One of the first sentences on their website is "By default, we do not keep any IP logs". If as soon as police show up (which is almost the only case that people would want their IP hidden) they give IP logs, it is clearly false advertising. The fact that only the anonymous feature is important to you will not change the fact that they do the opposite of what they advertise regarding IP logs.
So also a proton customer here. "By default we do not keep any IP logs" and this case does not seem like the default? Seems like they were required by law to log and turn over this specific IP? (Of course I haven't seen the actual case but I would assume that meant a warrant.)
As a user, I'd take that to mean that they wouldn't keep any IP logs unless I turned logging on. I wouldn't expect that they would enable logging on their own.
Interestingly, ProtonMail's privacy policy lists a number of cases in which they may log your IP address permanently (including if you breach their Terms and Conditions). But a request from law enforcement is not one of them.
Use of the service for any “unlawful or prohibited activities” violates the TOS, so if law enforcement has evidence of that (which they may), then PM has a clear right to log IP.
Is that so? I thought, if one violates the TOS, the other side may terminate the service. I did not know they then had the automatic right to log data suitable for tracking and identification.
A user with the intent to engage in unlawful activities should read the terms of service in full. If that user only reads the homepage of the service, without understanding the implication of each word, and does not bother to review the terms in detail, that is on him.
Moreover, I would like to point out that ProtonMail is about encryption of email *content*. It is foolish to expect more from them. They won't protect your identity: law enforcement can know who you are and who you communicate with, but they cannot know the content of your emails (if your recipient uses encryption services as well).
Tor helps, but is not especially robust against state-level actors / APTs. An actor running a sufficient number of entry/exit nodes could perform at least some traffic analysis.
In comic-book voice, then: what would an intelligence agency or police force's response to a suspect known to be using Tor be?
Traffic analysis, at a cost, could establish that the suspect is using Tor.
TorMetrics shows slightly more than 1,250 currently-running Tor exit nodes. I'll presume this is typical; history shows it's pretty consistent over the past 3 months.
I'm going to presume that a court could conceivably issue an order to log all Tor-based traffic. A state actor / APT might then be able to correlate a known IP and traffic at a given point in time with other data to identify a source IP. This might be combined with other measures to encourage circuit-jumping until the suspect is on a specific known or monitored Tor circuit.
Yes, costs increase. I don't see this as technically infeasible, however.
Might not be rolled out just for a house-squatter, however.
Yeah, what you outline means Tor is Swiss cheese (ha, ha, long game pun), when it comes to traffic analysis. Are all the IPs for Paris to Tor being logged at the ISP level? You bet!
Frankly, I don't think anyone is safe from the tip of a nation state, even small ones. But I do think we should protect everyone else and Tor would have done that.
Because this was clearly civil disobedience and that is what we really should be protecting.
No it’s not bulletproof but there isn’t really any other network with the same availability which would protect against a targeted and sustained analysis.
Even if a nation state was targeting you, it would still take months for a timing/bandwidth attack to identify a user. Even then it would only provide your adversary a probability of certainty and requires consistent traffic from the victim through a compromised exit node.
No system is 100% perfect but tor will make most attacks prohibitively expensive.
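The timing/bandwidth correlation the comments above describe can be made concrete with a small simulation. This is an added example for this thread, not code from any poster or from the Tor project: it generates synthetic bursty traffic, replays one flow through a simulated relay (fixed latency, jitter, packet loss), mixes it among unrelated decoy flows, and then ranks the exit-side flows by lagged cross-correlation of their packet-timing histograms against the entry-side flow. The bin width, latency and jitter figures are assumptions chosen for illustration. The output is a correlation score, i.e. a likelihood ranking rather than proof, which is the point made about "a probability of certainty" above.

```python
"""Timing-correlation demo for an observer who sees packet timestamps on
both the client's link into Tor and on a monitored exit, but no content.

Added example for this thread (not any poster's code). All traffic is
synthetic and generated inline; latency/jitter/bin sizes are assumptions.
"""
import random

BIN_MS = 100          # histogram bin width in ms (assumption)
WINDOW_MS = 60_000    # observation window: 60 s of traffic (assumption)


def make_flow(rng, n_bursts, window_ms=WINDOW_MS):
    """Random bursty flow: sorted packet timestamps (ms) inside the window."""
    ts = []
    for _ in range(n_bursts):
        start = rng.uniform(0, window_ms)
        for _ in range(rng.randint(3, 12)):      # 3..12 packets per burst
            ts.append(start + rng.expovariate(1 / 20.0))  # ~20 ms gaps
    return sorted(t for t in ts if t < window_ms)


def relay(rng, flow, latency_ms=250.0, jitter_ms=40.0, drop=0.02):
    """The same flow as seen at the exit: added latency, jitter and loss."""
    out = []
    for t in flow:
        if rng.random() < drop:                   # occasional packet loss
            continue
        out.append(t + latency_ms + rng.gauss(0, jitter_ms))
    return sorted(out)


def histogram(flow, bin_ms=BIN_MS, window_ms=WINDOW_MS):
    """Packets per time bin; packets pushed past the window are ignored."""
    nbins = window_ms // bin_ms
    bins = [0] * nbins
    for t in flow:
        i = int(t // bin_ms)
        if 0 <= i < nbins:
            bins[i] += 1
    return bins


def pearson(a, b):
    """Pearson correlation of two equal-length integer sequences."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return cov / ((va * vb) ** 0.5) if va and vb else 0.0


def best_lagged_correlation(entry_hist, exit_hist, max_lag_bins=10):
    """Max correlation over candidate lags (exit is delayed w.r.t. entry)."""
    best = -1.0
    for lag in range(max_lag_bins + 1):
        r = pearson(entry_hist[: len(entry_hist) - lag], exit_hist[lag:])
        best = max(best, r)
    return best


def rank_exit_flows(entry_flow, exit_flows):
    """Return [(exit_index, score)] sorted from most to least likely match."""
    h_entry = histogram(entry_flow)
    scores = [(i, best_lagged_correlation(h_entry, histogram(f)))
              for i, f in enumerate(exit_flows)]
    return sorted(scores, key=lambda s: s[1], reverse=True)


def demo(seed=7, n_decoys=20):
    """Hide the relayed target flow among decoys and try to pick it out.

    Returns (true_index, ranking) so a caller can check the result."""
    rng = random.Random(seed)
    target_entry = make_flow(rng, n_bursts=40)
    exits = [make_flow(rng, n_bursts=40) for _ in range(n_decoys)]
    true_index = rng.randrange(n_decoys + 1)
    exits.insert(true_index, relay(rng, target_entry))
    return true_index, rank_exit_flows(target_entry, exits)


if __name__ == "__main__":
    true_index, ranking = demo()
    print("true exit index:", true_index)
    for idx, score in ranking[:5]:
        print(f"exit {idx:2d}  correlation {score:.3f}")
```

The margin between the top score and the decoys is what an analyst would actually look at; with more decoys, shorter windows, or traffic padding the gap shrinks, which is why such an attack yields a candidate list with confidence levels rather than a single certain answer, and why it is expensive to run at scale.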
I mean they are misleading in so far you want them to...
I'm a privacy activist and certainly think that a company should be able to not keep logs. If the law in the country they are in (or area, see for example the data retention directive in the EU) we should of course (and I am) work to change those laws.
It should come as no surprise to anyone who is privacy minded and actively seeks out privacy focused services that are located within the EU or Switzerland that your IP (or other information) can be requested with a warrant and that a company is required to hand that over.
As a privacy activist, what's productive about arguing that protonmail shouldn't need to make a greater effort to pound into their customers' heads exactly what you just explained?
I get that you think people should already know this, but do you feel they should be punished for not already knowing this, and not reminded by a company that markets itself on protecting its users? Protonmail was forced to get an IP address, but they're not forced to keep the fact that they respond to warrants a big secret.
Not everybody who is an activist is a big techie, or even computer-literate.
They clearly spell out in their privacy policy that they respond to warrants....
> We will only disclose the limited user data we possess if we are instructed to do so by a fully binding request coming from the competent Swiss authorities (legal obligation). While we may comply with electronically delivered notices (see exceptions below), the disclosed data can only be used in court after we have received an original copy of the court order by registered post or in person, and provide a formal response.
It would also be nice if they were allowed to notify the customer but I'm not familiar enough with Swiss laws to know if they can.
It's not misleading in that many services do keep records by default. If people don't understand what default means, they should grow their understanding, not be outraged that their uninformed opinion was wrong.
I'm pretty sure it means that both the user and the company are bound by the terms of service and privacy policy that clearly spells out that they comply with legal warrants (from Swiss authorities) and provide the limited data that they are asked for if they have it (IPs being one such thing).
That your emails are supposedly stored encrypted, that if other services support it end-to-end email encryption supposedly can be enabled easily, and that supposedly you cannot be served targeted ads because they cannot read the contents of your email (not that they have ads anyway).
Of course Protonmail is accessible via Tor. Not that you should need to do that to remain private.
> That your emails are supposedly stored encrypted, that if other services support it end-to-end email encryption supposedly can be enabled easily, and that supposedly you cannot be served targeted ads because they cannot read the contents of your email (not that they have ads anyway).
That's an interesting point, but I'd contend there is a difference between scanning for known virus patterns vs. feeding your email into ML algorithms to do God knows what with.
If someone comes to Google, asking for the content of someone's email, is Google technically unable to provide that information for past emails?
Because I am aware of no reason to think that Google stores my gmail with zero access. I don't know for a fact that ProtonMail discards this information at the earliest opportunity nor do I know for a fact that they don't try to aggregate it to learn about you (or even people in general), but that is what I interpreted the pitch as.
But, look, of course if they get a subpoena they will have to start scanning your email if they are technically able to collect it. That's just a wiretap, and little would prevent the author and operator of the server software from doing whatever they want... and they're clear that if you aren't sending email between two compatible accounts that there is no E2EE.
We can talk about how they should have been clearer about the need to use Tor to avoid IP logging (even if they don't do it, someone between you and ProtonMail certainly could). That's a good idea. But they are actually very clear that E2EE with your email is not what you should expect in general. And I don't think they have much incentive to scan my email from unencrypted sources to do anything nefarious, but I don't think anyone has any ability to prove they do or don't at present.
End-to-end encrypted emails, not massive collection of metadata to build advertising profiles, and, maybe this will sound strange, but I wanted to pay for these services because I want to show everyone that there is a paying market and you don't have to rely on advertising to be profitable in this space.
No service is capable of completely hiding IPs and still getting you the data. If your "threat model" includes hiding from Western governments, I'd recommend not using the internet.
I never said it didn't matter. I think the data retention laws and for what crimes the police are able to get certain warrants in the EU and Switzerland can be better.
But that is not a proton issue that is an issue with our current governments.
Ah I see. It's an issue for my use of Protonmail, in that I may cancel and move to another vendor who is more forthright. Here's what I would expect my future vendor to say about this:
"Hey, we respect your needs. However, we have to tell you that you should treat us as a bit of an adversary. We will do what we can as a private company, but ultimately we can be compelled by the government, rogue employee, or if somehow we get hacked. This is the case for any company no matter what they promise or avoid telling you. We do tell you. As our customer, here's what we recommend you do: Use Tor, fund open source, vote, etc."
> It's an issue for my use of Protonmail, in that I may cancel and move to another vendor who is more forthright
You’re telling us that you never considered that an incorporated company, bound by democratic laws, would be required to respond to criminal activity warrants?
What fantasy land do HNers on this thread live in?
>If as soon as police show up (Which is almost the only case that people would want their IP hidden) they give IP logs, it is clearly false advertising
Is there any evidence this is what happened?
An alternate scenario is that they were not keeping logs, and were then compelled by the authorities to start keeping them on that user.
No. With on-demand logging, they can find the owner of the account (assuming he doesn't take further measures), but you can't retroactively prove someone used that account to do something at a specific time. For example, you could not prove that the individual was logged in at internet cafe xy near the time of the crime. Also, an opsec mishap (such as logging in without protection) will not be fatal unless you're already under surveillance.
I'm not taking sides on privacy or the threat of govt (or other sourced) tyranny, I'm just explaining the logic to answer your question:
Let's say you engaged in a long history of using protonmail innocently, then one day you decided to start committing crimes for the first time and attract police interest. You would know that your historical logs were not kept, and it was only after you started attracting police attention that you would be at risk of incriminating yourself through proton mail. Maybe, on the run from the law, it would be safe for you to hide at your old friend's house because there was no log to link you to him.
Yes, it is also the case that you may not have realized that ordinary behavior had been criminalized by an evil govt all along blah blah blah... I'm just pointing out that there is a difference where you saw none.
No history of when you logged in from where and, possibly, plausible deniability about you being the only user of that account (though you'd probably need to prepare for this to be believable).
I mean it's either this or traffic analysis. If you use your clearnet IP address to do illegal things, it's nothing more than reasonable that you can get in trouble for it.
This is also why I don't get protonmail in the first place. Unless you use pgp or equivalent, you'll always be subject to law enforcement. Just that protonmail cares more and caters more to activists and so might not give it out without checking that the asker is really legit and then give the minimal amount possible. But they'll always be able to turn over your emails and log IPs, it's not protonmail's fault the laws were voted into action like this.
They tout that off-by-default statement on their homepage, underneath the header of "Anonymous Email," with the closing sentence of "Your privacy comes first."
So why even market that? It provides no meaningful security.
Were _you_ misled by this? Did you really expect a Switzerland-based company not to comply with the law of the land?
There is a difference between "available to police, not retroactively, and only with a valid warrant" and "available to any government agency constantly and in bulk, as well as to data-collecting commercial entities, Russian and Chinese hackers, and their dogs".
Don't you agree?
Really solid explanation of what you’re paying for as a proton customer - and despite this unfortunate situation for the French advocate is why myself and others will continue their paid ProtonMail plans
Fair point. I still don't think they've worded that well enough. I would probably not have read "By default" to have the context of "Unless asked to do so by authorities."
They're not being as transparent as possible in their marketing, which is at odds with their allure of security.
As far as I know, Swiss law does not allow for "secret data collecting orders", unlike US after "Patriot Act".
This is the benefit of being located in Switzerland, where banking is one of the main pillars of the economy and which historically has been much more supportive of personal privacy than most other countries.
They eventually caved under US pressure on some things, so it's not such a "haven" as it used to be, but I believe it is still the country that respects individuals' rights the most.
Not perfect by any means, just better than most others.
Unless you are naive enough to assume that ProtonMail is incapable of logging IP addresses (in which case they'd be incapable of serving HTTP requests...see the problem?) then they can log. And they most certainly aren't going to declare independence from Switzerland and refuse to turn on IP logging when required to by law.
Whereas with E2E-E, they actually are incapable of turning over readable emails.
what other status quo do you expect from them?
Having to provide IP logs after a warrant has been issued is the law in Switzerland (and most if not all of the EU).
Sure, the law would (hopefully) be changed, but at the moment, this is the best they can legally do?
Not necessarily. It's possible that their statement is true that they don't keep IP logs, but the Swiss police showed up with a court order for the equivalent of a US wiretap or pen register, requiring them to begin logging the IP address for that account when it signed in.
I think trusting your security or privacy to website-based email is a bad idea. If the email is being displayed in your browser, then the authorities can coerce the company that owns the website to include JavaScript in that page that sends the plaintext content to them too -- or demand the website's TLS key and start intercepting the traffic that you see.
The only encryption-based security that you can reliably trust is encryption that happens locally on a device you control, and that doesn't involve a web page or website loaded from a 3rd party.
If you want privacy protection with real end-to-end encryption that the government can't get past trivially with court orders, use services where the decryption happens on devices that you own, such as WhatsApp or Signal or iMessage. If you must use email, do the encryption yourself on a hardened Linux distribution like Tails using PGP for email encryption; but this is much harder to set up than the above secure messengers.
I wouldn't say ProtonMail is a scam, but a trivial software change on their server-side would let the authorities see your email every time you do. If they can be compelled to make that change then the "encryption" you're paying for is worth nothing. The next time you sign in, a court-required modified version of their server software can capture your password, and then use whatever key derivation function gives them your encryption key.
This might not even require the company to actively participate. In the case of Snowden and LavaBit email, the US Government demanded LavaBit's TLS certificate so as to intercept the communications themselves at the ISP layer when LavaBit refused to comply with narrower court orders to provide information about his account.
What could police do with ProtonMail's TLS certificate and court authority to intercept and MITM traffic for your account? They can probably capture your password, use that to read all of your old email, and at minimum read your email as you read it. Even if decryption is happening in the browser somehow with JavaScript, that JavaScript is coming from the origin server that the government now controls by virtue of MITMing the traffic with the site's TLS cert, and so they can insert JavaScript that logs a plaintext copy of either the emails or the encryption key needed to decrypt them.
There is no security with web-based communications if the companies involved can be coerced with a court order. US based firms would be required to hand over their TLS cert if they weren't willing to help track someone, and at that point the government could do anything to your traffic.
The only secure encryption happens on your device with no browser involved.
By comparison, if you're using an iPhone, in theory the US Government could try to force Apple to modify WhatsApp/Signal on your phone, or force the app developers to do so. These companies would all fight tooth-and-nail in court against doing so. Plus, you can configure your iPhone to disable automatically updating apps, so once you have a working version of WhatsApp installed, unless Apple has some backdoor ability to push an update of it to your phone anyway, you could turn off app updates and be cautious & picky about when you choose to update WhatsApp or Signal. What I don't know how to do is verify the integrity of their binaries: to confirm that what you're getting is the same app distributed to everyone. Facebook would appeal to SCOTUS before allowing a government to install a backdoor into WhatsApp; so would Apple, based on their response to the government's request to unlock the San Bernardino shooter's phone.
All that being said, if the government's goal is simply to discover your identity, which was the case here, then Signal and WhatsApp won't help you. Their accounts are based on a phone number. If the govt has your phone number then unless it's a burner acquired with no name registration then they'll know who you are, and regardless will be able to find out approximately where you are, if you continue to use that phone number. They can triangulate where you are fairly rapidly with modern technology, and this is assuming that the cell company can't simply send a signal asking the phone for its GPS-based location; but even if the govt only knows your nearest cell towers, narrowing that down to a building is a matter of minutes once they're in the area.
If you need to communicate in a way that keeps your identity a secret then you're probably best off using a free email service over Tor from a machine running Tails Linux, accessed from various locations that provide public wifi.