I don’t think that’s bad on Proton’s part. They are obeying the law they are obliged to obey.
Yeah, more important is what data it was.
Privacy is not anonymity. In this case they were required to supply IP addresses of users logging into a certain account in an active investigation.
As usual, the devil is in the details—ProtonMail’s original policy simply said that the service does not keep IP logs “by default.” However, as a Swiss company itself, ProtonMail was obliged to comply with a Swiss court’s injunction demanding that it begin logging IP address and browser fingerprint information for a particular ProtonMail account.
Yes, talk about it as nicely as you want. Ignore the facts and view them as lies. Feel free to trust that they don’t have a key. I don’t care. As a customer, I’ve been following what’s been happening at Proton for long enough. What they say, what they promise, and what they actually do.
Feel free to vote me down because you don’t like the reality. There’s more to Proton’s history, but I’m not going to look into it anymore because you don’t want to know and instead punish those who give you sources. I’ll laugh about it heartily in a few years.
If you think all 30k plus were for legitimate reasons and not government control, I have a bridge to sell you in Brooklyn.
I didn’t say that. I said they’re obeying the law they are obliged to obey. In other words, they’re not defying the courts. In a perfect world, they could defy the courts and get away with it in the interest of user privacy, but this is not a perfect world.
You are right, they can argue that the government does not have sufficient reason. Many companies push back, but Proton is not one of them. I.e. Proton will not fight for you at all and they will follow court orders from other countries that are often questionable at best because “Interpol”.
I think my original point stands which should make most people seriously reconsider using them as they are not in the business of protecting their customers. In other words it is bad on their part and hand waving that away is pretty gross.
"From time to time, Proton may be legally compelled to disclose certain user information to Swiss authorities, as detailed in our Privacy Policy. This can happen if Swiss law is broken. As stated in our Privacy Policy, all emails, files and invites are encrypted and we have no means to decrypt them. "
Before 2021, it was claimed that there were no logs, no IP addresses, etc. So can you trust that they are not able to decrypt your mails…? Use PGP…
it was claimed that there were no logs, no IP addresses, etc.
…by default. They never claimed that they would defy court orders.
That doesn’t mean anything.
If you “by default” don’t log, then when receiving a court order, there is nothing to hand over, which is the entire point. If, magically, logs from the past 5 years when they said there were “no logs” show up, that means they were lying about no logs.
Just like they now advertise that your data is fully end to end encrypted and even they can’t see it.
If, with a court order, they are able to decrypt and hand over your data, then they were lying in the first place that they couldn’t read your data and it isn’t end to end encrypted.
Court orders aren’t some magical thing that go back in time and redo history. The entire point of these heavily advertised precautions is exactly against court orders by corrupt, tyrannical governments using the law as a political or fascist blunt weapon against citizens.
If they (proton) have the keys, doesn’t matter if they encrypted your data. They must have the keys because I can log into mail from different clients and read all emails without having to insert my key.
Proton stores your encrypted private key. An encrypted private key does not allow them to read your email or files.
When you log into a new device:
Proton sends the encrypted private key to your device.
You type your password.
**Your device** (not Proton’s server) uses the password to decrypt the private key locally in your browser or app memory. That decrypted key is then used to decrypt your emails on your device. Proton Mail sends you just the encrypted text.
There is one potential security issue:
Since Proton serves the website code (HTML/JavaScript) that performs the encryption, you have to trust that they serve you honest code. Proton could theoretically alter their website code to capture your password the next time you log in, which theoretically a government can force them to do.
However, this is a different threat than “they have the keys.” Currently, they possess the keys only in a form they mathematically cannot unlock.
If the key is the same password you use to login, then they already have the key. They may not store it unhashed, but you transmit it to them every time you login. If law enforcement forces Proton, or if Proton turns evil (or gets infiltrated by a three letter agency), they can use it from the auth to decrypt your key and your data.
Plus, a bad actor having access to the encrypted key is free to brute force it. It may be hard but not guaranteed to stay hard forever. Edit: didn’t realize I was in a Proton fanboy community where you can’t criticize or ponder the service security…
You don’t send them the password. The password never leaves your device. The password is the decryption key to decrypt your encrypted private key, which is what they send to your device. This is why, for Proton Mail, and others that use this technique, it is imperative to have a strong password to protect your private key.
How do they authenticate you? They just send the encrypted key and if you can decrypt it then it’s you?
If so I can request any account encrypted key and try to brute force it offline.
How do they authenticate you?
I’m also interested in that, but
I can request any account encrypted key and try to brute force it offline
This is likely wrong: any password would allow you to produce a valid-looking key from an encrypted key. It will not be a correct key, so you will fail during decryption, but it will take a lot of time to check and may not be easy to automate.
Regarding the auth, they may provide you with a challenge that is encrypted with your public key, and if you have decrypted it correctly, authenticate you, but I don’t know how it’s done or should be done.
it will not be a correct key, so you will fail during decryption, but it will take a lot of time to check and may not be easy to automate.
If you have any way to check the key validity offline (for example, you subpoena the encrypted data) then it’s trivial to check and automate.
Of course not everybody is capable of this, but it’s becoming less and less difficult to brute force it, and renting a few hours of GPU time to do it is within the means of small bad actors.
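To make the two threads of this discussion concrete (the "password decrypts the key locally, Proton only ever holds the encrypted key" description above, and the question of what a service can check once it holds the encrypted key), here is an added toy model of such a scheme. It is example code written for this thread, not Proton's code or protocol: the `derive`, `enroll`, `client_login_proof` and `server_can_decrypt` functions, the PBKDF2 purpose labels, the HMAC-counter stream cipher and the sample key bytes are all constructed for illustration. The one idea it demonstrates is that a single password can be fed through a one-way KDF twice with different purpose labels, so the server stores a login verifier and the wrapped key but never receives anything from which the key-encryption key can be recovered.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a real OpenPGP private key; any byte string works.
SAMPLE_PRIVATE_KEY = b"-----BEGIN TOY PRIVATE KEY-----" + bytes(range(64))

# Deliberately low so the demo runs in a second or two; a real service uses far more.
KDF_ITERATIONS = 100_000


def derive(password: str, salt: bytes, purpose: bytes) -> bytes:
    """Derive a 32-byte secret from the password, bound to one purpose.

    The purpose label is mixed into the salt, so the "login" output and the
    "key-encryption" output are unrelated: knowing one does not reveal the
    other, and neither reveals the password (PBKDF2 is one-way)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt + b"|" + purpose, KDF_ITERATIONS, dklen=32)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a toy stream cipher standing in for the
    AES/OpenPGP encryption a real client would use."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap_with_kek(kek: bytes, private_key: bytes) -> dict:
    """Encrypt-then-MAC the private key under the key-encryption key (KEK)."""
    nonce = os.urandom(16)
    ciphertext = xor_bytes(private_key, keystream(kek, nonce, len(private_key)))
    mac_key = hmac.new(kek, b"mac", hashlib.sha256).digest()  # separate MAC key
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def unwrap_with_kek(kek: bytes, wrapped: dict):
    """Return the private key, or None if the KEK is wrong or the blob was tampered with."""
    mac_key = hmac.new(kek, b"mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, wrapped["nonce"] + wrapped["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, wrapped["tag"]):
        return None
    return xor_bytes(wrapped["ciphertext"],
                     keystream(kek, wrapped["nonce"], len(wrapped["ciphertext"])))


def enroll(password: str, private_key: bytes = SAMPLE_PRIVATE_KEY) -> dict:
    """Client side at sign-up. The returned dict is everything the server stores."""
    salt = os.urandom(16)                              # public; the server hands it back at login
    kek = derive(password, salt, b"key-encryption")    # computed and used only on the client
    auth_secret = derive(password, salt, b"login")     # the only password-derived value the server sees
    return {
        "salt": salt,
        "auth_hash": hashlib.sha256(auth_secret).digest(),  # stored hashed, like a password hash
        "wrapped_key": wrap_with_kek(kek, private_key),
    }


def client_login_proof(password: str, salt: bytes) -> bytes:
    """What the client sends at login instead of the password itself."""
    return derive(password, salt, b"login")


def server_verify_login(record: dict, auth_secret: bytes) -> bool:
    return hmac.compare_digest(hashlib.sha256(auth_secret).digest(), record["auth_hash"])


def client_unwrap(password: str, record: dict):
    """After login the server returns record["wrapped_key"]; the client decrypts it locally."""
    kek = derive(password, record["salt"], b"key-encryption")
    return unwrap_with_kek(kek, record["wrapped_key"])


def server_can_decrypt(record: dict, auth_secret: bytes) -> bool:
    """Simulate a compelled or compromised server trying every value it has ever seen as the KEK."""
    for candidate in (auth_secret, record["auth_hash"], record["salt"]):
        if unwrap_with_kek(candidate, record["wrapped_key"]) is not None:
            return True
    return False


if __name__ == "__main__":
    record = enroll("correct horse battery staple")
    proof = client_login_proof("correct horse battery staple", record["salt"])
    print("login accepted:", server_verify_login(record, proof))
    print("client recovered key:", client_unwrap("correct horse battery staple", record) == SAMPLE_PRIVATE_KEY)
    print("server could decrypt:", server_can_decrypt(record, proof))
```

Two things the model makes visible. First, `server_can_decrypt` stays `False` even with the login proof in hand, because the KEK is a separate one-way derivation that never leaves the client; this is the "they possess the keys only in a form they cannot unlock" position, with the remaining trust assumption being the client code that performs `derive`. Second, the MAC tag in `unwrap_with_kek` gives an immediate, automatable wrong-password signal, which is exactly why holding the wrapped key enables offline guessing as the later comments argue: the only things standing between a holder of that blob and the key are the strength of the password and the cost of the KDF (here deliberately cheap; a real client uses a much heavier work factor, and a real login uses a password-authenticated key exchange rather than this plain hashed verifier).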
Yeah, that’s a bit of a weird thing to claim by them.
Um…obviously, yeah? The alternative to complying with the authorities is to challenge it in court, which is extremely expensive. The important question is not how much information they do hand over, but how much information they have themselves. For example, if your keys are private, proton has nothing useful to share. This is why end-to-end encryption matters, the only avenue to real privacy is to make sure Proton has nothing useful to share. They’re not going to host their servers on international waters.
Proton threads are where the leftist equivalents to sovereign citizens pop up. Learn the technology a bit and about legal systems. That’s what you have to operate within. If you want to feel more in control, encrypt everything yourself and only communicate/share in encrypted channels. At least then the primary sources of leaks are you and the receiver. If not, you’re whining about streamlined performant services that will never be perfect enough for your standards because they operate legally, rather than the user-unfriendly solutions that you aren’t willing to operate yourself for your life (maybe to be passed on) and/or won’t run/can’t afford to operate the illegal operation.
However, if it is protected by law… and the law changes over time and then, mysteriously, logs appear in the past, then it has absolutely nothing to do with the law. Rather, it means that lies were told for years beforehand.
I’m using Proton more as a middle finger to Google than anything else, and at that it works fine.
deleted by creator
The best middle finger is not relying on commercial platforms; go libre and self-host.
Self hosting email is impractical. The tech titans already ruined that.
There are much better and cheaper email hosts than Proton, and they give you better control.
But you’re not entirely right. Self-hosting email is very possible; there are a few details to learn, but it’s not dead.
They have a point: you have one chance to get your self-hosted email config correct. If you fail or mess up somewhere, your domain will get added to a bunch of anti-spam lists that major providers use and cross-reference. If that happens your domain will just be branded as spam and you will never be able to effectively use your fancy service email.
That’s true, but getting the config right is not that hard nowadays. At least not harder than setting up a Jellyfin server for the first time.
I used to do custom email solutions for outreach agencies, people who needed to send 500 emails a day without getting flagged as spam. That was difficult. Your personal email? Not even an afternoon and it’s done and warmed.
Honestly, something I would like to take a crack at, but fearing getting my domain black-listed has prevented me from attempting it.
If the wizard wishes to share their wisdom, I’m all ears.
I’ll add it to the goals for 2026.
Self hosting email is impractical. The tech titans already ruined that.
…when was that memo released? Looking back at the last quarter-century-plus of self-hosting, and it’s damn obvious I missed it.
Cory Doctorow has a writeup:
Depressing reading.
Agreed.
I’m not experiencing any of that, mainly because I don’t run eMail lists.
E-mail providers and companies providing online services whitelist domains anymore.
Granted, it’s been a while since I read this, but don’t their subpoena-driven info essentially say yes, this is so and so’s email account, with no discourse content due to encryption?
Yeah, this isn’t good at all, especially when they market themselves as secure but just have full access to all the data.
There’s gotta be something out there better than these crappy systems ready to throw you under a bus under barely any pressure.
I’ve been pretty happy self-hosting Peergos for cloud storage.
Then you go to jail. If you refuse to give out the password. Law changed…
Oh, interesting. Where can I read more about this?
Why should I even respond when everything gets downvoted anyway…
§ 70 paragraph 2 StPO
Duty of surrender under § 95 StPO
§ 184b StGB, § 184c StGB
And more…
Look for the sources yourself… I’m sick of this thread.
Are those just Swiss laws? I don’t run my Peergos instance there, so maybe I’m safe.
🤔 I guess I should still do some research though, to familiarize myself with the legal landscape of the region in which I run my instance.
Also, I wouldn’t worry too much about downvotes. I get them fairly regularly, and almost never understand why, lol. AFAICT, they don’t really seem to matter much on Lemmy (though maybe someone can correct me if I’m wrong about that).
Uhh, I didn’t know that Switzerland alone was without Europe, etc… Oh, change doesn’t come from just one thing… Push everything far away, yes, ignore everything, yes. But as I said, I’m not going to bother anymore with you hypocrites who ridicule the whole community, yes, with blind trust, etc. Of course, there is nothing about Switzerland and coercive detention… Oh, wait, there is.
My server is not in Europe. Also, I have not ridiculed any community. I really don’t know what has prompted this tone. Regardless, thanks for the info.
Then why bring it up?
Yea go f*** *******
Lmao 🤡
This is just a case of having to follow Swiss law for the most part. However, they’re moving to Germany I think, considering that Switzerland is considering worse surveillance than us Americans are getting.
Bullshit… Laws changed later…
Have they also handed over private keys?
Dang! So what’s the preferred email app? The preferred email provider?
There is no known way to participate in email communication without at least some metadata leaking. It’s not a privacy-preserving system.
This view might be controversial but here goes. If someone is suspected of a major crime (rape, serious assault, murder, major theft), maybe it’s okay for law enforcement to gain access to that person’s online accounts.
People might say “but if the government has the power to do that, one day they could do it to you, or they could use those powers to oppress anybody who criticises the government”. But isn’t that like saying “if you build prisons then one day an authoritarian government might put any critic of the government in those prisons”?
deleted by creator
It should be at the companies discretion. Convince a company, that can be held liable, that you actually got something worth breaking the rules for.
Honestly, Proton users deserve whatever they get for supporting that weirdo CEO.
He’s weirdly a MAGA Trump supporter and publicly supporting them from the official Proton account, despite not being an American citizen. It’s a crazy take, but he is a CEO, so those kind of people stick together.
Is this referring to anything beside his tweet in Jan?
I believe the tweet was from December, but this article has the timeline.