[HN Gopher] Climate activist arrested after ProtonMail provided ...
       ___________________________________________________________________
        
       Climate activist arrested after ProtonMail provided his IP address
        
       Author : kdunglas
       Score  : 383 points
       Date   : 2021-09-05 19:59 UTC (3 hours ago)
        
 (HTM) web link (twitter.com)
 (TXT) w3m dump (twitter.com)
        
       | S_A_P wrote:
       | Also a ProtonMail user. While I would prefer that ProtonMail
       | never captured or divulged my IP and/or logged my access, I pay
       | because I was a long time gmail user and am trying to wean myself
       | off of alphabet in general. I don't want my mail skimmed for ads
       | or worse.
        
       | leipert wrote:
       | Happy user of posteo here which claims to strip IP addresses and
       | there IS no relation between accounts and payments. All
       | government requests are transparently documented.
       | 
       | The web interface is roundcube, but if you just use IMAP, it
       | could work for you.
       | 
       | No custom domains though for sending stuff, catch all redirects
       | obviously work.
       | 
       | https://posteo.de/en/site/transparency_report
        
       | elmo2you wrote:
       | I don't think that ProtonMail complying with the law here is in
       | any way the problem. They simply have to.
       | 
       | However, in this case just as in a few other ones before this
       | one, it has become pretty clear to me that ProtonMail's marketing
       | is deceptive at best and in a few cases some of their claims just
       | blatantly not true.
       | 
       | What surprised me most is that when I pointed this out in the
       | past, I was immediately attacked by what appeared to be like
       | Apple-style fanboys, who would not stand by anyone criticizing
       | ProtonMail.
       | 
       | To this day I'm not so sure if that was just the genuinely
       | zealous behavior of a few deranged individuals, or if it might
       | have been a concerted commercial effort at damage control.
       | 
       | Either way, to me ProtonMail certainly is not what it claims to
       | be (if not explicitly then at least implied). To me it's just
       | another commercial entity trying to make a profit by tapping a
       | relative niche market while convincing gullible people they are
       | something they actually are not, in any way that will make them a
       | bigger profit. Nothing really shocking about that, and mostly
       | just standard behavior for any other modern commercial entity
       | operating within a capitalistic economy.
        
       | istingray wrote:
       | Disclaimer: Paying Protonmail customer
       | 
       | I wanted to test how Protonmail is doing for new users, so I
       | created an account from scratch just now over Tor.
       | 
       | 1. Am asked to verify new account by entering a cell phone
       | (bogus)
       | 
       | 2. Upon login, "Basic" logs are selected which do not display IP.
       | You can enable "Advanced" logs to log IP. I would suggest
       | Protonmail make it crystal clear that these "Basic" logs do not
       | store IP. In 2021, lies by omission are not good enough. Get rid
       | of the soft language.
       | 
       | 3. Their help page [1] says that "Advanced" (IP stored) logs are
       | enabled by default. However, I created the account and it's just
       | the Basic (no IP) logs.
       | https://protonmail.com/support/knowledge-base/authentication...
        
         | chrononaut wrote:
         | > 1. Am asked to verify new account by entering a cell phone
         | (bogus)
         | 
         | Interestingly the sentence on their front page, right before
         | the most commonly quoted snippet in this thread, is:
         | 
         | > No personal information is required to create your secure
         | email account.
         | 
         | A phone number is quite a personal, unique identifier.
        
       | gtsop wrote:
       | Paying customer
       | 
       | I do not trust protonmail with my privacy. I only use them to
       | sign up for various services, trying to escape the data mining
       | google does.
       | 
       | Not sure I want to support a company that is dishonest however.
       | I'm reaching the bye-bye point myself slowly but surely.
        
       | [deleted]
        
       | gigel82 wrote:
       | So with FastMail under Australian privacy-bashing laws and now
       | this, what are our options for secure, private e-mail?
        
         | Youden wrote:
         | Honest question, because I've been asking it of myself: what do
         | you expect from such a service?
         | 
         | I basically decided to just give up. Email is an insecure
         | protocol and there's not much that can be done about it.
         | Choosing a "secure" email provider feels like choosing a
         | "secure" VPN provider: it's impossible to verify the provider's
         | claims so it's a kind of security theatre.
        
           | cartoonworld wrote:
           | It's impossible to choose a "secure" email provider,
           | unfortunately.
           | 
           | Email can't guarantee E2EE without a block cipher tool like
           | GPG. Even if your provider stores and transmits _only_
           | encrypted email data, once sent it does not maintain that
           | guarantee while being passed by another entity's MTA.
           | 
           | If you email google, google gets to do whatever googly stuff
           | it would like to do with its algorithm. If you email
           | exchange, roundcube, ISP, hotmail, it could wind up being
           | archived to tape, or simply be sitting for a long time in
           | some unencrypted mail spool, maybe in a public cloud. If you
           | selfhost, you would be forgiven if you find you have made a
           | mistake or simply got pwned.
           | 
           | I've never selfhosted email, but I understand it is a lot of
           | work to set up if you aren't familiar, and while maintenance
           | is okay once you get rolling, there are occasional
           | emergencies or hiccups that require intervention.
           | 
           | Aside from being _much_ slower, regular mail is quite better
           | since you can easily inspect the envelope for evidence of
           | tampering, while email will be imperceptibly copied.
        
           | chrononaut wrote:
           | > I basically decided to just give up. Email is an insecure
           | protocol and there's not much that can be done about it.
           | Choosing a "secure" email provider feels like choosing a
           | "secure" VPN provider: it's impossible to verify the
           | provider's claims so it's a kind of security theatre.
           | 
           | Notionally, I would imagine something that looks like "email"
           | and acts like "e-mail" (to the end user) could eventually
           | exist that provides the same (conceptual) security that the
           | Signal protocol provides (and perhaps a hosting provider
           | option that's the same level of user confidentiality that we
           | get from the Signal foundation), although you're correct that
           | foundationally it would be a different protocol. Backwards-
           | compatibility would be required, at least for seamless
           | transition (perhaps represented as "secure" and "plaintext")
           | 
           | Wasn't Ladar Levison (the individual behind Lavabit) working
           | on something like this? https://darkmail.info/
        
         | skitter wrote:
         | One option not mentioned yet is Posteo. They don't keep your IP
         | and strip it in case your mail client sets it in the headers.
         | They also don't take any personal identification for signup or
         | billing (you can even send them letters with money to pay for a
         | mailbox).
        
           | luckylion wrote:
           | I don't know what came of it, but they've been told by the
           | German constitutional court that their approach ("we're using
           | NAT, we don't know the IP on the actual server") doesn't fly
           | and does not protect them from complying with a court order.
        
             | kazen44 wrote:
             | This is correct.
             | 
             | This also applies to ISPs and wiretaps. They need to
             | provide NAT mappings when doing a wiretap if I remember
             | correctly.
        
         | Saris wrote:
         | I say don't use email, it's not a good choice for private
         | communications.
        
         | uuidgen wrote:
         | Anything that you access using thunderbird with GPG configured?
         | 
         | It gives no worse privacy guarantees than protonmail and
         | possibly way better - because if you use protonmail through a
         | web client and they get a court order to serve you a "special"
         | client that forwards your certificate you won't notice it.
        
         | CameronNemo wrote:
         | Protonmail and fastmail are different offerings. Proton offers
         | encryption features, while fastmail makes no effort to promote
         | encryption.
         | 
         | So tutanota would be a good alternative to protonmail. And
         | mailbox.org is a good alternative to fastmail. Both are based
         | in Germany.
        
           | superflit wrote:
           | Occupied Germany is worse[1]
           | 
           | Germany will handle your data as fast as you can order an
           | hans schnitzel.
           | 
           | [1] - https://militarybases.com/overseas/germany/
        
             | merb wrote:
             | well posteo didn't. they tried to fight it as long as
             | possible.
        
               | superflit wrote:
               | There is no fighting.
               | 
               | When you have 21 bases in your land.
        
         | krono wrote:
         | Email from any service provider can be considered as secure and
         | private as public conversations.
        
         | keewee7 wrote:
         | If you're doing subversive activities against a Western country
         | you should probably use some Russian or Chinese state-owned
         | service.
        
           | glitcher wrote:
           | Part of the issue is that the bar for subversive activities
           | in the eyes of western law enforcement seems to be getting
           | lower and lower. I don't know the specifics of this case, but
           | it seems many authorities are also not shy about using these
           | methods to identify and track peaceful protesters as well.
        
             | kazen44 wrote:
             | While I agree this is a problem, this is something that
             | isn't to blame on protonmail (or any other company
             | following the law). This is something that should be
             | changed through politics/lawmaking.
        
         | rakoo wrote:
         | For this specific issue, find a provider that can be accessed
         | through Tor.
         | 
         | But if you want truly private and secure communication, you'll
         | have to forget about email. Even with encryption there's still
         | way too much metadata floating around that can identify you.
        
         | blacklion wrote:
         | Your own self-hosted service on rented server / cloud instance?
         | AFAIU (IANAL!!!) you can refuse to give evidence against
         | yourself in most jurisdictions.
         | 
         | I don't think that dedicated server provider (like Hetzner) or
         | cloud provider (like Digital Ocean or Vultr) stores traffic
         | logs with enough details to be useful in such case.
         | 
         | But payment will be a problem...
        
           | upbeat_general wrote:
           | It's certainly possible that they store IP addresses.
           | 
           | Even if they don't, as long as they have the email address
           | then they can probably find the mail server even if the
           | payment is anonymous.
        
             | ta988 wrote:
             | They absolutely keep who used which IP at what time. And
             | they do not allow anonymous purchases.
        
           | Sebb767 wrote:
           | You can't be compelled to incriminate yourself, but your
           | server provider can very much be compelled to give access to
           | the server. And once the server is physically compromised the
           | battle is lost, anyway, but in that case probably with a
           | larger paper trail leading to you.
           | 
           | One expensive but possible option would be to build a server
           | yourself with sufficient traps to shut off when it's tampered
           | with. Then set it up with full disk encryption and put it in
           | a shared rack.
        
       | CraneWorm wrote:
       | I read here ProtonMail were compelled to log the IP by the
       | authorities... Could they have done anything else? Could any sort
       | of malicious compliance have been an out? Like: "if we hear there
       | is an investigation on you then we want nothing to do with your
       | shit and we'll delete your account"?
       | 
       | I suppose this would land them in hot water, but there might be
       | something else really clever?
        
       | josephcsible wrote:
       | Has ProtonMail done anything wrong themselves, or is this just a
       | case of them existing in the wrong country? If they refused to
       | cooperate, could the government have just seized their servers
       | and collected the data they wanted themselves?
        
         | goldcd wrote:
         | Legally nothing wrong - but they've maybe been a bit
         | disingenuous to their users.
         | 
         | However, better than most (both by jurisdiction and their own
         | rules) than other email providers - and I'd have thought any of
         | their users who were serious about anonymity would have used
         | Tor/Tails etc to connect anyway and used pgp for their
         | messages.
         | 
         | Details of connections to the account (IP and connection
         | fingerprint) shouldn't matter if you were taking your privacy
         | seriously.
         | 
         | Basically just signing up for protonmail doesn't make you
         | secure and there's nothing they could do to help if you just
         | rely on that.
        
         | bawolff wrote:
         | I think the argument is that their advertising is misleading
         | (i.e. if they really didn't keep logs, there would be nothing
         | to hand over)
        
           | [deleted]
        
           | [deleted]
        
           | dogma1138 wrote:
           | They never advertised that they don't keep logs they just
           | said they aren't permanent, in fact you can view your own
           | connection logs if you enable it in which case they are
           | maintained forever.
           | 
           | https://protonmail.com/privacy-policy
           | 
           | They also provide a report of all warrants received
           | https://protonmail.com/blog/transparency-report/
        
             | tromp wrote:
             | That begs the question which of the warrants listed there
             | relates to this climate activist.
        
             | kdunglas wrote:
             | They claim that they don't keep logs on their French
             | homepage. The climate activist is French:
             | https://twitter.com/onestlatech/status/1434596410977030155?s...
             | 
             | And even on their English website, the marketing is
             | misleading. They say that the service is "anonymous" and
             | also: "By default, we do not keep any IP logs which can be
             | linked to your anonymous email account".
        
               | kafkaIncarnate wrote:
               | REALLY misleading. They created this feature for Mr.
               | Robot, the TV show, too:
               | 
               | https://protonmail.com/blog/protonmail-mr-robot-secure-email...
               | 
               | Scroll down to comment:
               | 
               | > Liam, October 14, 2015 at 10:30 PM
               | 
               | > But https://protonmail.com/security-details page says
               | "No tracking or logging of personally identifiable
               | information. Unlike competing services, we do not save
               | any tracking information. We do not record metadata such
               | as the IP addresses used to log into accounts." So, now
               | it turns to be that you introduced tracking and logging?
               | Is this data encrypted as well?
               | 
               | > Admin, October 17, 2015 at 9:14 PM
               | 
               | > We don't save any of this data by default, the user
               | must explicitly turn it on for us to save it.
               | 
               | There should be a reasonable assumption that given they
               | have end-to-end encryption for the service, they just
               | encrypt the logging for the user and store it encrypted
               | without the key themselves like they do the emails.
               | 
               | Also to note, they at least have an onion link to use
               | their email service.
        
               | gregsadetsky wrote:
               | The CEO's position on Twitter is that "by default" (from
               | the sentence you're quoting) means when there is no
               | criminal investigation, but when there is a legal order
               | in place, Protonmail will collect the IP...
               | 
               | https://twitter.com/andyyen/status/1434600373059297284
               | 
               | "As described in the link above, under Swiss law, we can
               | be forced to collect info on accounts belonging to users
               | under criminal investigation. This is obviously not done
               | by default, but only if we get a legal order."
               | 
               | Activists beware.
        
               | civilized wrote:
               | "We won't keep logs on you, except if you're in trouble
               | with The Authorities, then we'll definitely keep logs on
               | you and rat you out"
               | 
               | Weird definition of privacy we've got going these days
        
               | istingray wrote:
               | "We don't keep IP addresses. (we keep PI addresses which
               | are tooooootally different and you didn't ask about
               | those)"
        
               | rossdavidh wrote:
               | If you thought that Protonmail (or any other company) was
               | going to break the law in order to avoid keeping
               | logs on you despite a Swiss-backed warrant saying they
               | had to do so, then you had the wrong impression. But I
               | never got the impression Protonmail was saying that.
        
               | civilized wrote:
               | I have never used the service and don't know or care a
               | thing about it. But their advertising is laughably
               | inconsistent with the reality of the service provided.
               | 
               | If it's illegal to provide a completely anonymous email
               | service, then you should not claim to provide a
               | completely anonymous email service.
        
               | freshhawk wrote:
               | I think everyone has gotten used to this particular lie,
               | because it's so widespread and all the "privacy" email
               | providers say things like this.
               | 
               | Except maybe Lavabit, that guy apparently shut everything
               | down to avoid doing something along these lines. So maybe
               | he wasn't actually lying.
        
               | salawat wrote:
               | Once again: if you can't see their server software, you
               | should assume they are FOS, and are capable of recording
               | anything.
               | 
               | Also: One more reason NAT was a good thing over IPv6. The
               | closer we get to the platonic ideal of "UUID per person"
               | the more likely justice systems will use it that way.
               | 
               | The day everyone learns how to self-host mail on
               | ephemeral compute instances is the day law enforcement
               | starts requiring MX domain logs to be maintained in a
               | historical manner. Work around that magically, and some
               | law'll go on the books to try to tame the super spooky
               | criminal communicators hiding from law enforcement.
               | 
               | This is why we can't have nice things.
        
               | CraneWorm wrote:
               | doesn't the amount of available IPv6 mean you can get a
               | new one every time?
        
               | kemotep wrote:
               | Theoretically yes but if your ISP assigns your home a /64
               | you can use 2^64 different addresses to access the
               | internet.
               | 
               | This still doesn't protect your privacy because your ISP
               | knows what prefix they gave you and will likely provide
               | that to the authorities if you broke the law while using
               | that address. Just like they would even if you used NAT
               | and ipv4 so I don't get where the parent comment thinks
               | that is protecting their privacy at all.
        
               | jrochkind1 wrote:
               | "obviously"?
        
             | u_r_dumb wrote:
             | Literally on their front page:
             | 
             | > No personal information is required to create your secure
             | email account. By default, we do not keep any IP logs which
             | can be linked to your anonymous email account. Your privacy
             | comes first.
        
               | bombcar wrote:
               | Privacy comes first. Then comes the warrant. Then comes
               | the IP in the report printout.
        
               | chrononaut wrote:
               | > No personal information is required to create your
               | secure email account.
               | 
               | Except your phone number? That's highly personal.
               | https://news.ycombinator.com/item?id=28428092
               | 
               | (I recall encountering this too when creating an account
               | a few months ago.)
        
               | feu wrote:
               | I've created around 10 accounts in the last few months,
               | and a few more previously. I have never once given (or
               | been asked to give) my phone number.
        
           | ramesh31 wrote:
           | Anyone who ever says "we don't log" is _definitely_ logging,
           | and that statement alone should tell you that they are
           | untrustworthy. No one is stupid enough to take on that kind
           | of liability. The same applies for VPNs.
           | 
           | If you need trust, there's no way around rolling your own
           | service.
        
             | drexlspivey wrote:
             | Logging is the liability not the other way around. You
             | can't be forced to hand over something you don't have
        
               | kazen44 wrote:
               | Except you need to have the infrastructure in place to
               | gather data for police investigations in many countries.
               | If you don't have this infrastructure in place, you are
               | breaking the law as a company which could have enormous
               | consequences.
               | 
               | This does not mean you need to log everything all the
               | time. (usually that is actually quite illegal too) but
               | you need to have infrastructure in place to allow for
               | police investigations.
               | 
               | I don't get how people don't understand this. companies
               | need to operate according to the law of the land, this
               | being one of them.
        
               | Raed667 wrote:
               | You can be forced to log though.
               | 
               | I'm not sure how your tech-stack has to look like for you
               | to claim that you can't log IP addresses and user-agents
               | etc...
        
               | drexlspivey wrote:
               | Some VPN providers run their servers without hard drives.
        
               | luckylion wrote:
               | Thank god their servers aren't on a network where they
               | could simply send the log entries to a different server.
               | 
               | That's a cute idea, but it won't get them out of
               | complying with a warrant.
        
               | chrononaut wrote:
               | Yeah, that seems more a mechanism to prevent forensics
               | analysis of a hard disk to retrieve transient logs that
               | might've been briefly written to disk (?). I hope it
               | isn't being used as a means to prevent the means to log for
               | future connections, for the reasons you state.
        
       | kazen44 wrote:
       | for those who are curious,
       | 
       | this seems to be the reply from protonmail on reddit[0]
       | 
       | >Hi everyone, Proton team here. We are also deeply concerned
       | about this case. In the interest of transparency, here's some
       | more context.
       | 
       | In this case, Proton received a legally binding order from the
       | Swiss Federal Department of Justice which we are obligated to
       | comply with. Details about how we handle Swiss law enforcement
       | requests can be found in our transparency report:
       | 
       | https://protonmail.com/blog/transparency-report/
       | 
       | Transparency with the user community is extremely important to us
       | and we have been publishing a transparency report since 2015.
       | 
       | As detailed in our transparency report, our published threat
       | model, and also our privacy policy, under Swiss law, Proton can
       | be forced to collect info on accounts belonging to users under
       | Swiss criminal investigation. This is obviously not done by
       | default, but only if Proton gets a legal order for a specific
       | account. Under no circumstances however, can our encryption be
       | bypassed.
       | 
       | Our legal team does in fact screen all requests that we receive
       | but in this case, it appears that an act contrary to Swiss law
       | did in fact take place (and this was also the determination of
       | the Federal Department of Justice which does a legal review of
       | each case). This means we did not have grounds to refuse the
       | request. Thus Swiss law gives us no possibility to appeal this
       | particular request.
       | 
       | The prosecution in this case seems quite aggressive.
       | Unfortunately, this is a pattern we have increasingly seen in
       | recent years around the world (for example in France where terror
       | laws are inappropriately used). We will continue to campaign
       | against such laws and abuses.
       | 
       | to me this seems like they did all they could in regards to
       | handling this request.
       | 
       | [0] https://www.reddit.com/r/ProtonMail/comments/pil6xi/climate_...
        
       | Kenji wrote:
       | If you're a criminal and use email, especially email paid for in
       | your name, you're an idiot. Switzerland has been tightening its
       | laws just like every other country, all of them are fascist.
        
       | m-p-3 wrote:
       | For those using Tor, the Onion v3 address is
       | protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion
        
       | blondin wrote:
       | okay.
       | 
       | so today we are redefining what "not logging data" means. it
       | changes meaning when used in the same sentence as the expression
       | "by default". so by default, not logging data is not really not
       | logging data.
       | 
       | we've redefined quite a few things in the past few months. will
       | be interesting to see where we go from here.
        
         | throwawayswede wrote:
         | It has not really changed meaning. Asshole companies blatantly
         | lying and using dark patterns only means one thing: that the
         | company is a piece of trash and does not respect their
         | customers.
        
       | rad_gruchalski wrote:
       | Question: is it possible they do not log any of the data but were
       | required to capture it on the next login? All the talk here
       | implicitly assumes ProtonMail provided historical information.
        
         | kazen44 wrote:
         | As far as I understand from the article, this is roughly what
         | happened. Protonmail got a warrant, and thus enabled logging
         | for the user (as is required by law).
        
       | regnull wrote:
       | The only good answer to this is end-to-end encryption, keys held
       | by the individuals, and full decentralization. You must not put
       | your private communications into the hands of any company, as
       | great as they are.
        
       | newbie789 wrote:
       | I'm aware that this is a very silly sounding question, but I'm
       | very confused about what's going on here.
       | 
       | If the subject of this investigation had been using ProtonVPN to
       | connect to ProtonMail, would this have (in a marginal way)
       | protected their anonymity? If Proton _Mail_ can be compelled to
       | begin logging, surely the same must be said of Proton _VPN_
       | right?
       | 
       | It's interesting how many "privacy focused" companies tout being
       | based in Switzerland as some big badge of honor, which a layman
       | consumer such as myself is supposed to be really impressed by due
       | to the overall reputation of "Swiss privacy laws."
       | 
       | In practice, I've never been to Switzerland. I don't know any
       | person that has had any legal issues there, let alone someone
       | that's litigated a digital privacy case there. I do not speak
       | German or French, and don't know where to start when it comes to
       | looking up specific cases or court proceedings, so I'd be
       | extremely slow on the uptake of the actual ins and outs of how
       | the Swiss privacy model works from a practical standpoint.
       | 
       | The "based in Switzerland" thing strikes me as a bit of a black
       | box bit of marketing speak. How much time, energy and money did
       | ProtonMail expend fighting this surreptitious logging mandate?
       | Does "Swiss privacy" actually mean anything if ProtonMail is happy
       | to hand over your IP address when spooked?
        
         | H8crilA wrote:
         | Shhh, the entire country runs on similar myths, most
         | prominently banking. But then, all that the common man is
         | capable of understanding is myths, sooo ...
        
         | llampx wrote:
         | > It's interesting how many "privacy focused" companies tout
         | being based in Switzerland as some big badge of honor, which a
         | layman consumer such as myself is supposed to be really
         | impressed by due to the overall reputation of "Swiss privacy
         | laws."
         | 
         | I believe it comes about due to the old trope of Swiss banks
         | being the most secure places to hide money, which of course is
         | not true and hasn't been for a long time. Even in that period,
         | I am sure they complied with Interpol/Europol requests to
         | divulge account details of evil masterminds with a beeellion
         | dollars hidden away in a Swiss vault.
        
         | shantara wrote:
         | I used to work for a now defunct Swiss company that had "Swiss
         | quality, security and privacy" plastered all over the website
         | and marketing materials. The number of actual Swiss people on
         | the team could be counted on one hand, the rest of developers
         | being from every European country out there, with the most
         | represented ones being Ukraine and Romania. And from talking
         | with my coworkers, the situation is the same across other Swiss
         | IT companies.
         | 
         | I would not pay any attention to the "Swiss X" marketing.
        
       | FpUser wrote:
       | Problem is not with ProtonMail. Problem is with the government
       | arresting people for this type of action.
        
       | dredmorbius wrote:
       | Also mentioned in another submitted tweet:
       | 
       | https://nitter.eu/OnEstLaTech/status/1434575322465382404
       | 
       | Translation: "The company @ProtonMail delivered IPs of climate
       | activists to the police, after which the activists were arrested
       | and searched. ProtonMail claims on its website, however, that it
       | does not store the IP addresses of its users."
       | 
       | Source (in French): https://secoursrouge.org/france-suisse-
       | securite-it-protonmai...
       | 
       | Translation (via Google Translate):
       | 
       |  _The year 2020 and 2021 was marked by the establishment and
       | repression of a series of occupations in the district of Place
       | Sainte Marthe, in Paris, in order to fight against its
       | gentrification. Some 20 people were arrested, three searches were
       | carried out and several people were sentenced to suspended prison
       | sentences or to fines of several thousand euros (more info here
       | and here). In addition, seven people are on trial in early 2022
       | for "theft and degradation in assembly and home invasion"
       | following the occupation of a with a file of more than 1000
       | pages. During the investigation, the police focused on the
       | collective "Youth For Climate". In particular, they were able to
       | use photos published on Instagram, even if they were blurred
       | because of the clothes._
       | 
       |  _The police also noticed that the collective communicated via a
       | protonmail email address. They therefore sent a requisition (via
       | EUROPOL) to the Swiss company managing the messaging system in
       | order to find out the identity of the creator of the address.
       | Protonmail responded to this request by providing the IP address
       | and the fingerprint of the browser used by the collective. It is
       | therefore imperative to go through the tor network (or at least a
       | VPN) when using a Protonmail mailbox (or another secure mailbox)
       | if you want to guarantee sufficient security._
       | 
       | (Disclaimer, Protonmail user.)
        
       | throwawayswede wrote:
       | This is seriously messed up. Purely because their marketing has
       | been very aggressive to promote total and complete anonymity,
       | directly sometimes and mostly indirectly. If it's true that the
       | French wording makes it seem like they don't keep logs at all
       | whatsoever, then I believe the person arrested has grounds to sue
       | them, and I would hope they do. But even if not, I consider their
       | marketing is a total and complete dark pattern from now on imo.
       | 
       | Tremendously disappointed.
       | 
       | What's next? Is ddg selling search data to google?
        
       | skarz wrote:
       | We know that PM saves all kind of metadata and happily provides
       | it to any kind of agency. You have to use an anonymous VPN
       | service (obviously not ProtonVPN) in combination with ProtonMail,
       | if you want to avoid exposure by PM.
       | 
       | ProtonMail lost its essence to be honest. As soon as my
       | subscription runs out I'm gonna host my own mailserver instead.
       | There are no advantages in using ProtonMail anymore.
        
       | londons_explore wrote:
       | Cryptographers and developers need to step up their game...
       | 
       | There needs to be a messaging service where as well as the
       | messages being encrypted, the graph of who is talking to who and
       | when must be encrypted.
       | 
       | I'm imagining a system where your device forwards hundreds of
       | messages for _other people_, hiding your own message flow.
       | 
       | I perhaps send a few hundred messages per day, and even
       | multiplying that by 1000, and the typical message length of a few
       | words, it's still a tiny amount of data transfer.
        
         | bickeringyokel wrote:
         | Interesting idea, but is that not a liability to yourself if
         | nefarious or illegal messages are passing through your device?
        
       | dlvktrsh wrote:
       | I knew they were snitch
        
       | doc_gunthrop wrote:
       | It seems the lesson here is to always use a VPN (or Tor) if
       | you're under such threat.
        
         | vmception wrote:
         | and the lesson here is that everyone who called out Protonmail
         | for being sus (suspect) on signup was correct.
         | 
         | try using Tor to create a protonmail account and they require
         | both javascript and a phone number.
         | 
         | yeh yeh client side encryption requires javascript, but seems
         | better to just have an unlinked email that can be read server
         | side and there are plenty of Tor-only email providers for that.
         | 
         | phone number under an "anti-spam" guise is just suspect.
        
       | istingray wrote:
       | Protonmail customer here. Sigh. This is why I keep my own domain
       | and can point it wherever I need. Dear Protonmail, email is
       | fucking cheap and easy, I pay you $58 a year to solve stupid shit
       | like this.
       | 
       | Vendors really need to figure out how to thread the needle of "No
       | don't trust us" but still encourage customers to buy. Protonmail
       | failed here. Apple's still very much in the "trust no one but
       | us!" vibe, and it's just not sustainable.
       | 
       | I'll be switching my Protonmail use to default to Tor now. Open
       | to Tor-first vendors...are there any?
       | 
       | I like how Brave has "open in Tor" displayed on Tor-mirrored
       | sites. There's even an option for "Automatically redirect .onion"
       | sites too. Makes it easy to switch over.
       | 
       | What if Protonmail pushed their Tor services more? "Guide to
       | using Protonmail as privately as possible", have a switch for
       | "Private Mode" that kicks you over to Tor/download Tor.
        
         | pphysch wrote:
         | Tor is a State Dept/DARPA project, so at best a sidegrade from
         | Proton if your concern is being surveilled by Western
         | governments.
        
           | sneak wrote:
           | Tor is open source. Point to the vulnerability you are
           | claiming, or stop spreading FUD.
        
             | arglebarglegar wrote:
             | it's been known for a while that the NSA runs tor nodes,
             | right?
        
             | cortesoft wrote:
             | https://nusenu.medium.com/tracking-one-year-of-malicious-
             | tor...
        
         | acheron wrote:
         | Where "this" in "solve stupid shit like this" is "hide you from
         | police with a legally authorized warrant"?
         | 
         | If you were relying on Protonmail to conceal evidence of
         | criminal activity for you, you may not have thought that all
         | the way through.
        
           | istingray wrote:
           | Where "this" is using soft language like "by default" to hide
           | shortcomings. I expect Protonmail to do more to educate users
           | to be aware of how surveillance happens, whether a rogue
           | employee enables the function on their end, warrant, etc.
        
       | 1vuio0pswjnm7 wrote:
       | Is Javascript required to sign up or use ProtonMail?
       | 
       | https://www.wired.com/2015/10/mr-robot-uses-protonmail-still...
        
         | codetrotter wrote:
         | No, you can use any SMTP/IMAP/POP3 capable client instead of
         | using their web interface.
         | 
         | https://protonmail.com/support/knowledge-base/imap-smtp-and-...
         | 
         | But you are still making an IP connection. JS/no JS is not
         | relevant to this discussion.
        
           | [deleted]
        
       | [deleted]
        
       | SavantIdiot wrote:
       | Do we still like Runbox? Based in Norway. They claim to be the
       | most secure email provider due to Norwegian laws:
       | 
       | https://runbox.com/why-runbox/privacy-protection/email-priva...
        
       | mikl wrote:
       | I guess there isn't much Protonmail can do if the prosecutor
       | shows up with an ~Interpol~ Europol warrant.
       | 
       | I wonder what this "activist" did to earn himself Europol
       | attention. At least before the world went insane, that would only
       | happen for serious crimes.
        
         | ficklepickle wrote:
         | The terrible crime of squatting, according to some comments in
         | that thread
        
           | BrandoElFollito wrote:
           | Has your home in France been squatted? No? Or maybe you do
           | not own a house in France?
           | 
           | If so, on which basis do you ironically call squatting a
           | "terrible crime"?
           | 
           | Squatters in your house in France means that you have
           | zero rights on this place until a lengthy process gives it
           | back to you, ruined. You are then expected to be grateful and
           | can forget about any reimbursement from the poor people who
           | stole your property.
        
             | [deleted]
        
         | folmar wrote:
         | Interpol warrants are widely used for fighting political
         | opponents [https://stockholmcf.org/wp-
         | content/uploads/2017/09/Abuse-Of-...]
         | [http://www.opinione.it/societa/2017/08/29/claudia-
         | candelmo-e...]
        
         | [deleted]
        
         | keewee7 wrote:
         | The Climate Action youth movement is sometimes explicitly anti-
         | capitalist in a very "direct action" way.
         | 
         | Vandalising banks is stupid and also an efficient way to make
         | powerful people dislike you.
        
           | mytailorisrich wrote:
           | They do seem to be a far left group using the "climate"
           | umbrella. This squatting 'action' has nothing to do with the
           | environment, it's class struggle.
           | 
           | Unfortunately this sort of extremist group is harmful to
           | people and organisations genuinely trying to do something for
           | the environment.
        
           | freshhawk wrote:
           | Probably the movement to squat in empty buildings and
           | organize more of the same in response to pandemic evictions,
           | that's been getting the kind of attention it's very dangerous
           | for left wing groups to get.
        
           | [deleted]
        
         | nicce wrote:
         | If you don't collect data, you can't give it even if you
         | wanted?
        
           | MattGaiser wrote:
           | I suspect that you can order to collect it going forward.
        
             | dheera wrote:
             | If they order to collect someone's data, can't ProtonMail
             | just say "we've been ordered to collect data for a user" on
             | the front page?
        
           | danuker wrote:
           | Certain organizations can compel you to start gathering data.
        
           | kazen44 wrote:
           | expect you are legally required to actually gather this data
           | if a warrant is issued.
        
       | vmoore wrote:
       | You can disable the recording of login sessions in Protonmail's
       | settings dashboard. I do that, not only to avoid Protonmail
       | learning of the logs, but by a hacker who, once upon breaching
       | your account; also gets to learn the IP you use to login with.
        
         | istingray wrote:
         | Thanks, I had "Basic" on and turned it completely off. This
         | should be Disabled by default. I created a new account to see
         | what the default is (it's Basic):
         | https://news.ycombinator.com/item?id=28428092
        
       | alfiedotwtf wrote:
       | I'm looking forward to the day where email is not mistakenly used
       | for clandestine communication.
       | 
       | Why hasn't there been made a Tor-only, store-and-forward, text-
       | only communication app? You'd think this would be a no-brainer
       | for communities that need _real_ private communications.
        
       | blub wrote:
       | If you think that's bad, Tutanota was forced by the court to
       | change their SW, so that all incoming e-mails for a specific
       | account would be intercepted before encryption:
       | https://news.ycombinator.com/item?id=27303712
        
         | freshhawk wrote:
         | Hushmail had a similar warrant, they changed their login form
         | so it would send the password in the clear to the server, which
         | they used to decrypt the mail and logged all the traffic to
         | help trace the user. If you get targeted these "anonymous"
         | email services aren't going to be good for much in practice.
        
       | istingray wrote:
       | Disclaimer: Paying Protonmail customer
       | 
       | Their homepage says "By default, we do not keep any IP logs"
       | 
       | In 2021, any soft language like this should be a red flag for
       | anyone who is against surveillance. Maybe in 2018 it was good
       | enough. But in 2021 it's not. Come on, Protonmail, you're
       | supposed to be leading the way -- don't make me figure it out
       | myself.
       | 
       | Replace immediately with "By default we don't log IP, but may be
       | required to by local law enforcement. We recommend everyone
       | connect through Protonmail through Tor. This month, 60% of our
       | users connected through Tor".
        
         | sigmoid10 wrote:
         | People really don't seem to understand that Protonmail is a
         | western company in a western country with pretty generous
         | surveillance laws. Yes, your email text may be encrypted, but
         | everything else is free game to the authorities unless you use
         | additional protection.
        
           | istingray wrote:
           | Protonmail should be pushing more of this messaging in their
           | branding. "Don't trust us further than you can throw us.
           | We're doing our best, and here's what we recommend, use Tor,
           | etc."
        
             | winrid wrote:
             | This is just not realistic, though.
        
               | pseudalopex wrote:
               | Why not?
        
               | umvi wrote:
               | "we aren't much better than Gmail from a privacy
               | standpoint, but please still give us money"
        
           | Barrin92 wrote:
           | I wonder how long the 'Swiss privacy' brand, which seems to
           | be fairly valuable will hold if these things keep happening,
           | I had to immediately think of Crypto AG
           | 
           | https://en.wikipedia.org/wiki/Crypto_AG
        
         | znpy wrote:
         | In the US companies can make canary statement...
         | https://en.wikipedia.org/wiki/Warrant_canary
        
           | dredmorbius wrote:
           | The canary is dead, and the fact is widely publicised, if
           | not necessarily well known.
        
           | istingray wrote:
           | Those canary things seem so 2018.
           | 
           | In 2021 the most powerful canary statement should be "Don't
           | trust us. Seriously, treat us as an adversary. We still want
           | you to be our customer of course, but here's how we really
           | recommend you use our service, Tor, semi-anonymous payments,
           | etc. In God we trust, for everyone else use math."
        
         | cabalamat wrote:
         | I wonder how many TOR nodes are run by the NSA?
        
           | calvinmorrison wrote:
           | Doesn't matter if you are going to an internal onion address
        
         | ivan_gammel wrote:
         | TBH in 2021 people engaging in potentially dangerous activities
         | should be literate enough to understand, that no business will
         | guarantee them full security and decline all requests from
         | authorities to disclose their identity. The wording you suggest
         | is equivalent of "do not dry your cat in microwave"
         | instruction - a legal protection from dumb customers, that does
         | not contribute meaningfully to safety.
         | 
         | For the non-Swiss customers working with a Swiss provider can
         | be a good enough protection to avoid inconvenience of Tor.
         | After all, even in the mentioned case it required review and
         | approval of 3 agencies before request came to Proton - from
         | French police, from Europol, and then from Swiss authorities.
         | If this is not enough barriers to protect from politically
         | motivated prosecutions and corruption, then we have much bigger
         | problem in Europe.
        
           | Thorrez wrote:
           | Sure, the wording istingray suggested is a bit over the top.
           | But the existing wording "By default, we do not keep any IP
           | logs" is misleading. Why even say it? They should simply
           | delete it.
        
             | ivan_gammel wrote:
             | How do you understand "by default" and "keep" in this
             | phrase? Does it actually mean that they do not _collect_
             | the logs?
        
               | lelandfe wrote:
               | My first reading of "by default" here is that I can
               | optionally enable it through my account.
               | 
               | Really, it's a phrase that means 3 things: I can enable
               | it, ProtonMail can enable it[0], or the authorities can
               | compel ProtonMail to enable it.
               | 
               | Saying _any_ of that, or at least linking to a page that
               | does, would be a smart move.
               | 
               | [0] https://protonmail.com/privacy-policy - "IP logs may
               | be kept temporarily to combat abuse and fraud, and your
               | IP address may be retained permanently if you are engaged
               | in activities that breach our terms and conditions"
        
           | akimball wrote:
           | It's not protection FROM your customers. It is protection FOR
           | your customers. Most customers are not technically astute
        
             | shadowgovt wrote:
             | A corporation is a power centralization, and government
             | authority can lean on power centralization.
             | 
             | In general, regardless of what their TOS say, never believe
             | that a corporation can't be compelled by the law to do
             | anything they could physically do. CEOs can be jailed;
             | when's the last time we heard of one _actually_ going to
             | jail over user privacy?
        
               | pessimizer wrote:
               | The point being made agrees with you, and is just saying
               | that since protonmail can't help but obey sometimes, they
               | should make the effort to educate their customers about
               | that fact and whatever their customers can personally do
               | to mitigate the risks of that fact.
        
             | ivan_gammel wrote:
             | A customer that specifically chooses Proton for privacy,
             | must read and agree to privacy policy, which explicitly
             | states, that Proton may in fact keep temporary IP logs and
             | that user may opt in for login IP logs. Requests from
             | authorities may ask for this kind of information and Proton
             | will have to provide it.
             | 
             | The "opt-in" part for login logs is particularly
             | interesting, because in fact Proton recommends this as a
             | security best practice. Whether it's in the best interest
             | of the customer or not, it's an open question. I would say,
             | in a risk model, where threat of human rights violation by
             | Swiss government is much lower than risks of unauthorized
             | party accessing the account, it makes sense. Tough luck for
             | the criminals that followed this advice.
             | 
             | https://protonmail.com/privacy-policy
        
       | keewee7 wrote:
       | Why is a "Climate activist" being arrested?
        
         | jokoon wrote:
         | I don't really know but eco terrorism is something that is more
         | than likely to increase, with all the floods, forest fires,
         | hurricanes, Greta thunberg, ipcc reports, and recently Biden
         | authorizing some oil contract thing.
         | 
         | Something is going to move.
        
         | mytailorisrich wrote:
         | In this case it seems that they are a far left group that has
         | decided to squat a restaurant for good old 'class struggle'
         | reasons and vowed not to back down...
         | 
         | It also seems that it is not any restaurant but one of the
         | 'victims' of the 2015 terrorist attacks [1]
         | 
         | Basically political extremists trying to disguise themselves as
         | environmental activists. Not interesting people, to say the
         | least.
         | 
         | [1] https://www.tellerreport.com/news/2021-01-04-%0A---
         | justice-o...
        
       | [deleted]
        
       | AdmiralAsshat wrote:
       | "We won't store your IP, except when it's sought by the
       | government, which is the only reason you'd ever realistically pay
       | for a service that doesn't store your IP."
       | 
       | Brilliant!
        
       | COGlory wrote:
       | Disclaimer: I have a ProtonMail account that I pay for.
       | 
       | I have seen a ton of disturbing pieces about ProtonMail. Every
       | time I've looked into them, they seem to be maliciously motivated
       | and usually not true, or otherwise twisting of the truth. This
       | has been a confusing thing for me because why is there a small
       | subset of people so vehemently against them?
       | 
       | In this case, I'm not surprised. They say quite clearly they can
       | be compelled to collect IP addresses - including in the linked
       | tweet. This seems like a pretty clear cut case of them being
       | compelled to provide an IP address. What the authorities can't
       | do, is read that person's email. And that's what I and others pay
       | for.
       | 
       | I'm not sure what there is to be upset about here? Other than
       | perhaps France prosecuting this individual to begin with? If we
       | had faith that ProtonMail wouldn't hand over anything to the
       | government, why would anyone even care about having encrypted
       | emails?
        
         | istingray wrote:
         | I'm also a Protonmail customer.
         | 
         | Tor solves this. Protonmail's Tor support is lukewarm. They
         | have a Tor based login without captchas. It's mentioned on
         | their homepage in the bottom menu under "Onion Site", (/tor).
         | And there's one blog post from 2017 that still promotes their
         | v2/shorter onion address.
         | 
         | I expect Protonmail to push its users to login through Tor.
         | "Don't trust us, trust math". Embed Tor support in their apps
         | as well. Rebuild their iOS app to offer to drive all
         | connections through Tor.
         | 
         | And frankly, for $50 a year for email, I expect Protonmail to
         | be thinking ahead about this, rather than me coming up with
         | dumb ideas on a forum. Protonmail was neat in 2018 but 3 years
         | later it's stagnant.
        
           | Aachen wrote:
           | How is that lukewarm? Sounds like first class support if they
           | have a dedicated onion address and not just let you connect
           | to the regular clearnet. Or is that address _only_ in that
           | old blog post and not mentioned in places you'd usually
           | look? It's a bit unclear to me.
        
             | istingray wrote:
             | It's lukewarm because what _less_ could you do besides not
             | support Tor?
             | 
             | Tor is mentioned on their homepage in the bottom menu under
             | "Onion Site". However, this menu link redirects to their
             | Tor placeholder page, rather than directly to the Tor
             | service: https://protonmail.com/tor
             | 
             | There's one blog post from 2017 that still promotes their
             | old v2 onion address: https://protonmail.com/blog/tor-
             | encrypted-email/
             | 
             | Protonmail's Tor service is located at: https://protonmailr
             | mez3lotccipshtkleegetolb73fuirgj7r4o4vfu7...
        
           | cortesoft wrote:
           | What does using Tor have to do with trusting math?
        
             | istingray wrote:
             | "What makes Tor different from the usual thesaurus-full of
             | government projects is that Tor is essentially a very
             | elaborate math trick, using layers of math puzzles to
             | create a network-within-the-network. That math is being
             | implemented in front of a global audience of millions of
             | sophisticated watchers. It is likely the most examined
             | codebase in the world. It has been subjected to multiple
             | public audits. The math, well known and widely
             | standardized, will work for everyone, or it will not,
             | whoever pays the bills."
             | 
             | from https://pando.com/2014/12/09/clearing-the-air-around-
             | tor/
        
         | polote wrote:
         | One of the first sentences on their website is "By default, we
         | do not keep any IP logs". If as soon as police show up (Which
         | is almost the only case that people would want their IP hidden)
         | they give IP logs, it is clearly false advertising. The fact
         | that only the anonymous feature is important to you will not
         | change the fact that they do the opposite of what they
         | advertise regarding IP logs
        
           | COGlory wrote:
           | >If as soon as police show up (Which is almost the only case
           | that people would want their IP hidden) they give IP logs, it
           | is clearly false advertising
           | 
           | Is there any evidence this is what happened?
           | 
           | An alternate scenario is that they were not keeping logs, and
           | were then compelled by the authorities to start keeping them
           | on that user.
        
             | bdibs wrote:
             | Wouldn't "any" include authority compelled logging?
        
               | COGlory wrote:
               | Perhaps, but I'd imagine that semantically, "by default"
               | negates that since this is clearly not a default
               | situation.
        
               | hh3k0 wrote:
               | Stop trying to defend indefensible behavior by getting
               | hung up on semantics.
               | 
               | I, for one, will not renew my ProtonMail account if
               | that's their status quo.
        
               | kazen44 wrote:
               | what other status quo do you expect from them? Having to
               | provide IP logs after a warrant has been issued is the
               | law in Switzerland (and most if not all of the EU).
               | 
               | Sure, the law would (hopefully) be changed, but at the
               | moment, this is the best they can legally do?
        
               | ipaddr wrote:
               | Tell users you are being logged on website.
               | 
               | Put alert warning that account has logging enabled
               | 
               | Change the service so collecting logs is not possible
               | 
               | Stop adding captcha to tor users login because you want
               | to identify users
        
             | polote wrote:
             | The end result is the same either way
        
               | Sebb767 wrote:
               | No. With on-demand logging, they can find the owner of
               | the account (assuming he doesn't take further measures),
               | but you can't retroactively prove someone used that
               | account to do something at a specific time. For example,
               | you could not prove that the individual was logged in at
               | internet cafe xy near the time of the crime. Also, an
               | opsec mishap (such as logging in without protection) will
               | not be fatal unless you're already under surveillance.
        
               | COGlory wrote:
               | No, if they were not collecting logs by default, then it
               | is clearly not false advertising.
        
               | polote wrote:
               | So the default is when nobody asks for the logs? What's the
               | point of not collecting IP unless for the time it is
               | useful?
        
               | Aachen wrote:
               | I mean it's either this or traffic analysis. If you use
               | your clearnet IP address to do illegal things, it's
               | nothing more than reasonable that you can get in trouble
               | for it.
               | 
               | This is also why I don't get protonmail in the first
               | place. Unless you use pgp or equivalent, you'll always be
               | subject to law enforcement. Just that protonmail cares
               | more and caters more to activists and so might not give
               | it out without checking that the asker is really legit
               | and then give the minimal amount possible. But they'll
               | always be able to turn over your emails and log IPs, it's
               | not protonmail's fault the laws were voted into action
               | like this.
        
               | Sebb767 wrote:
               | No history of when you logged in from where and,
               | possibly, plausible deniability about you being the
               | only user of that account (though you'd probably need to
               | prepare for this to be believable).
        
               | lelandfe wrote:
               | Technically correct but misleading.
               | 
               | They tout that off-by-default statement on their
               | homepage, underneath the header of "Anonymous Email,"
               | with the closing sentence of "Your privacy comes first."
               | 
               | So why even market that? It provides no meaningful
               | security.
        
               | IlliOnato wrote:
               | Were _you_ misled by this? Did you really expect a
               | Switzerland-based company not to comply with law of the
               | land?
               | 
               | There is a difference between "available to police, not
               | retroactively, and only with a valid warrant" and
               | "available to any government agency constantly and in
               | bulk, as well as to data-collecting commercial entities,
               | Russian and Chinese hackers, and their dogs". Don't you
               | agree?
        
               | lelandfe wrote:
               | Fair point. I still don't think they've worded that well
               | enough. I would probably not have read "By default" to
               | have the context of "Unless asked to do so by
               | authorities."
               | 
               | They're not being as transparent as possible in their
               | marketing, which is at odds with their allure of
               | security.
        
               | kylehotchkiss wrote:
               | Really solid explanation of what you're paying for as a
               | proton customer - and despite this unfortunate situation
               | for the French advocate is why myself and others will
               | continue their paid ProtonMail plans
        
               | fsckboy wrote:
               | no, the end result is not the same either way.
               | 
               | I'm not taking sides on privacy or the threat of govt (or
               | other sourced) tyranny, I'm just explaining the logic to
               | answer your question:
               | 
               | Let's say you engaged in a long history of using
               | protonmail innocently, then one day you decided to start
               | committing crimes for the first time and attract police
               | interest. You would know that your historical logs were
               | not kept, and it was only after you started attracting
               | police attention that you would be at risk of
               | incriminating yourself through proton mail. Maybe, on the
               | run from the law, it would be safe for you to hide at
               | your old friend's house because there was no log to link
               | you to him.
               | 
               | Yes, it is also the case that you may not have realized
               | that ordinary behavior had been criminalized by an evil
               | govt all along blah blah blah... I'm just pointing out
               | that there is a difference where you saw none.
        
               | polote wrote:
               | I said the end result is the same. Not that it is the
               | same. In both cases they give the IP when the police ask
               | for it
        
               | fsckboy wrote:
               | In both cases they don't give the IP.
               | 
               | in the case where they receive a court order, they first
               | log your IP and then they give it.
               | 
               | but you know this from their terms of service.
               | 
               | if you stop using protonmail when you start your criminal
               | career, they will not give your IP because they didn't
               | save it.
               | 
               | it's different in the end, not the same.
        
               | ipaddr wrote:
               | If you knew this, couldn't you login from someone's ip
               | you want to frame the crime on?
        
           | tephra wrote:
           | So also a proton customer here. "By default we do not keep
           | any IP logs" and this case does not seem like the default?
           | Seems like they were required by law to log and turn over
           | this specific IP? (Of course I haven't seen the actual case
           | but I would assume that meant a warrant.)
        
             | jonas21 wrote:
             | As a user, I'd take that to mean that they wouldn't keep
             | any IP logs unless _I_ turned logging on. I wouldn't
             | expect that _they_ would enable logging on their own.
             | 
             | Interestingly, ProtonMail's privacy policy lists a number
             | of cases in which they may log your IP address permanently
             | (including if you breach their Terms and Conditions). But a
             | request from law enforcement is not one of them.
        
             | polote wrote:
             | We do not kill people except the people we kill
             | 
             | I see that you want to protect Protonmail, but if they want
             | to stop being misleading they can just remove the IP log
             | sentence
        
               | istingray wrote:
               | Put "By default we don't keep IP, but may be required to
               | by local laws. We suggest you connect to Protonmail
               | through Tor".
               | 
               | I would much prefer this, as a Protonmail paying
               | customer.
        
               | dredmorbius wrote:
               | Tor helps, but is not especially robust against state-
               | level actors / APTs. An actor running a sufficient number
               | of entry/exit nodes could perform at least some traffic
               | analysis.
               | 
               | Tor is an improvement. It's still a limited tool.
        
               | s1artibartfast wrote:
               | It's not misleading in that many services do keep records
               | by default. If people don't understand what default
               | means, they should grow their understanding, not be
               | outraged that their uninformed opinion was wrong.
        
               | istingray wrote:
               | Default means "we do whatever the fuck we want, any
               | assumptions are your fault"
        
               | tephra wrote:
               | I mean they are misleading in so far you want them to...
               | 
               | I'm a privacy activist and certainly think that a company
               | should be able to not keep logs. If the law in the
               | country they are in (or area, see for example the data
               | retention directive in the EU) we should of course (and I
               | am) work to change those laws.
               | 
               | It should come as no surprise to anyone who is privacy
               | minded and actively seeks out privacy focused services
               | that are located within the EU or Switzerland that your
               | IP (or other information) can be requested with a warrant
               | and that a company is required to hand that over.
        
             | istingray wrote:
             | If this doesn't matter, what's important for you about
             | being a Protonmail customer?
             | 
             | (also a paying Protonmail customer)
        
               | tephra wrote:
               | I never said it didn't matter. I think the data retention
               | laws and for what crimes the police are able to get
               | certain warrants in the EU and Switzerland can be better.
               | 
               | But that is not a proton issue that is an issue with our
               | current governments.
        
               | neltnerb wrote:
               | That your emails are supposedly stored encrypted, that if
               | other services support it end-to-end email encryption
               | supposedly can be enabled easily, and that supposedly you
               | cannot be served targeted ads because they cannot read
               | the contents of your email (not that they have ads
               | anyway).
               | 
               | Of course Protonmail is accessible via Tor. Not that you
               | should need to do that to remain private.
        
               | vntok wrote:
               | > That your emails are supposedly stored encrypted, that
               | if other services support it end-to-end email encryption
               | supposedly can be enabled easily, and that supposedly you
               | cannot be served targeted ads because they cannot read
               | the contents of your email (not that they have ads
               | anyway).
               | 
               | Gmail does all of this for free though, right?
        
               | rileyphone wrote:
               | The last point very much not so - having my email
               | provided as a free product by the world's largest ad
               | company isn't a relationship I want to pursue.
        
         | aborsy wrote:
         | >> What the authorities can't do, is read that person's email.
         | 
         | What if authorities ask, serve this user this malicious
         | JavaScript code to obtain their encryption key?
         | 
         | PM has to obey and the result is the same.
        
           | pgalvin wrote:
           | They claim this is not possible under Swiss law, fwiw. We've
           | recently seen that it is possible under German law, with a
           | competitor (Tutanota) building a server-side backdoor for one
           | user.
        
             | caeril wrote:
             | ...but we know it's possible under Swiss law, from this
             | case, for them to be compelled to _start_ logging specific
             | account accesses, that they by default _were not_
             | previously.
             | 
             | How is that any different from them being compelled to
             | disable or weaken clientside encryption?
             | 
             | In both cases they're being compelled to make changes to
             | their service.
             | 
             | The camel's nose is clearly already under the tent.
             | Everybody needs to start diffing javascript served by them.
        
               | feu wrote:
               | >...but we know it's possible under Swiss law, from this
               | case, for them to be compelled to start logging specific
               | account accesses, that they by default were not
               | previously.
               | 
               | You're claiming that we know X is possible under Swiss
               | law because they were compelled to start doing Y, there
               | is no connection between those two things. Unless you can
               | cite specific laws which do allow compelling injection of
               | malicious JavaScript this seems like the spreading of
               | FUD.
        
         | c7DJTLrn wrote:
         | I am also paying for ProtonMail.
         | 
         | They come off as a very dodgy company willing to twist the
         | truth themselves. They claim that they can provide E2EE for
         | email, being careful not to give away the fact that this is
         | impossible for regular emails to non-PM customers.
         | 
         | Frankly I only use them because they're the biggest "private"
         | email service and that provides a kind of safety in numbers.
        
           | Sebb767 wrote:
           | As a business in that space, you probably need to have dodgy
           | marketing in order to convince mainstream users. I'm not
           | disagreeing that it's bad, but it's probably necessary
           | business-wise.
        
       | JohnJamesRambo wrote:
       | What does Youth for Climate do that required arrest? I'm
       | unfamiliar with them.
        
       ___________________________________________________________________
       (page generated 2021-09-05 23:00 UTC)