return to table of content

Proton Mail discloses user data leading to arrest in Spain

oooyay
65 replies
18h49m

I dislike that a website with privacy in the name collides privacy and anonymity. Privacy does not protect you from the state. Privacy is good enough to protect you from the public.

If you are doing battle with or an enemy of the state, much less an agent of the state acting in bad faith simple privacy will do nothing for you. Worse your misunderstanding of it is actually a vector, like in this case. The measures for anonymity you require will not incorporate fancy UIs, nice features, or even reasonable reliability at times because they will be sacrificed in the name of leaving no trace.

dathinab
34 replies
18h24m

Privacy is also meant to protect you from the state, or more specifically state abuse. It's an essential aspect of privacy.

Like privacy is also meant to e.g. not disclose topics you have communicated about so that it can't be abused against you. For example there is a long history of states persecuting people for idk. being gay, believing in a certain religion or being a journalist which was involved in a unpleasant disclosure.

Still privacy and anonymity are two tightly related but different things. Mainly privacy of communication doesn't always imply anonymity, through sometimes does (and has too!).

Anyway it is foolish and somewhat strange to believe that a legally operating email service will protect you against judge backed lawful orders (no matter if it should be lawful or not).

Handing out metadata isn't even the worst which can happen, e.g. a judge might order them to make copies of unencrypted mails you receive or make copies of unencrypted mails you write or even undermine your encryption the next time you login.

They can try to dispute it and that alone does reduce abuse potential (if they operate in a place which still can be called a state of law) in the end especially for mail there is just no true privacy and even less anonymity.

Which doesn't mean their service is useless.

Just if you worry about political prosecution by EU countries, or do crime it's not protecting you.

matheusmoreira
29 replies
17h39m

Some interesting facts about Proton Mail. It generates OpenPGP keys on their own servers, and if you want to use your own keys their instructions show users how to upload upload their entire OpenPGP secret keychain to Proton Mail. Not just encryption/signing subkeys, the master key also needs to be included.

I've emailed them to ask that they fix this. I also created a post on their user voice thing about it.

https://protonmail.uservoice.com/forums/284483-proton-mail/s...

TLDR; Proton Mail tells users to do this:

  gpg --armor --export-secret-keys "${USER_ID}" | import-into-proton-mail
They should support this instead:

  gpg --armor --export-secret-subkeys "${PROTON_ENCR_SUBKEY_ID}!" | import-into-proton-mail
  gpg --armor --export-secret-subkeys "${PROTON_SIGN_SUBKEY_ID}!" | import-into-proton-mail
First one leaks the user's master key to them.

underlogic
16 replies
16h38m

fix it? are you kidding!

that they demanded the private key tells you _everything_ you need to know about protonmail.

matheusmoreira
15 replies
16h5m

Well, they are literally in the business of making OpenPGP easy to use. I understand your worry but I can also understand where they're coming from. The fact is PGP is stupidly hard. I once ran into a gpg bug that deleted my master key. I got so frustrated I just gave up and forgot about it for years. Without services like Proton Mail, this stuff is just never going to be mainstream.

The only way to retain full control over all the keys is to do it the hard way: manually encrypt the emails and send that payload via SMTP. If we refuse to give them the keys, we can't enjoy the convenience of Proton Mail doing that automatically for us. Proton Mail offers a middle ground and it's a very attractive one if you accept the inherent risks associated with giving them the keys.

I'm not willing to give them the master key though. I want the ability to generate a bunch of subkeys just for them. Then I can just revoke those keys if they're ever compromised, and the emails will be encrypted and signed by my actual OpenPGP identity that I'm investing time into, not a separate master key generated for my Proton Mail account.

The support guys confirmed to me in writing via email that Proton Mail only ever uses the signing and encryption subkeys. They don't need the master key.

We use the signing subkey for signing and the encryption subkey for encryption, and you will have to import the whole OpenPGP at once.

So I asked them directly to add support for importing just the subkeys.

I made a post on their user voice thing about this too. It's garnered a bit of support already.

https://protonmail.uservoice.com/forums/284483-proton-mail/s...

Let's see what happens.

underlogic
7 replies
15h50m

It's a "trust me" story. Honeypot

matheusmoreira
3 replies
15h35m

I can't deny that possibility. Still, it should be an individual's choice to risk it or not.

42lux
1 replies
15h0m

It is but if I exchange emails with a Protonmail user I am writing with them like there is no encryption present.

matheusmoreira
0 replies
7h9m

That's probably wise. I wish there was a way to add metadata to the subkeys. I want to have one set of subkeys for Proton Mail and another set for absolute privacy. I want to mark them as "leaked" keys somehow. Not quite revoked but close.

I read the OpenPGP standard and it seems to have some kind of "notation" packets. Seems to be somewhat related to metadata but I can't figure out how it works or even what its purpose is and it looks like nothing ever uses that anyway.

medo-bear
0 replies
14h50m

Of course you are right, if majority of individuals were informed and if protonmail was proactive in informing their users about short commings. The problem is that most users are not informed and they think that protonmail is the bee's knees of email privacy and security, while protonmail only promotes that myth.

jorvi
2 replies
13h55m

It is also security theater. 99.9% of the time the other side you are communicating with stores their mails with server-side encryption. If your fancy encrypted e-mails have a "plaintext" mirror, your encryption is useless.

You want to optimize your 99.9% case for convenience (say, use Fastmail), and optimize your 00.1% case for security (manually managed PGP with a secondary anonymous e-mail). It makes no sense to trade away swathes of convenience and security just so you can be lazy with your 00.1% case.

matheusmoreira
0 replies
13h46m

I view Proton Mail as the convenient 99,9% case. It's a very polished service and it seems to offer a somewhat higher security baseline than the other email providers which probably don't even try to do anything encryption related.

The maximum security manual OpenPGP 0.1% case is still absolutely necessary though. No doubt about that. Anyone claiming that Proton Mail solved this doesn't actually understand how OpenPGP works. Not that I would fault them for failing to understand this ludicrously complicated stuff.

Y_Y
4 replies
14h3m

So can you put in a dummy master key after the export and before the upload?

matheusmoreira
3 replies
13h54m

Maybe. I haven't tried it. Someone actually suggested this to me on the #gnupg IRC but I just kinda forgot about it.

The --export-secret-subkeys command does just that: it replaces the master key with some GNU specific stub packet thing. It's conceivable that they could detect this and reject the uploaded key. In order to avoid that, one might edit the secret key packet manually instead. Just zero fill or randomize all the secret key bits or something. I assume it wouldn't match up with the public key though. Aren't the public and private keys mathematically related? Maybe you can detect that the key is bogus if you try to do cryptographic operations with it. Maybe the operation somehow fails or produces nonsense results. I don't really know enough cryptography to say.

Y_Y
1 replies
12h28m

RFC4880 uses ElGamal for the asymmetric encryption and so it's a discrete log problem. Roughly the private key x should satisfy `a=b^x mod n` where b and n are known, and a is part of the public key. It goes through similarly for elliptic curve-based schemes.

twiss
0 replies
6h48m

FWIW, OpenPGP doesn't only offer ElGamal, and we never use that algorithm. We use Curve25519 by default since quite a while, before which we used RSA. We've never used ElGamal and also don't allow importing ElGamal keys, since they're insecure and deprecated in the crypto refresh (the upcoming update to the OpenPGP standard): https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-cry....

twiss
0 replies
6h43m

Indeed filling the private key with zeros or random data wouldn't work, but we do support GNU Dummy keys as exported by `gpg --export-secret-subkeys` nowadays.

guappa
1 replies
13h20m

They could have kept the private key in the browser instead of in the server and let the user get the file there.

matheusmoreira
0 replies
5h40m

They could but then you open the mobile app or another computer and the key just isn't there. They could generate one subkey for each device but then you risk user emails being impossible to decrypt if they ever lose that device. Hell I'm a programmer and I somehow managed to get my own master key deleted because I ran smack into some gpg bug which I then reported and sent a patch for. If I can't do this without deleting my keys and being forced to revoke them from keyservers immediately after publishing, what hope do end users have?

The most secure solution is to generate keys on an OpenPGP smartcard like an NFC enabled YubiKey and use that key everywhere. Even that's incompatible with maximum reliability: YubiKeys can and will eventually fail and when they do your keys are gone. So you can't generate the encryption subkey on the smartcard, you need to generate it on a secure device, back it up to paper just like the master key, and then copy it to the smartcard. Otherwise you risk being unable to decrypt data later.

It's an incredibly hard problem and it's full of tradeoffs. I can at least respect their attempt to solve the problem.

emptysongglass
4 replies
16h7m

Proton Mail also still doesn't detect WIKD keys on the other side despite reporting it over 5 years ago.

emptysongglass
2 replies
11h52m

Actually, you have a bug that has been unfixed for 5 years now. I know because I submitted it. Still no action.

Here's my last message to Proton Mail support, request ID 822331. I was directly told no resources would be spent on fixing it:

Well, it has been multiple years now so can you guys maybe prioritize this? How long do you want me to continue waiting on this issue? I can't count on PM users to send my mailserver E2EE mail when the mobile app doesn't support it.
sevagh
1 replies
11h12m

So is the feature missing or is your support ticket open?

emptysongglass
0 replies
10h14m

It's been open for 5 years.

twiss
3 replies
12h13m

Hi! Crypto team lead here.

1. We don't generate OpenPGP keys on the server, we generate them in the client, and then encrypt them with a key derived from your password (which we never send to the server), and store the encrypted key on the server. Then, when you login again, we fetch and decrypt the private key, and use it in the client. The server never has access to your private keys.

2. We do support "GNU Dummy" keys now (which is what `gpg --export-secret-subkeys` creates). The required private key material needs to be in a single OpenPGP key though (with a dummy primary key), but that's what `gpg --export-secret-subkeys` does by default. Though, as mentioned above, we don't have access to the primary key on our servers either way.

2a. Note that "GNU Dummy" keys are a gpg-specific extension to OpenPGP [1]. The upcoming new version of the OpenPGP standard [2] allows a more standardized way of doing this by combining public key packets and private key packets in a single transferable private key, but it's not widely implemented yet.

3. I would argue that the private key material of the subkeys (used to encrypt and sign your emails) is actually much more important in this case (but of course we don't have access to that either). That's the reason we don't explicitly recommend this: it doesn't meaningfully improve security. But we don't stop you from doing it (now that we support it, even though it's a nonstandard feature), either.

[1]: https://github.com/gpg/gnupg/blob/master/doc/DETAILS#gnu-ext...

[2]: https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-cry...

matheusmoreira
2 replies
6h24m

We don't generate OpenPGP keys on the server, we generate them in the client, and then encrypt them with a key derived from your password (which we never send to the server), and store the encrypted key on the server.

I see, I stand corrected then. Thanks for clarifying. The Proton Mail interface contains buttons labeled "generate" so I got the impression it was being generated in the server. Is this password-derived key the "account key" which I see in the Proton Mail settings interface?

Please clarify what key derivation function is being used. The OpenPGP S2K which gpg uses is outdated and probably not secure enough. I know that Proton Mail is involved in the OpenPGP standards body in an effort to modernize it and that the new RFC contains support for the memory hard argon2 algorithm. Is that what's being used? If so then I would believe that it's even more secure than the encryption that gpg applies to the exported key output.

Are there instructions for verifying that all this is happening? I think a lot of folks on HN won't be convinced otherwise.

We do support "GNU Dummy" keys now (which is what `gpg --export-secret-subkeys` creates).

Wow that is GREAT and the exact information I wanted! I only believed otherwise because of the documented instructions, which contain the command I posted above. I double checked with Proton Mail support as well but everything led to believe that this was not supported when in fact it was.

Please add this fact to your documentation and instruct your support staff about this!!

I would argue that the private key material of the subkeys (used to encrypt and sign your emails) is actually much more important in this case (but of course we don't have access to that either).

I agree. Those are the keys which sign and encrypt the data after all.

It's just that I'm going to create an OpenPGP identity for things like signing code commits on git, signing packages I publish. I'm putting quite a bit of effort into getting it right. I printed out the master key to paper in paperkey and QR code format. I even contributed code to ZBar to add binary decoding support so that the key backup is easy to restore. I'll also be making an effort to join the decentralized web of trust.

So I was really hoping to be able to use Proton Mail with this identity instead of the key pair that's generated for the account. This way the emails I send can be signed by the same identity that I'll publish on the OpenPGP key servers. Looks like it's going to be possible after all.

Thanks for reaching out here on HN. I've been a really happy Proton Mail customer and now I'm even happier.

twiss
1 replies
4h14m

Is this password-derived key the "account key" which I see in the Proton Mail settings interface?

No, the account key is an OpenPGP key which is encrypted with a key derived from your password. The "key encryption key" is not separately visible. The address keys are in turn encrypted using the account key. (The account keys are also used to encrypt your contacts, for example, which are shared between all your addresses - while the address keys are specific to an email address and are used to encrypt emails etc.)

Please clarify what key derivation function is being used.

We use bcrypt, in addition to the OpenPGP S2K (i.e. the bcrypt output is fed as the "password" to OpenPGP's key encryption).

We are in the process of rolling out updates to OpenPGP.js and GopenPGP which support Argon2 for the OpenPGP S2K step, after which we'll start using that - but we aren't quite yet.

Are there instructions for verifying that all this is happening? I think a lot of folks on HN won't be convinced otherwise.

Take a look at https://github.com/ProtonMail/WebClients/blob/main/packages/..., for example. Though to be honest, if you want to verify that we aren't sending the password to the server anywhere, in principle you'd have to check the code of the entire web app (or whichever app you're using). It's all open source, but it's a lot of work, of course. But you can also check the latest audit report: https://proton.me/blog/security-audit. They also verified all of this stuff.

It's just that I'm going to create an OpenPGP identity for things like signing code commits on git, signing packages I publish. (...) So I was really hoping to be able to use Proton Mail with this identity instead of the key pair that's generated for the account.

Yeah, I understand. Though the typical advice from a cryptographer's perspective would be, it's better to use separate keys for separate purposes; and the simplest way to do that is to generate separate OpenPGP certificates, so that's what we'd generally recommend. But, if you want to generate separate subkeys and sign them all using a common primary key, that's also reasonable enough. And, we can improve the documentation on that, although it's a bit of a niche use case (not for HN of course, but for the general audience it is).

Thanks for reaching out here on HN. I've been a really happy Proton Mail customer and now I'm even happier.

Thanks, glad to hear! :)

matheusmoreira
0 replies
4h3m

Thanks for clarifying.

although it's a bit of a niche use case (not for HN of course, but for the general audience it is)

No doubt about that. Safe to assume that 99% of your users will not know or care about this. That's why I want to thank you for supporting this advanced key management feature for those of us who want it. To me that's evidence that Proton Mail takes OpenPGP seriously.

ta988
2 replies
16h58m

Of course they will not. If you look at everything they propose there is always that one thing that makes them control everything. Their IMAP bridge, key generation etc

trog
0 replies
16h39m

I don't know much about Proton Mail but presumably they want that so they can actually provide you with a more complete service, other than just being a mail gateway?

I would assume that any technically sophisticated users who just want an SMTP/IMAP server would never let their keys leave their control, but there might be other users for whom a "middle layer" service which has their keys is good enough. (I guess this is especially evident in cryptoassets where people seem to cheerfully let third parties manage their tokens, so it's not really surprising to me that there are a bunch of people willing to do it with their PGP keys for email purposes.)

I guess there's an argument about whether or not they're being responsible in providing such an option at all, which is fair enough.

matheusmoreira
0 replies
15h10m

It's how they make OpenPGP easy to use. Everyone who's ever tried it knows how hopelessly complicated it is. Their bridge's entire purpose is to present a standard email server to email clients so that all the OpenPGP stuff can be done automatically and transparently behind the scenes.

Does that create trust issues? Absolutely. Still, OpenPGP sucks and I just can't fault them for trying to fix it. They're even participating in the standards bodies alongside other OpenPGP projects trying to modernize the whole thing. Somehow it resulted in gpg forking the standard and making everything even worse. It was hard to use before, now it's hard and fragmented.

https://lwn.net/Articles/953797/

https://news.ycombinator.com/item?id=38554393

I suppose they could have gpg or OpenPGP smartcard integration in the bridge, then it could use those keys to sign and encrypt. That's more secure but creates quite a bit of hassle. Suddenly the web and mobile apps become incapable of sending OpenPGP email unless you have the smartcard connected. I've got two NFC enabled YubiKeys and I can't even begin to imagine how to connect this stuff to a smartphone. Looks like there isn't enough support for it.

https://news.ycombinator.com/item?id=40177539

happymellon
3 replies
14h42m

Mainly privacy of communication doesn't always imply anonymity, through sometimes does (and has too!).

Anonymity is simply people not knowing who you are, not necessarily what you say. It's not privacy of communication, but privacy of identity.

I can post on the internet as Anonymous Coward, and those posts are public even though my identity is private.

I can encrypt an email and send it, and it will be picked up by all the relays. They can look up the source and identify me, but hopefully not read the email contents.

dathinab
1 replies
11h24m

yes but also sometimes just knowing a persons identity can infringe on their privacy

I would say anonymity is an aspect of privacy, one you sometimes but not always need.

e.g. I would say leaking who was present at a anonymous self help group isn't just breaking anonymity but also infringing on privacy

happymellon
0 replies
10h48m

I didn't say that identity wasn't privacy.

I said that the post I responded to was conflating two different types of privacy.

Who said things is different to what was said.

Bob and Alice spoke about something, is not the same as Anon to Anon "The government is listening".

One is the message and one is metadata. They are protected in different ways and leaked in different ways. Mixing the two means that you will probably not get the protection that you desire.

oooyay
0 replies
6h33m

Just because you don't use your name doesn't make the service anonymous. Pseudo anonymous is still in the privacy bucket because there's still likely (given websites today) personal information associated with your account. True anonymity could be achieved, but it'd be difficult to maintain.

lancebeet
8 replies
13h41m

You state this distinction as if it's established, but it's not a definition I've personally heard explicitly stated before. If I read the introduction of the Wikipedia article on "privacy", I find the following:

The right not to be subjected to unsanctioned invasions of privacy by the government, corporations, or individuals is part of many countries' privacy laws, and in some cases, constitutions.

So according to Wikipedia, at least in some cases, privacy is protection against the state. Where does your definition come from?

rmbyrro
3 replies
12h26m

If there's a court order from due judicial process, isnt't it sanctioned invasion of privacy?

krageon
2 replies
11h35m

Sanctioned by the state, which the right to privacy should protect you from. The fact that your country habitually violates your rights doesn't change anything about the fact that you have a right to them.

rmbyrro
1 replies
10h57m

In every country's laws, there are limitations to rights and situations where rights can be lawfully broken.

Jerrrry
0 replies
6h56m

Obligatory George Carlin quote:

"Your rights? Right this way."

Klonoar
2 replies
13h23m

Their breakdown is what’s parroted up and down comment chains on this site when it comes to privacy/anonymity, so I’m frankly not sure how you’ve missed it over the years.

0xEF
1 replies
12h22m

That, and the terms themselves tend to invoke clues about the meaning. Privacy implies there is an identity, but it is kept hidden. Anonymity implies there is no identity established so there is nothing to hide.

We don't see much of the latter since most web services require an email to sign up, at minimum, which still leaves discoverable bread crumbs. The web services that require you to give up nothing to use them are far less popular, so I guess I can see why people might conflate the two.

toolz
0 replies
8h57m

I'm not sure where you're drawing your implications from, but that is not implied, to me. I frequently see the concept of privacy applied to situations where an entity isn't required to ID themselves for the sake of privacy.

The common description when contrasting anonymity vs privacy is that anonymity allows one to do things publicly without being ID'd while privacy allows one to do things without the public having knowledge. There is no implication or requirement that the private party has been ID'd by another other entity.

Kbelicius
0 replies
13h36m

unsanctioned invasions of privacy

GPs definition might as well come from wikipedia.

newscracker
5 replies
18h2m

You seem to be confusing privacy with practicality. In practice, nothing is ever secure, nothing is ever private and nothing is ever safe.

What matters here is what Proton promises and advertises to users/potential users vs. what it can actually deliver. I don’t know if Proton is more open about this, but hopefully this isn’t just buried in some long Terms of Service that almost nobody reads.

DEADMINCE
3 replies
17h16m

In practice, nothing is ever secure,

Well that's clearly not true.

alexey-salmin
2 replies
12h16m

Ever heard of thermorectal cryptanalysis?

As long as your secure world is not fully isolated but has any interactions with the physical world at all (e.g a human being somewhere receiving and reading your message with his eyes), then it's only a matter of resources allocated to trace you. You can pile up layers of "hops" through uncooperative jurisdictions -- this certainly helps to raise the bar but doesn't give you a mathematical proof of security.

DEADMINCE
1 replies
11h57m

That's technically and theoretically true but also largely practically irrelevant.

Consider a building or a server. You can absolutely make them secure. Sure, eventually, everything can be broken/bypassed/hacked/cracked whatever, but if there is no chance of that happening for the duration that the security has to persist, then it is secure.

alexey-salmin
0 replies
11h35m

Consider a building or a server. You can absolutely make them secure.

I'm not sure it's a good example. A server that you build from off-the-shelf components will likely come with the IME, providing direct tcp-to-ram access. Motherboard manufacturers probably add their own backdoors on top. We know about Gigabyte because they were caught red-handed, but how many we don't know about? How many rootkits in the SSD firmware? In hundreds of other firmware blobs installed on your Linux server right now?

I'm not even talking about Open Source backdoors which are hard as they have to be done in the open. Hardware/firmware backdoors are not in the open, they have been around for decades, they have been found and confirmed numerous times and god only know how many were NOT found.

Building a secure server nowadays is an extremely complex task, only solvable at the government level perhaps and only an a few select countries, if solvable at all. You need full control over the whole supply chain that includes tens or hundreds of thousands of corruptible employees.

behringer
0 replies
17h48m

Proton is incorporated and headquartered in Switzerland, meaning your data is protected by some of the world's strictest privacy laws.

This is the main statement from Proton about their privacy protection. They say they obey Swiss privacy laws. So if one has a problem with Protonmail complying with Swiss law, maybe one should complain to Switzerland.

kube-system
4 replies
18h22m

Privacy protects some things from the state, which is why the western world has the concepts of warrants and such.

But the concept certainly doesn't mean that a business is going to help you cover your tracks in regards to data you've already shared. (in this case, the recovery email address)

If you give out your personal information, commit a crime, and ask that person to help you hide, you're not asking for anonymity, you're asking for an accomplice.

_heimdall
3 replies
18h5m

I think that is the GP's point. Privacy means the data is reasonably hidden, though it still exists somewhere in a readable state. Anonymity means the information of who did what really doesn't exist anywhere.

In the case of governments, private data is only hidden until the government decides that it needs to look for it (or ask for it). Anonymity means the data isn't there, regardless of whether the government decides it needs to, and has legal justification to, demand access to the data.

Anyone providing anonymity is only an accomplice if they know your intent. Simply not collecting data doesn't make you an accomplice, not collecting data with the intent of hiding someone else's illegal behavior does.

agile-gift0262
1 replies
15h53m

I slightly disagree with your distinction. Privacy is about minimising the amount of data collected that's visible to anyone but you. Your data stays with you and/or only you can see your data, therefore, private. Anonymity isn't about the amount of data collected, but that the data collected or accessible by others can't be linked to you.

_heimdall
0 replies
10h22m

I could have been more clear there. I was specifically thinking about data that can identify you, not just data in general.

If I'm the only one in possession with data I don't really consider it data collection at all, at least in the context of privacy and anonymity. Other than that I agree with your clarifications here though.

kube-system
0 replies
18h0m

It is, I am agreeing.

The bottom line is that if you told someone who you are, you're not anonymous.

betaby
3 replies
18h34m

Privacy does not protect you from the state. Privacy is good enough to protect you from the public.

Public doesn't care mostly. Governments on the other hand...

littlestymaar
0 replies
16h50m

The “public” also means the private industrial sector, and nowadays they are by far the biggest threat for people living in the Western world.

habitue
0 replies
16h46m

The public includes online mobs who send you death threats. It definitely matters to protect your identity from the public

dheera
0 replies
18h29m

The public might care if you are rich, influential, or conventionally highly attractive, in which case privacy is a good thing to have.

mogiddy55
1 replies
9h41m

Buying used phones and laptops with cash at a bazaar whilst wearing a wig, one at a time.

You got a few days of Tor on each device; then they need to burn.

I really don't know what more you can do beyond making your own chat client. Internet is not a place for revolution.

blacklion
0 replies
9h18m

With all "security" cameras and face recognition software and big data mining, which links many sources together, real world in developed world is not a place for revolution too.

Welcome do dystopia and hope that governments in developed world will not become too nasty (CCP-level nasty) too soon due to inertia.

deadbabe
0 replies
9h52m

If you are a true enemy of the state, why communicate by digital means at all? You could pass written notes or swap USB sticks around.

carlosjobim
0 replies
12h42m

Your take is just about the opposite of what anybody I know would mean by privacy, which is to protect your information from government actors primarily, for obvious reasons since the government is an actor that seeks out to harm the public.

baby
0 replies
13h13m

Thank you for making up a definition

VelesDude
0 replies
15h34m

Privacy does not protect you from the state. Privacy is good enough to protect you from the public.

While I get what you are saying, that is a little too black and white for the entire field. Privacy can be used to shield whistle blowers from the state.

lordofgibbons
23 replies
19h39m

The heart of the issue is this:

Under Swiss law, Proton Mail was compelled to collect and provide information on the individual’s IP address to Swiss authorities, who then shared it with French police.

They can claim all the privacy guarantees they want, but unless the privacy is guaranteed by cryptography, it's an empty gesture. Nobody is willing to do prison time to protect your privacy.

fbdab103
15 replies
19h37m

I think they should do like Mullvad claims and keep zero logs. You cannot share what you do not have.

GGO
8 replies
19h23m

you can be required to keep logs - they need to design a system that cannot collect logs - You cannot share what you cannot have.

binary132
7 replies
18h36m

I’d be more interested in a system that can prove to me that it’s not collecting logs. Hard, but not impossible.

dheera
6 replies
18h21m

As long as we are talking about classical communication (and not quantum) it is impossible to prove that it isn't collecting at least ciphertext logs.

lordofgibbons
3 replies
14h53m

Not really. Tor, I2P, and Monero manage this just fine. Building on these technologies should allow one to have privacy and anonymity without any exotic quantum technology.

EraYaN
1 replies
12h51m

Well they don't actually, Tor especially has enormous amounts of government nodes so they can trace and log exactly what and who. And all of those still rely on the IP network which always will allow logging without you ever knowing, it's just math really, the proof of not-logged is just impossible.

beardog
0 replies
8h10m

Interesting, do you have a source? All fully p2p networks are vulnerable to sybil attacks to some extent, but specifically a source that Tor actively has enough "government nodes" to de-anonymize everything.

dheera
0 replies
3h7m

These technologies give privacy and anonymity under normal conditions, but they do not prevent anyone from logging ciphertexts. If someone has logged ciphertext, and the government subponies someone to divulge their private key and subponies whoever has the ciphertext, those ciphertexts as good as plain text.

binary132
1 replies
4h12m

Consider a certified tamper-resistant operating system which cryptographically certifies the versions of software it operates, and prohibits uncertified processes from running. The certificate of authenticity verifying the software is made available to the clients which connect to the remote application. This cert specifies all of the program transforms which were required in order to produce the compiled software, and they specify the capabilities required for the transform.

It is certainly a very hard and complex problem but I wouldn’t necessarily go as far as “impossible”. Maybe you know something I don’t know, though.

dheera
0 replies
3h11m

Consider a certified tamper-resistant operating system which cryptographically certifies the versions of software it operates, and prohibits uncertified processes from running.

If I own the hardware, I can decide how the software is executed, including containerizing your certification processes to make them feel warm and fuzzy and happy but in reality they are running inside a simulation.

If push comes to shove I could theoretically manufacture my own RAM sticks that copy everything and your OS wouldn't even know, but there's a 99% chance I could successfully pull it off at the kernel virtualization level.

yieldcrv
1 replies
19h11m

gullible vpn fans believe anything

or at least their favorite youtuber with the paid ads and zero domain knowledge of network topology

serious question I have is whether “internet reseller” is a compelling service. because that's all that VPNs are, and I dont mind paying to use them for that purpose.

noodlesUK
0 replies
18h11m

I would say that Mullvad seems to be the exception - they know their stuff. You can even pay with cash for even more anonymity.

srockets
1 replies
19h24m

This does not stop the host from being compelled to wiretap future communications.

Just don't try to make encrypted email happen. It can't, and we don't need it to be. We have better solutions for encrypted communications, for those that need it.

noname120
0 replies
12h24m

It's harder and requires more red tape.

kaliqt
0 replies
19h22m

I mean it's clear, the governments of the world are colluding to ensure that all companies and users must incriminate themselves by collecting logs. They're trying to do the same with cryptography.

TheCoelacanth
0 replies
9h32m

How would a recovery email feature be possible without them knowing what your recovery email is?

kube-system
2 replies
18h16m

You could encrypt the source IP on all your outbound TCP packets, but it might not work very well.

mmcallister
1 replies
14h44m

a minor point but you can't _encrypt_ source IPs, you can only obfuscate or more accurately, proxy.

kube-system
0 replies
6h11m

I was being sarcastic. The suggestion above that the privacy of an IP address could be "guaranteed by cryptography" is silly. Cryptography is not a hammer that can be used for all problems. At some point you have to transmit your IP over the internet if you want a reply.

weikju
0 replies
18h35m

The heart of the issue is this:

No, that was last year's issue.

This time it's:

The core of the controversy stems from Proton Mail providing the Spanish police with the recovery email address associated with the Proton Mail account of an individual using the pseudonym ‘Xuxo Rondinaire.’ This individual is suspected of being a member of the Mossos d’Esquadra (Catalonia’s police force) and of using their internal knowledge to assist the Democratic Tsunami movement.

and

Upon receiving the recovery email from Proton Mail, Spanish authorities further requested Apple to provide additional details linked to that email, leading to the identification of the individual.
tsimionescu
0 replies
16h16m

Expeacting a lawful corporation to shield you from the law is absurd. The state has the right to obtain this information - so, if you want it hidden, you need to find a provider that doesn't operate under the bounds of the law. You'll soon find out that A LOT of niceties go away once you're not dealing with legal matters: you can't guarantee that you'll get the service you payed for, you can't re-gain access if you lost your main security, etc.

nabla9
0 replies
11h36m

Proton Mail can't give email content, only things like email address, ip adressese etc.

Email content is encrypted and Proton Mail has no access

blackeyeblitzar
0 replies
17h51m

Is the implication that you should use a VPN from a different provider? Like so you’re not getting email and VPN and whatever from the same place?

makeitdouble
21 replies
19h36m

Proton Mail is in the title because it's where they went first, but the actual identification (real name, phone number etc.) seems to come from Apple on request for info related to the address.

In this case the email address was the lead, but I wonder what other info would be enough to get the phone provider to spill the beans. For instance would an IP address used at a specific time be uniquely identifying if it was VPNed by Apple at that moment ?

Or a Google Ad cookie that could get correlated to other devices showing similar behavior (the same way Google tracks households or related accounts) ?

fbdab103
8 replies
19h34m

While an IP address is not an identity, it can still zero in on a location. I suspect governments and ISPs all keep historical logs of who was assigned what address.

refurb
2 replies
11h16m

It can be used to identify a location, but not an individual.

I assume it could be easily challenged in court (network was compromised, “i give out my WiFi to anyone who visits my home”) without other supporting evidence.

BodyCulture
0 replies
10h38m

It would be great to have the discussion open for people with actual knowledge and experience of the issues.

To keep the discussion interesting, please do not assume or guess, thanks!

Adrox
0 replies
10h5m

Not in Germany, where you are responsible for the Wifi access, see hundreds of copyrights fines each year...

Anyway, it puts the persons living in that location on the radar of the police, and other evidence can be collected (For example by getting a warrant and taking all electronics out of the "location").

matheusmoreira
2 replies
17h49m

I suspect governments and ISPs all keep historical logs of who was assigned what address.

They do. It's often required by law.

VelesDude
1 replies
15h31m

1 maybe 2KB of storage for the IP addresses of an individual for a year. Of course they are doing it even if accidentally.

Sayrus
0 replies
13h7m

You may need a bit more than that. Especially for shared IPs or when using CGNAT as you need which IP and Port-range was used and during what time-range.

srockets
1 replies
19h23m

An IP address in itself is not an identity, but it can be easily resolved to one. This is why IP address are considered PII, and are handled like such by any competent security organization.

fiso64
0 replies
6h9m

but it can be easily resolved to one

Do you have any source to back that up? Last I heard a random person or company won't have a way to find out the real identity given just an IP in general.

RachelF
8 replies
16h57m

Why are ProtonMail keeping this IP and email information in their logs?

samjmck
5 replies
16h51m

The identification came from the recovery email.

AnonC
4 replies
14h45m

In a previous case some years ago, a French activist’s IP address was provided by Proton on court order. Proton does store IP address and does provide it when legally demanded to.

haakon
3 replies
13h47m

They were legally compelled to add IP logging for that specific user. After this incidence, they went on to obtain a court ruling in Switzerland, where they operate, so that this specific attack cannot happen again. In their blog post about it [1], they instruct concerned users to access their account over Tor.

Of course when Proton say they don't log, we just have to take their word for it. People who don't want that element of trust can use Tor. Personally I believe their story in this case.

[1] https://proton.me/blog/climate-activist-arrest

BodyCulture
2 replies
10h34m

Is it possible now to sign up using TOR? It didn’t work a few years ago when I tried and never visited this website ever again.

thinkerswell
0 replies
7h55m

Yes please report back if it works

tephra
0 replies
7h59m

They say quite clearly why in their privacy policy: https://proton.me/legal/privacy (section 2.5: IP Logging).

2.5 IP logging: By default, we do not keep permanent IP logs in relation with your Account. However, IP logs may be kept temporarily to combat abuse and fraud, and your IP address may be retained permanently if you are engaged in activities that breach our terms and conditions (e.g. spamming, DDoS attacks against our infrastructure, brute force attacks). The legal basis of this processing is our legitimate interest to protect our service against nefarious activities. If you enable authentication logging for your Account or voluntarily participate in Proton's advanced security program, the record of your login IP addresses is kept for as long as the feature is enabled. This feature is off by default, and all the records are deleted upon deactivation of the feature. The legal basis of this processing is consent, and you are free to opt in or opt out of that processing at any time in the security panel of your Account. The authentication logs feature records login attempts to your Account and does not track product-specific activity, such as VPN activity.
datadeft
0 replies
11h58m

Because of legal requirements?

lkdfjlkdfjlg
2 replies
10h28m

Proton Mail is in the title because it's where they went first, but the actual identification (real name, phone number etc.) seems to come from Apple on request for info related to the address.

Irrelevant to the point. Proton Mail provided authorities with user data.

pc86
1 replies
8h18m

Please quote from the linked article where it says that (it doesn't).

EclipseMantis
0 replies
2m

Are you sure?

The core of the controversy stems from Proton Mail providing the Spanish police with the recovery email address associated with the Proton Mail account of an individual using the pseudonym ‘Xuxo Rondinaire.’
lolinder
19 replies
19h37m

Use a good VPN service to hide your IP address whenever possible. (Failure to do this is what compromised a Proton Mail user in France who was arrested after after police obtained IP logs.)

If your VPN is tied to a payment method then all you've done is give police one extra hop to follow to get at you, which wouldn't have saved this activist. Their list of VPNs only includes Mullvad in position 9 of 10, but as far as I'm aware it's the only one that offers payment methods that preserve your anonymity.

Dylan16807
13 replies
19h19m

Let's say I buy Mullvad access with a credit card, then access my otherwise-unrelated Proton Mail account via Mullvad.

How are police going to find me behind that hop?

lolinder
9 replies
19h9m

I don't know one way or the other how easy it is, but if I were an activist in an oppressive regime I wouldn't want to use a VPN that is connected to my identity in any way. I wouldn't trust zero-log policies to keep me safe, there are too many unknowns about the way they run these services and what metadata they have to turn over.

peanut-walrus
3 replies
14h20m

In this case an activist in the oppressive regime of...Spain?!

Opsec is hard and most activists in western countries don't take it seriously. It's not like we live in PRC or DPRK right?

Ironically, it is likely far harder for PRC or DPRK to get data from Proton than it is for Spanish police.

alexey-salmin
1 replies
12h38m

Well Spain probably never got over the Franco legacy.

https://www.wired.com/story/europe-break-encryption-leaked-d...

“Ideally, in our view, it would be desirable to legislatively prevent EU-based service providers from implementing end-to-end encryption,” Spanish representatives said in the document.

spookie
0 replies
8h17m

Spain had to deal with homegrown terrorism not that long ago. Not excusing them, but it should be pointed out for more context.

TaylorAlexander
0 replies
14h5m

It's not like we live in PRC or DPRK right?

Right. Western governments are much, much better at mass covert surveillance.

it is likely far harder for PRC or DPRK to get data from Proton than it is for Spanish police

You balk at the idea of a western government being oppressive while pointing out that our “secure” email services can be easily compromised by government action.

godelski
2 replies
18h41m

but if I were an activist in an oppressive regime

Then mail them your money

I think most people are considering less serious threat models

Repulsion9513
1 replies
18h36m

I assume by "less serious threat models" you mean non-governmental, in which case just signing up for ProtonMail without a VPN is perfectly safe.

godelski
0 replies
4h33m

you mean non-governmental

I would say most people are concerned with dragnets, not targeted attacks. There's quite a lot you can hide from the government in terms of dragnets, in the same way you'd hide from big tech.

"Hide" isn't the right word. "Defend from" I think is probably better. Defending our constitutional rights from government and defending our privacy from big tech.

I'm actually perfectly okay with governments in targeted attacks (where a warrant is reasonably given). I'm just not okay with police being lazy.

chefkd
1 replies
18h37m

How could one go off grid without going off grid do you think? Cash, bitcoin, prepaid cards, VPNs they all seem traceable if truly needed

Ferret7446
0 replies
13h41m

Speaking absolutely, you can't. Reality is public. You have to choose your risk tolerance level.

timeon
1 replies
12h58m

They can find you if they are lucky with choosing your ISP, and there are not many people connecting to VPN you have used at specific time.

stanac
0 replies
12h49m

So they would have guess which ISP you are using and hope no one else was connected from that ISP to VPN at the same time. I don't think it could be used as evidence (in any country).

2OEH8eoCRo0
0 replies
19h11m

I assume they won't bother unless you're a pedo or terrorist. In that case, what you are you using the email address for? Request your info from all of those sites. Wait for you to get sloppy once.

red_admiral
1 replies
11h21m

If you're doing low-bandwidth stuff like sending e-mails, TOR (which is of course free) should be your first choice.

But you have to absolutely "air-gap" that from the rest of your identity, such as not making a proton e-mail address over TOR and then using your usual email address as the recovery one.

SomeoneFromCA
0 replies
7h59m

nah tor is not trustworthy, as it also exposes you as a tor user; in a less developed countries, where not many people know how to use Tor, you'll stick out real bad. It is much better to use shady random proxy servers you'll find online, before connecting to Tor; it is extremely slow, but much safer, as the authoritarian state monitors won't be able to see that subpoenaed ip adresses come from tor exit nodes, conveniently at the same time period you (and basically no one else) were using Tor.

ApolloFortyNine
1 replies
18h53m

Only if the vpn provider had logs.

Most claim they don't, PIA even was subpoenad at least once and responded they don't have logs.

ThrowawayTestr
0 replies
7h28m

Keep in mind that was years and at least one owner ago.

detlef64
0 replies
19h8m

You are totally wrong. You are assuming that every single VPN is logging everything you do online, every IP address, and every website, and then saving this information for every user. Completely false. Show me a single reputable VPN that does. Show me the real life cases where this has happened. Any good VPN, including Mullvad, is a no-logs VPN, which means activity through the VPN is not recorded and cannot be connected with users. There have been numerous VPNs that have not only been audited to verify this, they have been proven correct in court or real-life tests. Mullvad is a perfect example of this:

https://restoreprivacy.com/mullvad-vpn-says-customer-data-is...

Paying for a VPN account does not mean the VPN is going to start logging user activity. Keeping payment records does not equal logging user activity through VPN servers. And most of the big name VPNs allow for crypto payments.

IAmGraydon
16 replies
19h13m

Go try to create a ProtonMail account with Tor. It will ask you to confirm your account with a phone number. It skips this if you’re using a non-proxy IP. They want to know who you are, and it’s been this way for years. I think they’ve long been a honeypot.

protonmail
3 replies
12h7m

This is not true - most of the time all you need to do is fill out the captcha. In some cases (when our systems detect something suspicious about your network), we would request an additional email address. Even in those cases, the email addresses are not tied to your account - we only save a cryptographic hash of your email. Due to the hash functions being one-way, we cannot derive your data back from the hash: https://proton.me/support/human-verification

While we did use phone verification in the past, this is not the case any longer. Phone numbers were stored in the same way as the email addresses, so, again, we have no way to derive them back from the hash.

Retr0id
1 replies
5h23m

Due to the hash functions being one-way, we cannot derive your data back from the hash

This isn't true in practice. It's not hard to build a big list of ~every email address (give or take), and have a GPU churn through them all until you get a match.

If you've ever received a spam email, your email address is on such a list.

alexey-salmin
0 replies
3h4m

argon2id with dynamic salt should effectively prevent this, but it will also not allow to tell if two users have the same e-mail or not -- which I suspect is the main reason for hashing in the first place.

If equality-check is required to prevent e-mail reuse by spammers then argon2id with static salt rotated every few months will be reasonably strong too.

Of course I have no idea if any of this is implemented or it's just sha256(email). Just replying to the question of general feasibility.

happypumpkin
0 replies
4h32m

While we did use phone verification in the past, this is not the case any longer. Phone numbers were stored in the same way as the email addresses, so, again, we have no way to derive them back from the hash.

I've no reason to doubt this but brute-force cracking a hash known to be from a phone number would likely be pretty trivial.

Fwiw, I use protonmail and trust it more than most other services. But my threat model doesn't involve technically capable adversaries directly targeting me, certainly not ones that could compel protonmail to divulge phone number hashes.

immibis
2 replies
18h57m

This is different each time you try it. They may use the exit node's country (I doubt they'd be so naive), some other fingerprinting, or just have a limited number of anonymous accounts to give out each day, which is what cockli does. Sometimes you need a phone number, other times an email address, other times just a CAPTCHA.

crtasm
1 replies
18h55m

Yes, I just tested it and was able to register by giving a (disposable) email.

It did then prompt me to add an email and/or phone number as recovery methods, but that step was skippable.

mttpgn
0 replies
18h9m

I have never found protonmail's signup step asking for phone number verification or a recovery email to be unskippable.

Protonmail can still be the best choice for a pseudonymous mail service so long as it's combined with diligent, consistent IP address obfuscation. Protonmail will continue to allow logins and new account creations over Tor. All the major free email providers have long since disallowed new signups over Tor, and most have some form of degraded user experience when logging in over Tor, if they allow it at all. Small, niche email providers appear and disappear so often that relying on them still to exist even a few months into the future is a big gamble. Hosting one's own email requires payment of some type to the hosting provider, so it is not anonymous. Other privacy-oriented free email providers, such as riseup, will do exactly what protonmail did, because if they refuse, their only option is to go the way of lavabit.

BobFromEnzyte
2 replies
16h8m

You can create anonymous accounts with Tuta through Tor and they don't ask for a phone number or contact email address. They even made a tutorial video on YouTube a few weeks ago for how to do it: https://youtu.be/oXv3llPIfvo

If you continued using the account only through Tor, there wouldn't be any traceable info.

sintax
1 replies
14h25m

I'm not a lawyer, but doesn't GDPR and No-Log contradict each other.

fullspectrumdev
0 replies
14h16m

Nope. What’s funny is it’s actually easier to be GDPR compliant if you keep no logs.

dheera
1 replies
18h27m

It skips this if you’re using a non-proxy IP

Get one from your neighborhood coffee shop Wi-Fi, and pay cash for your coffee.

netsharc
0 replies
17h39m

Terrible advice, being that "neighborhood" means you live close by. Go to a coffee shop in another city, state or country and do so! (Although flights leave paper trails too)

Also make sure to avoid CCTV...

tremarley
0 replies
18h20m

They are a huge target for spam. The reason why they do this is to prevent spam.

Unfortunately, it can and has been abused.

moosemess
0 replies
7h34m

No shit. People actually do not apprend intelligence agencies have the capability, desire and resources to operate legitimate "privacy" services. Why not just roll out the red carpet and let all the sus people walk in?

arp242
0 replies
16h27m

Try setting up an email service without these protections and report back to me how well that went. Oh no you can't, as you won't be able to email anyone as everyone will mark your emails as spam as you'll be a humongous source of it. Running an email service is like being flypaper for dickheads. Evidence-free accusations of being a "honeypot" is ridiculous.

VelesDude
0 replies
15h21m

Not surprised at all. Even if it did not start with this intention, one has to suspect that with enough time it will become compromised.

About the only way to even vaguely keep your email private is to use a self hosted server with GPG keys. And any lapse on security updates for that thing and you could be compromised almost immediately.

Beyond that I cannot think of anything more one could do.

I have always treated email as something to travels in the clear. My current provider (Fastmail) is compromised by authority. The Australian Privacy Act 1988 by being based in Australia and it gets caught up by PRISM as the servers are run out of New York.

gertop
11 replies
19h39m

Proton provided us with an explanation that inbox contents remain secure.

Yup, until they receive a court order asking them to mitm an inbox, if they haven't already...

This entire system of "receive email in clear text but store it encrypted at rest" is smokes and shadows, really.

amatecha
5 replies
19h5m

Yeah, they can just deliver an alternate version of the web client (assuming the target user uses the web interface) -- probably the easiest (or least-detectable) way for ProtonMail to read a user's encrypted email contents.

binary132
4 replies
18h31m

This is where the security stuff starts going down the rabbit-hole into Wonderland. I’m still trying to figure out how to write a compiler that won’t be subject to the “what if my ur-compiler was infected with a virus that only infects compilers” problem....

schoen
3 replies
18h22m

There's lots of work on that problem!

https://dwheeler.com/trusting-trust/

There are also a number of people making minimal OSes, interpreters, and compilers that you can, for example, assemble by hand and type in "from scratch".

There was a nice list of those that I can't find right now, but you could look at

https://bootstrappable.org/projects/mes.html

as one example in this direction.

kube-system
2 replies
18h1m

The rabbit hole goes further with UEFI, components embedded in PCBs, microcode, HDL synthesizers, etc.

To make a perfectly secure system, the first step is to obtain high purity sand.

schoen
0 replies
16h47m

Yes, you can definitely get very severe attacks from backdoored hardware. Some of them appear almost impossible to defend against with software alone.

On the bright side, it's hard to imagine that many of these attacks will be self-propagating, which is the particularly insidious thing about the Trusting Trust attack. Yes, hardware is used to design hardware, but typically in a more indirect and heterogeneous way than the "compiler compiling itself" scenario. To be concrete, I'd say Microsoft or Canonical has much more to fear from a Trusting Trust sort of attack than Intel does, but the software developers also have better options to contain or detect such an attack.

creole_wither
0 replies
5h56m

There's an idea for hard sci-fi. Silicon backdoored with nanobots in sand.

upofadown
0 replies
19h25m

It depends on the local laws. Not all places can demand that a service provider do an active attack on a user. Of course many countries have passed such laws and others are planning to

It wouldn't technically be a MITM attack, they would just capture the incoming email. Tuta was famously forced to do that once by the German authorities.

protonmail
0 replies
12h3m

This is actually not permitted by the Swiss law, so it's not going to happen.

mynameisnoone
0 replies
18h27m

Better security theater through marketing.

makeitdouble
0 replies
19h7m

I think this is the same distinction as a phone operator providing the metadata (when, between who, for how long did phone calls happen) but not wiretapping the call itself.

The former has distinctly less legal requirements than the latter, and authorities might be OK with keeping it that way, as metadata is already good enough in most cases.

hwbunny
0 replies
18h17m

You can use pgp to send mail to your protonmail acc :D.

quitit
10 replies
11h25m

It seems there is some mental conflict going in readers between the reality of what ProtonMail does for its customers and their expectations of what kinds of protections a legitimate business can provide.

Both ProtonMail and Apple will challenge subpoenas when they believe they are not valid, however neither company has the final say in the matter and can be compelled to provide access to data that they reasonably have access to. It is up to the user to plan what information they provide to service provides in order to not leave a trail of crumbs, and also evaluate what kind of man-in-the-middle weaknesses a service might have for the possibility of wiretapping. It should go without saying that linking a phone number or back-up email address can be a pretty large crumb.

The learning here is to recognise that these services can be compelled to provide whatever small information that they have reasonable access to, and that this information may be useful in unmasking an identity.

I suppose the second learning is to elect governments which respect democratic freedoms, even if that puts them on the back foot.

wepple
2 replies
9h29m

It is up to the user

And therein lies the problem. We on HN may have a few ideas about how to do this, but the typical user of a secure email/VPN/tor unfortunately doesn’t and realistically can’t understand the corner cases and tricks.

Realistically, even HN users would make enough mistakes.

This is why I’m dubious of these types of products marketing to average consumers

pc86
1 replies
8h22m

If your threat model is "utilize secure email/VPN/tor to evade organizations on the spectrum of [law enforcement...intelligence services]" you are not a typical user even of those services and saying that it's on you to understand all the corner cases and tricks to avoid persecution, prosecution, execution, etc. seems pretty reasonable.

wepple
0 replies
7h16m

I wouldn’t call it reasonable.

If you’re trying to evade LE because it’s illegal to be gay in your country, and you get caught because you’d listed an Apple address in your ProtonMail account - can’t we design better products to make this less likely?

snakeyjake
2 replies
3h26m

I suppose the second learning is to elect governments which respect democratic freedoms, even if that puts them on the back foot.

Democratic freedoms, in the United States at least, protect people from UNREASONABLE search and seizure.

Compelling a third party to reveal information about a customer via a court order is not now, has never been, and will never be until the end of time and space, unreasonable.

The order itself might be unreasonable and should be challenged if so, but the procedure and ability to do so is not and will never be.

sonicanatidae
0 replies
3h23m

Democratic freedoms, in the United States at least, protect people from UNREASONABLE search and seizure.

You're conflating what's written in the law and the sad reality of how a lot of that is simply ignored by law enforcement, while they are standing on your neck, searching your car.

matheusmoreira
0 replies
2h59m

Yeah. This stuff is all about putting an end to the global mass surveilance dragnets. Police and government should still be able to operate of course, with checks and balances.

They should not be able to push a button and learn everything about a person. If they want to learn about an individual's private life, they should have to get a warrant then put people to work on the guy's case. They should have to literally follow their targets, photograph them, put hardware keyloggers into their keyboards. That sort of hardship imposes natural limits on the scale of their operations: there are only so many police officers you can assign. With computerized dragnet surveillance, the scale of their operations is essentially limitless.

These encrypted communications services aren't generally in the business of going to jail in their customer's place. They gotta comply with the government laws. When a court orders them to do something, they either obey or they are held in contempt of court if not worse. It can't be helped. It's still helping reduce global surveillance by forcing them to target their attacks.

xinayder
0 replies
6h16m

I don't think this is solely the issue that users don't understand that the companies are obliged to provide the data requested by the authorities.

The whole controversy surrounding Proton started when they marketed themselves as "secure and private email", promising they would NEVER give away their users' data, until they did. I had a similar discussion with my friends today about this topic and the issue I have with it is that Proton tries to market itself as an email which will never snitch your data to the authorities. And we've seen countless times (they have provided data to almost 6k requests last year) that this isn't the case.

The problem as I see it is that Proton is not even trying to challenge the requests anymore. It's not like Tuta, who you can read on the news that they keep challenging almost every order they get from the authorities, even if they lose the battle in court: https://techcrunch.com/2020/12/08/german-secure-email-provid...

As I read on a website comparing "private email services", the question here is not whether a service provider will or will not abide by the court requests. It's whether it will do anything to challenge it or just giveaway the data without questions asked.

nerdjon
0 replies
7h55m

I would argue that the second learning is to make it impossible to comply with these subpoenas where possible by making it so the company itself is unable to decrypt it.

Admittedly this is not really an easy solution with something as open as emails, it's possible within corporations but I don't know of a solution between "random" people.

But outside of email and things that have to be unencrypted for interoperability, everything should be encrypted and inaccessible to the company so this situation is impossible.

I think the ship has sailed on the idea of electing people who will actually care about privacy of their citizens.

dennis_jeeves2
0 replies
8h17m

I suppose the second learning is to elect governments which respect democratic freedoms,

This will _never_ happen. It's the human condition....

dcist
0 replies
8h23m

Yes, if your information is stored with a third-party, it can be subject to disclosure with a lawful subpoena.

lolmao
6 replies
20h27m

Switzerland has laws? Did Proton lie to us?

BobFromEnzyte
2 replies
16h5m

This is something that I never understood with their "oh you are safe in Switzerland" bs. If the court presents them w/ a warrant they have to comply. There is no magically safe data haven and it isn't honest to pretend that they are one.

WhyNotHugo
1 replies
12h16m

Switzerland does have strict laws on the topic. Data requests are only honoured for cases which are a crime both under the foreign country's law and under Swiss law.

If you live in a country where homosexuality is illegal, and your local government is chasing you because of this, a Swiss company won't comply with data requests, and a Swiss judge has no reason to honour any data request.

If your local government is chasing you because of something that is recognised as a crime in Switzerland, then they will disclose data to foreign authorities.

afroboy
0 replies
11h0m

Funny thing this is how Algeria try to get info from Facebook about dissidents and journalists they label them as terrorists and Facebook will comply.

Havoc
1 replies
19h43m

Lawless wasteland!

pas
0 replies
17h37m

Switzerland famously known for anarchism, utter chaos, irresponsible tinkering with time, space (disregarding mountains, tunnels everywhere) and spacetime (at CERN)!

RachelF
0 replies
16h55m

Swiss laws protect Swiss banks and their clients. No big money, no privacy laws.

Shacklz
5 replies
11h26m

There are some serious anti-proton-vibes in this thread, so just my 2 cents as a paying customer: I'm rather happy with their service. I pay them money, they make sure that Joe in Marketing won't be able to harvest data from my emails. I'm also fairly optimistic that they take security serious enough that the blast radius of some dataleak is hopefully very limited.

I have zero delusions however that they can protect me from state agents, let alone state agents with malicious intent. And I don't think it's realistic to expect that for the amount of money they cost. But that's fine with me - it's Joe from Marketing I'm scared about, and so far they seem to do a good job keeping Joe at bay :)

sevagh
2 replies
11h16m

Seconded, happy Proton customer for years since de-Googling my life.

Par for the course at HN to have a "vaguely dislike-ish" relationship with Protonmail. Fastmail is the poster child of HN on the other hand.

I would guess the gist of it is that if you promise _any_ amount of security (or whatever feature), HN will nitpick you to death on not going 100% (despite the general improvement to your security). If you don't promise security at all, it doesn't matter that you're less secure than Proton. Something like that.

fifteen1506
1 replies
9h6m

It's normal. Dropbox was derided on HN because it wasn't much more than a glorified FTP.

brongondwana
0 replies
8h12m

I've just been poking around at the Dropbox APIs recently when I got so frustrated by the fact that the Fastmail "attach from Dropbox" feature has been loading directly into my personal files space rather than showing the shared team folders since we switched over to using those last year - and I now have to download and re-upload files from those folders.

It's more than a glorified FTP. FTP does some heinous things with a separate control channel and stuff (let me tell you about adding encryption support to the Perl FTP server some other day), but this is next level!

https://developers.dropbox.com/dbx-team-files-guide

It's not even as simple as just sending a fixed string in the "Dropbox-API-Path-Root" header for every API request (and they're all path based, so you have to make sure you always send that header or the paths won't parse right) - you have to get an ID for the real root, with a separate request, with a scope that we weren't requesting on refresh tokens.

So I hacked together something that worked on my testbed on the train ride home, but making it good is going to include adding a caching layer to the token refresh code, and suddenly it's not just a casual project. I'm still going to do it though, because dammit I have a file to attach to an email on Friday and I'm happy to spend hours on this to save myself 30 seconds.

xinayder
1 replies
6h10m

I'm a free customer and I am always annoyed by ads in my inbox about other services provided by Proton. I signed up for an email box, I don't care about Proton Drive nor ProtonVPN. I chose Proton specifically because it supposedly had less or no ads at all, but it seems like Gmail continues to be the better choice.

Shacklz
0 replies
2h21m

Maybe this is disabled for free customers but at least for me there are settings to enable/disables what I kind of informations I'd like to receive from them.

Gmail in that regard I've always perceived as worse - every few months or so they update their policy, linking to some gargantuan document that I can't be bothered to read, each time wondering how much of my soul I've sold this time around...

RedComet
5 replies
19h40m

Protonmail gave up the recovery address. Apple gave up the name, physical address, and phone number associated with it.

politelemon
4 replies
16h4m

Yes it's a strangely skewed article focusing on proton, when:

Once he got it, he asked Apple for information about this second email address, and got its name, home address, and phone number. Afterwards, the Civil Guard also asked the telephone company responsible for the telephone number who was the owner of the line, which matches the name provided by Apple. Also, they say they have found that this person is registered at the same address provided by Apple.
denton-scratch
3 replies
11h55m

It focuses on Proton because Proton is the link that purports to be secure. Nobody expects Apple or telcos to guard your identity.

BSDobelix
2 replies
11h44m

I can think of one country in the whole world (Iceland) where a company can tell the country it operates from, NO.

However in this case (an operating police officer who gave information to a group who wants to split away from the country) i make a bold assumption that even Iceland would order the company to give the data out (since it has nothing to do with protecting journalists/whistleblowers, but espionage)

trogdor
1 replies
1h33m

I can think of one country in the whole world (Iceland) where a company can tell the country it operates from, NO.

Are you claiming that businesses in Iceland are not required to comply with court orders? On what basis do you believe that to be true?

denton-scratch
0 replies
41m

Doh. I read it as "a company can tell the country it operates from, Norway."

I thought "Huh? Why would an Icelandic company operate from Norway?" Well, I thought, I suppose there must be quite a few. But why's he mentioning it here?

Thanks for inadvertently clarifying.

nabla9
3 replies
11h38m

Proton Mail gives info only when the Swiss law mandates it and Swiss law enforcement requires it. Swiss privacy laws are quite good.

That's the strictest privacy policy any company can hope.

Proton Mail can't give email content, only things like email address, ip adressese etc.

blitzar
2 replies
10h42m

Proton Mail can give email content, however, it is encrypted and they do not have the encryption keys.

Anything that is stored by anyone can be handed over. That information may be useful, may be useless or may be useless now and useful tomorrow when they have the key.

wepple
1 replies
9h26m

they do not have the encryption keys.

True, but they can trivially obtain them given they control everything in the browser.

The question then becomes, does the law allow compelling to that degree? Apple fought back in the San Bruno case, but they’re very well lawyered up

kobalsky
0 replies
7h32m

True, but they can trivially obtain them given they control everything in the browser.

Open source clients that you can self-host are available. I mean of course you still have to trust the code if you can't audit it. But hijacking your keys won't be as easy as visiting their webmail.

felsokning
3 replies
12h18m

This individual is suspected of being a member of the Mossos d’Esquadra (Catalonia’s police force) and of using their internal knowledge to assist the Democratic Tsunami movement.

...and...

The requests were made under the guise of anti-terrorism laws, despite the primary activities of the Democratic Tsunami involving protests and roadblocks, which raises questions about the proportionality and justification of such measures.

As I understand it, Catalonia has long desired for independence[1]. Is the Democratic Tsunami movement something different, entirely? If not, can someone fill-in the blanks of how vying for independence (in this case) gets umbrella'ed under terrorism?

[1] - https://en.wikipedia.org/wiki/Catalan_independence_movement

Edit: Accidental caps-lock on a word. My bad.

yorwba
0 replies
12h4m

Independence is a political goal. Terrorism is a means to achieve political goals. (Though I don't think it has a good track record of being successful at that.) It's not that unusual for people to combine the two and plan terrorist attacks against the state they want to be independent from. (In this case it appears the investigation concerns a suspected attack plot targeting the Spanish king.)

wolfhumble
0 replies
7h50m

The Democratic Tsunami was/is(?) more of a pure action based protest group lead by an anonymous leader structure. The leaders were/are probably certain leader figures within the independence seeking community; but that is just a speculation on my part.

Its biggest action was probably at the Barcelona Airport in October 2019, a protest a couple of years after the Catalan independence election in October 2017. The election itself was deemed unconstitutional by the Spanish government. The registered voters/turnout of this election was 43.03%; where 92.01% voted for separation from Spain and 7.99% voted to stay within Spain –– see: https://en.wikipedia.org/wiki/2017_Catalan_independence_refe... –– but this was not a normal election by any means (read the link for more).

Typically the ANC –– see: https://en.wikipedia.org/wiki/Assemblea_Nacional_Catalana –– has been the leading organization in the independence movement. They have been organizing big independence rallies etc. and the actions has been peaceful (from what I've read and seen). The Democratic Tsunami based protests were different in this regard, where more direct confrontation was more the norm. From what I have read Democratic Tsunami is not particularly active at the moment, but of course this might change.

GardenLetter27
0 replies
8h18m

They did extreme protests like road blockages, and some other stuff which the government considered sabotage and so pursued them with anti-terrorist legislation.

Also some members were arrested apparently planning even more extreme things.

The IRA and ETA were vying for independence too...

That said, I think it's crazy how much time the government wastes on this when the cities are full of petty criminals acting with impunity. Someone was stabbed to death outside my apartment just in a robbery and yet nothing changes.

submeta
2 replies
13h32m

Is there any real private email service? Honest question.

denton-scratch
0 replies
11h45m

Email is not private, and can't be made so. Email is my preferred communications channel, but I treat it as I would a mailing list or comment forum; it's almost completely unlike whispering to someone in the middle of an empty field.

contextnavidad
0 replies
10h13m

Take a look at Posteo. Seem to have a similar philosophy as Mullvad.

mrmetanoia
0 replies
15h30m

I hope Princess has some mad computer skills.

onhacker
1 replies
12h55m

I hate when companies mislead, they claim email encryption. but the question is how they know the email is suspicious. it means they monitor emails and obviously, Proton Mail is (not) the trusted choice for secure and private communication.

NicuCalcea
0 replies
12h48m

What email was suspicious? From what I can read. Proton provided the Spanish authorities with a recovery email address, which the latter then used to find an associated Apple account.

While I agree this makes Proton unreliable for many things, there's no indication they were reading any emails.

newscracker
0 replies
17h58m

That blog post was last updated in November 2022, and does not mention recovery email address as something Proton would disclose.

barbariangrunge
1 replies
20h25m

Never thought of a recovery email as a risk before in this way

kylebenzle
0 replies
19h1m

Why not, seems pretty obvious. If you need an email address and phone number not associated with your real identity it's pretty important the two are totally separate.

wepple
0 replies
9h18m

When thinking about these types of cases, always keep Parallel Construction in mind: https://en.m.wikipedia.org/wiki/Parallel_construction

There’s a reasonable chance that they already had this info (possibly even cleartext email via an ISP lawful intercept), and the proton/apple jig whilst bad, wasn’t as bad as the real source

nairboon
0 replies
8h6m

Quite interesting how the Spanish authorities got the recovery email: (from a link in the article)

In the police cooperation form requesting the information, the Spanish officers indicate to the Swiss authorities that the investigation is for the crime of terrorism.
mrmetanoia
0 replies
15h24m

Proton Mail is pretty good email. I use it since I decided to de-google as much as possible. That said, I don't consider it truly 'private.' Weird key handling in order to make pgp 'easy,' just email being what it is, and courts and governments being what they are.

I'll continue to use it despite some hyperbole on the site, but as long as my mail isn't being fed to an advertising engine it's a step up.

moosemess
0 replies
7h37m

It is 2024 and there are still people who cling to the idea there can be privacy with email, so much so they are willing to be parted with their money for the "privilege". I really cannot imagine a more diametrically opposed schism in privacy threat modeling.

jimmydoe
0 replies
6h28m

If avoiding Europe governments is a priority, would it be better to use mail service from China or Russia?

jamesholden
0 replies
12h40m

This situation is interesting, but the article mentions using a VPN for example, and also the recovery email.

What if my recovery email is to another proton mail account? What if my VPN used is Proton VPN?

fifteen1506
0 replies
9h11m

I never thought of ProtonMail as a secure-from-state-surveillance provider. Only as a secure-from-civil-surveillance-aparatus provider. A replacement for Gmail, no more than that.

If I wanted to conduct illegal activities I would not use my main account on it, at minimum.

Protonmail is a step up from Gmail/Outlook, but no more than that. You need more layers on top of it.

cynicalsecurity
0 replies
10h55m

It's time to grow up and realise we don't need separatists in Europe. Catalonian separatists are sponsored and used by hostile foreign entities such as Russia. Supporting them means digging your own grave, as well as graves for your family and friends. Domestic entities that are tied to Russia must be stopped, they are indeed terrorist groups.

beretguy
0 replies
5h58m

I use Proton to protect myself from Google, Microsoft, advertisements, tracking, terrible, slow, “too much padding everywhere” UI, my emails/data being sold to 3rd parties, etc. I’m not worried about Proton cooperating with law enforcement agencies to catch criminals.

However.

What if say, russia/nk/china wants to catch somebody some journalist for speaking truth about their regimes? Or, like say, Jason Bourne exposing some IronHand in “democratic” country like USA? How can we protect good actors without enabling adversaries to do “bad stuff”? Is it even possible? I still don’t know the answer…

XXxXr
0 replies
12h20m

Qweu

BSDobelix
0 replies
12h3m

Just to make it clear. Proton is a Swiss Company and is not answering to any request from Spain, directly. Spanish authority's ask Swiss authority's and if everything is in order Proton HAS to give the data out (or contest it).

Alfagun74
0 replies
9h30m

ProtonMail itself probably is some GOV honeypot, why should anyone offer such service

0xmohit
0 replies
17h21m

    This case is particularly noteworthy because it involves a series of
    requests across different jurisdictions and companies, highlighting the
    complex interplay between technology firms, user privacy, and law
    enforcement.  The requests were made under the guise of anti-terrorism
    laws, despite the primary activities of the Democratic Tsunami involving
    protests and roadblocks, which raises questions about the proportionality
    and justification of such measures.