
We do not kill people except the people we kill

I see that you want to protect Protonmail, but if they want to stop being misleading they can just remove the IP log sentence.




Put "By default we don't keep IP, but may be required to by local laws. We suggest you connect to Protonmail through Tor".

I would much prefer this, as a Protonmail paying customer.


Tor helps, but is not especially robust against state-level actors / APTs. An actor running a sufficient number of entry/exit nodes could perform at least some traffic analysis.

Tor is an improvement. It's still a limited tool.


It would have absolutely prevented this person from getting identified. It looks like some kids doing a climate protest.

I can't help but read your post in Comic Book Guy's voice.


In comic-book voice, then: what would an intelligence agency or police force's response to a suspect known to be using Tor be?

Traffic analysis, at a cost, could establish that the suspect is using Tor.

TorMetrics shows slightly more than 1,250 currently-running Tor exit nodes. I'll presume this is typical; history shows it's pretty consistent over the past 3 months.

https://metrics.torproject.org/relayflags.html?start=2021-06...

I'm going to presume that a court could conceivably issue an order to log all Tor-based traffic. A state actor / APT might then be able to correlate a known IP and traffic at a given point in time with other data to identify a source IP. This might be combined with other measures to encourage circuit-jumping until the suspect is on a specific known or monitored Tor circuit.

Yes, costs increase. I don't see this as technically infeasible, however.

Might not be rolled out just for a house-squatter, however.


Yeah, what you outline means Tor is Swiss cheese (ha, ha, long game pun), when it comes to traffic analysis. Are all the IPs for Paris to Tor being logged at the ISP level? You bet!

Frankly, I don't think anyone is safe from the tip of a nation state, even small ones. But I do think we should protect everyone else and Tor would have done that.

Because this was clearly civil disobedience and that is what we really should be protecting.

https://www.cactusvpn.com/vpn/is-tor-safe/


Agreed on goals. Tor undoubtedly helps, and even where it fails, the raised costs are themselves a win for the pro-privacy crowd.

Just ... don't think it's a majykal bullet. It's not. Tradecraft matters, vulnerabilities exist. Examine and review your threat models.


No it’s not bulletproof but there isn’t really any other network with the same availability which would protect against a targeted and sustained analysis.

Even if a nation state was targeting you, it would still take months for a timing/bandwidth attack to identify a user. Even then it would only provide your adversary a probability of certainty and requires consistent traffic from the victim through a compromised exit node.

No system is 100% perfect but Tor will make most attacks prohibitively expensive.


Probabilities factored in with other data can be exceedingly useful.

Remember: all you need is 33 bits.


In discussion with Christine Webber on Mastodon: Onion services, rather than simply using Tor as a transit service, offer far more protection.

Here, data enter the Tor system, but don't leave it as the onion service itself has a Tor address.

Yes, traffic analysis and timing correlations may still be used to draw inferences, but again, costs are raised, and that's the critical factor.


I mean they are misleading insofar as you want them to...

I'm a privacy activist and certainly think that a company should be able to not keep logs. If the law in the country they are in (or area, see for example the data retention directive in the EU) we should of course (and I am) work to change those laws.

It should come as no surprise to anyone who is privacy minded and actively seeks out privacy focused services that are located within the EU or Switzerland that your IP (or other information) can be requested with a warrant and that a company is required to hand that over.


As a privacy activist, what's productive about arguing that Protonmail shouldn't need to make a greater effort to pound into their customers' heads exactly what you just explained?

I get that you think people should already know this, but do you feel they should be punished for not already knowing this, and not reminded by a company that markets itself on protecting its users? Protonmail was forced to get an IP address, but they're not forced to keep the fact that they respond to warrants a big secret.

Not everybody who is an activist is a big techie, or even computer-literate.


They clearly spell out in their privacy policy that they respond to warrants....

> We will only disclose the limited user data we possess if we are instructed to do so by a fully binding request coming from the competent Swiss authorities (legal obligation). While we may comply with electronically delivered notices (see exceptions below), the disclosed data can only be used in court after we have received an original copy of the court order by registered post or in person, and provide a formal response.

It would also be nice if they were allowed to notify the customer but I'm not familiar enough with Swiss laws to know if they can.


It's not misleading in that many services do keep records by default. If people don't understand what default means, they should grow their understanding, not be outraged that their uninformed opinion was wrong.


Default means "we do whatever the fuck we want, any assumptions are your fault"


I'm pretty sure it means that both the user and the company are bound by the terms of service and privacy policy that clearly spell out that they comply with legal warrants (from Swiss authorities) and provide the limited data that they are asked for if they have it (IPs being one such thing).



