In just so many countries (including those many people never know are in too) the state-led war on privacy and communication freedom is getting hotter and hotter. Some countries do it openly, some manage to look liberal until you look closer. Just try to start marketing a proprietary privacy-oriented messenger app or something like that and the intelligence guys will emerge promptly at your doorstep, demanding you to bake a backdoor in. Sad but true. I don't really know how are we (the people, who value privacy of themselves and of the others) going to win this war while keeping legal, it's an open challenge so far...
"the intelligence guys will emerge promptly at your doorstep" - for the US, I'm emotionally inclined to agree with you.
ProtonMail was developed in Geneva, where I grew up. It was a spin-off from people who worked at CERN, like the World Wide Web itself.
Geneva is also a United Nations base, and many other NGOs are headquartered/have offices in the area for that reason (the Red Cross, WWF, Amnesty, Greenpeace). There's a lot of local community support for the operators of ProtonMail.
Switzerland is not EU, although it is Schengen. International incidents occur all the time, such as the time I forgot to take my passport when going to school (my parents live in France, but I went to the International School of Geneva in Switzerland). Because people don't need a visa to cross the border, it would be easy for an intimidated web developer to flee the country. Attempting to get an extradition would then require an arrest warrant, which would require a criminal case to be brought against that person in absentia. Although intelligence services can try to threaten ProtonMail (and probably already have), there are a lot of options available in that area to keep individual staff safe.
"Just try to start marketing a proprietary privacy-oriented messenger app or something like that and the intelligence guys will emerge promptly at your doorstep, demanding you to bake a backdoor in"
Nope...Been making one for 3+ years, worked on high risk human rights type stuff for over a decade and never happened.
Surprisingly most people doing things in this space don't have g-men kicking in the door. Live in UK, Ireland and many other countries and hasn't been an issue.
Might not seem real to a lot of people who are affected by certain biases but most Western government type people we meet at conferences etc are actually quietly supportive and respectly agree/disagree with what we are all trying to do. Not eveything is a black or white echo chamber - we are all citizens who understand nuance (for those of us fortunate to live on free countries - of course Turkey is no longer anything near that.)
FWIW Protonmail is very useful for a large chunk of threat models were security is pretty high but implementing PGP in all its various forms is a pain the ass.
Protonmail routinely hands over information to the authorities. They also determine themselves what cases should be allowed to bypass the requirements for a search warrant.
> Technolgoists need to remember that tech is nothing without law.
It works both ways. A law can be almost nothing without technical means to enforce it efficiently. There can be cases that make a law [almost] futile so the governments give it up. E.g. many governments tried to ban alcohol but it's so easy (yet dangerous as it can blow up and set the house on fire, especially if the cook is drunk and/or the hardware is amateur) to produce at home that fighting it seriously just doesn't seem to make any sense. Some governments have tried to ban the phalaris grass as it may contain tiny amounts of dimethyltryptamines but it just grows all over everywhere so they have given up the ban as it was almost as ridiculous as it would be to ban sand, flies or whatever this common. The problem is to invent a medium for exchanging messages that is easy to establish independently (no need for uncommon devices, no special requirements to the underlying ISP) yet very hard to detect, compromise or disrupt. This sounds like a serious challenge yet not like an entirely impossible thing provided breakthroughs in mathematics/cryptography, physics and the telecom tech still happen from time to time. Some political/economical factors may also play on our side occasionally. My hope is for the whole Internet to morph into a fully-decentralized distributed network employing DIY P2P links as its organic and vital part. Perhaps this may happen once if something is going to make classic ISPs unprofitable and stimulate growth of MESH networks with something like i2P serving as a layer connecting them in one secure and reliable global network.
It's not entirely nothing. Even if gov. thugs are there to beat you, if you communicated with others safely, at least those people are still protected as long as you will not reveal their identity or whatever you've communicated about.
If the gov. just murders you and gets to your stuff, they can't analyze it to get at more people in your circle.
It just doesn't solve the problem of violent government. But there are still benefits.
Politicians need to remember that The Law is nothing in the face of technology. (You can't block fundamental math, you can't block decentralized apps that hide their traffic as something else, you can't prevent knowledge from leaking out, from anywhere, etc.)
> the people, who value privacy of themselves and of the others
The problem is that privacy is not the only thing we care about, and the balance between different needs is a complicated political problem - which is exactly the kind of "soft", people problem which complexity a typical software engineer would underestimate.
Turkey is becoming more and more authoritatian, indeed. However, they're also sharing a border with ISIS and there's a lot of terror activities in the region. Fighting such threats always leads to increasing influence of the military and secret services, and their new capabilities will be used both to fight terror and suppress citizens.
These things are a double-edged sword; any simplistic view on this is inadequate, regardless of whether it's positive or negative.
(x) Don't use public DNS such as google (or the DNS provided by your ISP such as Vodafone). Look for an anonymous non-logging service preferably outside Turkey
(x) Tor is is one of many layers for anonymity to circumvent blocking. Don't "just" install the tor-browser or tor-proxy on your system but run tails from a clean machine. If you know what you're doing you might want to help others by isolating whole networks using PORTALofPi to guarantee no DNS-leaks. Pro-Tip: build a LEDE based device and share your design with the community so others can benefit and give you input (because you will make mistakes).
(x) Don't use mobile internet if you don't know what you're doing (those who know what they're doing don't use mobile phones for critical comms)
(x) Use burner phones with anonymous SIM cards and aggressive hardware based compartmentalization. Check this article for good OpSec/compartmentalization tips (second half of the article after the discussion on browsers that looks dated).
(x) Despite popular claim VPNs don't give you anonymity. They shift the trust from your ISP to the VPN. If you pay for a VPN service by credit card consider what the payment provider knows about you.
A totalitarian government blocking a service is a good sign they are unable to break its security and thus use it as a surveillance tool. It's a great advertisement for ProtonMail.
Vizzini: ... they block it because they can break it and want all of their adversaries to think it's unbreakable... Now, a clever man would put the poison into his own goblet, because he would know that only a great fool would reach for what he was given. I’m not a great fool, so I can clearly not choose the wine in front of you.
A small note (though it may be unrelated), some ip address ranges are not accessible from Vodafone TR (3G/4G) connections.
216.239.36.219 <- For example this address returns "HTTP 504" from Vodafone. There are some other addresses like this which happen to be around, randomly.
So it may be a misconfiguration on Vodafone TR Network, routers or such thing. Sample curl output below.
$ time curl -vki 216.239.36.219
* rebuilt url to: 216.239.36.219/
* trying 216.239.36.219...
* connected to 216.239.36.219 (216.239.36.219) port 80 (#0)
> get / http/1.1
> host: 216.239.36.219
> user-agent: curl/7.47.0
> accept: */*
>
< http/1.1 504 gateway time-out
http/1.1 504 gateway time-out
< server: webproxy/1.0 pre-alpha
server: webproxy/1.0 pre-alpha
< date: mon, 08 may 2017 07:04:23 gmt
date: mon, 08 may 2017 07:04:23 gmt
< content-length: 0
content-length: 0
< connection: keep-alive
connection: keep-alive
<
* connection #0 to host 216.239.36.219 left intact
real 0m10.909s
user 0m0.012s
sys 0m0.004s
$ curl -vki http://84.19.190.203/
* trying 84.19.190.203...
* connected to 84.19.190.203 (84.19.190.203) port 80 (#0)
> get / http/1.1
> host: 84.19.190.203
> user-agent: curl/7.47.0
> accept: */*
>
< http/1.1 504 gateway time-out
http/1.1 504 gateway time-out
< server: webproxy/1.0 pre-alpha
server: webproxy/1.0 pre-alpha
< date: mon, 08 may 2017 07:56:58 gmt
date: mon, 08 may 2017 07:56:58 gmt
< content-length: 0
content-length: 0
< connection: keep-alive
connection: keep-alive
<
* connection #0 to host 84.19.190.203 left intact
$
They recommend ProtonVPN. Does anyone know the legal ramifications of using a vpn with shared exit nodes? EG: A 'crack' squad of computer crime investigators in Jackson Mississippi track illegally uploaded content to a forum originating from ip address [39.21.2.32] (which is a VPN exit node). Unbeknownst to you that is YOUR exit node now.
Why would that be any different to getting assigned somebody's previous IP address by DHCP? It's non-incriminating because it can be demonstrated you didn't control that IP during the time illegal content was uploaded.
True. But my general ISP dhcp'ed ip address doesn't change much AND when it does I have decent odds someone (who would do illegal uploads) wouldn't be dumb enough to do it over a non-VPNed line.
In these cases, a request for the identity of the account associated with $IP at $timestamp would typically receive a response such as "$IP is a shared IP address used by many different accounts simultaneously. As we do not log individual sessions at layer 4, it is impossible for us to provide you with this account information."
I lived in Izmir in the 90's, and the vibe was actually fairly liberal. The locals seemed to feel pretty free, optimistic, and not overly worried about their government. Sad to see things regressing so much.
This is why the rest of Turkey calls İzmir "kâfir". They are the most secular bunch. They are also very pro-ataturk. AKP's projects for that region include bringing migrants to dilute the voter population.
This is nothing to do with the current issue at hand. Istanbul was just as liberal and nice of a city as anywhere else, but then the last decade happened.
Maybe if as a people we stopped thinking in terms of funny plots like "they are trying to dilute the peeps" and opened our eyes to the facts before our eyes, we'd be in a better shape.
Everywhere is regressing at the moment. Brexit, US protectionism, China's a dictatorship again.
It's like none of the 'leaders of the world' have read any history. Or they have, and are arrogant enough to think 'that won't happen now that I'M in charge'.
Turkey is special. They openly arrest Journalists opposing the government. Prisons in Turkey currently have the highest literacy rates in the country. People outside of Turkey who oppose Erdogan are threatened by either turkish accounts or even locals (I've seen this happening in a private whatsapp group from a school class I graduate a while ago where someone was threatened bodily harm if they did not retract statements about Erdogan)
It is an authoritarian, Orwellian government out of the book.
Sure, but Turkey is a little different. It's going from, for some people "no issues, I'm influential and popular, if perhaps a little controversial", to suddenly "I'm in jail now, for probably months".
>"No tracking and logging Google records literally every action done by its users. This includes your IP address, every search that you do, which emails you open, which websites you visit, and much more. ProtonMail takes the opposite approach and by default, does not monitor or record user activity, not even IP addresses."
Has this been verified by an independent third party?
Also how do you determine there's an issue with with IP prefixes in AS 15897 Vodaphone Turkey[1], if you don't log IP addresses?
I am neither a ProtonMail nor a Gmail user so this might be completely wrong, but as far as I understand it, the short answer to your question is:
ProtonMail offers an easy access to a client which supports End-To-End encryption for your emails.
So nobody besides the sender and the receiver can read the content of the email. Traditional emails are more or less plain text files which (usually) get encrypted for transfers between mail servers, but every mail server involved in the transmission can read the content.
Encryption between protonmail accounts and when sending to non proton mail accounts:
When you send an encrypted message to a non-ProtonMail user, they receive a link which loads the encrypted message onto their browser, which they can decrypt using a passphrase that you have shared with them. You can also send unencrypted messages to Gmail, Yahoo, Outlook and others, just like regular email.
Readit News
ProtonMail was developed in Geneva, where I grew up. It was a spin-off from people who worked at CERN, like the World Wide Web itself.
Geneva is also a United Nations base, and many other NGOs are headquartered/have offices in the area for that reason (the Red Cross, WWF, Amnesty, Greenpeace). There's a lot of local community support for the operators of ProtonMail.
Switzerland is not EU, although it is Schengen. International incidents occur all the time, such as the time I forgot to take my passport when going to school (my parents live in France, but I went to the International School of Geneva in Switzerland). Because people don't need a visa to cross the border, it would be easy for an intimidated web developer to flee the country. Attempting to get an extradition would then require an arrest warrant, which would require a criminal case to be brought against that person in absentia. Although intelligence services can try to threaten ProtonMail (and probably already have), there are a lot of options available in that area to keep individual staff safe.
Nope...Been making one for 3+ years, worked on high risk human rights type stuff for over a decade and never happened.
Surprisingly most people doing things in this space don't have g-men kicking in the door. Live in UK, Ireland and many other countries and hasn't been an issue.
Might not seem real to a lot of people who are affected by certain biases but most Western government type people we meet at conferences etc are actually quietly supportive and respectly agree/disagree with what we are all trying to do. Not eveything is a black or white echo chamber - we are all citizens who understand nuance (for those of us fortunate to live on free countries - of course Turkey is no longer anything near that.)
FWIW Protonmail is very useful for a large chunk of threat models were security is pretty high but implementing PGP in all its various forms is a pain the ass.
https://protonmail.com/blog/transparency-report/
It works both ways. A law can be almost nothing without technical means to enforce it efficiently. There can be cases that make a law [almost] futile so the governments give it up. E.g. many governments tried to ban alcohol but it's so easy (yet dangerous as it can blow up and set the house on fire, especially if the cook is drunk and/or the hardware is amateur) to produce at home that fighting it seriously just doesn't seem to make any sense. Some governments have tried to ban the phalaris grass as it may contain tiny amounts of dimethyltryptamines but it just grows all over everywhere so they have given up the ban as it was almost as ridiculous as it would be to ban sand, flies or whatever this common. The problem is to invent a medium for exchanging messages that is easy to establish independently (no need for uncommon devices, no special requirements to the underlying ISP) yet very hard to detect, compromise or disrupt. This sounds like a serious challenge yet not like an entirely impossible thing provided breakthroughs in mathematics/cryptography, physics and the telecom tech still happen from time to time. Some political/economical factors may also play on our side occasionally. My hope is for the whole Internet to morph into a fully-decentralized distributed network employing DIY P2P links as its organic and vital part. Perhaps this may happen once if something is going to make classic ISPs unprofitable and stimulate growth of MESH networks with something like i2P serving as a layer connecting them in one secure and reliable global network.
If the gov. just murders you and gets to your stuff, they can't analyze it to get at more people in your circle.
It just doesn't solve the problem of violent government. But there are still benefits.
The problem is that privacy is not the only thing we care about, and the balance between different needs is a complicated political problem - which is exactly the kind of "soft", people problem which complexity a typical software engineer would underestimate.
Turkey is becoming more and more authoritatian, indeed. However, they're also sharing a border with ISIS and there's a lot of terror activities in the region. Fighting such threats always leads to increasing influence of the military and secret services, and their new capabilities will be used both to fight terror and suppress citizens.
These things are a double-edged sword; any simplistic view on this is inadequate, regardless of whether it's positive or negative.
(x) Tor is is one of many layers for anonymity to circumvent blocking. Don't "just" install the tor-browser or tor-proxy on your system but run tails from a clean machine. If you know what you're doing you might want to help others by isolating whole networks using PORTALofPi to guarantee no DNS-leaks. Pro-Tip: build a LEDE based device and share your design with the community so others can benefit and give you input (because you will make mistakes).
(x) Don't use mobile internet if you don't know what you're doing (those who know what they're doing don't use mobile phones for critical comms)
(x) Use burner phones with anonymous SIM cards and aggressive hardware based compartmentalization. Check this article for good OpSec/compartmentalization tips (second half of the article after the discussion on browsers that looks dated).
(x) Despite popular claim VPNs don't give you anonymity. They shift the trust from your ISP to the VPN. If you pay for a VPN service by credit card consider what the payment provider knows about you.
see https://www.linkedin.com/pulse/vodafone-blocks-protonmail-tu...
what's the point? DNS isn't encrypted, so it's trivial to log/intercept your queries.
https://servers.opennic.org/
216.239.36.219 <- For example this address returns "HTTP 504" from Vodafone. There are some other addresses like this which happen to be around, randomly.
So it may be a misconfiguration on Vodafone TR Network, routers or such thing. Sample curl output below.
https://www.eff.org/deeplinks/2016/09/digital-equivalent-rum...
Not endorsing PIA in any way, though do use the services.
Maybe if as a people we stopped thinking in terms of funny plots like "they are trying to dilute the peeps" and opened our eyes to the facts before our eyes, we'd be in a better shape.
It's like none of the 'leaders of the world' have read any history. Or they have, and are arrogant enough to think 'that won't happen now that I'M in charge'.
It is an authoritarian, Orwellian government out of the book.
Has this been verified by an independent third party?
Also how do you determine there's an issue with with IP prefixes in AS 15897 Vodaphone Turkey[1], if you don't log IP addresses?
[1] https://bgpview.io/asn/15897
ProtonMail offers an easy access to a client which supports End-To-End encryption for your emails.
So nobody besides the sender and the receiver can read the content of the email. Traditional emails are more or less plain text files which (usually) get encrypted for transfers between mail servers, but every mail server involved in the transmission can read the content.
When you send an encrypted message to a non-ProtonMail user, they receive a link which loads the encrypted message onto their browser, which they can decrypt using a passphrase that you have shared with them. You can also send unencrypted messages to Gmail, Yahoo, Outlook and others, just like regular email.