I wouldn't trust someone else to host my email ID. Get yourself your own domain at porkbun.com, make sure it's a .com or at least a very reliable TLD that won't be going anywhere, and then set up Proton to point to it.
You are no longer locked into any one provider :) You can always transfer your domain and you can always transfer your email host.
I recall a blog post where an attacker got access to the blogger's domain through a social engineering attack on the registrar, and subsequently got access to their emails.
I'm curious if anyone knows the article I'm mentioning and how to prevent such an attack. I couldn't find the article back.
If the social engineering can get past 2FA, then the only options you have are
1. The registrar has offices in your country, so you can take legal action against them. Of course, this also means that your despotic government can force the registrar to ban you, etc.
2. The registrar is not in your country, so you depend on their benevolence to reverse the social engineering.
Ban everything you cannot control / understand! That is the classic Indian bureaucracy reaction.
For example, they also banned tinted windows in cars after an assault happened in a car. Then, there was a time where they banned something or the other on a daily basis.
Even right now there is Section 144 imposed in multiple cities - which means a "ban" on "unlawful assembly" of 5 or more people. 5 or more people in multiple cities which have a population of millions! Now, how do they enforce / check these "assemblies of people" depends on the people you ask. I have already spoken too much.
The issue is India doesn't have a judicial agreement with Switzerland over data sharing (which includes User IP Addresses) for criminal investigations [0] while the US does [1], and Protonmail only honors Swiss litigation [2]
This should change with the new India-Switzerland FTA though.
I think the actual issue is that a government holds the insane belief that by blocking one out of many ways that someone could make an anonymous threat, it somehow contributes to the safety of their citizens.
> blocking one out of many ways that someone could make an anonymous threat, it somehow contributes to the safety of their citizens
If you make an anonymous bomb threat using Gmail in India, Google will hand off all information to the Indian government as they have operations in India and will be held liable, just like they would in the US.
This is the reason why Proton AG honors American law enforcement requests - the US and Switzerland have an agreement that data platforms in both countries need to honor each other's law enforcement requests.
If Proton AG won't give User metadata without litigation in Switzerland, it will get blocked in those jurisdictions it doesn't play ball with.
This is why most piracy platforms and data platforms will honor metadata requests from US Law Enforcement - you will become a toxic financial liability if you choose to flout US litigation.
Your statements are correct but they aren't relevant to parent's point. Blocking an email provider has absolutely no positive effect on the safety of the citizens. While it has the potential of a lot of negative effects, like the inability of other innocent citizens to use their email account. It is the same thing when the GoI went ahead and blocked pastebin.com because of a bunch of pastes.
> Blocking an email provider has absolutely no positive effect on the safety of the citizens.
If all the available platforms allow for data sharing and tracking on judicial orders, then a perpetrator does not have a safe way to give threats, without the risk of being identified.
In my opinion, this is a deterrent in itself, the fear of getting caught.
Ah my bad, I should have explicitly mentioned that merely a threat does not constitute a safety issue enough to justify a broad ban. If such a ban could prevent a real attack, then sure.
Yes, personally even I would feel disturbed and anxious when somebody threatens me, but it would be too broad to classify mental disturbance as a safety issue. I am saying this having survived an episode where my father was threatened for life.
> Blocking an email provider has absolutely no positive effect on the safety of the citizens
I agree that it's a half-assed patch, but if a platform isn't responding to litigation or law enforcement requests, there is always the chance of bad actors weaponizing that loophole.
And it's not like Proton AG hasn't been linked to terror attacks. The perpetrator of the Bataclan Massacre used Protonmail to communicate with handlers, leading the French government to require email platforms like Proton AG to honor French law enforcement requests [1].
Upvote this. Can't edit my previous comment which misread the wired article linked or can @Dang just delete the offending comment for incorrect/misleading info?
It was a temporary block due to an overly broad denylist the Indian government put out in 2013. Pastebin ended up getting unblocked in India in the same time period as well.
It feels like the Indian gov is reactionary and has tunnel vision. They fix one problem but never consider if that fix will cause problems elsewhere or if even if that fix is worth it.
The issue is that India has a body of hand picked bureaucrats, who have the authority to both target and ban platforms they cannot control or spy on.
The article clearly states that all was a hoax and there weren't any bombs. The Indian government is setting up a nice slippery slope here for total political control of the Internet.
Perhaps ProtonMail would be better off if they just pulled out of the country.
> issue is that India has a body of hand picked bureaucrats, who have the authority to both target and ban platforms they cannot control or spy on
Agreed. Indian jurisprudence has not kept up and is still stuck in an authoritarian mindset found in the Colonial British legal system (same problem in Pakistan, Malaysia, Kenya, and Singapore as well btw)
> setting up a nice slippery slope here for total political control of the Internet
The Indian government has always had the authority to control electronic communication due to the Indian Telegraph Act, 1885 [0] and its equally authoritarian successor the Telecommunications Act, 2023 [1].
India always has been, and sadly, always will be an Illiberal Democracy, and for the exact same reasons that Malaysia, Kenya, and Pakistan will be as well.
It's the original sin of the British Colonial legal system.
> Now, how do they enforce / check these "assemblies of people" depends on the people you ask.
I assume police officers enforce / check them when they need to fill their ticket quota, want to get money through a bribe, or just want to punish someone who personally annoyed them? That's how it usually works with half-enforced laws.
In every law, there should be a requirement that it either gets enforced equally, or it loses power.
But who enforces the equality of the enforcement? The only feasible system for this is 100% transparency of all legal proceedings and massive penalties for obscuring any legal proceedings. Governments and law enforcement bodies have only ever paid lip service to these ideals. They always resort to excuses involving "national security", "Realpolitik" or other convenient constructs that just happen to bias the legal system towards the incumbent powers.
It doesn't even have to be that deliberate - these kinds of things end up being the reason you can use when you can't find/prove another.
Which has 'good' uses too I suppose, as in where everyone agrees it was correct even if technical process a bit silly. (Not just cop on the street arresting 'obvious' drug dealers or whatever for unlawfully assembling, but charging mafia with tax evasion, or sexual assaulter CEOs with securities fraud.)
But.. I'm guessing the majority of unlawful 5 or more assembly cases are not 'good'.
> In every law, there should be a requirement that it either gets enforced equally, or it loses power.
The evil twin of this is maximized enforcement where enforcement and punishment have become a strong focus and shaping societal behavior is maybe a justification. It is the point at which we have lost our way.
> If a law in place is found to be overly strict or general, then it should be changed or removed, and doing so should be simple and swift.
This would be a sweet world to live in. We'd have to change many reward systems to get there.
Pointedly, we'd have to improve public thinking - but most folks have already made their easy, positive changes. What's left are difficult positive changes and easy negative changes.
It's not specifically Indian. Canada just banned Flipper Zero devices because the little radios can replay car key fob signals and older cars are susceptible to replay attacks.
UK government has tried to ban encryption time and time again. This is what happens when you have old/incompetent career politicians in power instead of deep thinkers like scientists and engineers.
The U.K. has a system where experts in various fields like medicine and engineering are put in the lawmaking process, in addition to experts in becoming elected (ie raising money and selling non tangible ideas to people)
It’s not perfect of course, but in my opinion it’s better than a fully democratic system.
Do those unelected experts advise on new legislation, even write it (why not? We don't expect elected politicians to be experts in much more than ordinary people) or do they also vote to approve or reject those laws like elected politicians do?
Theoretically they do both. I think the system that the above commenter is alluding to is the House of Lords, where a bunch of unelected "lords" can vote on legislation. The idea is for the lords to be people with particular expertise who we want to be voting on stuff. For example if you have some very highly thought of scientist or engineer you reward them with a peerage and they can sit in the house of lords and vote on stuff. Of course the reality is not so great.
That's a stereotype and probably not true. Many deep thinkers are humanists.
It's probably more likely around the hyper rational types, but my boss is the most empathetic engineer I've ever worked for. This is anecdotal but your comment seems fairly clearly overbroad
I've seen the stereotype confirmed on HN several times already. Whenever I, a blind pedestrian, voice my concerns about driverless car technology, I am being downvoted and outright criticized. The undertone is "How can this single person try to block an emerging technology". That pretty much confirms the statement that tech people sometimes have a hard time with human concerns.
I am empathetic to your concerns but I may or may not agree with your proposed solutions. I do think it's always important to keep in mind that empathy and compassion aren't the same thing, or always aligned. Compassion is more utilitarian. Driverless cars will save a lot of lives when the technology is good enough, and the compassionate thing is implementing the technology when it saves more lives than it endangers. If that's the non-empathy you are getting from the HN community then the community is right, but again, I genuinely empathize even so.
It's worse than you think. Read the Criminal Justice Act (Offensive Weapons) Order 1988 (S.I 1988/2019) and marvel at some of the nonsense some politician thought it important to ban.
My personal favourite is "Death Stars", since it creates the mental image of some constable trying to confiscate a superlaser-equipped battlestation.
> the weapon sometimes known as a “shuriken”, “shaken” or “death star”, being a hard non-flexible plate having three or more sharp radiating points and designed to be thrown;
It's possible for young people to make these mistakes. My wife is not an old man and her default position is not to defend e2e encryption. So all it takes is a spurious argument against it (think of the children!) and without skin in the game she is happy to go along.
The argument is about proportional gain vs proportional loss and she is not aware of the devastating loss of privacy that would come from banning strong safe encryption.
You could prevent this by teaching rational thinking and cognitive biases at the school level, but I assume the reason that hasn’t happened yet is because said students would start calling out the hyperbole that politicians and business people often like to employ.
Good unbiased Thinking requires effort. To optimize this there are caching mechanisms at multiple levels, from inside your brain to the societal level to save the energy required to do the thinking. If you deem that cache and all future ones to be invalid(untrustworthy) you'll have to do a lot of thinking from scratch.
If you want to practically brick such agent you'll just need to do a denial of service by bringing a huge deluge of claims that they have to spend more than their lifetime thinking through all of them critically.
I am not going to jump to the bait of defending my own wife as a rational person.
Instead I'll just point out that difference in information is not difference in ability. She just wasn't aware encryption was used basically everywhere, and so could be forgiven for not having at hand the information to refute the assertion that some back doors in one algorithm or system is harmless.
Only an education in these subjects will help, or a widespread awareness campaign by educated folks. Or even a law protecting it as a fundamental right.
Just as I criticize her field all the time, and am quickly embarrassed by my presumption of hyper rational super powers. Or at least I was for years.. I'm getting better.
Flipper Zero complies with all regulations, it's a certified consumer device. That it can record and replay a radio signal is not something that should be regulated.
We have laws for stealing cars, we don't need to ban specific tools that, among a multitude of other uses, might be used to steal a car.
The 1986 Assault Weapons Ban in the US restricted the sale and ownership of several non-existent gun attachments and modifications. It also for some reason banned specific guns like the KS-23 (quite ridiculous gun you should read on if you're a fan of them) that was only manufactured in the Soviet Union and other bloc states and literally couldn't be imported to the US normally regardless because it used the barrel off a 23mm aircraft cannon.
Remember to always put someone with no knowledge of guns in charge with making gun laws.
> For example, They also banned tinted windows in cars after an assault happened
I think every jurisdiction should put limits on how tinted the windshield and front windows can be. Being able to see where a driver is looking is important in many situations in order to avoid collisions. It's especially important for pedestrians and cyclists that have to cross the path of cars.
I think this sort of government hand holding is unnecessary and promotes the surveillance state. I'm all for going back to the levels we had in the 70s. People should be given the means to be safe but it shouldn't be forced on them, same with surveillance. I think putting bumper guards on everything in life leads to a society that is afraid of everything and values safety over liberty, like the society of today.
As a cyclist I have to be very aware of people opening their car doors into my lane.
This is a direct safety concern for me and not some hurr durr soorvwaylanze concern about slippery slope fallacies. You wouldn't say this about OSHA either (I hope).
This is not about protecting the person tinting their window, but everyone around them. As such, it doesn't even qualify as government hand holding. You're not protecting someone from themselves.
> Ban everything you cannot control / understand! That is the classic Indian bureaucracy reaction.
This is the classic reaction of any government. I assure you Indian one is not in any way unique. That's why you need a strong constitution and an independent constitutional court - hardly possible, but at least it's a goal.
They are controlling it because they absolutely understand, and can give a narrative of how anonymity can be used for nefarious purposes.
I support banning of tinted glasses, because, for the population and education level here, these measures are necessary. Because one rape is too many, and what is to be done ought to be done. For those unaware, this ban on tinted glasses in a car or a vehicle came about when there were a spate of rapes and assaults on women done in a moving car with tinted windows.
Unlawful assembly laws are there in many countries.
In India, it is used often, but generally when there is a communal angle involved. India sees many rallies and protests (there is one massive one going on right now).
> For those unaware, this ban on tinted glasses in a car or a vehicle came about when there were a spate of rapes and assaults on women done in a moving car with tinted windows.
A moving car? Gee, wonder why they didn't ban moving cars as well.
There's a pretty egregious misunderstanding of how email works in both the article and the proposed ban.
Protonmail can only end-to-end encrypt email when the receiver is also using Protonmail. The email spec has no support for a universal encryption method, one of the reasons we'd be better off not using email at all today.
They also don't explain how the inability to track the sender's IP is specific to Protonmail. Unless I missed a key feature, Protonmail doesn't do anything to hide or obscure the sender's IP.
> inability to track the sender's IP is specific to Protonmail
The issue is India doesn't have a judicial agreement with Switzerland over data sharing (which includes User IP Addresses) for criminal investigations [0] while the US does [1], and Protonmail only honors Swiss litigation [2]
This should change with the new India-Switzerland FTA though.
I may be getting out over my skis here, hopefully someone will correct me if so. But I believe this is the main distinction with a Common Law system, where everything is default legal unless regulated by legislation. Effectively, laws are only blocklists under legal systems based on Common Law.
I don't know for sure if India is Common Law, though given its history with the British Empire I would guess that it isn't.
Former British Dependencies like India, Malaysia, Singapore, Canada, South Africa, New Zealand, Ireland, and Australia are ruled under Common Law with additional colonial authoritarian flourishes, as these dependencies could be overruled by Westminster until the mid-late 1900s.
England, Wales, and North Ireland are themselves Common Law, and it's somewhat common for Indian lawyers to cross apply to join the English Inns of Court as well. That said, modern India is starting to transition towards an American style common law system over the British one, as America has way more of an impact in India today.
Civil/Roman/Latin Law is a continental thing. You'll see influences of it in former Spanish, French, and Russian colonies.
Email supports end to end encryption between any two servers. You set each server up with a list of supported protocols and denied protocols.
If either side can't agree on the encryption algorithm, then the email does not go through.
If both sides do agree, which is almost always the case if both sides are using industry standard encryption methods, then the email is end to end encrypted.
On top of that, we have PGP encryption which allows the user to encrypt the email from everybody including the email provider. Only the recipient email address and possibly the subject line would be readable to the email providers.
As for the IP, if protonmail removes the sender's origin IP then it's removed and that's it.
Email is one of our best methods of international communication available today.
There aren't many services that support e2e encryption though. I've been a Protonmail user for years and only remember being able to send encrypted emails to other PM users, maybe Fastmail also supports the same protocols?
Regardless, if I'm not mistaken encryption protocols are layered on and not part of the official email spec. I'm not 100% on that so maybe it was added to the spec as an optional feature, but by no means is it common (especially with the market share Gmail owns).
Yes, but all emails exchanged between two Proton accounts, as well as between a Proton account and a non-Proton user who relies on PGP encryption, are protected by PGP.
But there's also server side encryption that is end to end. If both the sender and recipient uses a trusted mail server that uses encryption then nobody between the two can see the email.
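Added example, not part of the thread: the comments above describe two layers, transport encryption negotiated between mail servers and PGP applied to the message itself. This Python sketch reads a constructed message (hostnames, IPs and the PGP placeholder are made up, using documentation address ranges) and reports which relay hops used TLS, which headers stay readable to every provider, and which IP the recipient sees as the origin when the sending provider does or does not record the client hop.

```python
import email
import re

# Constructed sample (not real traffic); hosts and IPs use documentation ranges.
# Received lines are prepended by each server, so the newest hop is at the top.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.25])
 by store.recipient.example with ESMTPS id c3 (version=TLS1_3);
 Mon, 12 Feb 2024 10:00:03 +0000
Received: from out.sender.example (out.sender.example [198.51.100.7])
 by mx.recipient.example with ESMTP id b2;
 Mon, 12 Feb 2024 10:00:02 +0000
Received: from [192.0.2.44] (client.isp.example [192.0.2.44])
 by out.sender.example with ESMTPSA id a1;
 Mon, 12 Feb 2024 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: quarterly numbers

-----BEGIN PGP MESSAGE-----

(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
"""

# "with" protocol keywords registered by RFC 3848 that indicate STARTTLS was used.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def load(raw):
    """Parse raw RFC 5322 text into a Message object."""
    return email.message_from_string(raw)


def parse_hops(msg):
    """Return relay hops in chronological order (oldest first).

    Received lines are written by the servers themselves; anything below the
    first server you trust could have been forged by the sender.
    """
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        line = " ".join(str(raw).split())  # unfold continuation lines
        frm = re.search(r"\bfrom\s+(\S+)", line)
        by = re.search(r"\bby\s+(\S+)", line)
        proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", line)
        ip = IPV4.search(line)
        protocol = proto.group(1).upper() if proto else None
        hops.append({
            "from": frm.group(1) if frm else None,
            "by": by.group(1) if by else None,
            "protocol": protocol,
            "tls": protocol in TLS_PROTOCOLS,
            "ip": ip.group(1) if ip else None,
        })
    return hops


def exposure(msg):
    """Summarise what is readable along the path and at rest."""
    hops = parse_hops(msg)
    body = msg.get_payload()
    armored = isinstance(body, str) and body.lstrip().startswith(
        "-----BEGIN PGP MESSAGE-----")
    return {
        # Hops without TLS carry headers (and any unencrypted body) in clear.
        "cleartext_hops": [f"{h['from']} -> {h['by']}" for h in hops if not h["tls"]],
        # PGP protects the body only; these headers stay readable to providers.
        "metadata_visible": {k: msg[k] for k in ("From", "To", "Subject")},
        "body_is_pgp": armored or msg.get_content_type() == "multipart/encrypted",
        # Earliest IP recorded in the chain: what a recipient can see of the origin.
        "origin_ip": hops[0]["ip"] if hops else None,
    }


def without_client_hop(raw):
    """Same message as if the sending provider never recorded the client hop."""
    msg = load(raw)
    received = msg.get_all("Received", [])
    del msg["Received"]
    for value in received[:-1]:  # drop the oldest (client -> provider) line
        msg["Received"] = " ".join(value.split())
    return msg


if __name__ == "__main__":
    print(exposure(load(SAMPLE)))
    print(exposure(without_client_hop(SAMPLE)))
```

In the second report the earliest address in the chain is the provider's outbound server, so identifying the sender depends on whatever logs the provider itself holds.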
But Google will usually provide logs/IP addresses (not content) to police without a warrant, which can be used to start tracking down the culprit. It isn't clear from the report if the Police got a warrant or even made a request to ProtonMail.
Most do not just sign in to a compromised account and send an email from their laptop... It usually involves some level of obscurity. I'm sure if they want to find out bad enough they will - but I would be surprised if this was sent by someone just sitting there.
India for all intents and purposes is now an ethno-national state with no press freedom, severe persecution of minorities, and human rights violations aplenty.
I grew up in India when it was a relatively secular state. For example, when the Babri Masjid (mosque) was destroyed by Hindus in the early 90s, the national magazine, India Today and major newspapers led with the headline, "India's Shame" and acknowledged how bad that was for Indian secularism.
Less than a month ago the same mosque was now converted into a Hindu temple and the press and government led the cheerleading.
1. No press freedom: what explains the presence and popularity of the wire, scroll, news minute, the quint, etc? Traditional print media that’s critical of the current party in power includes The Hindu, Telegraph etc. That there’s no press freedom is false.
2. Ethno-nationalist state: what ethnicity are we talking about here? BJP loses often in elections locally, and majority of their opponents are Hindus.
What India has always been is illiberal. You are weakening your point by exaggerating the current conditions.
Moreover this proposed ban is because we have an overzealous bureaucracy that doesn’t understand technology and does not care to. It’s got nothing to do with what India has become.
As a data point, the previous government that grandparent speaks of also has been involved in actual suspension of democracy, abolition of press rights, and jailing of opposition leaders[1].
Indian administrations have always had an authoritarian bent regardless of who has been in power.
Care to tell me what exactly is "misinformation" when every point has been cited from articles by reputable local/international media sources?
If your only argument is about a so called "western bias", forgive me for laughing. I'm under no obligation to kowtow to the delusions of an authoritarian country and its supporters.
Tangential to the article being discussed, as this is not about secularism.
Not all the facts provided, just a one sided view that is parroted repeatedly in online forums with the intention of claiming a moral high ground when the facts are far more complex and intricate.
The mosque was converted by a judgement from India's Supreme Court. But yes, the administration's stunt of overtly participating in religious conflict by having the PM and country leaders inaugurate the temple sure leaves a bad taste.
Thankfully, religion as a whole is becoming increasingly irrelevant among new generations as Western individualism takes over. This incident will hopefully be remembered just as an appeasement tactic for old to middle-aged people and not an escalation.
>The mosque was converted by a judgement from India's Supreme Court
Many would say that doesn't change anything because they think that Indian supreme court is just another tool in the hand of Modi's government [1] [2] [3].
Many would say that regarding this decision, yes. But they'd be overlooking the kind of exceptional dilemma the court faced in this case - it was not just about determining what club gets a legal right over public property, but about defusing a several generations-long historical and religious conflict of vastly higher scale. In the end they had to pass a judgement that antagonized the least number of people and prevented large-scale disruption and violence. We can debate how right or wrong it was all day, but that won't take away the fact that there was no other way of resolving this without messing up social harmony.
Whether or not Modi's government has undue influence over the judiciary is still up for debate, but in this particular case, I fail to see how it could have made a difference either way.
Isn't it just convenient. To hell with due process and law and justice and equality.
Give a judgement that offends least number of people, be it right or wrong.
You know how that sounds like? A corrupt judiciary that's at the whims of satisfying the ego of masses.
Btw
>The incident, which resulted in heavy casualties, had shaken the entire nation and the collective conscience of the society will only be satisfied if the capital punishment is awarded to the offender.
This quote from an actual judgment made by supreme court of India literally says so. To satisfy collective consciousness of masses, a man must die
That literally is the point of much of how the justice system functions all over the world.
Part of the factors they have to consider is for the people to be sufficiently satisfied that justice was done. After all, the system relies on the people having confidence that the system works. The perpetrator of a brutal rape and murder not being given the death penalty when the entire country is out on the streets demanding his blood, would be a grave miscarriage of justice (as long as he was indeed the perpetrator).
Especially with the case of the masjid, there wasn't going to be a right answer either way, as Hindus also made a historical claim to the land.
Such claims have absolutely no relevance to the story. The block request came from Tamil Nadu police where major politics is on the opposite end of the spectrum. I wish I could go back to the time where people actually read the article and stay on point.
India is illiberal and authoritarian, but boiling down the extremely complex issue of the Babri Masjid to "Hindus tore it down and replaced it with a temple" is very disingenuous. The case remained unaddressed - even through the rule of more secular parties - for decades for good reasons.
Plus, India has a long record of kneejerk censorship. There was the incident with GitHub back in 2014, and even before then there have been many cases of the national or state governments censoring material that could be construed as criticizing them or material they could construe as supporting a terrorist movement.
Yes, India is not liberal and Yes, India has leaders who concentrated power in their hands overrode the States. On the other side of the spectrum if you have lived experience of the 80s, you would understand chaos and anarchy of multiple ethno-insurgencies. As a man who grew up in South India, I am a proponent of State's rights etc. But it's not magic, India's geography and demographics compel this cycle of powerful center that is near authoritarian to weak center that is a monumental chaos. In between there are periods of some balance. That was the nature of India since the Mahajanapadha period.
This all seems a bit confused. This has nothing to do with encryption. ProtonMail cooperates with law enforcement to track down users, but they do need a proper legal process. They won't just release user information on a simple request. They do have the ability to capture IP addresses.
ProtonMail is accessible over Tor, but they don't allow registration/verification over Tor.
But do you have to provide any information during such a signup that could be used to identify you in response to a valid legal warrant of some type? The "verification".
This depends on the exit node, so if you are experiencing this, we recommend trying another one. If it persists, contact us here so we can take a closer look: https://proton.me/support/contact
Experiencing what? To phrase my question differently: can someone show up on a Tor connection and make a new account without giving Proton any indication of who they are? So that in the case they abuse the account somehow, the only thing that Proton can do is just cancel the account?
Experiencing an additional verification step - sorry if we were unclear. Yes, you should be able to create a new account using our onion page or access our website via Tor browser. Additionally, you can create a Proton Mail account while connected to a no-logs VPN, which will also help protect your identity.
> Unable to trace the IP address of the sender and failing to get assistance from Interpol, the Tamil Nadu police put in a request to India's Ministry of Electronics and Information Technology to block access to ProtonMail within the country, according to Hindustan Times. That request was granted today, with the government authority issuing an order to block the service in the region.
This is at the request of a state police of Tamilnadu.
This particular state in India is ruled by a Party that's against Modi and his party.
Question here, why can't Protonmail cooperate with the police investigating bombing threat against schools?
you have to wonder just how much such rulings help anyone.
- practically nobody uses the service in the country (especially when dealing with hundreds of millions connected on the internet), and for some this might have a Streisand effect.
- those using such services for nefarious reasons would have little to no reason to abide by it. IT law enforcement is already very ineffective as it is, and would only be used as a lever when dealing with cases the administration has special interest in.
- this is not really a matter of encryption but about data sharing arrangements with other countries (as correctly pointed out in the comments). funnily enough it is against the law to refuse decryption (https://en.wikipedia.org/wiki/Information_Technology_Act%2C_...).
> ProtonMail is the best choice if you want an end-to-end encrypted email platform
Is this native advertisement? There are many other choices, some of them being as good if not better. A few of them are small mom-and-pop businesses which didn't take on investment, and won't enshittify ( https://en.wiktionary.org/wiki/enshittification )
"On February 8, a bomb threat was sent to 13 schools in Chennai, a city in the state of Tamil Nadu in southern India. The threat turned out to be a hoax, and the Tamil Nadu police found that the email was sent via a ProtonMail account.
Unable to trace the IP address of the sender and failing to get assistance from Interpol, the Tamil Nadu police put in a request to India's Ministry of Electronics and Information Technology to block access to ProtonMail within the country"
In the US, local PDs can and have litigated telcos over swatting [0].
Every state has a Anti-Swatting Litigation Task Force within their AG now to take Telcos to court over swatting incidents.
On the other hand, India doesn't have a judicial agreement with Switzerland over data sharing for criminal investigations [1] (while the US does [2]), and Protonmail only honors Swiss litigation [3]
This should change with the new India-Switzerland FTA though.
They severely restricted the buying of SIM cards after the Mumbai terror attacks on the flimsy basis that the terrorists used cell phones to coordinate them.
In practice it means that it's a massive pain to get a local number when visiting family.
VOIP intra-country is also illegal, but it's not clear if that's regulatory capture or for similar "national security" grounds.
so apparently a child was abducted and one thing led to another and the child was recovered so the child revealed how he was shown tom and jerry cartoon.
the police then went on a fishing trip and literally cross referenced which user in a particular area watched tom and jerry on youtube at a particular time/date to find the culprits.
if this won't get your antenna up, i don't think anything else will
YouTube/Gmail/etc etc and everything that the government is tracking. FWIW, they are tracking our internet with all sorts of fancy technology.
I think probably what I meant to ask is:
Normal police work meaning you can willy nilly go and canvass internet browsing history of thousands of citizens? What stops them from taking political vendetta?
The protonmail ID is actually my main Email-Id and is used everywhere, even on government sites.
Hope https://internetfreedom.in/ steps in or some other organization.