- cross-posted to:
- privacy@lemmy.ml
- technology@lemmy.ml
- technology@lemmy.world
I fucking knew it.
Another case of a user with terrible opsec that proton will end up being blamed for.
Logically, any service, whether private or not, is required by law to reveal the user data they have if there is a court order for a criminal investigation. Proton cannot refuse if it does not want to face a complaint that could even lead to the closure of its service. That is, in this headline “Proton Mail” can be replaced by any other email, host, chat, social network, VPN, Lemmy; it can occur in any of them. As said, read the TOS and PP of what you use.
Except they told users in the past that they don’t have this information.
They don’t have information about the content of the mails, but, the same as any other mail provider, the account data and the IP; this is the data which they can provide to the police. The rest is information from the ISP and from the police’s own investigations. Because of this the title “Proton discloses user data leading to arrest in Spain” is somewhat sensationalist.
Out of curiosity, can you link where Proton said they don’t have the user’s recovery email, that the users themselves attached to their Proton account?
Not really news. Proton follows the law. If they get a Swiss court order they will comply.
If you want to do illegal (under Swiss law) things, proton won’t cover you.
proton is untrustable
Email is untrustable
This is the second time, somehow people still defend them.
This isn’t the second time, Proton complies with Swiss law regularly.
Wow that makes it much better.
It remains standard operating procedure for any law-abiding company, and it benefits no one to pretend that it isn’t.
Removed by mod
Email is bad in general and nothing can fix that
Removed by mod
PGP doesn’t protect anything but message contents. Additionally, if your key is compromised, all of your messages are compromised.
The two you suggested are US-based though. They’d also have to answer to court orders, right?
The two you suggested are US-based though.
Disroot is in Europe.
Removed by mod
Okay, but court orders though? Not immune, just like Proton. Also they can be administered gag orders (think Lavabit), unlike Proton.
Removed by mod
Not sure how they’re better than Proton in terms of compliance and anonymity.
Removed by mod
Source: trust me bro
It’s just that more people use Proton, so more of them have their identity leaked. I don’t see how the terms of these 2 companies are better.
Removed by mod
I’ve never heard of those 2 providers and they don’t seem to be any better. I’m just looking for facts to back that, and so far I haven’t seen any.
Being skeptical doesn’t mean being a troll or a fed, wtf. I don’t know what you’re on, but it seems cool.
As for the « are you trying to discredit … without evidence », I want to answer « what can be asserted without evidence can also be dismissed without evidence ».
Removed by mod
I’ve never heard of those 2 providers and they don’t seem to be any better.
You’ve never heard of the other two providers, but yet you already draw the conclusion that they don’t seem to be better. What does “better” mean to you in this context?
Their privacy policy. They log IP addresses and are not immune to legal actions, and as such are not really better than Proton in terms of legal actions.
Removed by mod
No company is going to legally go to bat for you for $10/mo. I love how Proton nonchalantly calls out the user’s dumb move in the article:
Proton provides privacy by default and not anonymity by default because anonymity requires certain user actions to ensure proper OpSec, such as not adding your Apple account as an optional recovery method. Note, Proton does not require adding a recovery address as this information can in theory be turned over under Swiss court order…
Proton does require a recovery email address if you sign up to a mail forwarding service or similar, right after creating the account. In that case the account remains locked if you don’t, so that’s just a lie.
In the article it says that that’s a one-time verification address. Though that leaves the question of whether/how long it’s stored.
Still, it wasn’t optional for me, so I’m pretty annoyed that they’re saying it.
You can remove the mail afterwards, but indeed, I won’t trust Proton with not keeping that info. The mail has to be entered in the recovery email field, and Proton then sends mail to the recovery address when you have unread mail. So it’s not a one-time mail sent with a code.
It is worth noting, though, that Proton doesn’t allow you to use certain domains for recovery addresses. Admittedly this was a while ago and maybe things have changed there, but when I first joined Proton they wouldn’t allow me to set a duck.com or simplelogin.com or addy.io address as a recovery email.
Obviously using an Apple ID is stupid, but Proton could make more of an effort too.
They are actually quite aggressive about blocking disposable emails; most free services don’t work. I have used Protonmail a few times for semi-disposable accounts that used disposable emails to sign up, and some of them were banned later.
I actually set SimpleLogin as recovery lol
So they will ask Proton again for the address where everything is being forwarded… Not a good plan.
It would be fun to daisy chain a bazillion emails, all forwarding to each other in circles and have the cops just call yahoo 20 times.
But all emails are encrypted so they can’t be read anyways.
No, only the ones on Proton. If you send or receive an email from outside, it’s unencrypted there.
But still, it makes little to no difference for law enforcement. They will get the real address and whatever little info Proton or the other provider has on you.
As far as I know, SimpleLogin doesn’t store anything.
What would be a more appropriate email address to use, or just no recovery email?
It’s best for anonymity to not use one at all. Proton provides a recovery key to allow access to your account if you manage to lock yourself out. Keep that key somewhere safe/secure.
Thank you. The recovery key seems like a better route for sure.
Ideally no recovery mail, or you can create a burner Gmail account with a VPN.
Doesn’t Gmail require a phone number upon registration? One of the worst choices for “burner” mails.
Do they now? I remember creating 10 Gmail accounts using a free VPN back in 2022. IIRC Outlook doesn’t require a phone number.
Oh, nice! Where was the VPN server, if you remember? I also heard of it being possible on a real Android device, but not on an Android VM, so even harder to fake.
At any point in the process, does it warn you about setting up recovery with personal email addresses?
Feels like, with how much Proton advertises nowadays as a privacy-protecting service, they need to take into consideration that a lot of their customers now are going to be average users who don’t know anything about proper OpSec. They should be much clearer about what things they can’t protect you from.
It shouldn’t be in a press release like this; they should be explaining the difference between privacy and anonymity to the customer. It’s not like their marketing team isn’t aware of the fact that most people don’t know any better.
It’s in their best interests, too, because it doesn’t matter how many times you say “we provide privacy not anonymity”, the headlines are a bad look.
Unless you’re targeted by law enforcement, having a recovery email won’t be an issue. 99.99% of the userbase would never have a problem with this.
I get what you say, but it’s really nitpicking at this point I think.
Thing is, Protonmail has been telling people this from the very beginning. It’s like it gets rediscovered every year or so when somebody else gets busted.
Maybe also just consider any email insecure by default? Like, it’s fcking email; having privacy, let alone security or anonymity, is just like trying to mod a skateboard into a secure highway vehicle imho.
I don’t understand why people blame Proton instead of OPSEC. A company complies with the law and won’t go to jail for you; what are they thinking?
Because Proton put themselves into this position by making false advertising claims. Let’s not forget this isn’t the first time Proton has given away the IP of an individual, and last time was even worse because Proton at the time was directly advertising that they kept no IP logs, which they had to quietly remove after giving the Swiss feds the IP.
They don’t log by default; they log with a warrant, I guess. But still, hello, they are just companies; they don’t owe you anything. You should all use anonymous services which will close in a few weeks or months, as it’s illegal to keep nothing.
If you look through my comment history you’ll see I’m a huge advocate for Tor/I2P instead of VPNs.
Proton is a service provider, not your confederate.
All the commenters suggesting that Proton is just a company and would always give in to legal requests, and that all other companies and any email provider would do the same: here’s some more to add. Yesterday I saw a now-invalid toot comment from ProtonPrivacy on Mastodon Social where they wrote that it was Apple who was to blame, and that Proton gave the recovery email address only because this was a case of a terrorism suspect, suggesting that if that (terrorism) was not the case they would not have given in to the request. Today their comment sadly gives a 404 error. Searching a bit further, this article comes up mentioning Proton and Wire:
In the new resolution, the National Audience judge recalls that in January, in a judicial report he issued on the case, he highlighted a conversation from July 12th and 13th, 2020, about the king’s visits, which was included in the Tsunami investigative evidence, and of which he admits that until that point he had not made reference in his investigation which extends over the period from 2016 to 2022. Specifically, one of the people under investigation, the Girona businessperson Josep Campmajó, spoke to the figure named Xuxu Rondinaire, with profile @marietadelulllviu, about mobilizations in 2019, using the Wire messenger app. The judge has asked for the identification of this person, information now obtained by the Civil Guard, which details that they used Europol to ask the Swiss authorities for the Wire firm to identify the person behind this pseudonym, with a profile that is also used in Proton Mail, an encrypted email system. In the police cooperation form requesting the information, the Spanish officers indicate to the Swiss authorities that the investigation is for the crime of terrorism.
So proton will only give users’ information to governments if the government calls the user a terrorist. Good thing governments don’t just throw that word around willy-nilly!
Proton is just a company and would always give in to legal requests and all other companies and any email provider would do the same
It’s amazing how people easily forget about lavabit and what a company that is committed to real privacy is about.
@lemmyreader Yes, the name/address of the terrorism suspect was actually given to police by Apple, not Proton. The terror suspect added their real-life Apple email as an optional recovery address in Proton Mail. Proton can’t decrypt data, but in terror cases Swiss courts can obtain recovery email.
That was a short honeymoon.
Are there any email solutions that are actually private?
Only as private as you make it. They are required by law, when mandated by a warrant, to release IP & other (unencrypted) data they have on you. Use a proxy to connect & take other opsec measures to conceal your online identity, just like with other sensitive web browsing activities, if you want to use email “privately”.
This is really only helping anonymity though, as the email protocol has no built-in encryption. Unless you are using PGP, it really isn’t apt for secure communication at all.
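The two points above, that PGP covers only the message body and that everything else stays readable at the provider, are easy to verify on a message as it sits in a mailbox. The following is an added example, not code from the thread or from any provider: it parses two constructed messages (a PGP/MIME one with a placeholder ciphertext, and a plaintext one) and returns what a provider, or anyone holding a court order against it, can read from each: headers, the connecting IP from the Received line, and whether the body is readable. All addresses, hosts and the IP are made up.

```python
"""Added example: what a mail provider can still read from a stored message."""
import email
import re
from email import policy

# Constructed sample 1: a PGP/MIME (RFC 3156) message. The armored block is a
# placeholder, not a real ciphertext; only its shape matters here.
SAMPLE_PGP_MESSAGE = """\
Received: from [203.0.113.7] by mail.example.invalid with ESMTPSA; Sat, 11 May 2024 10:03:12 +0000
From: alice@example.invalid
To: bob@example.invalid
Subject: meeting
Date: Sat, 11 May 2024 10:03:00 +0000
Message-ID: <c0ffee@example.invalid>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
hQEMA1BMQUNFSE9MREVSbm90UmVhbENpcGhlcnRleHQ=
-----END PGP MESSAGE-----

--b1--
"""

# Constructed sample 2: the same envelope with an ordinary plaintext body.
SAMPLE_PLAIN_MESSAGE = """\
Received: from [203.0.113.7] by mail.example.invalid with ESMTPSA; Sat, 11 May 2024 10:03:12 +0000
From: alice@example.invalid
To: bob@example.invalid
Subject: meeting
Date: Sat, 11 May 2024 10:03:00 +0000
Message-ID: <c0ffee@example.invalid>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

see you at noon
"""

# Headers that are never covered by PGP/MIME body encryption.
EXPOSED_HEADERS = ("Received", "From", "To", "Subject", "Date", "Message-ID")
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def provider_view(raw_message: str) -> dict:
    """Return the metadata and body a provider can read from one message."""
    msg = email.message_from_string(raw_message, policy=policy.default)

    # Envelope and header metadata is cleartext regardless of body encryption.
    exposed = {
        name: str(msg[name]) for name in EXPOSED_HEADERS if msg[name] is not None
    }

    # The first Received line written by the provider carries the client IP.
    sender_ip = None
    for line in msg.get_all("Received") or []:
        match = IPV4_IN_BRACKETS.search(str(line))
        if match:
            sender_ip = match.group(1)
            break

    pgp_mime = (
        msg.get_content_type() == "multipart/encrypted"
        and msg.get_param("protocol") == "application/pgp-encrypted"
    )
    if pgp_mime:
        # RFC 3156: part 1 is the control part, part 2 the opaque ciphertext.
        parts = list(msg.iter_parts())
        body = parts[1].get_payload() if len(parts) == 2 else ""
        body_readable = False
    else:
        body_part = msg.get_body(preferencelist=("plain",))
        body = body_part.get_content() if body_part is not None else ""
        body_readable = True

    return {
        "exposed": exposed,
        "sender_ip": sender_ip,
        "body_readable": body_readable,
        "body": body,
    }


if __name__ == "__main__":
    for label, raw in (("PGP/MIME", SAMPLE_PGP_MESSAGE), ("plain", SAMPLE_PLAIN_MESSAGE)):
        view = provider_view(raw)
        print(f"{label}: ip={view['sender_ip']} body_readable={view['body_readable']}")
        for name, value in view["exposed"].items():
            print(f"  {name}: {value}")
```

Running it shows the same From, To, Subject, Date, Message-ID and connecting IP for both messages; the only difference PGP makes is that the body of the first is an opaque blob. That is exactly the data set the thread says a provider can hand over under a court order, and it is why PGP alone does not turn email into an anonymous channel.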
No, as email isn’t private.
Tutanota is what a lot of the XMR people use/endorse.
For the record I used to use Protonmail and VPN, but one day my password just randomly stopped working and I lost access to everything. Switched over to Tutanota and Mullvad and have had zero issues since.
Bro, this reads like an ad. You using a VPN has nothing to do with YOU losing your password.
Edit: might add this is the classic bad user you see in tech support.
CAPS ON
types password
Login failed
tries the same password several times
gets locked out
blames the service
Lmao you’re right. Removed the first part. It came to look like an ad because I posted my first thought, then came back with my second one and appended it.
As far as the password goes, to this day I have no idea how it happened. I don’t want to admit I use the same password for everything, but ya know… it just stopped working for Proton one day.
It looks more like multiple companies were needed to pin the individual. I don’t expect any company to not comply with legal requests. My understanding is this is why it’s important to know what information a company retains.
For my own use, I have used Proton just to mitigate being a source of ad info and to get better service. I’m not interesting enough to overthrow anything.
Most info came from the fact that they made the move to link their personal iCloud Mail as a recovery method.
Infinite wisdom.
And then I am the one exaggerating… I’ll say it again: Proton is just another company that managed to find clever ways to profit from a group of people who value things such as “privacy”.
They’re just a very large marketing effort with little to nothing to show, but everyone is convinced they’re actually protecting users while they keep pushing proprietary / half-open and non-standard stuff as solutions for problems already solved with truly open tools, standards and protocols.
Proton did nothing wrong here; in fact, it is working as intended.
No email content or attachment was provided in this case because they (Proton) have nothing to give. Now, imagine if this user were using Gmail instead of Proton.
The article title is clickbait and is trying to incite outrage from the crowd. Don’t fall for it.
Now, imagine if this user were using Gmail instead of Proton.
Now imagine if the user was using Gmail + PGP… same end result. Proton delivered no extra value whatsoever.