WelcomeUser Guide
ToSPrivacyCanary
DonateBugsLicense

©2024 Poal.co

1.1K

End-to-end encrypted email service provider ProtonMail has drawn criticism after it ceded to a legal request and shared the IP address of anti-gentrification activists with law enforcement authorities, leading to their arrests in France.

The Switzerland-based company said it received a "legally binding order from the Swiss Federal Department of Justice" related to a collective called Youth for Climate, which it was "obligated to comply with," compelling it to handover the IP address and information related to the type of device used by the group to access the ProtonMail account.

On its website, ProtonMail advertises that: "No personal information is required to create your secure email account. By default, we do not keep any IP logs which can be linked to your anonymous email account. Your privacy comes first."

Despite its no IP logs claims, the company acknowledged that while it's illegal for the company to abide by requests from non-Swiss law enforcement authorities, it will be required to do so if Swiss agencies agree to assist foreign services such as Europol in their investigations.

"There was no possibility to appeal or fight this particular request because an act contrary to Swiss law did in fact take place (and this was also the final determination of the Federal Department of Justice which does a legal review of each case)," the company said in a lengthy response posted on Reddit.

Put simply, ProtonMail will not only have to comply with Swiss government orders, it will be forced to hand over data when individuals use the service to engage in activities that are deemed illegal in the country.

"Proton must comply with Swiss law. As soon as a crime is committed, privacy protections can be suspended and we're required by Swiss law to answer requests from Swiss authorities," ProtonMail founder and CEO Andy Yen tweeted, adding "It's deplorable that legal tools for serious crimes are being used in this way. But by law, [ProtonMail] must comply with Swiss criminal investigations. This is obviously not done by default, but only if legally forced."

If anything, ProtonMail users who are concerned about the visibility of their IP addresses should use a VPN or access the email service over the Tor network for additional anonymity.

"The prosecution in this case seems quite aggressive. Unfortunately, this is a pattern we have increasingly seen in recent years around the world (for example in France where terror laws are inappropriately used)," the company said.

End-to-end encrypted email service provider ProtonMail has drawn criticism after it ceded to a legal request and shared the IP address of anti-gentrification activists with law enforcement authorities, leading to their arrests in France. The Switzerland-based company said it received a "legally binding order from the Swiss Federal Department of Justice" related to a collective called Youth for Climate, which it was "obligated to comply with," compelling it to handover the IP address and information related to the type of device used by the group to access the ProtonMail account. On its website, ProtonMail advertises that: "No personal information is required to create your secure email account. By default, we do not keep any IP logs which can be linked to your anonymous email account. Your privacy comes first." Despite its no IP logs claims, the company acknowledged that while it's illegal for the company to abide by requests from non-Swiss law enforcement authorities, it will be required to do so if Swiss agencies agree to assist foreign services such as Europol in their investigations. "There was no possibility to appeal or fight this particular request because an act contrary to Swiss law did in fact take place (and this was also the final determination of the Federal Department of Justice which does a legal review of each case)," the company said in a lengthy response posted on Reddit. Put simply, ProtonMail will not only have to comply with Swiss government orders, it will be forced to hand over data when individuals use the service to engage in activities that are deemed illegal in the country. "Proton must comply with Swiss law. As soon as a crime is committed, privacy protections can be suspended and we're required by Swiss law to answer requests from Swiss authorities," ProtonMail founder and CEO Andy Yen tweeted, adding "It's deplorable that legal tools for serious crimes are being used in this way. But by law, [ProtonMail] must comply with Swiss criminal investigations. This is obviously not done by default, but only if legally forced." If anything, ProtonMail users who are concerned about the visibility of their IP addresses should use a VPN or access the email service over the Tor network for additional anonymity. "The prosecution in this case seems quite aggressive. Unfortunately, this is a pattern we have increasingly seen in recent years around the world (for example in France where terror laws are inappropriately used)," the company said.

(post is archived)

You are currently inside a comment thread.
Click here to see all the comments (78).
[–] 0 pt

Do you think tutanota is any good or are there no secure email providers and you have to roll your own?

I understand there are too many layers to trust, we didn't make the hardware, write the firmware, OS, etc. but the only alternative seems to be to go neo-luddite.

[–] 3 pts (edited )

I don't think there are any safe alternatives for e-mail. Snail mail is only secure because they need a warrant to open a letter.

Run your own e-mail server at home is about the only secure option but email rolls over public networks.

Exchange PGP keys with those you converse with and run your own server. I still think the NSA can read anything they want.

[–] 0 pt (edited )

Run your own e-mail server at home is about the only secure option

It's not, especially if you're new to this, needless to mention the fact that it points directly at your physical "home"

Let's be serious here, you want some sort of anonymity on the network you access the network through means that aren't directly tied to your bank account at one point or another other for a start. The internet connection you use isn't attached to your credit card (or anyone's credit card/bank account related to you), the machine you use hasn't been bought with your credit card, your name isn't attached to it and you don't use that machine with anything attached to your credit card

From there even if you still can be seen on the network as a connected machine, your IP and MAC addresses and geolocation or whatever, aren't directly pointing at your identity

The hardest part is the connection, until no one can buy anything without a credit card of course

[–] 0 pt

Are you the guy that was always saying he posts using a Starbucks wifi?

I went to the library and holy shit even in the boonies they assign you a single ID'ed slot which you have to sign in for. If you have a laptop and use your phone it kicks you off since it's two devices.

[–] 0 pt

The FBI doing an old fashioned mail cover? No agent has been assigned to do that in 25 years.

[–] 1 pt

The USPS does it.

[–] 0 pt

thats exactly what a glownigger looking for marks would say

[–] -1 pt

thats exactly what a glownigger looking for marks would say

[–] 2 pts

Your best bets are obfuscation by proliferation (simply using normie mass email services like Gmail and keep changing addresses) or use disposable services like Guerrilla Mail that achieve the same result but will self destruct after use. Secure email providers are a meme and Proton Mail was compromised ages ago.

[–] 3 pts

The Gmails all end up getting linked together. The second you sign in from another device or even IP it throws warnings and wants verification. Before you know it your google account has 5 email addresses in it.

[–] 0 pt

why would you use an email address on multiple devices/ips? your just asking to get doxxed.

[–] 0 pt

why would you use an email address across devices? your just asking to get doxxed.

[–] 0 pt

disposable email addresses are frequently blacklisted, and their self destructing nature means their not exactly that good for communication either.

[–] 1 pt

The problem with roll your own is that you will never know if you have been compromised. You lack the sophisticated counter measures and detection systems that a quality commercial operation has. Even they have a hard time of it and they spend all day every day looking for it. You dont have the time for it. So your home brew email system is even more compromised than a commercial system.

[–] 0 pt

Yeah my thoughts exactly, and that's without even mentioning being blacklisted by other email services because blah

[–] 1 pt (edited )

I use several VPNs (one for a group of sites, another for another group, etc) and I looked into starting my own but when I started to look into my requirements I realized none of them were capable of providing those nor am I smart enough to walk through the code of an entire Linux distro to make the code removals.

Assuming Linux as the OS:

For example, no logging. Proton was probably just disabling logging at the daemon level (turn off syslog). My requirement would be to remove the entire code base for syslog and recompile Linux so the OS has no idea how to log anything. Then you have the TCP/IP code, which by design is not secure. That has to be changed to prevent security tools from working. They can use microscopes and physically recreate data from a hard disk. So there's another code base to change. The list of requirements starts growing pretty quick. Even if you manage to run your entire VPN from a CD-ROM with no way of storing logs or data you still have RAM that can be reviewed. RAM chips can be kept alive with low voltage.

[–] [deleted] 0 pt

Smoke signals and encoded clicking noises work the best.