case for any company, they just don't tell you it. We do. As our customer, here's what we recommend you do: Use Tor, fund open source, vote, etc."


Of course not, because a company that strikes the perfect balance of being sorta-in-the-right-direction but then also using deliberately deceptive language to pretend they're all-the-way-in-the-right-direction is going to outcompete companies that genuinely go all the way.


Why not?


Because of the dirty little secret of protonmail; it's actually just privacy cosplay. If they told people what's actually involved in having a truly private email account, most of their customers would say screw it and go back to Gmail.


"we aren't much better than Gmail from a privacy standpoint, but please still give us money"


Does every email provider but Gmail make the same misleading claim as ProtonMail? Fastmail for example?


I like and respect Fastmail.

but...

I live in Australia - and they're totally fucked by our laws and government policy.

"The Australian Federal Police (AFP) and Australian Criminal Intelligence Commission (ACIC) will now be able to access the computers and networks of those suspected of conducting criminal activity online, and even take over their online accounts covertly, under the Identify and Disrupt bill, which was passed by the Senate on Wednesday." -- https://www.innovationaus.com/extraordinary-new-hacking-powe...

and:

"Amends: the Surveillance Devices Act 2004 and Telecommunications (Interception and Access) Act 1979 to: introduce data disruption warrants to enable the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) to disrupt data by modifying, adding, copying or deleting data in order to frustrate the commission of serious offences online; and make minor technical corrections; " -- https://www.aph.gov.au/Parliamentary_Business/Bills_Legislat...


The question was if email providers have to choose misleading people about privacy or going out of business. Specifically about IP logs.

Fastmail's privacy page says "Your data is for you and no one else".[1] So they do mislead about that. I didn't see anything about IP logs though. And Fastmail was just an example.

[1] https://www.fastmail.com/privacy-and-security/


Most people accept search warrants signed by a judge for a crime. Proton mail was even nice enough to notify the user that they were the subject of a search.

With Gmail/Hotmail/etc your communications are at the fingertips of governments for non-criminal domestic surveillance. For example it has been alleged that the NSA leaked private emails of a journalist in order to score political damage.

https://nypost.com/2021/08/11/tucker-carlson-unmasking-claim...


I thought Gmail was much worse, scanning email contents etc.


The scanning of email contents that Gmail does is, from a privacy standpoint, indistinguishable from them simply sending you the email. Their server has to know the contents of that email either way.


>The scanning of email contents that Gmail does is, from a privacy standpoint, indistinguishable from them simply sending you the email

The privacy violation of creating a profile on me based on my mail to tailor ads is not the same thing as simply delivering mail.


In both cases exactly the same entities read your email: you, the sender, and Gmail.

I don't see how you could go "yeah, this is a privacy improvement" if your information is still visible to exactly the same entities, but one of them isn't really mentioning it.


The difference is that protonmail, again, doesn't scan any data in my emails. Google does, then stores and tailors and sells ads. My privacy is violated when google scans my mail, and not when protonmail doesn't.


I'm not sure what you're trying to get at with the word "scan" here, so hopefully this abstraction will be useful.

Imagine you have a message written on a piece of paper. You intentionally show this message to two people, Alice and Bob, and are fully aware that they have both read and can perfectly remember the entire contents of the message.

Now imagine that Alice thought about the message independently (not recalling it, but actually thinking new thoughts), and that Bob did not do this.

Are you claiming that Alice violated your privacy by thinking about something you showed her and asked her to remember? Or perhaps would it only be a violation of privacy if she then subsequently told you one of those thoughts?


I don’t understand what you’re attempting to achieve with this. You’re weirdly abstracting about something that doesn’t need to be. People want to be able to have a private email correspondence about, for instance, dildos, and then not have to be served dildo ads outside of that context.


> I don’t understand what you’re attempting to achieve with this.

I was hoping to achieve a "yes" or "no", to at least one of the two questions. I don't know what GP thinks "scan" means when describing how a computer processes text, and was hoping that an analogy to a more natural concept would allow for that to be made clear. What's the actual action being taken that's the violation? It's clearly not simply being able to read the message, but is it "thinking" about it (for lack of a better word)? That's how I interpreted the initial comment, but it seems very reactionary, so I wanted to make sure I understood it.

> People want to be able to have a private email correspondence about, for instance, dildos, and then not have to be served dildo ads outside of that context.

Totally fair, but that's no longer about privacy (unless your concern is someone else watching your monitor over your shoulder, in which case that person is the one breaking your privacy).


So if I tell a friend a secret, and they plaster it on my wallpaper, and then I have a different friend over for dinner, my different friend is the one violating my privacy?


In that case no-one has violated your privacy - your wallpaper is private, so friend A didn't, and you invited friend B over, so they definitely didn't.

I would entertain the idea that friend A is being a bit of a douchebag by painting stuff all over your house without you asking them to, but if you subscribe to that thought process you'd already be running an ad-blocker and this scenario wouldn't ever occur in the first place.


Having to use an ad-blocker for this purpose is a band-aid for a much deeper problem. Running a website isn't free and I want to support them by not blocking their ads. But when the ads are part of a scheme that targets my private and personal information, I'm no longer willing to hold up my end of that contract.


The act of analyzing my data is what is the violation. The act of telling me is simply revealing that violation. This is why, when the US intelligence agencies were scanning and analyzing everyone in America's cell phone history and social graph, without interaction or active intervention, it was a privacy violation even when it wasn't being used. It doesn't matter who sees it. The fact that it is being scanned and analyzed for possible future use and abuse is the problem. Yes, this means that a computer in the middle of the rainforest analyzing my mail offline and nothing else is a violation of my privacy. And no, I do not believe that the two, Alice and Bob, can be equated.


> The act of analyzing my data is what is the violation.

So to be 100% clear on this: if you tell someone information, and they think about that information, that's a violation of your privacy?

I've definitely always assumed that the right to think about information is intrinsically coupled with the right to know about that information. I wouldn't give someone data that I didn't want them to think about.

> for possible future use and abuse

This is a completely reasonable concern to hold, but surely "they could possibly do something bad later" applies to every email provider in existence.


>So to be 100% clear on this: if you tell someone information, and they think about that information, that's a violation of your privacy?

If your phone began analyzing your local photos for child porn, you'd probably be upset, no?

>This is a completely reasonable concern to hold, but surely "they could possibly do something bad later" applies to every email provider in existence.

True, but google is CURRENTLY abusing it by selling ads to me based on it.


> If your phone began analyzing your local photos for child porn, you'd probably be upset, no?

Yep. "local" here is the key word, though. If a service I uploaded photos to began doing that, I would not be upset. And indeed, just about every image-hosting website in existence already does this, because they're legally required to.

Gmail is markedly not a local service.

> True, but google is CURRENTLY abusing it by selling ads to me based on it.

This makes it seem like your concern is with the advertisement funding model, not with privacy.


You don’t see the difference between “seeing an email” in transit vs training a ML algorithm on it and extracting values like when will your airplane depart, when is your vacation, etc and automatically propagating that to other google products? I mean, it sure is comfortable, but you can sure as hell know that they build an extensive profile out of your private emails and your ads are targeted based on that..


> You don’t see the difference between “seeing an email” en transit vs [...] extracting values like when will your airplane depart, when is your vacation, etc

I do not see any difference between these parts, no. If a human read my email I would expect them to be completely incapable of not working these things out, so I'm not really too concerned if a computer does it either.

> training a ML algorithm on it

Also not really. If it were a machine learning algorithm that was trying to write realistic emails there'd be a reasonable concern of it revealing things about the training data, but when it's just generating ad recommendations based on only your data that only you see, I'm not too sure there's a serious privacy concern there. I'm unaware of any allegations that you could uncover private details about someone else's life by looking at an advertisement you received on your own email inbox.

> and automatically propagating that to other google products?

I would definitely perceive this differently depending on the product, as Google products are usually distinct enough that you can functionally treat them as if they were different companies (and often they either used to be, or eventually become so). So in this case there are now four entities that know the contents of the email: the sender, the recipient, Gmail, and e.g., YouTube.

But again, I've not heard any claims that Google are using the contents of your emails to decide what YouTube videos to recommend you. It's certainly not outside the realms of plausibility, but that seems like the kind of thing people wouldn't ever shut up about, so I'm surprised that I haven't heard about it if it is in fact happening.

> you can sure as hell know that they build an extensive profile out of your private emails

Oh absolutely, but I don't see how that's a privacy violation when you gave them your private emails. How much thinking does someone have to do about a message you gave them before it becomes a privacy violation?

> and your ads are targeted based on that..

This is the main reason I'm okay with it. Google's entire business model relies on them preventing anyone else from seeing that data, so that they're the only ones who can target ads that effectively. If there was a significant risk of data leaks then I can absolutely see why people would be concerned, but Google has some absolutely gargantuan incentives to avoid that.


That's the price of a free service. It's always been the gmail MO. Do you want to get something for nothing at all?


Yet protonmail doesn't do that at zero cost. I also gladly do pay for email providers.


So one business offers a loss leader and every competitor has to be rebuked for not matching them?


I don't trust any "secure" communications service that hasn't been subpoenaed and provided nothing in return. Having a national security letter canary doesn't hurt either.


I didn't ever have proof, just a gut feeling, but I never really bought into Protonmail. I created an account but rarely used it and as far as I know has been deleted for a few years now.


What are you using now?


Fastmail with a custom domain. I was using Lavabit before that.


From fastmail privacy policy:

> Each time you connect to our service, we log your IP address, your client identifier (browser or mail client information) and your username.

I'm sorry dude, but that decision to switch to Fastmail was not very productive in counteracting the specific case mentioned in the OP.

If anything, it's even worse since fastmail apparently always logs your IP.

Moreover: > We process mail sent and received from your account to block spam and fraud. We receive information from third party services to assist us in identifying spam.

Looks like your emails aren't even encrypted. If any government body wants your email bodies, they'll have them. They even share them with 3rd parties for fraud detection. With protonmail and similar services, they'll just log your IP if they're asked to do so, which you can obfuscate using a decent enough VPN.


They're quite transparent about their service, and far more transparent than any of their competitors. The same criticism can also be leveled against your comment. "But I used Tor, the default mode for which has JS enabled, and somehow it leaked my IP!" If you don't know what you're doing, and want to evade state law enforcement, you better figure out what you're doing. That's not on Proton.


I was COO of a vpn company for several years. It’s almost impossible not to keep any ip info. We had issues with fraud and one of the best ways to prevent or limit it was to track IP address and save it for several months.

I agree PM should be more forthright in their messaging but realistically I don’t believe any company that takes payments and doesn’t track any info at all.


Did your company market itself as a no-logs VPN company?


I don’t remember the actual marketing message as it was about 7 years ago, but I know in the TOS it was carefully written to include that it had to collect some ip info to prevent fraud.


I wonder how many TOR nodes are run by the NSA?


Doesn't matter if you are going to an internal onion address


Why not? It would just mean that the NSA needs to own more routers than it would to break TOR->Public internet routing.

From what I understand, connecting to an onion address 'just' involves 6 routers, not the typical 3. (Of course an oversimplification.)

Or am I misunderstanding your threat model here?



>A global passive adversary is the most commonly assumed threat when analyzing theoretical anonymity designs. But like all practical low-latency systems, Tor does not protect against such a strong adversary. Instead, we assume an adversary who can observe some fraction of network traffic; who can generate, modify, delete, or delay traffic; who can operate onion routers of his own; and who can compromise some fraction of the onion routers.


Sounds like a 51% attack on crypto blockchains.


Yes, but this doesn't require 51%, at least as users typically use Tor.


Tor Nodes are more the interest of the DoD, since they started the project and have interest in continuing it.


I was a paying customer. I just cancelled.

I can't understand what just happened. I truly believed it's all safe and secure.


I hope you emailed them to say why. Share the email here if you don't mind.


24 hours later, ProtonMail deletes "By default, we do not keep any IP logs".

I'll call that a win for all customers who emailed Protonmail about this.

HN discussion: https://news.ycombinator.com/item?id=28443449


In the US companies can make canary statement... https://en.wikipedia.org/wiki/Warrant_canary


Those canary things seem so 2018.

In 2021 the most powerful canary statement should be "Don't trust us. Seriously, treat us as an adversary. We still want you to be our customer of course, but here's how we really recommend you use our service, Tor, semi-anonymous payments, etc. In God we trust, for everyone else use math."


Anybody serious has moved from "perimeter security" to "zero trust" in network architecture. We need to treat more of the real world the same way.


Any new tools developed with that in mind for us mortals?

Would love to sign up for some Tor-first services. So far the best we've got are Tor services that mirror public ones.


That canary statement would kill their userbase. Seriously, who expects a company to admit the value they provide is not much? They expect the more savvy users (ie, those who need the privacy, typically) to understand basic OPSEC.

I admit that the marketing is bad, I do not agree with it, and I do not tolerate it in terms of my own OPSEC. But, there's just no way they would just admit they provide hardly any value besides, in a VPN's example, being a tube to another place, and just another tube with ends that can be stopped.


Not having that canary may LITERALLY kill some of their users. If they have some decency they should own up to the truth and if they end up being out of business they will have a lot of goodwill for their next business.


And I 100% agree that they should. I'm just saying there's an incredibly slim chance they will. From a business perspective, which is the perspective they always take, it makes no sense.


> In the US companies can make canary statement...

What is far less clear is if you can trust the continuation of a canary statement to indicate the absence of the action it denies, since it is both legally disputed whether continuation of the statement could be mandated by government and because anyone who has an interest in the PR value of providing a canary statement also potentially has the same interest in continuing it as long as it is impractical to falsify.


>it is both legally disputed whether continuation of the statement could be mandated by government

Is compelled speech seriously in jeopardy? I saw the github issue for signal saying that some (EFF?) lawyers said that canaries are not that helpful, but that just implies that the government CAN compel speech. That would be bigger news than mentioned as an aside on a Github issue, I'd like to believe that would be news...


The canary is dead, and the fact is widely publicised, if not necessarily well known.


Our canary[1] - the very first one[2] - is alive and well.

In fact, it turned 15 years old this past April[3].

[1] https://www.rsync.net/resources/notices/canary.txt

[2] https://en.wikipedia.org/wiki/Warrant_canary#Usage

[3] https://twitter.com/rsyncnet/status/1387090538273206274



Gotchya.

I was referring to Protonmail's canary specifically, in the event that wasn't clear.


"Also, our VPNs are useless"


_all_ VPNs are useless. They are the biggest security theater and a massive success of marketing. But really, it's completely bazaar to trust a VPN provider.

They provide protection from your local network, but they can do all the same things and more.


That's just false though. If you're trying to hide from the CIA, then sure they are useless.

I just want to prevent my ISP from throttling my torrents.

You really can't talk about the "use" of any of these tools without a threat model.


*bizarre Not bazaar. And really both words are spelled quite bizarrely.


Your local network might be a dangerous country


You need a VPN provider outside your legislation of course. Access is still not impossible, but much more unlikely. Perhaps choose a country not on good terms with your own.


Yes. Yes! I’ve never understood how people argue that they are somehow better than an ISP by default.


My ISP throttles connections (strangely including Zoom).

My ISP mines my data and sells it to the highest bidder despite costs not coming down.

My ISP determines what I can look at and can't (such as torrent sites).

My ISP is participating in anti-competitive behavior and I need the internet but I don't have a meaningful way to tell them to fuck off.

My VPN doesn't log. My VPN doesn't filter my traffic. My VPN reduces what my ISP can know about me and monetize me. My VPN allows me to access sites appearing in different countries or as a different user which changes what content websites serve to me, including price of products.

VPNs are a soft security practice, but one hell of a way to tell your ISP to fuck off. I think there's this group of people that say "oh, a security feature isn't bullet proof, therefore it is useless." But this is just dumb. All security features are probabilistic in nature and depend not only on how you use them, but your threat model and the will of your adversary. For people, like me, trying to escape dragnet operations VPNs do help. But alone they aren't enough and that's okay.


Well said.


My ISP is subject to my local laws. Which are not good, in terms of my privacy.

My VPN provider is not - but is obviously subject to their local laws. Which are almost certainly also not good for my privacy either.

Spreading the threat across two different jurisdictions is without doubt "somehow better" than just using my ISP, at least in the case of protection against snooping by non serious crime law enforcement.

(Where I am, organisations like local councils, the taxi commission, fishing inspectors, and dog catchers - can all access our "mandatory telecommunications metadata retention" stuff with very little oversight... While my VPN is still in five eyes, so there's no point pretending national security, intelligence, or serious crime like terrorism/drug trafficking would have no trouble getting cross jurisdictional access, I'm pretty sure the fishing inspectors or dog catchers won't have that sort of access.)


What threat model are you trying to protect from by using VPN, and why is HTTPS + DoH (DNS over HTTPS) not sufficient for that threat model ?


HTTPS still reveals the domain you're requesting, last I checked.


The eSNI/ECH extensions fix that.


It can’t fix the problem that it reveals the ip address you’re connecting to though. Even if the sites you’re visiting are all on servers that virtual host heaps of other sites as well, it certainly narrows that haystack down to a handful of bits of hay with your bright shiny needle standing out in the middle.
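To make concrete what the three comments above are arguing about, here is an added Python example, not from the thread or from any project mentioned in it, that builds a minimal TLS ClientHello and parses it the way an on-path observer such as an ISP would: the destination IP is always visible, and so is the plaintext server_name extension unless ECH is in use, in which case only the outer "public name" shows. The hostnames, the constant random bytes and the ECH payload are constructed sample values; 0xfe0d is the encrypted_client_hello codepoint from the ECH draft specification.

```python
import struct

SNI_EXT = 0x0000   # server_name
ECH_EXT = 0xFE0D   # encrypted_client_hello (draft codepoint)


def build_client_hello(server_name: str, extra_extensions=()) -> bytes:
    """Construct a minimal TLS record carrying a ClientHello with an SNI.
    Constructed sample, not a packet capture."""
    name = server_name.encode()
    # server_name_list length, name_type host_name (0), name length, name
    sni_body = struct.pack(">HBH", len(name) + 3, 0, len(name)) + name
    extensions = struct.pack(">HH", SNI_EXT, len(sni_body)) + sni_body
    for ext_type, body in extra_extensions:
        extensions += struct.pack(">HH", ext_type, len(body)) + body
    hello = (
        b"\x03\x03"                              # legacy_version TLS 1.2
        + b"\x11" * 32                           # random (fixed for determinism)
        + b"\x00"                                # session_id length 0
        + struct.pack(">H", 2) + b"\x13\x01"     # one suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                            # one compression method: null
        + struct.pack(">H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(record: bytes):
    """Return (sni, [extension types]) exactly as a passive observer sees them."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                  # skip version and random
    pos += 1 + hello[pos]                         # session_id
    pos += 2 + struct.unpack(">H", hello[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hello[pos]                         # compression_methods
    ext_len = struct.unpack(">H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    sni, types = None, []
    while pos + 4 <= end:
        ext_type, length = struct.unpack(">HH", hello[pos:pos + 4])
        pos += 4
        data = hello[pos:pos + length]
        pos += length
        types.append(ext_type)
        if ext_type == SNI_EXT:
            list_len = struct.unpack(">H", data[:2])[0]
            p = 2
            while p < 2 + list_len:
                name_type = data[p]
                name_len = struct.unpack(">H", data[p + 1:p + 3])[0]
                if name_type == 0:                # host_name
                    sni = data[p + 3:p + 3 + name_len].decode()
                p += 3 + name_len
    return sni, types


def observer_view(dst_ip: str, record: bytes) -> dict:
    """What an ISP learns from one connection: the IP always, the SNI in the clear,
    and whether an ECH extension was present (the real name is then encrypted)."""
    sni, types = parse_client_hello(record)
    return {"dst_ip": dst_ip, "sni": sni, "ech": ECH_EXT in types}


if __name__ == "__main__":
    plain = build_client_hello("mail.example.org")
    print(observer_view("192.0.2.10", plain))
    # With ECH the outer SNI carries only the client-facing server's public name.
    ech = build_client_hello("public.example", [(ECH_EXT, b"\x00" * 16)])
    print(observer_view("192.0.2.10", ech))
```

The point the thread makes is visible in the two dictionaries: ECH removes the real hostname from the observer's view, but the destination IP field is filled in both cases, so the protection is only as good as the number of other sites sharing that address.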


...if you manually turn it on in Firefox and the websites you're connecting to support it.

I don't know where things stand with other browsers.


Because not everything uses a bloated, web-first protocol.


I get letters and my internet turned off if I torrent on my ISP without using a VPN. Simple as.


In Sweden we got the "datalagringsdirektivet" that says that every operator must keep their traffic for 6 months. VPN-providers are not bound to this law so that's my reason.


what we would then do is work with them to get that login through tor nodes we monitor and go from there


"Their homepage says..."

Is the parent suggesting that no one should bother to read the Terms and Privacy Policy, linked to from the homepage? https://protonmail.com/privacy-policy

Despite the parent's claim, the Privacy Policy says the company may log IP address. Temporarily. Irrespective of any request from local authorities regarding a specific user. IOW, they may log anyone's IP address temporarily regardless of whether the particular user is causing trouble; they can log IP address for everyone. The policy says they log this data for the purposes of preventing fraud and abuse. The problem for privacy-conscious users is that if they log the data, then that entices authorities to try to successfully request it.

The policy, which imposes no obligations on the company BTW, reads as follows:

"IP Logging: By default, we do not keep permanent IP logs in relation with your use of the Services. However, IP logs may be kept temporarily to combat abuse and fraud, and your IP address may be retained permanently if you are engaged in activities that breach our terms and conditions (spamming, DDoS attacks against our infrastructure, brute force attacks, etc). The legal basis of this processing is our legitimate interest to protect our Services against nefarious activities."

There is nothing that says "By default we do not retain any logs". This clearly states they may be expected to retain IP logs. ("IP logs may be kept temporarily...")

But wait there's more.

"We will only disclose the limited user data we possess if we are instructed to do so by a fully binding request coming from the competent Swiss authorities (legal obligation)."

This clearly states the company may disclose the data they possess, e.g., IP logs collected to combat fraud and abuse, if in response to a request from competent local authorities.

Further down is a curious statement about decrypting messages.

"If a request is made for encrypted message content that we do not possess the ability to decrypt, the fully encrypted message content may be turned over."

Why include a statement such as this, specifically the part that says "that we do not possess the ability to decrypt"? The company already specified it may disclose the data it possesses. This further statement suggests there could be some situation where they may have the ability to decrypt some messages. Besides their own communications with customers, why would they ever have encrypted messages that they can decrypt? They could state something like "If the request is made for encrypted communications addressed to us or sent by us, ...", but they do not. As such, their statement must include other messages, too.


> "IP Logging: By default, we do not keep permanent IP logs in relation with your use of the Services. However, IP logs may be kept temporarily to combat abuse and fraud, and your IP address may be retained permanently if you are engaged in activities that breach our terms and conditions (spamming, DDoS attacks against our infrastructure, brute force attacks, etc). The legal basis of this processing is our legitimate interest to protect our Services against nefarious activities."

Just how transient do logs need to be to fit this criterion?

Am guessing the 7 years or so we need for some of our specific logs might fit the temporary definition too.....


Nothing is even defined. There is nothing in this policy that obligates the company to do, or restricts the company from doing, anything.

This is the way most tech company "Privacy Policies" are written.

There is a significant difference between a statement such as "We (Company) do not do X" versus a promise such as "Company shall not do X" or a statement such as "We do Y. We may do Z" versus a promise such as "Company shall do Y."

Why not have our own "Policies" as users that we publish for tech companies to read? In them, we could describe what we do and what we do not do, and what we may or may not do. Tech companies could rely on these statements. You can see how silly that sounds. Yet users are expected to read and rely on hundreds of different "privacy policies", collections of non-binding statements like "We take privacy seriously".


Solid points. A report card for various privacy policies would be useful. Seen anything like that?


I wouldn't trust any of them to be honest. Privacy policies really aren't worth anything.

I would look for websites that generally do not ask for data. Then send them the minimum data you can get away with. I would avoid "signing in" or "signing up" to any website. There is an immense amount of data and information available for free on the web; no "account" is necessary.

For example I don't send any extra HTTP headers like Cookies or User-Agent, I don't use Javascript. I don't request images, CSS. I don't automatically follow links in src tags. Yet I can still read and comment on HN and I can read every website posted to HN. That's a lot of websites. I can read them just fine while not sending them any more data than is needed. Because I do not use a large, complex graphical browser sponsored by an online ad-supported vendor to make HTTP requests, I can easily control what I send. This is far better IMO than sending unknown amounts of data (letting the websites control what the browser sends via headers, Javascript and src tags) and then hoping the websites don't do things with the data that we don't like.

Privacy policies do not limit websites from collecting data nor do they limit how the data can be used. They are "policies", not agreements. If a website operator does things behind the scenes that violate privacy but that it does not disclose in a "privacy policy", what can a user do? How would the user even know? Or the website could clearly violate their own "privacy policy", but no one outside the website's operators would know. Even if users discover the violation, what would be the repercussions? It's too late, because a violation means privacy has been blown.

Show me a case where a tech company got sued for violating a privacy policy. How can anyone prove a violation if the operations of the website are not open for public inspection?


The GDPR is meant to address this problem, check out https://www.enforcementtracker.com/ to see what the most recent rulings are.

Your observations are correct, the regulation is able to deal with the damage after it was done, and apply some form of punishment after the fact. It takes whistleblowers and activists to reveal some of the wrongdoings, otherwise the violations remain unknown to us.

Therefore there has to be a greater push towards proactive measures - letting people vote with their wallet by making informed choices; the prerequisite for that is for the relevant information to be available to them.

Have a look at some of the research I've been involved in, we're trying to solve this exact problem: http://privacy-facts.eu/


Wow, neat. How do you browse the web, Lynx?


Generally I use custom utilities for HTTP generation, URL extraction, chunked transfer decoding, URL encoding/decoding, GZIP/ZIP/PDF/MP4 extraction, etc. Thus I can use any TCP client I want to make HTTP requests from the command line. I do not need a browser to request content. Nor do I need projects like curl or projects that use libcurl like youtube-dl. For large downloads I use tnftp. The shell script I use to download YouTube videos is 424 bytes.

For reading HTML I prefer links. It has the best rendering of HTML tables, IMO, and is for me the easiest source code to work with. I did use lynx back in the late 90's but would never go back to it. It's bloated. It's slow. I'm not sure why anyone interested in text-only browsers would use it other than that they are unaware of or have not tried alternatives.
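Two of the pieces this commenter describes, a request that carries only the headers a server needs and a decoder for chunked transfer encoding, as an added example. This is not the commenter's own tooling; the helper names are mine and the response it parses is constructed so the code runs offline.

```python
"""Bare HTTP/1.1 request builder plus a chunked-transfer decoder.

Added example for this thread, not the commenter's own utilities: it shows
a GET that carries only the Host header (no cookies, no User-Agent) and the
decoding of a Transfer-Encoding: chunked body.  The response below is
constructed so the code runs offline; helper names are mine.
"""
from typing import Dict, Tuple
from urllib.parse import urlsplit


def build_request(url: str) -> bytes:
    """Build a minimal HTTP/1.1 GET for url: Host plus Connection: close only."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("need an absolute http(s) URL")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    host = parts.hostname
    default_port = 443 if parts.scheme == "https" else 80
    if parts.port and parts.port != default_port:
        host += ":%d" % parts.port  # only send the port when it is not the default
    return ("GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % (path, host)).encode()


def decode_chunked(body: bytes) -> bytes:
    """Decode a Transfer-Encoding: chunked body (RFC 7230, section 4.1).

    Each chunk is '<hex size>[;extensions]\\r\\n<data>\\r\\n'; a zero-size
    chunk ends the body.  Trailer headers after the last chunk are ignored.
    Truncated or malformed input raises ValueError rather than returning
    partial data.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size_field = body[pos:eol].split(b";", 1)[0].strip()
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)
        chunk = body[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk data")
        out += chunk
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise ValueError("missing CRLF after chunk data")
        pos += 2


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw response into (status, lower-cased headers, decoded body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = decode_chunked(body)
    return status, headers, body


# Constructed sample response; not captured from any real server.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"6\r\n<html>\r\n"
    b"b;ext=ignored\r\nhello world\r\n"
    b"7\r\n</html>\r\n"
    b"0\r\n\r\n"
)

if __name__ == "__main__":
    print(build_request("https://example.com/path?q=1").decode(), end="")
    status, headers, body = parse_response(SAMPLE_RESPONSE)
    print(status, headers["content-type"], body)
```

The request bytes can be handed to any TCP or TLS client; the decoder refuses truncated input instead of silently returning a partial body, which matters when the same code is later pointed at untrusted servers.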


Kind of limited since it's only evaluating websites, but https://tosdr.org/ attempts to implement this as a plugin.

Edit: And amusingly it only gives protonmail.com a B.


There is a project for bringing relevant privacy facts closer to users, so they can make informed decisions before choosing to buy a specific product or service. Check out the second screenshot on this page: http://privacy-facts.eu/features/

The idea is to express everything in unambiguous terms, so there's no way to weasel out of it with "yeah, but not by default" or, "well, it depends", etc.


I pasted an email I sent to Protonmail above. If they can't come up with language that's clear, use text from their privacy policy verbatim. Start educating users not to trust anything but what's in the policy, and even treat that as adversarial.


Devil's advocate: Why trust the policy? Can you enforce it? If yes, then how?


Agreed -- "even treat that as adversarial".


Disclaimer: I have a ProtonMail account that I pay for.

I have seen a ton of disturbing pieces about ProtonMail. Every time I've looked into them, they seem to be maliciously motivated and usually not true, or otherwise a twisting of the truth. This has been a confusing thing for me because why is there a small subset of people so vehemently against them?

In this case, I'm not surprised. They say quite clearly they can be compelled to collect IP addresses - including in the linked tweet. This seems like a pretty clear cut case of them being compelled to provide an IP address. What the authorities can't do, is read that person's email. And that's what I and others pay for.

I'm not sure what there is to be upset about here? Other than perhaps France prosecuting this individual to begin with? If we had faith that ProtonMail wouldn't hand over anything to the government, why would anyone even care about having encrypted emails?


One of the first sentences on their website is "By default, we do not keep any IP logs". If as soon as police show up (which is almost the only case in which people would want their IP hidden) they give IP logs, it is clearly false advertising. The fact that only the anonymous feature is important to you will not change the fact that they do the opposite of what they advertise regarding IP logs.


So also a proton customer here. "By default we do not keep any IP logs" and this case does not seem like the default? Seems like they were required by law to log and turn over this specific IP? (Of course I haven't seen the actual case but I would assume that meant a warrant.)


As a user, I'd take that to mean that they wouldn't keep any IP logs unless I turned logging on. I wouldn't expect that they would enable logging on their own.

Interestingly, ProtonMail's privacy policy lists a number of cases in which they may log your IP address permanently (including if you breach their Terms and Conditions). But a request from law enforcement is not one of them.


Use of the service for any “unlawful or prohibited activities” violates the TOS, so if law enforcement has evidence of that (which they may), then PM has a clear right to log IP.


Is that so? I thought, if one violates the TOS, the other side may terminate the service. I did not know they then had the automatic right to log data suitable for tracking and identification.


A user with the intent to engage in unlawful activities should read the terms of service in full. If that user only reads the homepage of the service, without understanding the implication of each word, and does not bother to review the terms in detail, that is on him.

Moreover, I would like to point out that ProtonMail is about encryption of email *content*. It is foolish to expect more from them. They won't protect your identity: law enforcement can know who you are and who you communicate with, but they cannot know the content of your emails (if your recipient uses encryption services as well).


I understand it to mean they can enable IP logging for a mailbox in response to a court order.


We do not kill people except the people we kill

I see that you want to protect Protonmail, but if they want to stop being misleading they can just remove the IP log sentence


Put "By default we don't keep IP, but may be required to by local laws. We suggest you connect to Protonmail through Tor".

I would much prefer this, as a Protonmail paying customer.


Tor helps, but is not especially robust against state-level actors / APTs. An actor running a sufficient number of entry/exit nodes could perform at least some traffic analysis.

Tor is an improvement. It's still a limited tool.


It would have absolutely prevented this person from getting identified. It looks like some kids doing a climate protest.

I can't help but read your post in Comic Book Guy's voice.


In comic-book voice, then: what would an intelligence agency or police force's response to a suspect known to be using Tor be?

Traffic analysis, at a cost, could establish that the suspect is using Tor.

TorMetrics shows slightly more than 1,250 currently-running Tor exit nodes. I'll presume this is typical; history shows it's pretty consistent over the past 3 months.

https://metrics.torproject.org/relayflags.html?start=2021-06...

I'm going to presume that a court could conceivably issue an order to log all Tor-based traffic. A state actor / APT might then be able to correlate a known IP and traffic at a given point in time with other data to identify a source IP. This might be combined with other measures to encourage circuit-jumping until the suspect is on a specific known or monitored Tor circuit.

Yes, costs increase. I don't see this as technically infeasible, however.

Might not be rolled out just for a house-squatter, however.


Yeah, what you outline means Tor is Swiss cheese (ha, ha, long game pun), when it comes to traffic analysis. Are all the IPs for Paris to Tor being logged at the ISP level? You bet!

Frankly, I don't think anyone is safe from the tip of a nation state, even small ones. But I do think we should protect everyone else and Tor would have done that.

Because this was clearly civil disobedience and that is what we really should be protecting.

https://www.cactusvpn.com/vpn/is-tor-safe/


Agreed on goals. Tor undoubtedly helps, and even where it fails, the raised costs are themselves a win for the pro-privacy crowd.

Just ... don't think it's a majykal bullet. It's not. Tradecraft matters, vulnerabilities exist. Examine and review your threat models.


No, it's not bulletproof, but there isn't really any other network with the same availability which would protect against a targeted and sustained analysis.

Even if a nation state was targeting you, it would still take months for a timing/bandwidth attack to identify a user. Even then it would only provide your adversary a probability of certainty and requires consistent traffic from the victim through a compromised exit node.

No system is 100% perfect but tor will make most attacks prohibitively expensive.


Probabilities factored in with other data can be exceedingly useful.

Remember: all you need is 33 bits.


In discussion with Christine Webber on Mastodon: Onion services rather than simply using Tor as a transit service offers far more protection.

Here, data enter the Tor system, but don't leave it as the onion service itself has a Tor address.

Yes, traffic analysis and timing correlations may still be used to draw inferences, but again, costs are raised, and that's the critical factor.


I mean they are misleading only insofar as you want them to be...

I'm a privacy activist and certainly think that a company should be able to not keep logs. If the law in the country they are in (or area, see for example the data retention directive in the EU) we should of course (and I am) work to change those laws.

It should come as no surprise to anyone who is privacy minded and actively seek out privacy focused services that are located within the EU or Switzerland that your IP (or other information) can be requested with a warrant and that a company is required to hand that over.


As a privacy activist, what's productive about arguing that protonmail shouldn't need to make a greater effort to pound into their customers' heads exactly what you just explained?

I get that you think people should already know this, but do you feel they should be punished for not already knowing this, and not reminded by a company that markets itself on protecting its users? Protonmail was forced to get an IP address, but they're not forced to keep the fact that they respond to warrants a big secret.

Not everybody who is an activist is a big techie, or even computer-literate.


They clearly spell out in their privacy policy that they respond to warrants....

> We will only disclose the limited user data we possess if we are instructed to do so by a fully binding request coming from the competent Swiss authorities (legal obligation). While we may comply with electronically delivered notices (see exceptions below), the disclosed data can only be used in court after we have received an original copy of the court order by registered post or in person, and provide a formal response.

It would also be nice if they were allowed to notify the customer but I'm not familiar enough with Swiss laws to know if they can.


It's not misleading in that many services do keep records by default. If people don't understand what default means, they should grow their understanding, not be outraged that their uninformed opinion was wrong.


Default means "we do whatever the fuck we want, any assumptions are your fault"


I'm pretty sure it means that both the user and the company are bound by the terms of service and privacy policy that clearly spell out that they comply with legal warrants (from Swiss authorities) and provide the limited data that they are asked for if they have it (IPs being one such thing).


If this doesn't matter, what's important for you about being a Protonmail customer?

(also a paying Protonmail customer)


That your emails are supposedly stored encrypted, that if other services support it end-to-end email encryption supposedly can be enabled easily, and that supposedly you cannot be served targeted ads because they cannot read the contents of your email (not that they have ads anyway).

Of course Protonmail is accessible via Tor. Not that you should need to do that to remain private.


> That your emails are supposedly stored encrypted, that if other services support it end-to-end email encryption supposedly can be enabled easily, and that supposedly you cannot be served targeted ads because they cannot read the contents of your email (not that they have ads anyway).

Gmail does all of this for free though, right?


The last point very much not so - having my email provided as a free product by the world's largest ad company isn't a relationship I want to pursue.


Is the last point "that supposedly you cannot be served targeted ads because they cannot read the contents of your email"?

Gmail Pro (paid G Suite) has never done that, and Gmail Perso (Free) hasn't done that since 2017.


Maybe they don't serve targeted ads, but they still read your gmail


Protonmail will scan all messages sent from non-protonmail addresses (content and attachments) for viruses. So they do read your gmail as well.


That's an interesting point, but I'd contend there is a difference between scanning for known virus patterns vs. feeding your email into ML algorithms to do God knows what with.


If someone comes to Google, asking for the content of someone's email, is Google technically unable to provide that information for past emails?

Because I am aware of no reason to think that Google stores my gmail with zero access. I don't know for a fact that ProtonMail discards this information at the earliest opportunity nor do I know for a fact that they don't try to aggregate it to learn about you (or even people in general), but that is what I interpreted the pitch as.

But, look, of course if they get a subpoena they will have to start scanning your email if they are technically able to collect it. That's just a wiretap, and little would prevent the author and operator of the server software from doing whatever they want... and they're clear that if you aren't sending email between two compatible accounts that there is no E2EE.

We can talk about how they should have been clearer about the need to use Tor to avoid IP logging (even if they don't do it, someone between you and ProtonMail certainly could). That's a good idea. But they are actually very clear that E2EE with your email is not what you should expect in general. And I don't think they have much incentive to scan my email from unencrypted sources to do anything nefarious, but I don't think anyone has any ability to prove they do or don't at present.


End-to-end encrypted emails, not massive collection of metadata to build advertising profiles, and, maybe this will sound strange, but I wanted to pay for these services because I want to show everyone that there is a paying market and you don't have to rely on advertising to be profitable in this space.

No service is capable of completely hiding IPs and still getting you the data. If your "threat model" includes hiding from Western governments, I'd recommend not using the internet.


I never said it didn't matter. I think the data retention laws and for what crimes the police are able to get certain warrants in the EU and Switzerland can be better.

But that is not a proton issue that is an issue with our current governments.


Ah I see. It's an issue for my use of Protonmail, in that I may cancel and move to another vendor who is more forthright. Here's what I would expect my future vendor to say about this:

"Hey, we respect your needs. However, we have to tell you that you should treat us as a bit of an adversary. We will do what we can as a private company, but ultimately we can be compelled by the government, rogue employee, or if somehow we get hacked. This is the case for any company no matter what they promise or avoid telling you. We do tell you. As our customer, here's what we recommend you do: Use Tor, fund open source, vote, etc."


> It's an issue for my use of Protonmail, in that I may cancel and move to another vendor who is more forthright

You’re telling us that you never considered that an incorporated company, bound by democratic laws, would be required to respond to criminal activity warrants?

What fantasy land do HNers on this thread live in?


>If as soon as police show up (Which is almost the only case that people would want their IP hidden) they give IP logs, it is clearly false advertising

Is there any evidence this is what happened?

An alternate scenario is that they were not keeping logs, and were then compelled by the authorities to start keeping them on that user.


The end result is the same either way


No. With on-demand logging, they can find the owner of the account (assuming he doesn't take further measures), but you can't retroactively prove someone used that account to do something at a specific time. For example, you could not prove that the individual was logged in at internet cafe xy near the time of the crime. Also, an opsec mishap (such as logging in without protection) will not be fatal unless you're already under surveillance.


no, the end result is not the same either way.

I'm not taking sides on privacy or the threat of govt (or other sourced) tyranny, I'm just explaining the logic to answer your question:

Let's say you engaged in a long history of using protonmail innocently, then one day you decided to start committing crimes for the first time and attract police interest. You would know that your historical logs were not kept, and it was only after you started attracting police attention that you would be at risk of incriminating yourself through proton mail. Maybe, on the run from the law, it would be safe for you to hide at your old friend's house because there was no log to link you to him.

Yes, it is also the case that you may not have realized that ordinary behavior had been criminalized by an evil govt all along blah blah blah... I'm just pointing out that there is a difference where you saw none.


I said the end result is the same. Not that it is the same. In both cases they give the IP when the police ask for it.


In both cases they don't give the IP.

In the case where they receive a court order, they first log your IP and then they give it.

But you know this from their terms of service.

If you stop using protonmail when you start your criminal career, they will not give your IP because they didn't save it.

It's different in the end, not the same.


If you knew this, couldn't you log in from the IP of someone you want to frame for the crime?


No, if they were not collecting logs by default, then it is clearly not false advertising.


So the default is when nobody asks for the logs? What's the point of not collecting IPs except for the time it is useful?


No history of when you logged in from where and, possibly, plausible deniability about you being the only user of that account (though you'd probably need to prepare for this to be believable).


I mean it's either this or traffic analysis. If you use your clearnet IP address to do illegal things, it's nothing more than reasonable that you can get in trouble for it.

This is also why I don't get protonmail in the first place. Unless you use pgp or equivalent, you'll always be subject to law enforcement. Just that protonmail cares more and caters more to activists and so might not give it out without checking that the asker is really legit and then give the minimal amount possible. But they'll always be able to turn over your emails and log IPs, it's not protonmail's fault the laws were voted into action like this.


Technically correct but misleading.

They tout that off-by-default statement on their homepage, underneath the header of "Anonymous Email," with the closing sentence of "Your privacy comes first."

So why even market that? It provides no meaningful security.


Were _you_ misled by this? Did you really expect a Switzerland-based company not to comply with the law of the land?

There is a difference between "available to police, not retroactively, and only with a valid warrant" and "available to any government agency constantly and in bulk, as well as to data-collecting commercial entities, Russian and Chinese hackers, and their dogs". Don't you agree?


Really solid explanation of what you’re paying for as a proton customer - and despite this unfortunate situation for the French advocate is why myself and others will continue their paid ProtonMail plans


Fair point. I still don't think they've worded that well enough. I would probably not have read "By default" to have the context of "Unless asked to do so by authorities."

They're not being as transparent as possible in their marketing, which is at odds with their allure of security.


Wouldn't they have to comply with a secret data collecting order?

We are trusting they wouldn't comply or no one would make that request?


As far as I know, Swiss law does not allow for "secret data collecting orders", unlike US after "Patriot Act".

This is the benefit of being located in Switzerland, where banking is one of the main pillars of the economy and which historically has been much more supportive of personal privacy than most other countries.

They eventually caved under US pressure on some things, so it's not such a "haven" as it used to be, but I believe it is still the country that respects individuals' rights the most.

Not perfect by any means, just better than most others.


Wouldn't "any" include authority compelled logging?


Perhaps, but I'd imagine that semantically, "by default" negates that since this is clearly not a default situation.


Stop trying to defend indefensible behavior by getting hung up on semantics.

I, for one, will not renew my ProtonMail account if that's their status quo.


I'm extremely confused by this.

Unless you are naive enough to assume that ProtonMail is incapable of logging IP addresses (in which case they'd be incapable of serving HTTP requests...see the problem?) then they can log. And they most certainly aren't going to declare independence from Switzerland and refuse to turn on IP logging when required to by law.

Whereas with E2E-E, they actually are incapable of turning over readable emails.


What other status quo do you expect from them? Having to provide IP logs after a warrant has been issued is the law in Switzerland (and most if not all of the EU).

Sure, the law would (hopefully) be changed, but at the moment, this is the best they can legally do?


Tell users you are being logged on website.

Put alert warning that account has logging enabled

Change the service so collecting logs is not possible

Stop adding captcha to tor users login because you want to identify users


>Tell users you are being logged on website.

Frequently not legal

>Put alert warning that account has logging enabled

See above. Gag orders are a problem with government in general. They do have a warrant canary page though, as well as a transparency report.

https://protonmail.com/blog/transparency-report/

>Change the service so collecting logs is not possible

You mean stop serving HTTP and MX requests?

>Stop adding captcha to tor users login because you want to identify users

You mean let bots brute-force my password?


Not necessarily. It's possible that their statement is true that they don't keep IP logs, but the Swiss police showed up with a court order for the equivalent of a US wiretap or pen register, requiring them to begin logging the IP address for that account when it signed in.

I think trusting your security or privacy to website-based email is a bad idea. If the email is being displayed in your browser, then the authorities can coerce the company that owns the website to include JavaScript in that page that sends the plaintext content to them too -- or demand the website's TLS key and start intercepting the traffic that you see.

The only encryption-based security that you can reliably trust is encryption that happens locally on a device you control, and that doesn't involve a web page or website loaded from a 3rd party.

If you want privacy protection with real end-to-end encryption that the government can't get past trivially with court orders, use services where the decryption happens on devices that you own, such as WhatsApp or Signal or iMessage. If you must use email, do the encryption yourself on a hardened Linux distribution like Tails using PGP for email encryption; but this is much harder to set up than the above secure messengers.

I wouldn't say ProtonMail is a scam, but a trivial software change on their server-side would let the authorities see your email every time you do. If they can be compelled to make that change then the "encryption" you're paying for is worth nothing. The next time you sign in, a court-required modified version of their server software can capture your password, and then use whatever key derivation function gives them your encryption key.

This might not even require the company to actively participate. In the case of Snowden and LavaBit email, the US Government demanded LavaBit's TLS certificate so as to intercept the communications themselves at the ISP layer when LavaBit refused to comply with narrower court orders to provide information about his account.

What could police do with ProtonMail's TLS certificate and court authority to intercept and MITM traffic for your account? They can probably capture your password, use that to read all of your old email, and at minimum read your email as you read it. Even if decryption is happening in the browser somehow with JavaScript, that JavaScript is coming from the origin server that the government now controls by virtue of MITMing the traffic with the site's TLS cert, and so they can insert JavaScript that logs a plaintext copy of either the emails or the encryption key needed to decrypt them.

There is no security with web-based communications if the companies involved can be coerced with a court order. US based firms would be required to hand over their TLS cert if they weren't willing to help track someone, and at that point the government could do anything to your traffic.

The only secure encryption happens on your device with no browser involved.

By comparison, if you're using an iPhone, in theory the US Government could try to force Apple to modify WhatsApp/Signal on your phone, or force the App developers to do so. These companies would all fight tooth-and-nail in court against doing so. Plus, you can configure your iPhone to disable automatically updating apps, so once you have a working version of WhatsApp installed, unless Apple has some backdoor-ability to push an update of it to your phone anyway, you could turn off app update and be cautious & picky about when you choose to update WhatsApp or Signal. What I don't know how to do is verify the integrity of their binaries: to confirm that what you're getting is the same app distributed to everyone. Facebook would appeal to SCOTUS before allowing a government to install a backdoor into WhatsApp; so would Apple, based on their response to the government's request to unlock the San Bernardino shooter's phone.

All that being said, if the government's goal is simply to discover your identity, which was the case here, then Signal and WhatsApp won't help you. Their accounts are based on a phone number. If the govt has your phone number then unless it's a burner acquired with no name registration then they'll know who you are, and regardless will be able to find out approximately where you are, if you continue to use that phone number. They can triangulate where you are fairly rapidly with modern technology, and this is assuming that the cell company can't simply send a signal asking the phone for its GPS-based location; but even if the govt only knows your nearest cell towers, narrowing that down to a building is a matter of minutes once they're in the area.

If you need to communicate in a way that keeps your identity a secret then you're probably best off using a free email service over Tor from a machine running Tails Linux, accessed from various locations that provide public wifi.
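One concrete check against the risk this comment describes (the JavaScript a web mail site serves being silently replaced), written as an added example rather than anything ProtonMail or any other provider ships: pin the SHA-256 of each script bundle on a day you trust, then compare every later fetch against that baseline. Bundle names and contents below are constructed.

```python
"""Pinning and re-checking the SHA-256 of a web client's script bundles.

Added example for this thread; not something ProtonMail ships.  The comment
above describes the risk that the JavaScript a web mail site serves can be
replaced with a version that exposes keys or plaintext.  One defender-side
check is to record the hash of each script bundle on a day you trust and
compare every later fetch against that baseline, flagging changed, new or
vanished scripts.  Bundle names and contents here are constructed.
"""
import hashlib
from typing import Dict


def pin_bundles(bundles: Dict[str, bytes]) -> Dict[str, str]:
    """Record SHA-256 hex digests for every served script as the trusted baseline."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in bundles.items()}


def verify_bundles(served: Dict[str, bytes], pins: Dict[str, str]) -> Dict[str, str]:
    """Compare freshly served bundles to the pins.

    Verdicts: 'ok' (hash matches), 'modified' (same name, different hash),
    'unpinned' (script the baseline never saw), 'missing' (pinned script no
    longer served).  Anything other than 'ok' deserves a look before logging in.
    """
    verdicts = {}
    for name, data in served.items():
        if name not in pins:
            verdicts[name] = "unpinned"
        elif hashlib.sha256(data).hexdigest() == pins[name]:
            verdicts[name] = "ok"
        else:
            verdicts[name] = "modified"
    for name in pins:
        if name not in served:
            verdicts[name] = "missing"
    return verdicts


def is_trusted(verdicts: Dict[str, str]) -> bool:
    """True only when every pinned bundle was served unchanged and nothing new appeared."""
    return bool(verdicts) and all(v == "ok" for v in verdicts.values())


# Constructed baseline: the bundles as served when the pins were taken.
BASELINE = {
    "app.js": b"function openMailbox(key, blob) { /* decrypts in the browser */ }",
    "crypto.js": b"export function deriveKey(password, salt) { /* ... */ }",
}

# Constructed later fetch: crypto.js changed and an unknown script appeared.
LATER_FETCH = {
    "app.js": BASELINE["app.js"],
    "crypto.js": BASELINE["crypto.js"] + b"\n// changed since the pins were taken",
    "extra.js": b"// not present at pin time",
}

if __name__ == "__main__":
    pins = pin_bundles(BASELINE)
    for name, verdict in verify_bundles(LATER_FETCH, pins).items():
        print("%-10s %s" % (name, verdict))
```

The check is only as good as its baseline and has to run outside the page it is judging (a fetch script or browser extension, not code served by the site). Ordinary releases also change the hashes, so a "modified" verdict is a prompt to look at what changed, not proof of tampering, and a change served to one targeted session on its very first visit is not caught at all.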


So right, people just don't get the big picture.

If they were forced to log the IP address, they can be forced to log the user's password. This makes the entire encrypted mailbox useless.


I'm also a Protonmail customer.

Tor solves this. Protonmail's Tor support is lukewarm. They have a Tor based login without captchas. It's mentioned on their homepage in the bottom menu under "Onion Site", (/tor). And there's one blog post from 2017 that still promotes their v2/shorter onion address.

I expect Protonmail to push its users to login through Tor. "Don't trust us, trust math". Embed Tor support in their apps as well. Rebuild their iOS app to offer to drive all connections through Tor.

And frankly, for $50 a year for email, I expect Protonmail to be thinking ahead about this, rather than me coming up with dumb ideas on a forum. Protonmail was neat in 2018 but 3 years later it's stagnant.


How is that lukewarm? Sounds like first class support if they have a dedicated onion address and not just let you connect to the regular clearnet. Or is that address only in that old blog post and not mentioned in places you'd usually look? It's a bit unclear to me.


It's lukewarm because what less could you do besides not support Tor?

Tor is mentioned on their homepage in the bottom menu under "Onion Site". However, this menu link redirects to their Tor placeholder page, rather than directly to the Tor service: https://protonmail.com/tor

There's one blog post from 2017 that still promotes their old v2 onion address: https://protonmail.com/blog/tor-encrypted-email/

Protonmail's Tor service is located at: https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7...


> It's lukewarm because what less could you do besides not support Tor?

Alright then, what more do you want them to do? Spend millions in court fighting every warrant issued for their users and go bankrupt defending criminal activity?


Aren't a big part of Tor entry/exit nodes considered to be monitored or even operated by the authorities?


The authorities don't need to run exit nodes, they just pwn enough routers, have enough interception devices or buy enough netflow data that they can trace data flowing through the Tor network back to its original location.


Sure, but if that becomes a problem for you depends on

1. whether or not your request stays within the tor network or not (if you use the .onion address, no need for an exit node)

2. given both entry and exit nodes can be literally all over the world: your threat opposition level. I doubt the NSA will be happy to help French authorities trying to catch a teenager who blockaded a government parking garage.


What does using Tor have to do with trusting math?


"What makes Tor different from the usual thesaurus-full of government projects is that Tor is essentially a very elaborate math trick, using layers of math puzzles to create a network-within-the-network. That math is being implemented in front of a global audience of millions of sophisticated watchers. It is likely the most examined codebase in the world. It has been subjected to multiple public audits. The math, well known and widely standardized, will work for everyone, or it will not, whoever pays the bills."

from https://pando.com/2014/12/09/clearing-the-air-around-tor/


"Trusting mathematics" would be a much more accurate claim if we were talking about mix networks, such as Loopix (https://arxiv.org/abs/1703.00536). But Tor is vulnerable to confirmation attacks to varying degrees, (depending on whether you are accessing clearnet or not, of course) which is very much worth noting in the context of a global passive adversary.


I couldn't agree more. Anyone that thinks a company can hide/avoid all government (legally mandated) requests is just incredibly naive. I don't know why the anti-protonmail spin exists. Protonmail does the best they can, as far as I can tell, given the legal frameworks that are in place and the modern erosion of privacy.


If they can be compelled to collect IP addresses - why can't they be compelled to collect your password and reveal the contents of any mails the police want to see? I mean, it's their site and AFAIK there's no way for you to prevent them from accessing the content of your emails, unless they are fully encrypted on the client side - in which case any random mail provider would work the same.

From where I stand, the only difference here is that ProtonMail has to receive the warrant before they give up all the info they have on you, and others may do it voluntarily even without that, just to keep on the good side of the police, but since it's not exactly hard to achieve such warrants (and in the US, as we learned, it's ok for the police to lie on such warrants and they know no punishment will come to them even if the lie is discovered later) the difference is minimal. If you have something the police really wants to see, and they can reveal it, they will.


>> What the authorities can't do, is read that person's email.

What if authorities ask: serve this user this malicious JavaScript code to obtain their encryption key?

PM has to obey and the result is the same.


They claim this is not possible under Swiss law, fwiw. We’ve recently seen that it is possible under German law, with a competitor (Tutanota) building a server-side backdoor for one user.


...but we know it's possible under Swiss law, from this case, for them to be compelled to start logging specific account accesses, that they by default were not previously.

How is that any different from them being compelled to disable or weaken clientside encryption?

In both cases they're being compelled to make changes to their service.

The camel's nose is clearly already under the tent. Everybody needs to start diffing javascript served by them.


> Everybody needs to start diffing javascript served by them.

It would be nice if there were something like Perspectives[0] or Binary Transparency / Sigstore[1] to raise the alarm when something like this happened, but the threat would also be avoided if ProtonMail was available as a SecureBookmark[2].

[0] https://www.techrepublic.com/blog/data-center/ssl-tls-certif...

[1] https://security.googleblog.com/2021/03/introducing-sigstore...

[2] https://coins.github.io/secure-bookmark/
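The "diff the JavaScript they serve you" idea above, as an added example that is not code from this thread or from ProtonMail: it records SHA-256 digests of the script bundles seen during a review and flags anything modified, added or removed on a later fetch. The bundle paths and contents are constructed samples.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Baseline maps each served script path to the SHA-256 hex digest recorded
// the last time the client-side code was reviewed.
type Baseline map[string]string

// Change is one difference between the baseline and what the server sent.
type Change struct {
	Path string
	Kind string // "modified", "added" or "removed"
}

// digest returns the lowercase hex SHA-256 of one script body.
func digest(body []byte) string {
	sum := sha256.Sum256(body)
	return hex.EncodeToString(sum[:])
}

// Snapshot records a baseline from the scripts fetched during a review.
func Snapshot(served map[string][]byte) Baseline {
	b := make(Baseline, len(served))
	for path, body := range served {
		b[path] = digest(body)
	}
	return b
}

// Diff compares a later fetch against the baseline. A non-empty result means
// the code running in the browser is no longer the code that was reviewed,
// which is exactly the event a compelled change to the web client would produce.
func Diff(baseline Baseline, served map[string][]byte) []Change {
	var out []Change
	for path, want := range baseline {
		body, ok := served[path]
		switch {
		case !ok:
			out = append(out, Change{path, "removed"})
		case digest(body) != want:
			out = append(out, Change{path, "modified"})
		}
	}
	for path := range served {
		if _, ok := baseline[path]; !ok {
			out = append(out, Change{path, "added"})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Path < out[j].Path })
	return out
}

func main() {
	// Constructed sample bundles; none of this is real ProtonMail code.
	reviewed := map[string][]byte{
		"/app.js":    []byte("console.log('login')"),
		"/crypto.js": []byte("export function decrypt(k, m) { /* reviewed */ }"),
	}
	baseline := Snapshot(reviewed)

	// A later visit: crypto.js differs and an unreviewed script appeared.
	later := map[string][]byte{
		"/app.js":    []byte("console.log('login')"),
		"/crypto.js": []byte("export function decrypt(k, m) { /* changed */ }"),
		"/extra.js":  []byte("/* not in the baseline */"),
	}
	for _, c := range Diff(baseline, later) {
		fmt.Printf("%-8s %s\n", c.Kind, c.Path)
	}
}
```

A baseline only proves the code is unchanged since the review, not that the reviewed code was honest; that is what the transparency-log approaches linked above add.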


[Deleted]


That's not the claim. The claim is that we don't know if X is possible under Swiss law. You seem to be the one claiming that because they said it's not possible, then it's not possible. If not, I don't know what you're claiming.

The GP says that it's possible under German law. Is it "FUD" to say that it could end up being possible under Swiss law?

Shouldn't there be fear, uncertainty, and doubt about any channel that activists use to communicate with each other?


I'm not totally sure on this, but if you use their mail bridge, I'm pretty sure the decryption happens on your local PC and the keys never have to leave that.


I am also paying for ProtonMail.

They come off as a very dodgy company willing to twist the truth themselves. They claim that they can provide E2EE for email, being careful not to give away the fact that this is impossible for regular emails to non-PM customers.

Frankly I only use them because they're the biggest "private" email service and that provides a kind of safety in numbers.


As a business in that space, you probably need to have dodgy marketing in order to convince mainstream users. I'm not disagreeing that it's bad, but it's probably necessary business-wise.


Also a paying ProtonMail customer.

While I concur that it's a bit misleading nothing is stopping you from using your own key and mail client (albeit with their "bridge" solution) to send E2EE e-mails.

If you rely on the keys they generate you can export them and use them accordingly, but one should be wary of the handling of said keys if they were compelled to make a backdoor, as others have noted.

That being said this does leave a bad taste in my mouth.


for those who are curious,

this seems to be the reply from protonmail on reddit[0]

> Hi everyone, Proton team here. We are also deeply concerned about this case. In the interest of transparency, here's some more context.

> In this case, Proton received a legally binding order from the Swiss Federal Department of Justice which we are obligated to comply with. Details about how we handle Swiss law enforcement requests can found in our transparency report:

> https://protonmail.com/blog/transparency-report/

> Transparency with the user community is extremely important to us and we have been publishing a transparency report since 2015.

> As detailed in our transparency report, our published threat model, and also our privacy policy, under Swiss law, Proton can be forced to collect info on accounts belonging to users under Swiss criminal investigation. This is obviously not done by default, but only if Proton gets a legal order for a specific account. Under no circumstances however, can our encryption be bypassed.

> Our legal team does in fact screen all requests that we receive but in this case, it appears that an act contrary to Swiss law did in fact take place (and this was also the determination of the Federal Department of Justice which does a legal review of each case). This means we did not have grounds to refuse the request. Thus Swiss law gives us no possibility to appeal this particular request.

> The prosecution in this case seems quite aggressive. Unfortunately, this is a pattern we have increasingly seen in recent years around the world (for example in France where terror laws are inappropriately used). We will continue to campaign against such laws and abuses.

To me this seems like they did all they could in regards to handling this request.

[0] https://www.reddit.com/r/ProtonMail/comments/pil6xi/climate_...


In other words, your information is safe from the police if the police doesn't want it, but the second they want it, they're getting it and Proton can't do anything about it. The "default" is only useful for hiding your past actions before the police took interest in you, but not for any action since it happened.


This is inaccurate, no one can fetch the body of emails.


I have a protonmail account. When I log in to the interface, I see the body of emails, without providing any key on the client (not that it'd help since the client is a generic browser running their website code). This implies the process exists to recover the body of my emails. Also, I type in the password in their web UI in cleartext - there's no other way to gain access - which means they also have access to my cleartext password and could be forced to disclose it to third parties. So unless you provide some contrary evidence, your assertion is false.


Unless you use end-to-end encryption (like PGP) then that's not true.


PM mails are encrypted with PGP at rest, as is metadata. The police can request to log incoming and outgoing mail metadata if available but not retroactively.


Right, if you trust that they only store the encrypted version. But the comment at the top of the thread is talking about logging once the police are interested in you. At that point they can log anything you send to them (or somebody else sends to them), including plaintext emails.


Yes, but it's hardly surprising that criminal investigations tend to evaporate some privacy standards very quickly. ProtonMail doesn't want to get hit by the stick too.

And before anyone suggests that PM should have been more "open/honest" about this, I disagree, the fact that a criminal investigation will do this is well known and mentioning it would be akin to asking your bank to plaster "if the world economy implodes, we might not be able to pay out your account" all over their frontpages.


Wait what's stopping them from logging the body of email too then?


The body is metadata too? It might be encrypted as well, making that effort less effective.


All they could?

Maybe not having the IP address in the first place, like they advertise, was what was needed.


From what I understood, they don't log ip addresses by default, but can be compelled to legally. They can only provide ip addresses for subsequent logins.


So, they changed their server software to surveil a particular user? It seems even worse than logging all IPs systematically.


No, this is a security feature which can also be enabled by users - last logins basically.


To me it also seems they are increasingly helpless against abusive criminal proceedings initiated by foreign countries on false claims.

For a user the result is the same.


So Switzerland is evidently not a democracy anymore. Sad to hear.


What does being a democracy or not have to do with this order?


just a buzzword


I guess there isn’t much Protonmail can do if the prosecutor shows up with an ~Interpol~ Europol warrant.

I wonder what this “activist” did to earn himself Europol attention. At least before the world went insane, that would only happen for serious crimes.



I found this informative article [1], and another [2] on the misuse of the so-called Interpol Red Notice, which I assume is like a BOLO, but not truly a warrant.

[1] https://theconversation.com/explainer-what-is-an-interpol-re...

[2] https://www.journalofdemocracy.org/articles/weaponizing-inte...


For your information, Stockholm center for freedom is biased towards Turkey[0]. I don't defend Turkey here (surely, its track record is not good).

[0] - https://mediabiasfactcheck.com/nordic-monitor/


The terrible crime of squatting, according to some comments in that thread


What's weird is why they'd need all these hoops to jump through if it's squatting? It's pretty easy to find the squatter - they usually are at the same place they're squatting, and the real owners of the place would be eager for the police to come and find them there. Once you found them, you could seize their devices and get all the IP information (at least) from them and from the carriers. It's weird that you would need to look for a squatter in such a convoluted way.


Has your home in France been squatted? No? Or maybe you do not own a house in France?

If so, on which basis do you ironically call squatting a "terrible crime"?

Squatters in your house in France means that you have zero rights on this place until a lengthy process gives it back to you, ruined. You are then expected to be grateful and can forget about any reimbursement from the poor people who stole your property.


Someone had squatters after working 3 months outside the country. He basically had zero rights to throw them out, and the law considered him as a sort of landlord for non-paying tenants, with all relevant responsibilities. As his and their legal address were now identical, he was partially responsible/paying for their healthcare.

But the law allowed him, as a good landlord, to work on the outside of the house, for the good of his tenants. So he did.

He installed security cameras, and reported every minor infraction of the squatters to the police. The police loved it, and duly did everything. Oh look, a cm of your wheel is parked outside the allowed boundary. That's a ticket. Of course he duly tested the very loud alarm every evening, to make sure it works.

He did a paint job, first removing the old paint with the noisiest dustiest old tools he could find, then painting it in an old ugly pink he found on a flea market somewhere. Then decided the quality wasn't good and removed the paint again. One day, the squatters had enough and actually went to a court to demand he let their poor baby sleep. Judge just laughed, and told them all work happened before 22:00 so he was in his right.

Squatters ran away after a few months, which supposedly is a happy outcome, at least compared to what the law could do for him.


Truth is stranger than fiction. I cannot believe this happening in the first world.


ficklepickle is poking fun at the fact that the crime is minor, relative to the weight behind the warrant. It would be like if the FBI put you on their website and the news stations aired your photo, for driving without a license.

Sure, it's a crime, but it's a relatively minor one. I suppose if you were the victim you'd have a different point of view.


Still, doesn’t seem like the best use of Europol catching squatters.


Squatting is about occupying uninhabited places. It should be welcomed or at least tolerated.


I don't know about France but in some places it's near impossible to evict squatters, meaning if your property stands empty a month (e.g. waiting for new tenant or repairs) and some squatters move in you are basically screwed for years to come - they won't pay rent, you'll lose thousands and much lifetime evicting them, and for a few years they'll run down your property as they have no legal or other interest in maintaining it, so you are out huge amounts of money.

This can happen to the slumlord (who will then send someone to beat up the squatters), to the big capitalist (who will go through the courts and win) and to smalltime owners where that is maybe their family home or future retirement apartment (who will suffer the most).

Homelessness/lack of housing is a problem, but squatting is in most cases not the right solution.


But if someone just moves into your property why can’t police just kick them out? That’s an illegal action. If someone came into your house and started stealing your things and you call the cops on them you don’t go to court to prove those things are really yours.


Because in many locations around the world, it's not as simple as a criminal offence, it's a civil dispute, as once you have commenced "squatting", you are now an occupant, rather than a clear trespasser. Many squatters find squatting manuals online detailing the local laws and how best to approach it to maximum time available in the property.


In France once someone entered your house (and stayed a generally agreed upon 48 hours) you have no right to evict them.

Then starts a possibly very long process to have them evicted. If they have a child you are basically screwed and won't be able to get your property back. Or you will wait months/years and get a ruin back.


This is exactly the case in France.


I assume that you are not trolling.

Please give your opinion about squatting primary and secondary homes of people. Who worked to buy them and have zero rights afterwards, when a colony of parasites come and destroy their belongings.

This is what happens in France.


If you don’t collect data, you can’t give it even if you wanted?


I suspect that you can order to collect it going forward.


If they order to collect someone's data, can't ProtonMail just say "we've been ordered to collect data for a user" on the front page?


It depends on jurisdiction. For example the UK has the infamous gag orders that are even harder to fight in court (successfully) than their US counterparts.

Sure, ProtonMail and its current operators could opt to stop operating in such jurisdictions, but usually it's too late for that when you get the [secret] court order, because if you refuse the operators personally are quickly found in contempt of court (or whatever other bad legal circumstance), and eventually that can lead to similar InterPol/EuroPol (other MLAT) warrants.


Aren't they in Switzerland though? A UK gag order can only have teeth within the UK, right?


But if you ever want to do business in the UK or travel to/through the UK, or in/to/through any country that might have MLAT with the UK ... then you're highly incentivized to take them at least a bit seriously to avoid really (sorry, royally!) pissing them off.


That's what warrant canaries[0] are for.

[0]: https://en.wikipedia.org/wiki/Warrant_canary
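The check a canary watcher would run against such a statement, as an added example and not code from this thread or from any provider: the statement is only trusted while its signature verifies, it was re-issued recently, and it still carries the "no orders received" sentence. It assumes an ed25519 key in place of the PGP signature real canaries usually carry, and a "Date:" header line and fixed statement wording, all of which are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Canary is a provider's published statement plus its signature. Real canaries
// are usually PGP-signed text; ed25519 is assumed here to keep this example
// self-contained.
type Canary struct {
	Text      string // the statement exactly as published
	Signature []byte // signature over Text
}

// MaxAge is how long a canary may go without being re-issued before a watcher
// treats it as dead (assumed value; a provider would publish its own schedule).
const MaxAge = 31 * 24 * time.Hour

// statementLine is the sentence a live canary must still carry verbatim
// (assumed wording for this example).
const statementLine = "We have not been ordered to collect data on any user."

// issuedOn extracts the assumed "Date: YYYY-MM-DD" header from the statement.
func issuedOn(text string) (time.Time, error) {
	for _, line := range strings.Split(text, "\n") {
		if strings.HasPrefix(line, "Date: ") {
			return time.Parse("2006-01-02", strings.TrimSpace(strings.TrimPrefix(line, "Date: ")))
		}
	}
	return time.Time{}, errors.New("canary has no Date line")
}

// Check returns nil only when the canary is signed by the provider's key,
// recent enough as of now, and still contains the statement. Every other
// outcome is an error: a watcher treats a missing, stale or altered canary
// exactly like one the provider deliberately pulled.
func Check(pub ed25519.PublicKey, c Canary, now time.Time) error {
	if !ed25519.Verify(pub, []byte(c.Text), c.Signature) {
		return errors.New("signature does not verify: text altered or not signed by the provider")
	}
	issued, err := issuedOn(c.Text)
	if err != nil {
		return err
	}
	if age := now.Sub(issued); age > MaxAge {
		return fmt.Errorf("canary stale: issued %s, %d days ago", issued.Format("2006-01-02"), int(age.Hours()/24))
	}
	if !strings.Contains(c.Text, statementLine) {
		return errors.New("statement line missing: canary was quietly dropped")
	}
	return nil
}

// Publish signs a statement; only the provider holds priv.
func Publish(priv ed25519.PrivateKey, text string) Canary {
	return Canary{Text: text, Signature: ed25519.Sign(priv, []byte(text))}
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Date(2021, 9, 5, 0, 0, 0, 0, time.UTC) // the day of this thread
	live := Publish(priv, "Date: 2021-09-01\n"+statementLine+"\n")
	stale := Publish(priv, "Date: 2021-06-01\n"+statementLine+"\n")
	pulled := Publish(priv, "Date: 2021-09-01\nWe publish a transparency report.\n")
	forged := live
	forged.Text = strings.Replace(live.Text, "2021-09-01", "2021-09-04", 1) // edited after signing
	for name, c := range map[string]Canary{"live": live, "stale": stale, "pulled": pulled, "forged": forged} {
		fmt.Printf("%-7s %v\n", name, Check(pub, c, now))
	}
}
```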


Certain organizations can compel you to start gathering data.


Except you are legally required to actually gather this data if a warrant is issued.


The Climate Action youth movement is sometimes explicitly anti-capitalist in a very "direct action" way.

Vandalising banks is stupid and also an efficient way to make powerful people dislike you.


Probably the movement to squat in empty buildings and organize more of the same in response to pandemic evictions, that's been getting the kind of attention it's very dangerous for left wing groups to get.


They do seem to be a far left group using the "climate" umbrella. This squatting 'action' has nothing to do with the environment, it's class struggle.

Unfortunately this sort of extremist group is harmful to people and organisations genuinely trying to do something for the environment.



Disclaimer: Paying Protonmail customer

I wanted to test how Protonmail is doing for new users, so I created an account from scratch just now over Tor.

1. Am asked to verify new account by entering a cell phone (edit: this is horrible. They lie and say account creation is anonymous, as pointed out by the poster below)

2. Upon login, "Basic" logs are selected which do not display IP. You can enable "Advanced" logs to log IP. I would suggest Protonmail make it crystal clear that these "Basic" logs do not store IP. In 2021, lies by omission are not good enough. Get rid of the soft language.

3. Their help page [1] says that "Advanced" (IP stored) logs are enabled by default. However, I created the account and it's just the Basic (no IP) logs. https://protonmail.com/support/knowledge-base/authentication...


> 1. Am asked to verify new account by entering a cell phone (bogus)

Interestingly the sentence on their front page, right before the most commonly quoted snippet in this thread, is:

> No personal information is required to create your secure email account.

A phone number is quite a personal, unique identifier.


That's a great point. This should be better publicized. Protonmail requires a phone number to register through Tor.


This is completely false. I have created accounts (for others) over tor, without ever divulging a number. The exit node is a factor here. Sometimes email is required; if the need is there, throwaway emails work. I hate to tragedy-of-the-commons a good service, though, which is why I have a subscription.


Can you do it now?


Yep- just did. Took two tries to find a temp mail that wasn't blocked. No phone required.

For those concerned about using a temp mail site, it's only used to verify the account; it can never be used to recover it.

But the account is made and I can log into it just fine, perfectly accessible.


Protonmail required me to enter a phone number to create an account.

I just did it yesterday. The text from them says "Your Proton verification code is: ######"


I really appreciate the distinctions you made.

Welp.......Now, please excuse me, I need to go check my Protonmail settings pronto....


Suggest "Disable" on the logs. Setup Brave preferences to default to Onion sites when available. And use Tor: https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7...


Protonmail customer here. Sigh. This is why I keep my own domain and can point it wherever I need. Dear Protonmail, email is fucking cheap and easy, I pay you $58 a year to solve stupid shit like this.

Vendors really need to figure out how to thread the needle of "No don't trust us" but still encourage customers to buy. Protonmail failed here. Apple's still very much in the "trust no one but us!" vibe, and it's just not sustainable.

I'll be switching my Protonmail use to default to Tor now. Open to Tor-first vendors...are there any?

I like how Brave has "open in Tor" displayed on Tor-mirrored sites. There's even an option for "Automatically redirect .onion" sites too. Makes it easy to switch over.

What if Protonmail pushed their Tor services more? "Guide to using Protonmail as privately as possible", have a switch for "Private Mode" that kicks you over to Tor/download Tor.


Where “this” in “solve stupid shit like this” is “hide you from police with a legally authorized warrant”?

If you were relying on Protonmail to conceal evidence of criminal activity for you, you may not have thought that all the way through.


Where "this" is using soft language like "by default" to hide shortcomings. I expect Protonmail to do more to educate users to be aware of how surveillance happens, whether a rogue employee enables the function on their end, warrant, etc.


"hide shortcomings" like what? Doesn't language like "by default" infer/suggest/imply that there would be circumstances in which they would save logs? And wouldn't an obvious circumstance like that be a warrant?


I think for most people the interpretation of "by default" means "we will not log your IP unless you enable it", i.e. the power is in the hands of the user. The complaint people are making here is that this statement should really have a clarifying clause saying "or unless requested to do so by law enforcement".


Tor is a State Dept/DARPA project, so at best a sidegrade from Proton if your concern is being surveilled by Western governments.


Tor is open source. Point to the vulnerability you are claiming, or stop spreading FUD.



Tor has known limitations. Pretending like all communication channels with limitations are equal is like saying X minus Y always equals five.


This wouldn't even have resulted in the catching of the person in question, due to the use of an Onion Service, your link referring to the guy downgrading HTTPS on bitcoin exchanges. Hacker News users have surprisingly little comprehension of just what Tor is, so much so that I made an account here just now. Lurkers, please read:

Tor is a powerful tool for increasing the privacy of its users, though it is worth noting that it prioritizes performance over privacy. Tor's threat model does not include global adversaries, particularly those who can access traffic metadata for large numbers of ISPs- though, hidden services do fare significantly better than your usual clearnet services, usually requiring DoS attacks to deanonymize their hosts, and protecting their users especially. But note that Tor is not a mix network- it does not provide mathematically provable anonymity against a global passive adversary, unlike systems such as Loopix. See from this paper describing Tor in 2004, and consider reading the whole thing for a better understanding of Tor: https://www.usenix.org/legacy/publications/library/proceedin...

Tor's threat model: "A global passive adversary is the most commonly assumed threat when analyzing theoretical anonymity designs. But like all practical low-latency systems, Tor does not protect against such a strong adversary. Instead, we assume an adversary who can observe some fraction of network traffic; who can generate, modify, delete, or delay traffic; who can operate onion routers of his own; and who can compromise some fraction of the onion routers. In low-latency anonymity systems that use layered encryption, the adversary’s typical goal is to observe both the initiator and the responder. By observing both ends, passive attackers can confirm a suspicion that Alice is talking to Bob if the timing and volume patterns of the traffic on the connection are distinct enough; active attackers can induce timing signatures on the traffic to force distinct patterns. Rather than focusing on these traffic confirmation attacks, we aim to prevent traffic analysis attacks, where the adversary uses traffic patterns to learn which points in the network he should attack. Our adversary might try to link an initiator Alice with her communication partners, or try to build a profile of Alice’s behavior. He might mount passive attacks by observing the network edges and correlating traffic entering and leaving the network by relationships in packet timing, volume, or externally visible user-selected options. The adversary can also mount active attacks by compromising routers or keys; by replaying traffic; by selectively denying service to trustworthy routers to move users to compromised routers, or denying service to users to see if traffic elsewhere in the network stops; or by introducing patterns into traffic that can later be detected. The adversary might subvert the directory servers to give users differing views of network state. Additionally, he can try to decrease the network’s reliability by attacking nodes or by performing antisocial activities from reliable nodes and trying to get them taken down—making the network unreliable flushes users to other less anonymous systems, where they may be easier to attack."

Tor increases the costs to uncover your identity, especially so in the context of a hidden service, which the entity in question (Protonmail) actually does offer to users. Perfection is the enemy of the good- Tor is not built to deal with global adversaries unlike a mix network, but surely any increase in privacy is a good thing, no? You do not complain that your wrench does not serve the purpose of a hammer quite as well as a hammer might- you either put some more energy into it, or you buy a hammer.


I vouched for this, because I don't understand why this was dead and I would like to hear some other opinions.


It's dead either because my account is new, or because I mentioned a mix network.


"Open source" means literally nothing for the majority of Tor users that are downloading prebuilt binaries from US Government-funded www.torproject.org/download/


And yet, confirmation attacks and traffic shaping by global adversaries are where the actual design flaws lie, inherent to any 'low-latency' (read: performance trumps privacy) anonymizing network, and you know that. Even efforts such as the Invisible Internet Project (I2P) which pile on tactic after tactic to improve upon this, but are too scared to delve in outright mixing traffic, are vulnerable to traffic confirmation attacks.


So now you're asserting that the binaries are backdoored, or built from something other than the published source.

Again, provide evidence or stop spreading FUD.


That's sadly not how (cyber)security works.

The USG persecutes and imprisons journalists for exposing its war crimes, anyways I'm going to download this Tor binary from them because it says 'totally legit' on the packaging and there's no "hard evidence" to the contrary...


Don’t those binaries come with signatures you can verify? People in the community would notice if building from source produced different signatures than the binaries provided directly by torproject


In practice the USG would not distribute malevolent binaries everywhere, but could target them to particular IP- and time-ranges.

Downloading Tor from a particular IP in Iran? We'll add a little something extra...

Or maybe you're a US citizen with a set of known IPs on a "watchlist".


The USG does not operate or control the Tor Project’s servers.


I’m a web developer, and I assume a lot of HNers are too. So I’m really confused by the lack of understanding around IP addresses in the comments here.

Everyone realizes that, by default, literally just connecting to another service over the web, will expose your IP address?

It’s trivial to monitor and report your IP to the authorities, as soon as you login to ProtonMail, despite lack of “logging”.

Logs only matter for historical data. This legal request is impossible to /not comply/ with.

Does anyone here have a feasible way to solve this? Or is it just a bunch of ProtonMail hating FUD?


> Does anyone here have a feasible way to solve this?

Current solutions like TOR, I2P, VPNs and/or mobile proxy services are just a matter of time and legality until they become obsolete due to their publicly known nature.

I am convinced that the only way to solve this is by simply not downloading the website from its origin. The origin tracks you, so don't talk to them. Talk to your peers and receive a ledged copy of it instead.

The only problem is that this contradicts all that came after Web 2.0, because every website _wants_ unique identities for every person visiting them; including ETag-based tracking mechanisms of CDNs.

I think it's not possible with supporting Web Browser APIs the same way in JavaScript (as of now, due to fetch and XHR and how WebSockets are abused for HDCP/DRM to prevent caching), but I think that a static website delivering network with a trustless cryptography based peer-to-peer end-to-end encrypted statistically-correct cache is certainly feasible. I believe that because that's exactly what I'm building for the last two years [1].

[1] https://github.com/tholian-network/stealth


While you’re not technically wrong about IP address hiding, that wasn’t my question.

I’m asking if there’s any feasible way for ProtonMail to not have the ability to know which IP addresses connect to their services.


> I’m asking if there’s any feasible way for ProtonMail to not have the ability to know which IP addresses connect to their services.

Maybe ProtonMail could offer an alternative .onion service? This way they couldn't legally be forced to give away the IPs, because on the other end it's a TOR exit node anyways. And by design they cannot see the real IP from their point of view, so a legal enforcement would be useless.


That’s a good point - mandating Tor usage. The Guardian also provides a Filedrop Onion service.

Though I guess you could also access via Tor regardless, if not for the account creation stage.


You can just not save the info. Not surprised that web developers have no concept of not saving everything anymore, but it is technically feasible. In many cases the IP wouldn't even reach your service and you only see it in the log of some load balancer or other proxy. How fleeting those logs are is a matter of choice.

You can come up with an excuse, depending on the service it might be laborious to get an IP on a running live system that doesn't otherwise care about connection information.

Depending on the truthfulness of that you might make yourself guilty of impeding investigations though.


> Not surprised that web developers have no concept of not saving everything anymore

Your contempt for web devs seems to correlate with your lack of understanding of how the web works. Responses like yours make me cringe, in how uninformed they are, despite trying to sound smart.

IP addresses can and will be exposed in any situation that a user connects to a service - it’s a fundamental property of the web. You cannot tell Government agencies, esp. when they have a 3-country-approved warrant, that “we don’t know how to”.

If you terminate a connection at the load balancer, they will make you monitor it. If that’s not owned by you, they will send the warrant onto your cloud provider or whoever.


I have no contempt for web devs beyond those that implement invasive tracking against their users.

I could set up a service that masks any client's IP address towards my service with no problem. If a client connects through TOR or a similar network I would not be the wiser either. So apart from just not logging connection attempts, there are other tricks.

Of course that doesn't work if law enforcement is knocking on your door and forcing you to do that. But there are still mechanisms that would allow IPs to be hidden. The state cannot know the intricacies of the mechanisms your service employs. protonmail.com could point to a server in Timbuktu that makes any request in delegation for a client to hide IPs.

This privacy arms race is pure idiocy though and the problem is legislation and lacking control and supervision of police forces within European countries that decided they should be so afraid to call one emergency legislation after another for more than two decades.


You are mixing around client and server side ideas, so I’m still convinced that you don’t know how web services work.

You also don’t seem to understand the gravity of an international criminal warrant, and counter with ideas of “paying a provider in Timbuktu to mask IPs”.

I don’t like feeding trolls, so I’ll stop replying now.


I also see the gravity in an international warrant issued for squatting. Be that as it may, have a nice day.

Still, just for technicalities:

Any proxy server hides your IP. VPN, Tor, McDonalds Wifi...


Also mentioned in another submitted tweet:

https://nitter.eu/OnEstLaTech/status/1434575322465382404

Translation: "The company @ProtonMail delivered IPs of climate activists to the police, after which the activists were arrested and searched. ProtonMail claims on its website, however, that it does not store the IP addresses of its users."

Source (in French): https://secoursrouge.org/france-suisse-securite-it-protonmai...

Translation (via Google Translate):

The years 2020 and 2021 were marked by the establishment and repression of a series of occupations in the district of Place Sainte Marthe, in Paris, in order to fight against its gentrification. Some 20 people were arrested, three searches were carried out and several people were sentenced to suspended prison sentences or to fines of several thousand euros (more info here and here). In addition, seven people are on trial in early 2022 for “theft and degradation in assembly and home invasion” following the occupation of a with a file of more than 1000 pages. During the investigation, the police focused on the collective “Youth For Climate”. In particular, they were able to use photos published on Instagram, even if they were blurred because of the clothes.

The police also noticed that the collective communicated via a protonmail email address. They therefore sent a requisition (via EUROPOL) to the Swiss company managing the messaging system in order to find out the identity of the creator of the address. Protonmail responded to this request by providing the IP address and the fingerprint of the browser used by the collective. It is therefore imperative to go through the tor network (or at least a VPN) when using a Protonmail mailbox (or another secure mailbox) if you want to guarantee sufficient security.

(Disclaimer, Protonmail user.)


Avoid proton mail like the plague.


Has ProtonMail done anything wrong themselves, or is this just a case of them existing in the wrong country? If they refused to cooperate, could the government have just seized their servers and collected the data they wanted themselves?


I think the argument is that their advertising is misleading (i.e. if they really didn't keep logs, there would be nothing to hand over)


They never advertised that they don’t keep logs; they just said they aren’t permanent. In fact you can view your own connection logs if you enable it, in which case they are maintained forever.

https://protonmail.com/privacy-policy

They also provide a report of all warrants received https://protonmail.com/blog/transparency-report/


They claim that they don’t keep logs on their French homepage. The climate activist is French: https://twitter.com/onestlatech/status/1434596410977030155?s...

And even on their English website, the marketing is misleading. They say that the service is "anonymous" and also: "By default, we do not keep any IP logs which can be linked to your anonymous email account".


The CEO's position on Twitter is that "by default" (from the sentence you're quoting) means when there is no criminal investigation, but when there is a legal order in place, Protonmail will collect the IP...

https://twitter.com/andyyen/status/1434600373059297284

"As described in the link above, under Swiss law, we can be forced to collect info on accounts belonging to users under criminal investigation. This is obviously not done by default, but only if we get a legal order."

Activists beware.


"We won't keep logs on you, except if you're in trouble with The Authorities, then we'll definitely keep logs on you and rat you out"

Weird definition of privacy we've got going these days


If you thought that Protonmail (or any other company) was going to go to break the law in order to avoid keeping logs on you despite a Swiss-backed warrant saying they had to do so, then you had the wrong impression. But I never got the impression Protonmail was saying that.


I have never used the service and don't know or care a thing about it. But their advertising is laughably inconsistent with the reality of the service provided.

If it's illegal to provide a completely anonymous email service, then you should not claim to provide a completely anonymous email service.


I think everyone has gotten used to this particular lie, because it's so widespread and all the "privacy" email providers say things like this.

Except maybe Lavabit, that guy apparently shut everything down to avoid doing something along these lines. So maybe he wasn't actually lying.


"We don't keep IP addresses. (we keep PI addresses which are tooooootally different and you didn't ask about those)"


Once again: if you can't see their server software, you should assume they are FOS, and are capable of recording anything.

Also: One more reason NAT was a good thing over IPv6. The closer we get to the platonic ideal of "UUID per person" the more likely justice systems will use it that way.

The day everyone learns how to self-host mail on ephemeral compute instances is the day law enforcement starts requiring MX domain logs to be maintained in a historical manner. Work around that magically, and some law'll go on the books to try to tame the super spooky criminal communicators hiding from law enforcement.

This is why we can't have nice things.


doesn't the amount of available IPv6 mean you can get a new one every time?


Theoretically yes, but if your ISP assigns your home a /64 you can use 2^64 different addresses to access the internet.

This still doesn’t protect your privacy because your ISP knows what prefix they gave you and will likely provide that to the authorities if you broke the law while using that address. Just like they would even if you used NAT and ipv4 so I don’t get where the parent comment thinks that is protecting their privacy at all.


Plausible deniability. My NAT and DHCP leases can be shortened, and not logged. At best you know something came from my network, and I may have many users on my network. For nodes, VPN, etc...

IP's address Internet endpoints, not people using them, yet States, prosecutors, and law enforcement regularly try to create the illusion that an IP has anything to do with who uses something.

IPv6 makes that temptation worse. IPv4 forces you to realize IP's can be ambiguous. IPv6, through having more addresses than people on Earth, checks off the Institutional checkbox for "raw material to contribute to a UUID identity scheme". Just look at China's proposals for a more governable international Telecom network, and the intention to use device persistent addressing as a control mechanism becomes obvious.

Where IPv4 creates enough decentralization and localized namespace unscrambling to provide enough friction via statefulness to thwart these types of efforts, I'm not at all confident IPv6 will do the same. I believe it is just what the Doctor ordered for laying the foundation of coupling IP's and net addresses in the minds of the masses to personal identifiers.

Which is not by any stretch the way we want things to go.


If your location is assigned a /48 you can then set up over 65,000 subnets with 2^64 possible endpoints in each.

My iPhone spoofs the MAC address each time it connects to WiFi, so support for changing your /64 is not going to be a challenge even with consumer devices. Whether we lose this ability or not is another question (but they could easily make the same requirements of “hard device uuid” on IPv4 if they wanted. These are laws and regulations after all, not technical limitations).

If anything IPv6 gives you an even greater amount of plausible deniability because like you said you could be running a vpn with a billion different devices connecting to it.

IPv6 just means your laptop could have an internet routable IP associated with it. You can easily change to one of the billions upon billions of possible addresses that your assigned prefix will give you (just like you could have something like 10.0.0.0/8 with millions and millions of addresses behind your internet routable IPv4 address). Your ISP will turn you over all the same if the authorities ask who that address belongs to.


"obviously"?


REALLY misleading. They created this feature for Mr. Robot, the TV show, too:

https://protonmail.com/blog/protonmail-mr-robot-secure-email...

Scroll down to comment:

> Liam, October 14, 2015 at 10:30 PM

> But https://protonmail.com/security-details page says “No tracking or logging of personally identifiable information. Unlike competing services, we do not save any tracking information. We do not record metadata such as the IP addresses used to log into accounts.” So, now it turns to be that you introduced tracking and logging? Is this data encrypted as well?

> Admin, October 17, 2015 at 9:14 PM

> We don’t save any of this data by default, the user must explicitly turn it on for us to save it.

There should be a reasonable assumption that given they have end-to-end encryption for the service, they just encrypt the logging for the user and store it encrypted without the key themselves like they do the emails.

Also to note, they at least have an onion link to use their email service.


That begs the question which of the warrants listed there relates to this climate activist.


In their blog they mention cases in which they enabled logging after the swiss government requested it.


Literally on their front page:

> No personal information is required to create your secure email account. By default, we do not keep any IP logs which can be linked to your anonymous email account. Your privacy comes first.


Privacy comes first. Then comes the warrant. Then comes the IP in the report printout.


> No personal information is required to create your secure email account.

Except your phone number? That's highly personal. https://news.ycombinator.com/item?id=28428092

(I recall encountering this too when creating an account a few months ago.)


Anyone who ever says "we don't log" is definitely logging, and that statement alone should tell you that they are untrustworthy. No one is stupid enough to take on that kind of liability. The same applies for VPNs.

If you need trust, there's no way around rolling your own service.


Logging is the liability not the other way around. You can’t be forced to hand over something you don’t have


You can be forced to log though.

I'm not sure what your tech stack has to look like for you to claim that you can't log IP addresses and user-agents etc...


Some VPN providers run their servers without hard drives.


Thank god their servers aren't on a network where they could simply send the log entries to a different server.

That's a cute idea, but it won't get them out of complying with a warrant.


Yeah, that seems more a mechanism to prevent forensic analysis of a hard disk to retrieve transient logs that might've been briefly written to disk (?). I hope it isn't being used as a means to prevent the means to log for future connections, for the reasons you state.


Except you need to have the infrastructure in place to gather data for police investigations in many countries. If you don't have this infrastructure in place, you are breaking the law as a company, which could have enormous consequences.

This does not mean you need to log everything all the time (usually that is actually quite illegal too), but you need to have infrastructure in place to allow for police investigations.

I don't get how people don't understand this. Companies need to operate according to the law of the land, this being one of them.


Legally nothing wrong - but they've maybe been a bit disingenuous to their users.

However, better than most (both by jurisdiction and their own rules) than other email providers - and I'd have thought any of their users who were serious about anonymity would have used Tor/Tails etc to connect anyway and used pgp for their messages.

Details of connections to the account (IP and connection fingerprint) shouldn't matter if you were taking your privacy seriously.

Basically just signing up for protonmail doesn't make you secure and there's nothing they could do to help if you just rely on that.


So with FastMail under Australian privacy-bashing laws and now this, what are our options for secure, private e-mail?


If you're doing subversive activities against a Western country you should probably use some Russian or Chinese state-owned service.


Part of the issue is that the bar for subversive activities in the eyes of western law enforcement seems to be getting lower and lower. I don't know the specifics of this case, but it seems many authorities are also not shy about using these methods to identify and track peaceful protesters as well.


While I agree this is a problem, this is something that isn't to blame on protonmail (or any other company following the law). This is something that should be changed through politics/lawmaking.


Honest question, because I've been asking it of myself: what do you expect from such a service?

I basically decided to just give up. Email is an insecure protocol and there's not much that can be done about it. Choosing a "secure" email provider feels like choosing a "secure" VPN provider: it's impossible to verify the provider's claims so it's a kind of security theatre.


It's impossible to choose a "secure" email provider, unfortunately.

Email can't guarantee E2EE without a block cipher tool like GPG. Even if your provider stores and transmits only encrypted email data, once sent it does not maintain that guarantee while being passed by another entity's MTA.

If you email google, google gets to do whatever googly stuff it would like to do with its algorithm. If you email exchange, roundcube, ISP, hotmail, it could wind up being archived to tape, or simply be sitting for a long time in some unencrypted mail spool, maybe in a public cloud. If you selfhost, you would be forgiven if you find you have made a mistake or simply got pwned.

I've never selfhosted email, but I understand it is a lot of work to set up if you aren't familiar, and while maintenance is okay once you get rolling, there are occasional emergencies or hiccups that require intervention.

Aside from being much slower, regular mail is quite better since you can easily inspect the envelope for evidence of tampering, while email will be imperceptibly copied.


> Even if your provider stores and transmits only encrypted email data, once sent it does not maintain that guarantee while being passed by another entity's MTA.

What? If Alice encrypts an email to Bob, using Bob's PGP key on her laptop, then it doesn't matter how many MTAs that email passes through, the email stays encrypted at every hop.

> it could wind up being archived to tape

I guess you're saying that an encrypted email could travel through a provider that keeps a copy of it in the hopes that quantum computers will one day be cheaply available enough that they can crack the private key and read the email.

That seems expensive (and illegal) for a company to do just on a whim (assuming the sender and recipient are periodically deleting old emails), and I'd like to think that a judge would turn down a request for a warrant that covers data that won't be readable for a decade or more.


Yes, you have to bring your block cipher unless you are 100% sure all the MTAs are using your e2ee scheme.

>I guess you're saying that an encrypted email could travel through a provider that keeps a copy of it in the hopes that quantum computers will one day be cheaply available enough that they can crack

No, I'm saying when you send the email, the next MTA might not use encrypted transport and any mailbox/mail spool/cache might not store the data encrypted in any way.

You can of course get E2EE if you use GPG (you always could), but if somebody doesn't know how to use GPG or uses it wrong, that is problematic.

You can also just broadcast your gpg block message via public/ham radio or even hire a skywriter to spend his day tracing out your GPG cyphertext as a huge QR code in the sky :-)


> since you can easily inspect the envelope for evidence of tampering

Except that's not true. Often envelopes can be opened and resealed without any trace, meaning contents can be read or changed.


You are right, it is possible, but it is definitely a little bit harder and you still get a chance to notice an anomaly (delay, marks, intuition even)


> I basically decided to just give up. Email is an insecure protocol and there's not much that can be done about it. Choosing a "secure" email provider feels like choosing a "secure" VPN provider: it's impossible to verify the provider's claims so it's a kind of security theatre.

Notionally, I would imagine something that looks like "email" and acts like "e-mail" (to the end user) could eventually exist that provides the same (conceptual) security that the Signal protocol provides (and perhaps a hosting provider option that's the same level of user confidentiality that we get the Signal foundation), although you're correct that foundationally it would be a different protocol. Backwards-compatibility would be required, at least for seamless transition (perhaps represented as "secure" and "plaintext")

Wasn't Ladar Levison (the individual behind Lavabit) working on something like this? https://darkmail.info/


A number of features I expect from e-mail seem rather between hard up to impossible to achieve if you insist on the "your server cannot be trusted, either" model of operations, though:

- The ability to login from multiple devices (using both dedicated clients and webmail) and subsequently being able to immediately access all my old messages, too.

- Global filtering, tagging, folders, read/unread tracking etc.

- Full-text search that doesn't require downloading all messages to your local device beforehand.


For this specific issue, find a provider that can be accessed through Tor.

But if you want truly private and secure communication, you'll have to forget about email. Even with encryption there's still way too much metadata floating around that can identify you.


I say don't use email, it's not a good choice for private communications.


I agree that one should not use it for private comms. But many people have to use it, and they would rather not use a provider like MS or Google. For those people, mailbox.org is a good offering (IMO).


Your own self-hosted service on a rented server / cloud instance? AFAIU (IANAL!!!) you can refuse to give evidence against yourself in most jurisdictions.

I don't think that a dedicated server provider (like Hetzner) or cloud provider (like Digital Ocean or Vultr) stores traffic logs with enough details to be useful in such a case.

But payment will be a problem...


You can't be compelled to incriminate yourself, but your server provider can very much be compelled to give access to the server. And once the server is physically compromised the battle is lost, anyway, but in that case probably with a larger papertrail leading to you.

One expensive but possible option would be to build a server yourself with sufficient traps to shut off when it's tampered with. Then set it up with full disk encryption and put it in a shared rack.


A dedicated server (with standard hardware) can be prepared to be almost tamper-protected, against almost all realistic attacks. Yes, it will be prone to memory freezing (physical freezing, with liquid nitrogen or liquid helium), but I don't think that is what police in any country will do.

But as a sibling comment mentions, it can be seen as destruction of evidence in many jurisdictions :-(


> .. and put it in a shared rack

What would be the benefit of being in a shared rack? Wouldn't the service provider still know which physical system is yours if you only rented a 1/2/3U space? (Or is there an advantage at a network layer?)


The shared part is only for pricing, since renting a full rack for a single server is a bit overkill :)

Going for a rack has the advantage that you own the hardware and can install the anti-tamper measures so that the server can't be turned against you. Anonymity wise, renting a server makes things a lot easier.


In most jurisdictions you can refuse to testify against yourself but you are still required to give up all physical evidence against yourself if an appropriate warrant requests them, the immunity only applies to things in your mind.

Things like hiding or destroying evidence of a crime generally are separate crimes of which you can be convicted even if you're acquitted of the original crime (e.g. burying a corpse in the woods or throwing a gun in the river).

Destruction of evidence with the intent to hide it from prosecution also may enable so called 'adverse inference' where essentially the jury/judge can assume that the destroyed evidence actually showed what the prosecution intended to find there. For example, if you're being prosecuted for possession of child sexual abuse material, there's a warrant for your hard drive, but it gets fully destroyed because you have rigged some device to destroy it (and the prosecution proves that you did that with the intent to destroy evidence) then the court may take it as a fact that the hard drive did indeed contain CSAM and treat it as sufficient evidence to convict you.

In short, self-hosted service on a rented service does not provide much protection.


Here is an interesting collision: a password IS a thing in my mind, for sure.

But, as far as I understand, case law is not in my favor in this case :-(


It’s certainly possible that they store IP addresses.

Even if they don’t, as long as they have the email address then they can probably find the mail server even if the payment is anonymous.


They absolutely keep who used which IP at what time. And they do not allow anonymous purchases.


Find mail server itself — sure. Find all clients which submitted mail through it in the past — I'm in doubt.

Anonymous/protected enough payment is the problem.


Protonmail and fastmail are different offerings. Proton offers encryption features, while fastmail makes no effort to promote encryption.

So tutanota would be a good alternative to protonmail. And mailbox.org is a good alternative to fastmail. Both are based in Germany.


From tutanota:

> Storage only takes place for IP addresses made anonymous which are therefore not personal data any more.

What the heck does "IP addresses made anonymous" mean?
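One common reading of "IP addresses made anonymous" is prefix truncation: the host bits are zeroed before the address is written to disk. The following is an added example, not tutanota's or any provider's code; the /24 and /48 widths are assumptions, and the log lines are constructed.

```python
"""Prefix-truncating IP anonymisation for server logs (illustrative example).

Keeps only a network prefix (assumed: /24 for IPv4, /48 for IPv6) so the stored
value no longer points at one subscriber line or device, while remaining useful
for abuse rate-limiting and coarse geolocation.
"""
import ipaddress
import re

# Assumed truncation widths; a real deployment chooses these deliberately.
# Caveat for IPv6: if the ISP hands every customer a whole /48, a /48 prefix
# still identifies the customer; /48 only blends in customers who got a /64.
IPV4_KEEP_BITS = 24
IPV6_KEEP_BITS = 48

# Finds IPv4 dotted quads and IPv6 literals (hex groups joined by colons).
# Non-addresses that happen to match (e.g. a time like 12:34:56) are left
# unchanged because anonymize_ip() refuses to parse them.
_IP_RE = re.compile(r"\b(?:\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]*:[0-9a-fA-F:]+)\b")


def anonymize_ip(addr: str) -> str:
    """Return addr with its host part zeroed, or addr unchanged if not an IP."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return addr
    # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the IPv4 address it carries,
    # otherwise a /48 cut would collapse it to "::" and lose all utility.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    keep = IPV4_KEEP_BITS if ip.version == 4 else IPV6_KEEP_BITS
    net = ipaddress.ip_network(f"{ip}/{keep}", strict=False)
    return str(net.network_address)


def anonymize_log_line(line: str) -> str:
    """Rewrite every IP literal in a log line before it reaches storage."""
    return _IP_RE.sub(lambda m: anonymize_ip(m.group(0)), line)


# Constructed sample lines, not real logs.
SAMPLE_LOG = [
    "2021-09-05 12:34:56 login user=alice ip=203.0.113.42 ua=Firefox/91",
    "2021-09-05 12:35:01 login user=bob ip=2001:db8:1234:5678::1 ua=Safari/14",
]


def anonymize_log(lines):
    """Anonymise a batch of log lines; the result is what would be persisted."""
    return [anonymize_log_line(l) for l in lines]


if __name__ == "__main__":
    for before, after in zip(SAMPLE_LOG, anonymize_log(SAMPLE_LOG)):
        print(before)
        print("  ->", after)
```

Note that a truncated prefix combined with a timestamp and an account name can still narrow a user down considerably; truncation reduces identifiability, it does not remove it.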




Well, posteo didn't. They tried to fight it as long as possible.


Anything that you access using thunderbird with GPG configured?

It gives no worse privacy guarantees than protonmail and possibly way better - because if you use protonmail through a web client and they get a court order to serve you a "special" client that forwards your certificate you won't notice it.


Email from any service provider can be considered as secure and private as public conversations.


One option not mentioned yet is Posteo. They don't keep your IP and strip it in case your mail client sets it in the headers. They also don't take any personal identification for signup or billing (you can even send them letters with money to pay for a mailbox).


I don't know what came of it, but they've been told by the German constitutional court that their approach ("we're using NAT, we don't know the IP on the actual server") doesn't fly and does not protect them from complying with a court order.


This is correct.

This also applies to ISPs and wiretaps. They need to provide NAT mappings when doing a wiretap, if I remember correctly.


Lavabit?


tutanota?


This is strike two.

ProtonMail went under fire several months back about opting to use Google's reCaptcha for login in a time crunch, rather than setting up hCaptcha even if it took a little extra time.

The tradeoff was cost vs. user privacy and they chose cost, which is NOT why a lot of us pay PM to begin with.

This is unacceptable, but unfortunately there are no alternatives that hit all the check marks PM has in terms of features.

The response of "use Tor to connect" doesn't really help. If you so much as accidentally connect once with a normal IP, that's enough to nab you.


You cannot expect anyone to openly not comply with the law on your behalf. It looks like ProtonMail had to log and cough up that IP in the context of a criminal investigation. The politics of how it became a criminal investigation in the first place have nothing to do with PM.

The submission title doesn't reflect the details.


Read the actual case details here:

https://news.ycombinator.com/item?id=28431834


Thanks. This is quite a different narrative than the Twitter thread and makes a bit more sense.

People likening this to exposing the hiding places of Jews to the Nazis is probably the saddest and most infuriating comparison I've seen in recent times.

Let's be rational here, folks.


> IANAL, but I have a hard time seeing how young people squatting buildings in Paris is an extreme criminal case. In any case, I have an issue with this lack of transparency from ProtonMail, if any police service can ask them to log IP addresses, that is not anonymous

(Quote from the Twitter thread, by same author.)

Yeah, that is the problem. We don't know who, we don't know why, we don't know shit. All we know is that the request took place. We don't know if the request was or is justified. Those who trust police or dislike climate activism might say 'of course' and those who distrust police or like climate activism might say 'of course it wasn't justified'. Meanwhile, police (Europol in this case) are not releasing details for the neutral readers to make up their mind, because they're still fully in the investigation.

I'm very much pro-privacy, and actually I find the environment very important, but I also want to give Europol the benefit of the doubt. So I suspect a climate activist, using Protonmail, might've gone a step or two too far. And if Protonmail just runs some VPS in some other countries, they'll have to abide by the law in these, on top of Swiss law. That a Swiss company has to cooperate with Europol because Europol has mandate in Switzerland is also a no-brainer.


I'm seeing a lot of comments along the lines of "there's nothing ProtonMail could have done in this case."

This is patently false. The first thing they could have done is not hosted their service in a jurisdiction susceptible to these kinds of logging requests, at least not openly. In other words, they could have concealed the location of their services.

Instead, ProtonMail is attempting to have their cake and eat it too: on the one hand, they repeatedly publicize the fact that they have 'Swiss privacy laws' as a selling point, but yet on the other hand when a privacy violation such as this occurs, they claim that their hands are tied because of....Swiss laws.

It's this two-faced behavior that is deplorable.


> This is patently false. The first thing they could have done is not hosted their service in a jurisdiction susceptible to these kinds of logging requests, at least not openly. In other words, they could have concealed the location of their services.

Where is that? Which country doesn't have a law that allows authorities to request such information? I'm not aware of any, at least not among any sufficiently developed countries with useful infrastructures.


You appear to have missed a significant portion of my post:

> at least not openly. In other words, they could have concealed the location of their services.

> Instead, ProtonMail is attempting to have their cake and eat it too: on the one hand, they repeatedly publicize the fact that they have 'Swiss privacy laws' as a selling point, but yet on the other hand when a privacy violation such as this occurs, they claim that their hands are tied because of....Swiss laws.


> at least not openly. In other words, they could have concealed the location of their services.

You can't provide a paid commercial service while hiding your business entity. And, on top of that, DNS and SMTP make this basically impossible technically as well. So what you're looking for is, at least when it comes to email, something that doesn't and can't exist.


> You can't provide a paid commercial service while hiding your business entity.

You absolutely can. This is how many entities on the dark web function. And in fact, so do many entities on the clear web (see the RBN and its successors as an example).


Good luck building a paid email service on the dark web.


It always amazes me that there is this hardcore of people on hn who are so anti ProtonMail.

If you use gmail, it is my understanding that google AI will routinely read all your messages and add anything interesting to your profile so they can target you for ads. Law enforcement also has open access to everything in your mailbox all of the time.

ProtonMail don't read your email but will supply metadata to authorities in response to a lawful warrant.

That still feels like a difference between gmail and ProtonMail. I pay for that difference, your money your choice.


Gmail hasn't used email content for ads for years: source: https://www.nytimes.com/2017/06/23/technology/gmail-ads.html


Moreover, it doesn't matter if they use it for commercial purposes; what matters here is that governments can force protonmail to collect IPs and nothing else.

You're on Gmail or outlook ?

Well, now governments can have your IP, email contents and anything else you can imagine.


Not for ads but for various kinds of text completion suggestions. Google's AI still reads contents from our email body to suggest text or reminders.


I don't disagree, but this is always the risk for platforms that try to sell privacy in a bottle.

Hard to incorporate what threat vectors their users should be mindful of and recommend steps to mitigate in their marketing without scaring people off who want to do nothing but outsource their privacy™ to someone else and not think twice about it, even if some of those people are hn users…


Where can I pay to have my provider say "nope" to the french police force a case like this?


Set up your own encrypted email server

If anyone has specific recommendations for which open source encrypted platforms to set up, I am all ears


Where are you gonna host your server?

Why set up a server vs simply using a VPN?


We know that PM saves all kinds of metadata and happily provides it to any kind of agency. You have to use an anonymous VPN service (obviously not ProtonVPN) in combination with ProtonMail, if you want to avoid exposure by PM.

ProtonMail lost its essence to be honest. As soon as my subscription runs out I'm gonna host my own mailserver instead. There are no advantages in using ProtonMail anymore.


>As soon as my subscription runs out I'm gonna host my own mailserver instead.

I might end up doing the same. I think I'm stubborn enough to pull it off. Personally I got my eye on https://gitlab.com/simple-nixos-mailserver/nixos-mailserver

I've been in the market for a service like protonmail because I'm trying to degoogle. Reading news like this and looking at the price of these services for two accounts has me thinking twice.


This comment will probably get buried. But I’m a paying ProtonMail customer and I noticed a number of things that seem to indicate the company is doing things to enable user surveillance without it being directly attributed to the company.

1) Malware scanning services. I noticed that links in my email are sent to a third party to be scanned for malicious content. I never signed up for this service.

2) Mobile phone analytics. Using a third party for mobile analytics known to track users.

3) CDN: using a content delivery network in countries that do not have the same privacy requirements as ProtonMail’s corporate domicile.

Privacy is a gimmick for the company at the very least, a front at the worst. I still use them because I trust other companies even less.


I moved from Gmail to ProtonMail exactly because they were promising strong encryption, no logging of IPs and no data leaked outside for whatever reason.

I know that every IT company eventually turns into a bunch of creepy and greedy jerks that end up contradicting all of their initial "don't be evil" statements. But please, Proton, don't do this so early in the process. I'm tired of migrating from one jerk company to a we-are-not-jerks-yet company all the time. If it turns out that Proton really leaked the IP and device info of an activist to the authorities I'll just go back to setting up my own mail server like it's 1995 and f*ck all this madness.


Get ready to fight against anti spam like crazy, with your own server.

Email is supposedly decentralized, but under the umbrella of "anti spam" it's really an oligopoly of providers


You should set up your own email server, they can't be trusted

If they are announcing this, think of the ones they are under gag orders to not announce /disclose


What does setting up your own server solve?

Like you can trust your ISP?

Chances are tracing your mailserver to you isn't any harder than tracing a protonmail account to you.


Paying customer

I do not trust protonmail with my privacy. I only use them to sign up for various services, trying to escape the data mining google does.

Not sure I want to support a company that is dishonest however. I'm reaching the bye-bye point myself slowly but surely.


Cryptographers and developers need to step up their game...

There needs to be a messaging service where as well as the messages being encrypted, the graph of who is talking to who and when must be encrypted.

I'm imagining a system where your device forwards hundreds of messages for other people, hiding your own message flow.

I perhaps send a few hundred messages per day, and even multiplying that by 1000, and the typical message length of a few words, it's still a tiny amount of data transfer.


Basically, you want to run a messaging service over an onion routing network (Tor, I2P), or even better, a mix network. You should check out Nym (https://nymtech.net/) and come back with what you think about it. It is very suitable to what you want, and Loopix is resistant to global adversaries. https://arxiv.org/abs/1703.00536 (Loopix's paper)


Interesting idea, but is that not a liability to yourself if nefarious or illegal messages are passing through your device?


Isn’t this what Section 320 was intended for?

But yes, the problem with an encrypted tor-for-email would be the exit node would get all the emails and probably be responsible for the final content.


You're describing exactly I2P (darknet similar to Tor but more focused on internal services).

There's also a built-in I2P-Bote messaging system (bundled with the official I2P client) that is in a sense a substitute for email.

The tech is there, what the I2P ecosystem needs is a lot more users and a lot of UX improvements to make it 1-click accessible.


I'm interested. Currently spending ~$58/year with Protonmail including a custom domain.


If you think that's bad, Tutanota was forced by the court to change their SW, so that all incoming e-mails for a specific account would be intercepted before encryption: https://news.ycombinator.com/item?id=27303712


Hushmail had a similar warrant, they changed their login form so it would send the password in the clear to the server, which they used to decrypt the mail and logged all the traffic to help trace the user. If you get targeted these "anonymous" email services aren't going to be good for much in practice.


So ... squatting a building and running a punk climate action is enough to de-anonymize a proton mail account? Jesus.

https://twitter.com/OnEstLaTech/status/1434661903293423618


Arrested for what? "Climate activist" seems like emotional manipulation.


I read here ProtonMail were compelled to log the IP by the authorities... Could they have done anything else? Could any sort of malicious compliance have been an out? Like: "if we hear there is an investigation on you then we want nothing to do with your shit and we'll delete your account"?

I suppose this would land them in hot water, but there might be something else really clever?


Do we still like Runbox? Based in Norway. They claim to be the most secure email provider due to Norwegian laws:

https://runbox.com/why-runbox/privacy-protection/email-priva...


Also a ProtonMail user. While I would prefer that ProtonMail never captured or divulged my IP and/or logged my access, I pay because I was a long time gmail user and am trying to wean myself off of alphabet in general. I don’t want my mail skimmed for ads or worse.


Why is a "Climate activist" being arrested?


I don't really know, but eco terrorism is something that is more than likely to increase, with all the floods, forest fires, hurricanes, Greta Thunberg, IPCC reports, and recently Biden authorizing some oil contract thing.

Something is going to move.


In this case it seems that they are a far left group that has decided to squat a restaurant for good old 'class struggle' reasons and vowed not to back down...

It also seems that it is not any restaurant but one of the 'victims' of the 2015 terrorist attacks [1]

Basically political extremists trying to disguise themselves as environmental activists. Not interesting people, to say the least.

[1] https://www.tellerreport.com/news/2021-01-04-%0A---justice-o...


Ah, they're sitting in a restaurant in protest. Clearly insane terrorists.


No, they are just criminals who violently take over other people's property and vandalize it.


Don't trivialize extremism, please.


Climate activist or general miscreant masquerading under the guise of climate activism?


I am fairly law abiding except for when it comes to the intersection of a vehicle and a heavy pedal.

But

Configuring logging on a user's IP address information on a private email service for what appears to be a fairly petty crime seems rather like dropping a nuke on an ant, both on the side of the French/Europol LE, and also for Swiss authorities, and then Swiss companies to be responsive to something so petty.

For something this "Organizing a Climate Camp" [1] involved I'd expect at least a serious felony, or a dramatic terrorist incident with loss of life.

If the crimes involved are truly so minor, it raises the spectre of what would they do for an actual serious crime?

I hope I am misreading this......

[1] https://www.liberation.fr/terre/2020/09/27/camp-climat-a-par...


What does Youth for Climate do that required arrest? I’m unfamiliar with them.


They are far-left extremists who use climate change as an excuse to vandalize small businesses. This dude was arrested for occupying and vandalizing a restaurant.


Same but it’s not out of the realm of possibility that they’re a Greenpeace-like organization that jeopardizes human life and property.

Or they’re just some college students spouting inconvenient truths ¯\_(ツ)_/¯


Question: is it possible they do not log any of the data but were required to capture it on the next login? All the talk here implicitly assumes ProtonMail provided historical information.


As far as I understand from the article, this is roughly what happened. Protonmail got a warrant, and thus enabled logging for the user (as is required by law).


This same sort of issue came up with Tutanota a while back. What do people expect when law enforcement shows up with a valid warrant? Is the service provider supposed to open fire?

Anonymity (which is different than privacy) is something that can only be achieved in very particular circumstances for a limited time. It always involves work on the part of the person involved, usually ongoing. It isn't something you can just go out and buy. Most people have no need of it most of the time.


Would be good to have some other sources for this story.

So a Swiss company has been apparently forced to provide details of a user who is under investigation by police in another country? I'm curious about the way that actually works, that a Swiss court receives a request from a foreign police force and a private company has no recourse to refuse or appeal the resulting order. Seems a bit weird to me, although I don't know a lot about the legal system there.


Cases like this always remind me this XKCD:

https://xkcd.com/538/

Technology people always want to imagine that technology will save/deceive them.

Imagine a situation where some "enemy of the state" is using some "secure" service like "securomail" or similar.

Is it hard to imagine Police/Interpol/KGB coming to the offices of "securomail" and demanding providing IP addresses, no longer encrypting, installing malware for this particular user, etc? Or else all the C-level of "securomail" are "helping the enemy of the state" with all the consequences.

There is always this "5$ wrench human layer" which no technology will protect from.


"By default, we do not keep any IP logs" obviously means "We MAY keep IP logs"... I don't know how people read it as simply "We do not keep IP logs". It's on you if you choose to use it and get busted doing something illegal with it. Protonmail is not or should not be a safehouse for criminals.


For those using Tor, the Onion v3 address is

    protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion


It seems that they were compelled by Swiss authorities to start logging a particular user (i.e., logging their IPs which were not logged by default). ProtonMail seems like a very bad actor in that case. Even if they have to obey that order, they could have prevented the user explicitly before doing so.



Is Javascript required to sign up or use ProtonMail.

https://www.wired.com/2015/10/mr-robot-uses-protonmail-still...


No, you can use any SMTP/IMAP/POP3 capable client instead of using their web interface.

https://protonmail.com/support/knowledge-base/imap-smtp-and-...

But you are still making an IP connection. JS/no JS is not relevant to this discussion.


You can disable the recording of login sessions in Protonmail's settings dashboard. I do that, not only to avoid Protonmail learning from the logs, but also to avoid a hacker who, upon breaching your account, also gets to learn the IP you use to log in with.


Thanks, I had "Basic" on and turned it completely off. This should be Disabled by default. I created a new account to see what the default is (it's Basic): https://news.ycombinator.com/item?id=28428092


You're better off using some service in China that does log IPs if you're not living in China (not being part of the five eyes anglo sphere is the goal) and vice versa if you are living in China. Security via sovereign obscurity.


It seems the lesson here is to always use a VPN (or Tor) if you're under such threat.


and the lesson here is that everyone who called out Protonmail for being sus (suspect) on signup was correct.

try using Tor to create a protonmail account and they require both javascript and a phone number.

yeh yeh client side encryption requires javascript, but seems better to just have an unlinked email that can be read server side and there are plenty of Tor-only email providers for that.

phone number under an "anti-spam" guise is just suspect.


I don't think that ProtonMail complying with the law here is in any way the problem. They simply have to.

However, in this case just as in a few other ones before this one, it has become pretty clear to me that ProtonMail's marketing is deceptive at best and in a few cases some of their claims are just blatantly not true.

What surprised me most is that when I pointed this out in the past, I was immediately attacked by what appeared to be Apple-style fanboys, who would not stand by anyone criticizing ProtonMail.

To this day I'm not so sure if that was just the genuinely zealous behavior of a few deranged individuals, or if it might have been a concerted commercial effort at damage control.

Either way, to me ProtonMail certainly is not what it claims to be (if not explicitly then at least implied). To me it's just another commercial entity trying to make a profit by tapping a relative niche market while convincing gullible people they are something they actually are not, in any way that will make them a bigger profit. Nothing really shocking about that, and mostly just standard behavior for any other modern commercial entity operating within a capitalistic economy.


Honestly, as soon as I saw ProtonMail was all implemented in JS, I ran for the hills.


ProtonMail did everything they legally can to protect privacy. The user must do the rest (like use Tor).

They don't log IP, but if ordered they have to. They can't choose what criminal cases are sufficient. They have to follow the law.




The only good answer to this is end-to-end encryption, keys held by the individuals, and full decentralization. You must not put your private communications into the hands of any company, as great as they are.


Activists challenging their governments should use services hosted outside the jurisdiction where they live. Europeans should use Russian or maybe American services and vice versa. And encrypt in transit.


So what exactly did the activists do which required an interpol notice?


I was wondering the same, it's in the twitter thread, they apparently just squatted in protest:

> "Where can I read more about this? What was the alleged crime?"

>> "Organizing a climate camp. Some links (in French)..."

So either something else is missing, or investigations are biasedly heavy handed on these cases?


Everyone in this thread is missing the real context and the information that has been coming out in the past 24h of the case. Read more here: https://www.reddit.com/r/ProtonMail/comments/pil6xi/climate_...

TLDR:

1. Protonmail received a Swiss legal request that was based on proven legal grounds and thus had to comply with it.

2. They started monitoring the user's account and informed them that their data was requested. (Informing is required by Swiss law)

3. The only data Protonmail keeps by default is the account creation date. Now they also logged the IP of the tracked account.

4. This IP information was given to the Swiss authorities.

5. The Swiss authorities gave this information to Interpol.

What should Protonmail have done differently here?


Is anything actually known about what he is charged with? It seems totally possible that he has committed a crime unrelated or semi-related to his climate activism.


looking at the original source (in French at https://secoursrouge.org/france-suisse-securite-it-protonmai...), it seems it's more anti gentrification protesters than climate activists as indicated by the title on HN


Protonmail is a company that was started by people cashing in on the CERN and Switzerland brands, not a company started by privacy activists.


And, as with hushmail about a decade ago, people will eventually learn that web mail clients cannot provide magic security.


Anyone up for creating a competing service? We could host the service in a country with proper privacy laws like Iceland.


If you create, they will come.


Happy user of posteo here which claims to strip IP addresses and there IS no relation between accounts and payments. All government requests are transparently documented.

The web interface is roundcube, but if you just use IMAP, it could work for you.

No custom domains though for sending stuff, catch all redirects obviously work.

https://posteo.de/en/site/transparency_report


i'm swiss. i think it's interesting to contemplate that, in 2021, being a pacific climate activist, namely sitting in front of a bank with massive investments in fossil fuels or that sort of thing to attract attention to the science, will result in you getting the full treatment reserved for terrorists.


Run. Your. Own. Email. Servers.

Please.

That's the only way to keep this specific part of the decentralised by design, old internet alive.


metadata, metadata, metadata… things we all like to ignore, especially those selling privacy in a bottle…


> Now, of course Protonmail has to comply with Swiss law

Do they though? What about even less friendly states?


I'm looking forward to the day where email is not mistakenly used for clandestine communication.

Why hasn't a Tor-only, store-and-forward, text-only communication app been made? You'd think this would be a no-brainer for communities that need real private communications.


I've always said never trust PM. See Cryptome for more info.

Also, their VPN...


I'm surprised nobody questions why the police did that. A climate activist doesn't sound like someone who requires strong police investigation. And, for that matter, not that strong since the police didn't read the content of the emails but merely used one IP address.

But here, it's not climate activist. It's people illegally occupying private properties, iow squatting. They do it for political reasons, fine, but it's illegal nonetheless.

Also, I'm a bit surprised that these are climate activist at work here since gentrification (the process they fight against by squatting) is not really a climate issue but more a problem (as I read it) of capitalism.

(now I understand the whole issue down here revolves around disclosure of expected-to-be-protected information, but well, there's a big picture too...)


Is Europol legitimized to do that? If so, I think there needs to be a discussion because I don't believe they have any mandate whatsoever. It is basically a criminal organisation because there is no accountability.


I'm also a proton mail user. It sounds like you have privacy as long as you don't break any European law. That's certainly not the "Swiss bunker" style of service I was expecting


I think Mullvad's approach is best. Choose a solid provider, handle encryption yourself. Mullvad use Gmail.

https://mullvad.net/en/help/using-encrypted-email/


The crime of the person arrested seems to be squatting a building in paris. The title was probably chosen with good intentions, but when I read climate activist, I imagined he committed violence.


Pretty sure it says right on their site that protonmail/vpn cooperate with law enforcement when "something obviously illegal" is claimed. They have thousands of cases they give data on every year. The whole "swedish court system" is marketing. If they were legitimate they'd be talking about data center black boxes, why they were funded by NSA interests, how things actually work.

My bet is this: proton can't actually afford to defend against thousands of court cases, so they comply. They can't afford for their service to look insecure, so they're selective in divulging how much surveillance they have to comply with.


okay.

so today we are redefining what "not logging data" means. it changes meaning when used in the same sentence as the expression "by default". so by default, not logging data is not really not logging data.

we've redefined quite a few things in the past few months. will be interesting to see where we go from here.


It has not really changed meaning. Asshole companies blatantly lying and using dark patterns only means one thing: that the company is a piece of trash and does not respect their customers.


Problem is not with ProtonMail. Problem is with the government arresting people for this type of action.


What are good alternatives?


I’m aware that this is a very silly sounding question, but I’m very confused about what’s going on here.

If the subject of this investigation had been using ProtonVPN to connect to ProtonMail, would this have (in a marginal way) protected their anonymity? If ProtonMail can be compelled to begin logging, surely the same must be said of ProtonVPN right?

It’s interesting how many “privacy focused” companies tout being based in Switzerland as some big badge of honor, which a layman consumer such as myself is supposed to be really impressed by due to the overall reputation of “Swiss privacy laws.”

In practice, I’ve never been to Switzerland. I don’t know any person that has had any legal issues there, let alone someone that’s litigated a digital privacy case there. I do not speak German or French, and don’t know where to start when it comes to looking up specific cases or court proceedings, so I’d be extremely slow on the uptake of the actual ins and outs of how the Swiss privacy model works from a practical standpoint.

The “based in Switzerland” thing strikes me as a bit of a black box bit of marketing speak. How much time, energy and money did ProtonMail expend fighting this surreptitious logging mandate? Does “Swiss privacy” actually mean anything if ProtonMail is happy to hand over your IP address when spooked?


I used to work for a now defunct Swiss company that had “Swiss quality, security and privacy” plastered all over the website and marketing materials. The number of actual Swiss people on the team could be counted on one hand, the rest of the developers being from every European country out there, with the most represented ones being Ukraine and Romania. And from talking with my coworkers, the situation is the same across other Swiss IT companies.

I would not pay any attention to the “Swiss X” marketing.


Almost every company in Switzerland that produces software has a bunch of eastern Europeans on the payroll, that either immigrated to the country or work remotely. But if the company started in Switzerland, or management and especially senior devs are based in Switzerland, I feel like that's good enough to apply the "Swiss quality" marketing because the Swiss _do_ have high standards and expected high quality of work produced.


So, you are complaining that they had immigrants working for them? They are part of the EU free movement region, so that is hardly surprising. Immigrants on the payroll don't change whether or not a company is Swiss.

Were they inside the country? Were they also subject to Swiss laws? Aren't these the things that would make a company Swiss? Even if the company was started by a person that isn't Swiss, I'm pretty sure it is still a Swiss company if it is initially located in Switzerland and governed by Swiss laws.


I am not complaining about the company hiring immigrants and allowing remote work across the Europe. I just haven't seen anything inherently Swiss in it, anything different from any other European company I worked for, that would justify the "Swiss quality" marketing.


Then why would you bring up the nationalities of the folks working there instead of pointing out things about the quality that you find lacking as compared to the advertising?

There wasn't any of that there. The only detail in the complaint was about the non-Swiss folks working there. And I really, really don't understand how it just isn't low-key racism. Could you explain it better for me?


The comment (and what people expect of a "Swiss product") was about the local/national law environment, which certainly always holds true (for better or worse). "Created by Swiss people" as a feature would be rather meaningless in the modern world.


"Crypto AG was a Swiss company specialising in communications and information security. It was secretly jointly owned by the American Central Intelligence Agency (CIA) and West German Federal Intelligence Service (BND) from 1970 until about 1993, with CIA continuing as sole owner until about 2018."

https://en.wikipedia.org/wiki/Crypto_AG


> The “based in Switzerland” thing strikes me as a bit of a black box bit of marketing speak. How much time, energy and money did ProtonMail expend fighting this surreptitious logging mandate? Does “Swiss privacy” actually mean anything if ProtonMail is happy to hand over your IP address when spooked?

it does not; witness the swiss banking system's capitulation to the US, crypto AG, etc


Swiss banking was doing business in the US on US soil, they didn’t capitulate, they greedily extended beyond swiss borders and got caught helping foreign people evade their taxes with employees outside swiss borders.


As far as I know, Swiss laws regarding online privacy aren’t all that great. They’re even more regressive than other countries. Swiss quality doesn’t mean much in software, if anything most Swiss companies are very much behind in terms of best practices or modernity of software. Whenever I see “Swiss software quality”, I run the other way now that I know how the sauce is made.

Even the government sucks at online security, see the debacle of the city of Rolle and the cyberattack they suffered last month. If this is not pure ignorance and incompetence, I don’t know what is.

Not even mentioning several “made in Switzerland” software company whose only claim to Swissness is that they have an office with two people in Switzerland and all the rest are European or Indian contractors (not that these people are worse, just that it’s a marketing thing to tout Swiss software if you’re going to outsource 90% of your development offshore)

Most of the time, claiming Swiss anything is a marketing move and an excuse to justify charging much much more for something.


I don't have any opinion about "made in Switzerland" for software (other than that it does make a good impression for my customers), but anecdotally (at least when shopping within Switzerland) I have noticed that the "made in Switzerland" stuff at the store is better quality. And sure it's more expensive, but all the crap products are expensive too.


Yes, I’m taking about software, mostly. Switzerland is pretty good at machinery, or watches. But not software; it doesn’t necessarily carry over.


Shhh, the entire country runs on similar myths, most prominently banking. But then, all that the common man is capable of understanding is myths, sooo ...


I'm Swiss and I volunteer for an organisation called Digital Society Switzerland. Although much smaller (and less powerful) we are similar to what the EFF is doing but on a national level.

I can only confirm your doubts about the "Swiss privacy laws". The current laws in Switzerland are very weak (at least compared to the GDPR) and it has powerful surveillance laws in place (6 months data retention for telecommunication data, mass surveillance of internet traffic entering and leaving the country). If at all, being based in Switzerland as a privacy friendly company is rather a risk than giving you a "badge of honor".

I can only speculate where this myth and reputation of "Swiss privacy laws" is coming from. I guess it is related to the bank secret we had in place for a long time: It allowed you to own a bank account anonymously. While many states (especially the US) protested strongly (and for good reasons), it gave Switzerland an aura of discretion.


Completely unrelated, the only company I know of that deserves the "it's Swiss so it must be top notch" is Victorinox, their pocket knives and multitools are second to none quality wise.


> It’s interesting how many “privacy focused” companies tout being based in Switzerland as some big badge of honor, which a layman consumer such as myself is supposed to be really impressed by due to the overall reputation of “Swiss privacy laws.”

I believe it comes about due to the old trope of Swiss banks being the most secure places to hide money, which of course is not true and hasn't been for a long time. Even in that period, I am sure they complied with Interpol/Europol requests to divulge account details of evil masterminds with a beeellion dollars hidden away in a Swiss vault.


For me, I NEVER expect protection from any government authorities. They have unlimited resources (compared to a regular person), and you can't fight city hall, as the saying goes.

The reason I use tutanota (similar to protonmail) is to stop the Googles and Yahoos and hotmails from scanning all of my emails, using them to advertise to me, selling the information to advertisers. Could you imagine if the US post office opened up all your mail, read it, and sold this information to anyone who asked? Preposterous. And kept track of and sold who you send stuff to and who you receive info from? Of course, if the government decided to monitor your regular mail, they could. Fine. Nothing anyone can do about that. But at least the USPS doesn't read everything you send and sell that info to commercial entities.

So, that is why I use those types of services. I don't want to be anywhere near Googlemail, or Yahoomail, or Hotmail, etc.


This, 100%. I think Protonmail gives people a false sense of security. I want to protect myself from companies that collect my data to profile me and sell that profile to people with money who want to manipulate me (aka advertisers). All of the parties I communicate with via email use more insecure providers, so even if Protonmail was perfectly secure, my emails are vulnerable anyway. I think it's important to keep in mind that the providers you're sending email to also have the ability to scan those emails and profile you based on them. As an additional layer of protection from this profiling, it's helpful to use a wildcard alias both when sending and receiving mail to make it harder (but not impossible) for third parties to build a single profile of you.

Personally, I've switched from Protonmail to Fastmail. Yes, Fastmail is in Australia, which has draconian state surveillance laws and will comply with state requests for your data and share it with other countries. But you can't assume that any other email provider won't, as evidenced by what Protonmail just did. And Fastmail has better features for protecting you from being profiled, such as unlimited wildcard aliases, and the ability to create filters and deactivate aliases directly from incoming messages, in addition to a far better overall email experience.


Well, it only gives a false sense of security to people who are not paying attention. It literally says that it will give information to governments with a valid search warrant. They have never hidden that, ever. While, yes, it is true that if you send an email to a gmail, yahoo mail, hotmail, etc, those companies don't have access to all of your emails. That's the best one can hope for. They can't read my payments to the company that I lease my office from, my payments to my VOIP provider, etc. I agree with using multiple emails - I must have 8 or 10 of them. And not for nothing. One I use for only personal friends and acquaintances, so I don't get junk emails, one for only personal business accounts, one for my business accounts, some for general information, one I use as junk email when I have to fill in an email and don't know if I want to use that service, etc. And most of them are email names like YRV782SQLN483@hotmail.com.

You are right about Protonmail and Fastmail giving up info to legit governmental agency subpoenas. It's just obvious. Any company will do this, no matter what.

I chose tutanota after an extensive search, because I don't want aliases, I want completely separate email accounts, because if you have aliases, they all still come to the same exact account and I would still have to wade through all the emails. The filters really don't do it for me personally.

And tutanota was the least expensive option that I found. Emails are only $1 per month - $12 per year, while Protonmail is $5 per month after the first email address, at least that is what I remembered at the time. So that is 500% more in cost. So if I have Protonmail, it would cost me $240 per year (if paid annually, otherwise more if paid monthly) for 5 extra email accounts, while tutanota is $60 per year.


Double FYI, the USPS does sell personal data when you do a change-of-address:

https://www.forbes.com/sites/adamtanner/2013/07/08/how-the-p...


Right. But I'm talking about opening your letters, scanning them into a computer, and selling that information.

I personally don't fill out the change of address forms.


Yeah, the USPS cannot open your mail without a warrant, which is a pretty nice assurance to have. That would be pretty bad if it was how you described, all the more reason for us to make sure the USPS stays around :)

Edit: Note, this is a "nice assurance to have" because private shipping companies generally reserve the right to open anything that they are shipping.


Right. And that would be my point. Why do people use gmail and yahoomail, etc., when they have permanent records of every single word you write, but people would be outraged if the USPS scanned every piece of mail contents and sold it to advertisers?

And again, with private shipping companies, it's not like they are going to open 100% of everything. But the large email companies can, and have it forever. Can look at it 10 years from now, if they choose.



Does not negate what I said. I said that the USPS does not open your mail, scan it, and sell it to the highest bidder. And, actually, the article you linked to only gives that information to government entities, which, in my post, I said that you should not worry about the government, because they have infinite resources compared to the average person.

So not too sure on your point that you're trying to make. Yeah, if there's a subpoena, I'm sure the government could open and read every single piece of mail you send or receive, but that's what I said.

But, Google or Yahoo or Facebook is not going to have access to this information. But they will if you use their email system. Why do you think they offer it for free? Through the generosity of Sergey Brin and Larry Page's black, black hearts?


> to stop the Googles and Yahoos and hotmails from scanning all of my emails, using them to advertise to me, selling the information to advertisers.

They don't sell your information to advertisers. So your threat model here is factually false.


[flagged]


We've banned this account for repeatedly breaking the site guidelines, such as by using HN primarily for political battle, flamewar comments, name-calling, and personal attacks.

If you don't want to be banned, you're welcome to email hn@ycombinator.com and give us reason to believe that you'll follow the rules in the future. They're here: https://news.ycombinator.com/newsguidelines.html.


From the article:

"And companies like Google shouldn’t be able to monetize data they collect without consent even if they aren’t technically “selling” it. Data collection, use, and sharing should be minimized by default."

If you meant "selling the information" more broadly as EFF used it here (which I think is not an unreasonable way ultimately, just not what most people would commonly understand the phrase as), then please next time clarify. As EFF had to clarify in their article, that's not what most people understand that phrase as. If you want to avoid confusion, it would be clearer if you say "you don't want your data monetized".


OK, fine, maybe I was being a touch hyperbolic. But really, the thing is - they keep your information for forever. It's on their hard drives. There's no guarantee that what they say today, won't change tomorrow, or in 2 years, or 5 years. That's the real creepy part for me.


This is seriously messed up. Purely because their marketing has been very aggressive in promoting total and complete anonymity, directly sometimes and mostly indirectly. If it's true that the French wording makes it seem like they don't keep logs at all whatsoever, then I believe the person arrested has grounds to sue them, and I would hope they do. But even if not, I consider their marketing a total and complete dark pattern from now on imo.

Tremendously disappointed.

What’s next? Is ddg selling search data to google?


Generally speaking, it is wise to assume that any entity under which trust is centralized is far easier for a government to persuade. At least DuckDuckGo is friendly to Tor.


Don't trust DDG.


I knew they were snitches


"We won't store your IP, except when it's sought by the government, which is the only reason you'd ever realistically pay for a service that doesn't store your IP."

Brilliant!


Even if ProtonMail had not stored this data, it could easily have been collected, legally or not, from the ISP(s) providing Proton with their internet access.
