quitit · 2 years ago
It seems there is some mental conflict going on in readers between the reality of what ProtonMail does for its customers and their expectations of what kinds of protections a legitimate business can provide.

Both ProtonMail and Apple will challenge subpoenas when they believe they are not valid, however neither company has the final say in the matter and can be compelled to provide access to data that they reasonably have access to. It is up to the user to plan what information they provide to service providers in order to not leave a trail of crumbs, and also evaluate what kind of man-in-the-middle weaknesses a service might have for the possibility of wiretapping. It should go without saying that linking a phone number or back-up email address can be a pretty large crumb.

The learning here is to recognise that these services can be compelled to provide whatever small information that they have reasonable access to, and that this information may be useful in unmasking an identity.

I suppose the second learning is to elect governments which respect democratic freedoms, even if that puts them on the back foot.

xinayder · 2 years ago
I don't think this is solely the issue that users don't understand that the companies are obliged to provide the data requested by the authorities.

The whole controversy surrounding Proton started when they marketed themselves as "secure and private email", promising they would NEVER give away their users' data, until they did. I had a similar discussion with my friends today about this topic and the issue I have with it is that Proton tries to market itself as an email which will never snitch your data to the authorities. And we've seen countless times (they have provided data to almost 6k requests last year) that this isn't the case.

The problem as I see it is that Proton is not even trying to challenge the requests anymore. It's not like Tuta, who you can read on the news that they keep challenging almost every order they get from the authorities, even if they lose the battle in court: https://techcrunch.com/2020/12/08/german-secure-email-provid...

As I read on a website comparing "private email services", the question here is not whether a service provider will or will not abide by the court requests. It's whether it will do anything to challenge it or just give away the data without questions asked.

quitit · 2 years ago
I disagree, while the marketing is carefully worded, it doesn't say that and both Proton's privacy policy and their transparency report detail what kinds of information they gather and how often they hand over that data.

https://proton.me/legal/privacy

https://proton.me/legal/transparency

I stand by the assertion that people will believe what they want to, despite there being easily accessible information that contradicts those ideas.

jacooper · 2 years ago
But that's not true? Proton said they will not hand over your emails, which they never did because they couldn't and still can't.
obelus · 2 years ago
But didn't this prove the opposite? An optional email recovery.. I think other companies would have been obligated to provide far more information, including emails etc..
nucleardog · 2 years ago
Tangent: Been looking to switch email providers for a while, and hadn’t heard of Tuta. Looked good enough I just went ahead and signed up… only to find out apparently they provide no real data portability whatsoever.

The only option for getting your email _out_ of their systems is to select small batches of them one-by-one in their app and export them.

There have been many requests for something similar to Proton’s bridge functionality that haven’t gone anywhere. A more useful export function has been near the top of their public roadmap[0] for half a decade now it looks like.[1]

Guess I’ll go find out what their refund process is like.

Don’t mind me. Just yelling into the void.

[0] https://tuta.com/roadmap/ [1] https://github.com/tutao/tutanota/issues/1292

yencabulator · 2 years ago
The one good way forward I can see for any such privacy-conscious service provider is to let the user see exactly what data is stored about them (and purge it where feasible).

You store my access times and IP addresses? I should see that.

I think this would align well with GDPR, too.

wepple · 2 years ago
> It is up to the user

And therein lies the problem. We on HN may have a few ideas about how to do this, but the typical user of a secure email/VPN/tor unfortunately doesn’t and realistically can’t understand the corner cases and tricks.

Realistically, even HN users would make enough mistakes.

This is why I’m dubious of these types of products marketing to average consumers

pc86 · 2 years ago
If your threat model is "utilize secure email/VPN/tor to evade organizations on the spectrum of [law enforcement...intelligence services]" you are not a typical user even of those services and saying that it's on you to understand all the corner cases and tricks to avoid persecution, prosecution, execution, etc. seems pretty reasonable.
snakeyjake · 2 years ago
>I suppose the second learning is to elect governments which respect democratic freedoms, even if that puts them on the back foot.

Democratic freedoms, in the United States at least, protect people from UNREASONABLE search and seizure.

Compelling a third party to reveal information about a customer via a court order is not now, has never been, and will never be until the end of time and space, unreasonable.

The order itself might be unreasonable and should be challenged if so, but the procedure and ability to do so is not and will never be.

dragonwriter · 2 years ago
> Compelling a third party to reveal information about a customer via a court order is not now, has never been, and will never be until the end of time and space, unreasonable.

It's unreasonable if the standards for issuing the court order (as applied, even if not in theory) are unreasonable.

And that is often now, and has often been, and will often be (likely until the end of human history), unreasonable.

matheusmoreira · 2 years ago
Yeah. This stuff is all about putting an end to the global mass surveillance dragnets. Police and government should still be able to operate of course, with checks and balances.

They should not be able to push a button and learn everything about a person. If they want to learn about an individual's private life, they should have to get a warrant then put people to work on the guy's case. They should have to literally follow their targets, photograph them, put hardware keyloggers into their keyboards. That sort of hardship imposes natural limits on the scale of their operations: there are only so many police officers you can assign. With computerized dragnet surveillance, the scale of their operations is essentially limitless.

These encrypted communications services aren't generally in the business of going to jail in their customer's place. They gotta comply with the government laws. When a court orders them to do something, they either obey or they are held in contempt of court if not worse. It can't be helped. It's still helping reduce global surveillance by forcing them to target their attacks.

sonicanatidae · 2 years ago
>Democratic freedoms, in the United States at least, protect people from UNREASONABLE search and seizure.

You're conflating what's written in the law and the sad reality of how a lot of that is simply ignored by law enforcement, while they are standing on your neck, searching your car.

dcist · 2 years ago
Yes, if your information is stored with a third-party, it can be subject to disclosure with a lawful subpoena.
dennis_jeeves2 · 2 years ago
>I suppose the second learning is to elect governments which respect democratic freedoms,

This will _never_ happen. It's the human condition....

nerdjon · 2 years ago
I would argue that the second learning is to make it impossible to comply with these subpoenas where possible by making it so the company itself is unable to decrypt it.

Admittedly this is not really an easy solution with something as open as emails, it's possible within corporations but I don't know of a solution between "random" people.

But outside of email and things that have to be unencrypted for interoperability, everything should be encrypted and inaccessible to the company so this situation is impossible.

I think the ship has sailed on the idea of electing people who will actually care about privacy of their citizens.

Deleted Comment

Deleted Comment

nthb3kk · 2 years ago
If Protonmail, and Apple, and Google, and Microsoft and Phone companies, etc., all, in concert, give some parts of the identity -- the total identity can fairly easily be found.
makeitdouble · 2 years ago
Proton Mail is in the title because it's where they went first, but the actual identification (real name, phone number etc.) seems to come from Apple on request for info related to the address.

In this case the email address was the lead, but I wonder what other info would be enough to get the phone provider to spill the beans. For instance would an IP address used at a specific time be uniquely identifying if it was VPNed by Apple at that moment?

Or a Google Ad cookie that could get correlated to other devices showing similar behavior (the same way Google tracks households or related accounts)?

fbdab103 · 2 years ago
While an IP address is not an identity, it can still zero in on a location. I suspect governments and ISPs all keep historical logs of who was assigned what address.
srockets · 2 years ago
An IP address in itself is not an identity, but it can be easily resolved to one. This is why IP addresses are considered PII, and are handled like such by any competent security organization.
matheusmoreira · 2 years ago
> I suspect governments and ISPs all keep historical logs of who was assigned what address.

They do. It's often required by law.

refurb · 2 years ago
It can be used to identify a location, but not an individual.

I assume it could be easily challenged in court (network was compromised, “i give out my WiFi to anyone who visits my home”) without other supporting evidence.

Dead Comment

RachelF · 2 years ago
Why are ProtonMail keeping this IP and email information in their logs?
samjmck · 2 years ago
The identification came from the recovery email.
tephra · 2 years ago
They say quite clearly why in their privacy policy: https://proton.me/legal/privacy (section 2.5: IP Logging).

> 2.5 IP logging: By default, we do not keep permanent IP logs in relation with your Account. However, IP logs may be kept temporarily to combat abuse and fraud, and your IP address may be retained permanently if you are engaged in activities that breach our terms and conditions (e.g. spamming, DDoS attacks against our infrastructure, brute force attacks). The legal basis of this processing is our legitimate interest to protect our service against nefarious activities. If you enable authentication logging for your Account or voluntarily participate in Proton's advanced security program, the record of your login IP addresses is kept for as long as the feature is enabled. This feature is off by default, and all the records are deleted upon deactivation of the feature. The legal basis of this processing is consent, and you are free to opt in or opt out of that processing at any time in the security panel of your Account. The authentication logs feature records login attempts to your Account and does not track product-specific activity, such as VPN activity.

datadeft · 2 years ago
Because of legal requirements?
lkdfjlkdfjlg · 2 years ago
> Proton Mail is in the title because it's where they went first, but the actual identification (real name, phone number etc.) seems to come from Apple on request for info related to the address.

Irrelevant to the point. Proton Mail provided authorities with user data.

pc86 · 2 years ago
Please quote from the linked article where it says that (it doesn't).
oooyay · 2 years ago
I dislike that a website with privacy in the name collides privacy and anonymity. Privacy does not protect you from the state. Privacy is good enough to protect you from the public.

If you are doing battle with or an enemy of the state, much less an agent of the state acting in bad faith, simple privacy will do nothing for you. Worse, your misunderstanding of it is actually a vector, like in this case. The measures for anonymity you require will not incorporate fancy UIs, nice features, or even reasonable reliability at times because they will be sacrificed in the name of leaving no trace.

dathinab · 2 years ago
Privacy is also meant to protect you from the state, or more specifically state abuse. It's an essential aspect of privacy.

Like privacy is also meant to e.g. not disclose topics you have communicated about so that it can't be abused against you. For example there is a long history of states persecuting people for idk. being gay, believing in a certain religion or being a journalist which was involved in an unpleasant disclosure.

Still privacy and anonymity are two tightly related but different things. Mainly privacy of communication doesn't always imply anonymity, though sometimes does (and has to!).

Anyway it is foolish and somewhat strange to believe that a legally operating email service will protect you against judge backed lawful orders (no matter if it should be lawful or not).

Handing out metadata isn't even the worst which can happen, e.g. a judge might order them to make copies of unencrypted mails you receive or make copies of unencrypted mails you write or even undermine your encryption the next time you login.

They can try to dispute it and that alone does reduce abuse potential (if they operate in a place which still can be called a state of law) in the end especially for mail there is just no true privacy and even less anonymity.

Which doesn't mean their service is useless.

Just if you worry about political prosecution by EU countries, or do crime it's not protecting you.

matheusmoreira · 2 years ago
Some interesting facts about Proton Mail. It generates OpenPGP keys on their own servers, and if you want to use your own keys their instructions show users how to upload their entire OpenPGP secret keychain to Proton Mail. Not just encryption/signing subkeys, the master key also needs to be included.

I've emailed them to ask that they fix this. I also created a post on their user voice thing about it.

https://protonmail.uservoice.com/forums/284483-proton-mail/s...

TLDR; Proton Mail tells users to do this:

  gpg --armor --export-secret-keys "${USER_ID}" | import-into-proton-mail

They should support this instead:

  gpg --armor --export-secret-subkeys "${PROTON_ENCR_SUBKEY_ID}!" | import-into-proton-mail
  gpg --armor --export-secret-subkeys "${PROTON_SIGN_SUBKEY_ID}!" | import-into-proton-mail

First one leaks the user's master key to them.
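
A check for the concern raised in the comment above, as an added example that is not part of the original post and not Proton's tooling: it reads the colon-format listing printed by `gpg --list-secret-keys --with-colons` and reports whether a keyring still holds the primary (master) secret key or only a stub. The two listings, the key IDs and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Input: output of `gpg --list-secret-keys --with-colons`.
# Colon-format fields used here (see GnuPG doc/DETAILS):
#   1  = record type: "sec" primary secret key, "ssb" secret subkey
#   5  = key ID
#   12 = key capabilities (e = encrypt, s = sign, c = certify)
#   15 = "#" if only a stub is present, "+" if the secret is available,
#        or a smartcard serial number if the key lives on a token

# Constructed listing: keyring holding the full key, which is what
# --export-secret-keys ships.
FULL_KEYRING='sec:u:4096:1:AAAAAAAAAAAAAAAA:1700000000:::u:::scESC:::+:::23::0:
uid:u::::1700000000::0000::Example User <user@example.invalid>::::::::::0:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1700000000::::::e:::+:::23:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1700000000::::::s:::+:::23:'

# Constructed listing: scratch keyring after importing the result of
# --export-secret-subkeys. The primary is a stub, the subkeys are usable.
SUBKEYS_ONLY='sec:u:4096:1:AAAAAAAAAAAAAAAA:1700000000:::u:::scESC:::#:::23::0:
uid:u::::1700000000::0000::Example User <user@example.invalid>::::::::::0:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1700000000::::::e:::+:::23:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1700000000::::::s:::+:::23:'

# Print one line per secret key record: role, key ID, capabilities, state.
# An empty field 15 (older GnuPG output) is treated as "present" so the
# check fails closed.
classify_secret_keys() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            role = ($1 == "sec") ? "primary" : "subkey"
            cap  = ($12 == "") ? "-" : $12
            if ($15 == "#")                   state = "stub"
            else if ($15 == "" || $15 == "+") state = "present"
            else                              state = "token"
            printf "%s %s %s %s\n", role, $5, cap, state
        }'
}

# Exit 0 only if at least one primary key was listed and every primary is
# a stub. Anything else (secret present, on a token, no key at all) exits 1
# and should be looked at by hand before the keyring is exported anywhere.
primary_secret_absent() {
    classify_secret_keys | awk '
        $1 == "primary" { seen = 1; if ($4 != "stub") bad = 1 }
        END { exit ((seen && !bad) ? 0 : 1) }'
}

report() {
    printf '== %s ==\n' "$1"
    printf '%s\n' "$2" | classify_secret_keys
    if printf '%s\n' "$2" | primary_secret_absent; then
        echo "verdict: primary secret key is not in this keyring"
    else
        echo "verdict: primary secret key present or needs review"
    fi
}

report "full key" "$FULL_KEYRING"
report "subkeys only" "$SUBKEYS_ONLY"
```

On a real system the listing would come from a scratch `GNUPGHOME` into which the export file was imported, so the check describes exactly what the file contains.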

happymellon · 2 years ago
> Mainly privacy of communication doesn't always imply anonymity, though sometimes does (and has to!).

Anonymity is simply people not knowing who you are, not necessarily what you say. It's not privacy of communication, but privacy of identity.

I can post on the internet as Anonymous Coward, and those posts are public even though my identity is private.

I can encrypt an email and send it, and it will be picked up by all the relays. They can look up the source and identify me, but hopefully not read the email contents.

lancebeet · 2 years ago
You state this distinction as if it's established, but it's not a definition I've personally heard explicitly stated before. If I read the introduction of the Wikipedia article on "privacy", I find the following:

>The right not to be subjected to unsanctioned invasions of privacy by the government, corporations, or individuals is part of many countries' privacy laws, and in some cases, constitutions.

So according to Wikipedia, at least in some cases, privacy is protection against the state. Where does your definition come from?

rmbyrro · 2 years ago
If there's a court order from due judicial process, isn't it sanctioned invasion of privacy?
Kbelicius · 2 years ago
> unsanctioned invasions of privacy

GP's definition might as well come from Wikipedia.

Klonoar · 2 years ago
Their breakdown is what’s parroted up and down comment chains on this site when it comes to privacy/anonymity, so I’m frankly not sure how you’ve missed it over the years.

Deleted Comment

kube-system · 2 years ago
Privacy protects some things from the state, which is why the western world has the concepts of warrants and such.

But the concept certainly doesn't mean that a business is going to help you cover your tracks in regards to data you've already shared. (in this case, the recovery email address)

If you give out your personal information, commit a crime, and ask that person to help you hide, you're not asking for anonymity, you're asking for an accomplice.

_heimdall · 2 years ago
I think that is the GP's point. Privacy means the data is reasonably hidden, though it still exists somewhere in a readable state. Anonymity means the information of who did what really doesn't exist anywhere.

In the case of governments, private data is only hidden until the government decides that it needs to look for it (or ask for it). Anonymity means the data isn't there, regardless of whether the government decides it needs to, and has legal justification to, demand access to the data.

Anyone providing anonymity is only an accomplice if they know your intent. Simply not collecting data doesn't make you an accomplice, not collecting data with the intent of hiding someone else's illegal behavior does.

newscracker · 2 years ago
You seem to be confusing privacy with practicality. In practice, nothing is ever secure, nothing is ever private and nothing is ever safe.

What matters here is what Proton promises and advertises to users/potential users vs. what it can actually deliver. I don’t know if Proton is more open about this, but hopefully this isn’t just buried in some long Terms of Service that almost nobody reads.

behringer · 2 years ago
> Proton is incorporated and headquartered in Switzerland, meaning your data is protected by some of the world's strictest privacy laws.

This is the main statement from Proton about their privacy protection. They say they obey Swiss privacy laws. So if one has a problem with Protonmail complying with Swiss law, maybe one should complain to Switzerland.

DEADMINCE · 2 years ago
> In practice, nothing is ever secure,

Well that's clearly not true.

betaby · 2 years ago
> Privacy does not protect you from the state. Privacy is good enough to protect you from the public.

Public doesn't care mostly. Governments on the other hand...

habitue · 2 years ago
The public includes online mobs who send you death threats. It definitely matters to protect your identity from the public
littlestymaar · 2 years ago
The “public” also means the private industrial sector, and nowadays they are by far the biggest threat for people living in the Western world.
dheera · 2 years ago
The public might care if you are rich, influential, or conventionally highly attractive, in which case privacy is a good thing to have.
mogiddy55 · 2 years ago
Buying used phones and laptops with cash at a bazaar whilst wearing a wig, one at a time.

You got a few days of Tor on each device; then they need to burn.

I really don't know what more you can do beyond making your own chat client. Internet is not a place for revolution.

blacklion · 2 years ago
With all "security" cameras and face recognition software and big data mining, which links many sources together, real world in developed world is not a place for revolution too.

Welcome to dystopia and hope that governments in developed world will not become too nasty (CCP-level nasty) too soon due to inertia.

deadbabe · 2 years ago
If you are a true enemy of the state, why communicate by digital means at all? You could pass written notes or swap USB sticks around.
baby · 2 years ago
Thank you for making up a definition
carlosjobim · 2 years ago
Your take is just about the opposite of what anybody I know would mean by privacy, which is to protect your information from government actors primarily, for obvious reasons since the government is an actor that seeks out to harm the public.
VelesDude · 2 years ago
> Privacy does not protect you from the state. Privacy is good enough to protect you from the public.

While I get what you are saying, that is a little too black and white for the entire field. Privacy can be used to shield whistle blowers from the state.

RedComet · 2 years ago
Protonmail gave up the recovery address. Apple gave up the name, physical address, and phone number associated with it.
politelemon · 2 years ago
Yes it's a strangely skewed article focusing on proton, when:

> Once he got it, he asked Apple for information about this second email address, and got its name, home address, and phone number. Afterwards, the Civil Guard also asked the telephone company responsible for the telephone number who was the owner of the line, which matches the name provided by Apple. Also, they say they have found that this person is registered at the same address provided by Apple.

denton-scratch · 2 years ago
It focuses on Proton because Proton is the link that purports to be secure. Nobody expects Apple or telcos to guard your identity.
lolinder · 2 years ago
> Use a good VPN service to hide your IP address whenever possible. (Failure to do this is what compromised a Proton Mail user in France who was arrested after police obtained IP logs.)

If your VPN is tied to a payment method then all you've done is give police one extra hop to follow to get at you, which wouldn't have saved this activist. Their list of VPNs only includes Mullvad in position 9 of 10, but as far as I'm aware it's the only one that offers payment methods that preserve your anonymity.

red_admiral · 2 years ago
If you're doing low-bandwidth stuff like sending e-mails, TOR (which is of course free) should be your first choice.

But you have to absolutely "air-gap" that from the rest of your identity, such as not making a proton e-mail address over TOR and then using your usual email address as the recovery one.

SomeoneFromCA · 2 years ago
nah tor is not trustworthy, as it also exposes you as a tor user; in less developed countries, where not many people know how to use Tor, you'll stick out real bad. It is much better to use shady random proxy servers you'll find online, before connecting to Tor; it is extremely slow, but much safer, as the authoritarian state monitors won't be able to see that subpoenaed IP addresses come from tor exit nodes, conveniently at the same time period you (and basically no one else) were using Tor.
ApolloFortyNine · 2 years ago
Only if the vpn provider had logs.

Most claim they don't, PIA even was subpoenaed at least once and responded they don't have logs.

ThrowawayTestr · 2 years ago
Keep in mind that was years and at least one owner ago.
Dylan16807 · 2 years ago
Let's say I buy Mullvad access with a credit card, then access my otherwise-unrelated Proton Mail account via Mullvad.

How are police going to find me behind that hop?

lolinder · 2 years ago
I don't know one way or the other how easy it is, but if I were an activist in an oppressive regime I wouldn't want to use a VPN that is connected to my identity in any way. I wouldn't trust zero-log policies to keep me safe, there are too many unknowns about the way they run these services and what metadata they have to turn over.
timeon · 2 years ago
They can find you if they are lucky with choosing your ISP, and there are not many people connecting to VPN you have used at specific time.
2OEH8eoCRo0 · 2 years ago
I assume they won't bother unless you're a pedo or terrorist. In that case, what are you using the email address for? Request your info from all of those sites. Wait for you to get sloppy once.
detlef64 · 2 years ago
You are totally wrong. You are assuming that every single VPN is logging everything you do online, every IP address, and every website, and then saving this information for every user. Completely false. Show me a single reputable VPN that does. Show me the real life cases where this has happened. Any good VPN, including Mullvad, is a no-logs VPN, which means activity through the VPN is not recorded and cannot be connected with users. There have been numerous VPNs that have not only been audited to verify this, they have been proven correct in court or real-life tests. Mullvad is a perfect example of this:

https://restoreprivacy.com/mullvad-vpn-says-customer-data-is...

Paying for a VPN account does not mean the VPN is going to start logging user activity. Keeping payment records does not equal logging user activity through VPN servers. And most of the big name VPNs allow for crypto payments.

Deleted Comment

lordofgibbons · 2 years ago
The heart of the issue is this:

> Under Swiss law, Proton Mail was compelled to collect and provide information on the individual’s IP address to Swiss authorities, who then shared it with French police.

They can claim all the privacy guarantees they want, but unless the privacy is guaranteed by cryptography, it's an empty gesture. Nobody is willing to do prison time to protect your privacy.

weikju · 2 years ago
> The heart of the issue is this:

No, that was last year's issue.

This time it's:

> The core of the controversy stems from Proton Mail providing the Spanish police with the recovery email address associated with the Proton Mail account of an individual using the pseudonym ‘Xuxo Rondinaire.’ This individual is suspected of being a member of the Mossos d’Esquadra (Catalonia’s police force) and of using their internal knowledge to assist the Democratic Tsunami movement.

and

> Upon receiving the recovery email from Proton Mail, Spanish authorities further requested Apple to provide additional details linked to that email, leading to the identification of the individual.

tsimionescu · 2 years ago
Expecting a lawful corporation to shield you from the law is absurd. The state has the right to obtain this information - so, if you want it hidden, you need to find a provider that doesn't operate under the bounds of the law. You'll soon find out that A LOT of niceties go away once you're not dealing with legal matters: you can't guarantee that you'll get the service you paid for, you can't re-gain access if you lost your main security, etc.
fbdab103 · 2 years ago
I think they should do like Mullvad claims and keep zero logs. You cannot share what you do not have.
srockets · 2 years ago
This does not stop the host from being compelled to wiretap future communications.

Just don't try to make encrypted email happen. It can't, and we don't need it to be. We have better solutions for encrypted communications, for those that need it.

GGO · 2 years ago
you can be required to keep logs - they need to design a system that cannot collect logs - You cannot share what you cannot have.
yieldcrv · 2 years ago
gullible vpn fans believe anything

or at least their favorite youtuber with the paid ads and zero domain knowledge of network topology

serious question I have is whether “internet reseller” is a compelling service. because that's all that VPNs are, and I don't mind paying to use them for that purpose.

TheCoelacanth · 2 years ago
How would a recovery email feature be possible without them knowing what your recovery email is?
kaliqt · 2 years ago
I mean it's clear, the governments of the world are colluding to ensure that all companies and users must incriminate themselves by collecting logs. They're trying to do the same with cryptography.
nabla9 · 2 years ago
Proton Mail can't give email content, only things like email address, IP addresses etc.

Email content is encrypted and Proton Mail has no access

blackeyeblitzar · 2 years ago
Is the implication that you should use a VPN from a different provider? Like so you’re not getting email and VPN and whatever from the same place?
kube-system · 2 years ago
You could encrypt the source IP on all your outbound TCP packets, but it might not work very well.
mmcallister · 2 years ago
a minor point but you can't _encrypt_ source IPs, you can only obfuscate or more accurately, proxy.
wepple · 2 years ago
When thinking about these types of cases, always keep Parallel Construction in mind: https://en.m.wikipedia.org/wiki/Parallel_construction

There’s a reasonable chance that they already had this info (possibly even cleartext email via an ISP lawful intercept), and the proton/apple jig whilst bad, wasn’t as bad as the real source

nabla9 · 2 years ago
Proton Mail gives info only when the Swiss law mandates it and Swiss law enforcement requires it. Swiss privacy laws are quite good.

That's the strictest privacy policy any company can hope.

Proton Mail can't give email content, only things like email address, IP addresses etc.

blitzar · 2 years ago
Proton Mail can give email content, however, it is encrypted and they do not have the encryption keys.

Anything that is stored by anyone can be handed over. That information may be useful, may be useless or may be useless now and useful tomorrow when they have the key.

wepple · 2 years ago
> they do not have the encryption keys.

True, but they can trivially obtain them given they control everything in the browser.

The question then becomes, does the law allow compelling to that degree? Apple fought back in the San Bruno case, but they’re very well lawyered up