ProtonMail logged IP address of French activist after order by Swiss authorities (techcrunch.com)
314 points by LordAtlas on Sept 6, 2021 | 163 comments


More discussion in this earlier thread - https://news.ycombinator.com/item?id=28427259


All those who stop using ProtonMail after this incident - could you please describe what PM should've done differently? From what I know they received a valid/legal request from authorities in Switzerland. Since they operate under swiss jurisdiction - they had only two options: comply or cease to exist. I doubt anyone would be happier if _all_ PM equipment got seized. So it seems that they should've placed themselves (servers _and_ personnel) outside EU. Also outside USA, UK, Australia, Canada, India, Russia, China, Latin America, Saudi Arabia... There are not so many countries left. And operating in "dark web" is not helping really - physical HW has to be operated by physical people, both of which can be found by state authorities.


There seem to be two groups of ProtonMail users. Those offended by warrantless dragnet surveillance. And those opposed to legal demands for information.

ProtonMail is effective at thwarting the first. It sees headers and IP addresses, so the risk is theoretically there. But their technology, policies and the strength of Swiss privacy law [1] make them a less-ideal coöperator for the NSA than e.g. Google or Comcast.

With respect to the second, I feel like ProtonMail went out of their way to communicate their limits. They will comply with Swiss warrants. These are signed off on by a Swiss court and made pursuant to Swiss law. (They still don’t get to hand over your emails, which is an improvement over most other providers.)

Disclaimer: I used to use ProtonMail. I switched to Microsoft 365 because I need integrated calendaring and delegation.

[1] Third-party doctrine doesn’t exist for e-mails in Switzerland. If the FBI asks ProtonMail for information, ProtonMail would be breaking Swiss law if they handed it over without a Swiss court signing a warrant.


I agree. The fact ProtonMail exists in a world that's pretty hostile to individual privacy is hardly their fault, I think they were pretty good at explaining what their limits are compared to a lot of companies out there. It'd be churlish to leave ProtonMail for say, Gmail or another mainstream offering that makes far less of an effort to be private and transparent in my opinion.

I feel there's a lot of people who are absolutists about privacy without realising the legal and technical realities of that absolutism. I don't agree for one minute with governments and corporations compromising people's privacy, but whatever we like to tell ourselves about liberal democracy all authority amounts to "might makes right" in the end, and ProtonMail doesn't have the mightiest club to swing around in this situation.


These "absolutists" are people looking for:

- a service which would blindly accept money/crypto-money,

- in exchange of a worldwide legal shield which would take all of the heat resulting from the user's anonymous actions.

This service is not going to exist for $100/year. It would not even be safe to offer such a service for a million dollars per year, because the responsibility could be huge (terrorist attacks, human trafficking, etc.). Nobody in their right mind would be ready to bear this kind of legal responsibility without trusting (and thus knowing) their customers.


Why would protonmail be responsible for human traffic that happens unbeknownst to them? They don't need to "shield" merely just don't keep any logs so there is nothing to seize. If I go to walmart and buy a trailer with cash while wearing a mask (which walmart blindly accepts) to cram a bunch of illegals in to cross the border, why would that be walmart's fault if they don't have any log of who I am? Are you demanding walmart keep KYC of anyone buying knives, trailers, and anything else that could be used for illegal purposes?


> demanding walmart keep KYC of anyone buying knives, trailers, and anything else that could be used for illegal purposes

Nobody is. But if you buy a trailer every week, it wouldn’t be unreasonable for law enforcement to ask Walmart to let them organise a sting outside or even just leave a video camera on premises. They could do that without a warrant in the U.S., Walmart willing, something that is illegal with ProtonMail in Switzerland.


How is it hostile to user privacy to respond to legal requests for information?


It's not. My guess is that some folks are of a hard libertarian leaning even verging into sovereign citizenship.


I just can’t get over how their billing model works. Making bills and locking account suddenly without a warning. It felt like such a big scam that I’m not coming back regardless of whatever the privacy is.


> But their technology, policies and the strength of Swiss privacy law [1] make them a less-ideal coöperator for the NSA than e.g. Google or Comcast.

There is also another viewpoint. Since ProtonMail is a non-USA company, any internet activity associated with non-US citizens isn't protected by the US Constitution when CIA et al. are in action. They can do whatever they please.

Also, the background of ProtonMail is not so clear. Many might not know, as they have tried to hide it, but MIT guys played a big part in originally writing ProtonMail, which can be linked to CIA/NSA oversight[1].

Also, a major part of the equity ownership belongs to the U.S. (Charles River Ventures was one of the first big funders, and this naturally happens)

I also leave this interesting link here[2] (The Truth About Protonmail).

[1]: https://web.archive.org/web/20210226014214/https://privacy-w...

[2]: https://web.archive.org/web/20210220023958/https://privacy-w...


This is all false unfortunately.

First, Charles River Ventures is no longer a shareholder: https://protonmail.com/blog/crv-investment-other-news/

Second, all of ProtonMail's code that runs on your device is open source and independently audited. It would be nearly impossible to hide a backdoor in there.


> Second, all of ProtonMail's code that runs on your device is open source and independently audited.

When will you support reproducible builds, or are you supporting it already? Because only then can we be 100% sure that the same code is actually running in there without reverse-engineering between every update.


> They still don’t get to hand over your emails

This gets at the key tech question: what's the most they could do? (either in response to a legal order or for any other reason)

ProtonMail's answer here is "not much"; they can log IPs and access times. Signal has a great write-up about how they respond to warrants, and it's similar: just IP and last access time.

But is that really all?

Protonmail has a web app. This time, a court said "you must add server side logging for these specific accounts". Could a court also say "you must add client side logging for this specific account"? If so, could that come with a gag order such that only that one user gets served different code, almost impossible to detect?

That would let a user read their mail.

I am very curious whether the App Stores have ever served modified versions of apps to specific users in order to, for example, extract Signal messages.

Software update is a key problem, closely related to the Ken Thompson "Reflections on Trusting Trust" thought experiment. I'm using a tool: how can I know for sure that I'm using the same copy everyone else has, not one that's been compromised?


The scenario you describe with the apps, is not actually possible under Swiss law. Swiss laws are very clear about this, they do not allow the authorities to order something like this.


> They still don’t get to hand over your emails, which is an improvement over most other providers.

They do if they're asked to and you're not using their custom e2e thing (e.g. you're using the imap gateway).


Are you talking about the Bridge? That appears to run locally on your computer and wouldn't provide their servers any further access than their custom clients.

https://protonmail.com/bridge/


Disclaimer: Paying Protonmail customer here

Waiting on someone inspired to build something better. I spend $50/year with Protonmail.

I expect Proton to communicate differently about what they offer.

And to educate users about what surveillance is, and what Proton can and cannot protect from. Train the future generation to expect trustless, adversarial systems but still thrive.

Promote Tor. Don't just put up with Tor. Educate users about Tor. Defend Tor.

I appreciate that Protonmail specifically addressed this in the headline of their response "Important clarifications regarding arrest of climate activist". Rather than "Updates on our privacy policy" or some bs.

I don't expect Proton to behave differently to law enforcement or warrants. I believe they did whatever here. No company can resist the law.

You can see my response here in the other thread: https://news.ycombinator.com/item?id=28427259


I don't generally like to be the one to blithely trumpet about personal responsibility, in part because I tend to be more of a "civic responsibility" kind of person. This, though, seems to me to be pretty unambiguously a situation where personal responsibility needs to take over. There must be a limit to how much responsibility we try to foist off on others.

As someone who's been using Proton for years, I've continuously been quite impressed about how open they are about the limits of what they can offer. As a company selling me a product, they do a great job. But they are still, at the end of the day, a company selling a product, and not my life coach or personal attorney. It is not their responsibility to anticipate and enumerate every possible way the legal obligations under which they operate could play out in real life. At some point, it's on the customer to have enough of a grasp of civics to understand what court orders are and how they happen.


> It is not their responsibility to anticipate and enumerate every possible way the legal obligations under which they operate could play out in real life.

They don't need to enumerate every possible ways. They were misleading in their previous marketing material. They since changed it, but here is what they had on their Security Feature page:

> Anonymous
>
> No tracking or logging of personally identifiable information
>
> Unlike competing services, we do not save any tracking information. By default, we do not record metadata such as the IP addresses used to log into accounts. As we have no way to read encrypted emails, we do not serve targeted advertisements. To protect user privacy, ProtonMail does not require any personally identifiable information to register.

They do log IP addresses and do offer them to law enforcement.

Now they only say this:

> Opt out of tracking or logging of personally identifiable information

This is still misleading, as the IP address is definitely identifiable information, as shown in this case, but also because the section is still called "Anonymous".

> This, though, seems to me to be pretty unambiguously a situation where personal responsibility needs to take over.

I disagree so hard on that. ProtonMail is used in extreme cases. In cases where they have no technology knowledge, even the existence of IP address, in situations where they may not know Swiss laws, nor are aware of some first world countries' laws and are only aware of their own countries' more fascist laws. They are selling an anonymous service, which isn't...

The biggest issue is that there's a way to actually be anonymous (or at least, closer to be), using TOR, and that's how they should sell their service.

So yeah I disagree that it's fine that they are selling a service that they can't sell in these conditions...


So, to me, that "by default" is all you need to know. Plus, perhaps, enough awareness of how society works to realize that literally any default configuration can be overruled by a court order.

In other jurisdictions, such as the USA, it doesn't even require that.

And, while I am not the kind of person who saves these things for later, so perhaps it was different 4 years ago, but the current version has the bog-standard - and therefore completely forgettable - disclaimer about complying with legal obligations that you see in every such policy. And since it is such a bog-standard thing, I would assume it was always there, though, of course, it's not the kind of thing I would have noticed and remarked upon, let alone remembered, when I originally read it.

Which has me wondering, what exactly is the ask here? That they include a full copy of the privacy policy on every single marketing page, so that nobody can get up in arms about how they didn't mention every single detail on whatever subset of pages they happened to read while signing up whenever something they didn't anticipate happens?


> I've continuously been quite impressed about how open they are about the limits of what they can offer.

If by that you mean "By default, we do not log metadata ...", I would at the very least disagree with your characterisation.


The ask here is I'm paying $50/year for what amounts to a simple service. I expect Protonmail to lead when it comes to privacy and anti-surveillance online.

I've commented elsewhere in this thread with specifics.


Good on you for tracking their changes. Is there any official way to do this?

My inbox is open for a Tor-first replacement for Protonmail. Checking out https://tutanota.com/ now


Disclaimer: Paying Protonmail customer

I hear you. But in that case, why not just use Gmail?

For $50/year I do expect Protonmail to be more like a life coach for privacy and surveillance. Not for me personally, but for the people who really need protection. It's just email, I can get it cheap anywhere.

For example, their one and only blog post about Tor is from 2017.

I expect better. Promote Tor on the homepage. Publish about what percentage of your users use Tor. Fight to change norms not just pass the buck.

Get with the times, Protonmail. Or someone else will do it for you.


> But in that case, why not just use Gmail?

Well, just for starters, GMail is hosted in a different and more authoritarian jurisdiction where you don't even need a court order and due process of law to be compelled to share information with the authorities.

I think that sitting in the frying pan and whatabouting the fire is self-evidently a better course of action than jumping into it. But it's still not a good one, and risks inspiring others to jump into it.


You’re paying 50 per year? Judging by the amount of complaining in this and the other thread I would have guessed you must be paying at least a few thousands per month and/or were one or more of a) an activist from Afghanistan b) a whistleblower from the US c) a human rights activist from China.

With customers like these who needs enemies.


> You’re paying 50 per year? Judging by the amount of complaining in this and the other thread I would have guessed you must be paying at least a few thousands per month and/or were one or more of a) an activist from Afghanistan b) a whistleblower from the US c) a human rights activist from China.

d) building the proverbial nuclear submarine in your basement :-p


> All those who stop using ProtonMail after this incident - could you please describe what PM should've done differently?

Somebody no longer valuing what ProtonMail provides is not mutually exclusive with thinking ProtonMail could have done differently. I expect many ex-ProtonMail customers realize ProtonMail could not have done differently, but nevertheless no longer value the service ProtonMail provides. How could this be? It's simple: They previously had mistaken beliefs (namely, that ProtonMail could have done differently), and decided to no longer be customers of ProtonMail when the truth became clear to them.

If you sell me electricity from your cold fusion power plant, I am going to cancel my subscription as soon as I figure out that cold fusion isn't possible and you were selling me coal power all along. That I now realize it was impossible for you to sell me cold fusion power in the first place doesn't change the fact that I no longer see any value in doing business with your power company.


> what PM should've done differently

For starters, disclose prominently that they could be forced - and have been in the past, and will be in the future - to disclose all the information about the client that comes into their possession, including IP connection information, and they can provide no protection at all from the point the police took interest in you forward.


We understand where you are coming from, but this information is disclosed in our privacy policy, threat model, and transparency report (updated annually since 2015). All 3 pages are linked from every single page on our website. They are also included in the welcome/onboarding email sent to every single Proton user. At the end of the day, we cannot force people to read, but we do take your comment to heart and will try to be even more explicit.


Looks like the user may have done more on their part…

> However, we understand this is concerning for individuals with certain threat models, which is why since 2017, we also provide an onion site for anonymous access (we are one of the only email providers that supports this).


Proton's first and last blog post about Tor was from 2017 [1]

As a paying customer, I expect better.

[1] https://protonmail.com/blog/tor-encrypted-email/


What do you expect exactly, that they shutdown non-tor access and force you to go through tor?


Thanks for asking. Your suggestion seems rather extreme, but I'm open to it if you make a good case. I'm curious to see more Tor-first service launch.

1. More blog posts about Tor, how Proton is supporting Tor

2. Updating their Onion link. Their original blog post still refers to a v2 address, which are being retired

3. Supporting Tor broadly for other uses

4. Support anonymous account creation through Tor. I get it, it's hard. Find a solution that doesn't require de-anonymizing users.


Switzerland is outside the EU.


They are signatories to quite a number of EU treaties, such as Schengen.


They should have refused and shut down the company instead. There is another provider who did just that.


> could you please describe what PM should've done differently?

1) Not kept logs so that when put in a position to provide logs, would not have been able to do so.

If subsequently compelled to _start_ keeping logs, then:

2) Been hosted in another jurisdiction, and obfuscate where they are hosted.


I would challenge you to find a jurisdiction where the government doesn't reserve the power to compel people to do things, or where that power exists but is never used in a way that permits criticism.

I don't know the details of Swiss law, and I don't know the details of this particular case or what real or purported crimes they're investigating. It's entirely possible that this is an overzealous application of state power.

But, even if we accept for the sake of argument that this is a government overreach, I would still suggest that harsh criticism of ProtonMail is misdirected. Switzerland may not be perfect, but we shouldn't expect them to be perfect. Life is messy, there are no utopias, and humanity has yet to find a way to structure civil society in a way that comes even close to achieving perfect justice. I would guess, though, that, for all the country's doubtlessly countless shortcomings, when it comes to quality of checks and balances in legal investigations, a company based in Switzerland doesn't really have anywhere to go but down.


> Been hosted in another jurisdiction

I’m sure somalia has great infrastructure.

> and obfuscate where they are hosted.

Running an undeclared business with physical components sounds like a stellar idea.


They were doing 1 [0].

OP asked what concrete options there are for 2. In what jurisdiction would they have been better located?

[0]: https://protonmail.com/blog/climate-activist-arrest/


Disclaimer: Protonmail customer and considering switching

Wtf are you talking about here? No one expects a service to not be able to take logs or change their host country.

I do expect Protonmail to explain how they have to obey the law and what that looks like. That despite the picture of the Swiss Alps they can be compelled by the Swiss govt.

I do expect Protonmail to tell users about Tor, support Tor, and talk about limitations of Protonmail and Tor.

Sure, you could say this would be bad for business but this whole "security fortress" marketing scheme is unsustainable.


> Been hosted in another jurisdiction, and obfuscate where they are hosted.

Is this a serious suggestion? No registered company will be able to do this.


It is obvious: ensure you have no logs. No IP logs, no sender logs, no logs.


The thing is: can you run an actual company with paying customers and do this, from an operational perspective? Do you know <<any>> commercial company doing this?

I think it's pretty much impossible. How do you debug issues? How do you track and prevent abuse?


> they had only two options: comply or cease to exist.

You mean like Lavabit?


Lavabit was (and is, they're back in business as of 2017) physically located at imperial dead center, in a state where most people were fully supportive of their country's imperial ambitions. It was naive for its founder (or its customers) to expect a different result. They paid a high price for that. I think it's similarly naive to expect a different result in the case of ProtonMail. CH isn't an island. It's at least as tightly coupled with the global economy as TX. It has longstanding treaty obligations that come with that, including some covering criminal law enforcement (e.g. an extradition treaty with the US). See this Forbes piece about what Lavabit's founder said about email some time ago: Kashmir Hill. "Lavabit's Ladar Levison: 'If You Knew What I Know About Email, You Might Not Use It'". _Forbes_, 9 August 2013, https://www.forbes.com/sites/kashmirhill/2013/08/09/lavabits....


And the law is the absolute 100% honest-to-your-deity-or-lack-thereof moral authority on all things, so never ever ever disobey it.


Disobeying laws can become very costly, especially when you have something that can be taken away.


I've never used PM, but just ran through sign-up for their free service. What could they do differently with regards to this issue? Simple. Make the legal limitations of their service -- or at least their understanding of them -- explicit, transparent, and above all, utterly conspicuous to anyone looking to use their service.


Everyone seems to expect Protonmail to take the fall for them.


Also something else they could have done, from a technical perspective: they could have designed Protonmail as a free-software suite for existing non-profits and coops to run to provide more-secure email. Centralizing everything with them is what made this situation possible in the first place.


PM's marketing has long said they're special because they're Swiss. That's been their main marketing push every time I looked into them. Turns out that's BS.

So I don't believe we should criticize PM for their handling of this situation. We should criticize PM for lying to their customers.


> We should criticize PM for lying to their customers.

Lying about what exactly? They chose switzerland because it has excellent civil and privacy protection, not because it’s a lawless hellscape, and they never hid that and that they were under swiss law.


> They chose switzerland because it has excellent civil and privacy protection

Source for Switzerland being any better than other countries when it comes to human rights? A few examples come to mind that would suggest otherwise...

> not because it’s a lawless hellscape

How is protecting activists who try to change society for the better "a lawless hellscape"?


While there may be examples of activists being oppressed by Swiss law, in this particular incident activists were messing with others' property which is hardly changing society for the better.


Two important things:

1) We're talking about Protonmail cooperating with a random foreign police (via request from their local police) without any form of judicial oversight. As a hosting provider with big money like Protonmail, the only fair thing to do is to go to court to have a judge examine the legality of the request in detail (not just as a friendly police request) before you collaborate at all with them.

2) We're talking about a bunch of anti-gentrification activists who requisitioned/squatted empty buildings to house homeless people and serve food for the neighborhood. Those buildings were owned by a landowning mafia which, as you can see, has long-reaching arms: when was the last time you heard of Europol/Interpol being involved in the repression of a squat that lasted a few months? This is a clear case of political repression, not any ordinary criminal case.


While I have no data to discuss the second item, regarding the first item you seem to be misinformed. PM did _not_ cooperate with a random foreign police. PM had to execute on _their local authorities_ order, and judicial oversight was present - three authoritative entities in two countries had to approve the order. If this is not judicial oversight then my imagination fails to suggest what could serve as such oversight. And in their clarification PM state that there was no possibility to challenge the order in court (maybe because the order came from a court already?).


The key point is that any country could make a request through Interpol or the Europol. Proton mail bragged about their great fortune to be under Swiss law but it turns out it's subject to the lowest common denominator, a request through Interpol or Europol. What if Poland starts wanting to find out who whistleblowers are who have protonmail email addresses? Or China inevitably wants to unmask some democratic leader from Hong Kong?


> three authoritative entities in two countries had to approve the order

What's that worth when your entire judicial apparatus is corrupt (doesn't respect separation of executive/judicial branches) and all it takes is asking nicely to get a request granted?

> my imagination fails to suggest what could serve as such oversight

Protonmail did not have a chance to defend itself before the judge, to face the alleged lies of the prosecution. You may consider that's still a form of judicial oversight, i don't.

> no possibility to challenge the order in court

Yes there is. Don't collaborate. Send a notification that you're waiting for a judge hearing. Wait for news. Either case is closed and you're good, or you get summoned to court and you can argue you have no criminal intent but strongly doubted the legality of the request.


> cooperating with a random foreign police (via request from their local police) without any form of judicial oversight

I believe the warrant had to be signed off on by a Swiss court.


This may well be the case, as most police requests do. However, you're probably aware that these requests are somewhat-automatically approved by judges who have no time to examine them all, want to stay cozy with law enforcement (have very friendly relationships with prosecutors, despite that being against the separation of powers), and are counting on hosts to protest illegal requests.


> these requests are somewhat-automatically approved by judges

You said there was no judicial oversight. That is false. The claim that Swiss judges want to stay cozy with law enforcement requires a lot more support.


To me, being forced to comply with an order you had no chance to hear justification for, and/or had no chance to defend yourself against, is not "judicial oversight". It's an order signed by a judge alright, that doesn't make it "rule of law"-compliant.

> The claim that Swiss judges want to stay cozy with law enforcement requires a lot more support.

Unfortunately, there are very few serious studies of the corruption of the judicial system in the global north. There are massive scandals, but never wide anti-corruption schemes. You may be interested to read Michel Foucault's Discipline and Punish, which is a very serious examination of why "Justice is an independent power" is a gross misrepresentation at best.


What did you expect from their "swiss-ness"? Because to me being swiss means nothing more than having to obey swiss law (which is still better than having to obey EU laws or US laws).


Yes, exactly this.


>could you please describe what PM should've done differently

There is a thing called civil disobedience [1]

I think that in this instance, it was justified to take such a stance and basically fight the injunction tooth and nail, even if that meant taking a fine, going to jail, whatever.

In a case like this, if you really believe in your core values, you must be willing to take the hit.

The whole "the law says X" isn't the highest moral standard in this case.

[1] https://en.wikipedia.org/wiki/Civil_disobedience


Or having their servers shut down and many thousand people losing access to their email?


> Or having their servers shut down and many thousand people losing access to their email?

There are technical solutions to this problem.


I think PM should cease to exist: it is not what it says it is. But on the other hand they will not be allowed to cease to exist because govs need a way to capture “stupid criminals” (basically activists and similar)

But real online criminals live in Russia… it is known who they are and they do not even hide themselves.


"sorry we don't have IP logging. Requiring us to do so is an undue burden in costs and would threaten our customer base, costing us far more money. If you want to log addresses that's the state's responsibility."

They may very well lose, the problem is how much they willfully comply, and then lie or omit the truth.


> sorry we don't have IP logging. Requiring us to do so is an undue burden in costs and would threaten our customer base

Exactly my thoughts.

When you have decided to resist, there are many ways to do this, without obviously disobeying the law.

Their whole marketing spiel has been debunked in one fell swoop with this case.


Refuse to comply with unfair laws? That's precisely what those activists that Protonmail ratted on were doing, and that's precisely what Protonmail should have done.

It's funny how some fancy cryptographers from their ivory towers will stand for privacy rights... as long as they don't actually take any risks for themselves. Unlike the actual activists who were house searched and arrested and now risk jail time for an arguably-noble cause, it's not like security researchers actually risk anything beyond a few fines (which they could crowdfund for) if they don't comply with law enforcement.


> Refuse to comply with unfair laws?

And do what exactly, go to prison? Expecting that is unreasonable at best.


This is exactly the point: never expect that the people running a service are going to go to prison or pay a significant fine to protect you. It's not going to happen. You need good OPSEC, yourself, because you don't want to go to prison.


I partially agree, and partially disagree. No i don't expect volunteer sysadmins to take huge risks for me. However, i expect huge organizations like Protonmail who claim to care for privacy to do just that.

Moreover, the risks in this case are not big because this is a clear case of political repression and any form of judicial scrutiny would have raised considerable eyebrows.


When was the last time you heard of sysadmins ending up in prison, apart from obvious criminal conspiracies like Silk Road?

see my other comment in this thread for more detail on how that's a misinformed argument: https://news.ycombinator.com/item?id=28434187


> apart from obvious criminal conspiracies like Silk Road

You are being downvoted because the only person to whom Silk Road is an "obvious" criminal conspiracy is you.


haha thanks for explaining. I'm personally not in favor of drug criminalization, i was referring to the fact that by law that is considered a criminal conspiracy.

but also i'm not exactly super fan of defending Silk Road, since there was some "hitman hiring" scheme involved at some point in the operation


You don't stand a chance against the 5 dollar wrench attack suggested by xkcd.

Hey, that gives me an idea. Cryptographers should arm themselves with nuclear weapons: own the nukes and declare that they will detonate them when they detect the threat of a 5 dollar wrench attack.


You just invented a government


He's kidding, he's referring to this: https://xkcd.com/538/


> Refuse to comply with unfair laws

Are anti-squatting laws unfair? And do note we're talking about squatting to make a point in one of the most valuable cities in the world, Paris, not squatting to have a roof over your head in the middle of nowhere.


> Are anti-squatting laws unfair?

Yes. But France doesn't have anti squatting laws (contrary to UK/Netherlands), and for good reasons. Squatting was common practice (even encouraged) after WWII ended to rebuild communities, and there's even "requisition" provisions in the law so that people don't have to squat but the mayor/préfet can seize unused dwellings to house people (although this law is rarely applied).

Now, there are laws against home theft, which is a good thing. Nobody can just come into your residence while you're away for a week and squat it; only far-right media invent (from the void) cases like this but in practice, as a squatter you have exactly 0 legal protection if you do this, and you will be evicted instantly and thrown in jail.

On the other hand, if you squat an abandoned building and make it your primary residence, you have all the "residence" protections any tenant enjoys, including the right to a "fair" (cough cough) trial to determine your fate, the right to the trêve hivernale (evictions are suspended in winter, except in special cases like home theft), as well as the right to a minimum 2-month delay before eviction to find yourself a new accommodation.

I'd be happy to continue elaborating on why your argument is misinformed (and why people usually squat in the big cities not on the countryside) but this comment would be too long. Let me know if you have questions.


PM had no idea who the users were or what criminal charges they were facing. They had to comply with the Swiss law and provide the IP address.


Simply using any web search engine for that address would have given them clues that this could be a case of political repression and demands more consideration than collaboration-by-default.


Disclaimer: Paying Protonmail customer

Their homepage says "By default, we do not keep any IP logs"

In 2021, any soft language like this should be a red flag for anyone who is against surveillance. Maybe in 2018 it was good enough. But in 2021 it's not.

Come on, Protonmail, you're supposed to be leading the way -- don't make me figure it out myself.

Replace immediately with "By default we don't log IP, but may be required to by local law enforcement. We recommend everyone connect to Protonmail through Tor. This month, 60% of our users connected through Tor".


> Their homepage says "By default, we do not keep any IP logs"

To have a true zero knowledge email service it should not connect to the public facing Internet at all. It needs to reside in a darknet exclusively for IPs not to be public knowledge.


Or, just disable all kinds of access that compromises privacy. So for example, only allow connections through tor. Don't expect users to be educated. Build a product that makes it extremely hard to do the wrong thing. So privacy and security by default.


Yes! Finally someone who gets it. Looking for Tor-first paid services to start up. At the end of the day, what Protonmail does just doesn't seem hard. I paid for their service with the mindset that it was temporary to invite better vendors to come along. Looking forward to what's next.



From their blog post:

"Under no circumstances can our encryption be bypassed, meaning emails, attachments, calendars, files, etc. cannot be compromised by legal orders."

I hate this type of grandstanding. If the Swiss authorities make a legal order demanding that protonmail include a rogue JS file when a specific IP address requests their inbox, they will have to do it. It reminds me of XKCD #538: all this advanced tech to make it so everyone trusts their email is encrypted no-matter-what and it all falls apart with one subpoena.

Oh, and apparently (according to this blog post) they 'wouldn't be able to fight or appeal' that type of order either. This is basically how PRISM was implemented back in the day: the NSA mandated various providers comply with code changes.
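
The scenario raised in the comment above, a script changed for one client only, cannot be caught by an integrity check that arrives in the same response. The Python sketch below is an added example, not part of the thread and not ProtonMail's code: it compares what one client received with hashes obtained out of band, and the bundle path, script bodies and pin list are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser


def sri_digest(body: bytes, alg: str = "sha384") -> str:
    """Return an SRI-style value such as 'sha384-<base64 digest>'."""
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


class ScriptCollector(HTMLParser):
    """Collect (src, integrity) for every external <script> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "script" and attr.get("src"):
            self.scripts.append((attr["src"], attr.get("integrity") or ""))


def collect_scripts(html: str) -> list:
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    return collector.scripts


def in_page_sri_ok(html: str, bodies: dict) -> bool:
    """The browser's view: integrity attribute vs. body of the same response."""
    return all(
        sri_digest(bodies[src]) in integrity.split()
        for src, integrity in collect_scripts(html)
    )


def audit_page(html: str, bodies: dict, pinned: dict) -> list:
    """Compare one client's response with hashes obtained out of band.

    bodies: {src: bytes} as received; pinned: {src: SRI value} from a
    separate channel (assumption: e.g. a signed release manifest).
    Returns (src, finding) tuples; an empty list means everything matched.
    """
    findings = []
    for src, _integrity in collect_scripts(html):
        if src not in pinned:
            findings.append((src, "script not in pin list"))
        elif src not in bodies:
            findings.append((src, "body not captured"))
        elif sri_digest(bodies[src]) != pinned[src]:
            findings.append((src, "body differs from pinned release"))
    return findings


# Constructed sample data: hypothetical bundle path and script bodies.
SRC = "/assets/app.js"
RELEASE_JS = b"function encrypt(msg, key) { return seal(msg, key); }\n"
ALTERED_JS = RELEASE_JS + b"/* code added for a single client */\n"
PINNED = {SRC: sri_digest(RELEASE_JS)}


def page_for(body: bytes) -> str:
    """HTML as a server would emit it, integrity attribute matching `body`."""
    return f'<html><script src="{SRC}" integrity="{sri_digest(body)}"></script></html>'


if __name__ == "__main__":
    for label, body in (("release", RELEASE_JS), ("altered", ALTERED_JS)):
        html, bodies = page_for(body), {SRC: body}
        print(label, "in-page SRI ok:", in_page_sri_ok(html, bodies),
              "| pin audit:", audit_page(html, bodies, PINNED) or "clean")
```

The in-page SRI check passes for both responses because the same server writes the attribute and the body; only the comparison with a pin obtained elsewhere tells them apart.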


> If the swiss authorities make a legal order demanding that protonmail include a rogue JS file when a specific IP address requests their inbox, they will have to do it.

Didn't Apple successfully resist doing similar when the FBI asked Apple to crack into the San Bernardino terrorists' phones by pushing special code just to those phones? Hypothetically, would Swiss law have allowed Swiss-FBI to compel Swiss-Apple to comply with this demand?


This is not true however, as under Swiss law, Swiss authorities don't have the legal power to issue such an order. Swiss law is very clear on this point.


Same here. The fact that this is the #1 item on their blog post gives me concern as a paying customer.

They cannot and should not guarantee this. It is a losing strategy.

They must educate customers on the limits of Protonmail. Or at least, whoever takes their place will. Protonmail looks DOA at this point.


What could they have done?

I'm not trying to say that what happened isn’t so bad, I just don’t see how with today's international justice cooperation someone could truly expect « privacy ».

Whether this is from a service provider or directly from your ISP, it’s not possible to get privacy unless you rely on a private peer-to-peer network.


It seems that people were not just expecting privacy but anonymity based on the fact that Protonmail does not generally keep IP addresses.

That seems to be an unrealistic expectation. General anonymity is not something you can just buy. It only lasts for a limited time and takes considerable work on the part of the user. It was obvious to me when I encountered the claim in question that it was about preventing the commercial exploitation of personal data and not some fundamental discovery that changed the normal expectations of what was achievable in terms of anonymity.


Apple's private relay is a good example of how one can buy an anonymous IP address.


Apple private relay leaks your IP from what I remember [0]

[0] https://news.ycombinator.com/item?id=28339110


I believe Apple's private relay does not work with the WebRTC protocol by design; it is intended for HTTP(S).

As proof of concept it shows that there may be a viable commercial privacy-centric communication mechanism which works by not letting the service providers know their clients IPs.


They could have refused to comply with an unfair request granted through back channels via the french political police and a landowner's mafia.

Go to court as a host, let the prosecutor present "proofs" that this person deserves to be prosecuted under international law, which they don't have because this is a clear case of political repression. Let the judge laugh at the ridicule of the case, or worst case scenario comply with the judge's order, which would hopefully give enough time to the targeted person to know they're a target by now and stop using Protonmail altogether (or do it via tor).

That's what a responsible host does. I don't have the same standard for smaller, non-profit hosts. But for a big organization with vast sums of money like Protonmail i would expect no less.

What's next, cooperating with chinese political police?


The "request" came in the form of a legally binding order from the Swiss Federal Department of Justice.

They have stated that there was not a legal possibility to challenge in this case after the Swiss DOJ made their determination.

You suggest "go to court" but there was apparently not a means to do so. Judges aren't private arbiters and don't hear random cases at the request of companies.


> refused to comply with an unfair request granted through back channels via the french political police

Your solution to a lawful request is covert backchanneling to the police of a foreign nation?


No, i meant that's how the request was granted in the first place.


For those criticising ProtonMail, what else could they have done? When the law for the country the company is based in says they must do a thing, they can't just say "no".

It's unfortunate that it happened, but the fact that this could happen shouldn't come as a surprise.


Depending on the risk, they might say no: many companies prefer to pay a fine rather than respect the law, for worse reasons than this.


> For those criticising ProtonMail, what else could they have done?

Moving to some Central African, or Central Asian nation, and full-handedly buying the government?


Only for US buying that same government in their turn, plus a couple neighbour governments to ensure peopleware excess in case of war?


There have been a number of US laws prohibiting the US government from "purchasing" corrupt regimes...

Egypt is one of biggest US military aid recipients.


Shut down (sabotage) the entire service immediately. No working service, no new log. They still can implement IP logging to comply with the government, but alas, service is not working right now.

At least, Lavabit did that when they were demanded by US government for the TLS private key to spy on Edward Snowden.

Destroy the server equipment, then seek political asylum in non-EU countries.

Their selling point is they never log IP addresses. Fulfill that promise or they lose the trust. They chose to break the promise. The only unique selling point they have compared to the competitors.


That's not true at all? Their selling point is also that they have end-to-end encryption that they can't breach - so your emails can't be grabbed by a government actor.


> Their selling point is also that they have end-to-end encryption that they can't breach

They technically could, by serving you malicious JavaScript. And they have proven that they are willing to do that in order to get cozy with law enforcement, even for a very obvious case of unfair political repression.


That's a fair statement - I think it then comes down to: Can you by law in Switzerland order someone to serve malicious JavaScript, or only to e.g. deliver information you already have?


In the present case, ProtonMail was compelled to backdoor its system to log an IP it did not log previously, so it's arguably closer to the former situation you presented.


No, this is not permitted in Switzerland.


Thanks for the clarification, and for making your homepage much more honest in regards to your privacy policy.

May i ask what's the difference in regards to the law between being compelled to modify your systems to record an IP address (which i heard was the fact in this case) and to backdoor OpenPGPJS? From my technical perspective it sounds exactly the same, but i'm unfamiliar with Swiss law.


I know nothing about this case. But it seems to me, the content of the mails is successfully protected by the encryption. The authority seized the IP addresses of the user of that mail address by ordering ProtonMail to implement the IP logging.


If they were shutting down their service every time police requests logs then their servers wouldn't have time to even boot properly. In their "clarification" they claim they received 700 orders in 2020. It is ~2 orders/day.


And more legal requests are coming. Protonmail has a target on its back. That 2/day will soon be 20/day.

That means Protonmail needs to stop training users to "trust us". It's a losing strategy.

Protonmail must educate users to treat it as an adversary. And to still provide a product worth using.

Train users to use Tor. Promote other tools for dissenters.


I really don't know the situation but it sounds like for these 700 orders in 2020, they can legally challenge the validity of the order in court. But this one particular order, their excuse sounds like it comes from another channel, something akin to the order of a Roman dictator, so they have no veto power.

Sabotaging and seeking political asylum in non-EU countries is the best action they could take in order to keep their face, and resist the dictator.


So you suggest them to drop their business (which took years to build), abandon their families and run because their local court (or police) issued an order, one of several hundreds they have to process each year? Also - in which country could they seek political asylum exactly? Surely not the Commonwealth, not EU, not Russia (PM is banned there because they did not comply with Russian FSB orders), not China, not Saudi Arabia... Not so many places left, it seems.


Whether you like it or not, ProtonMail's business model conflicts with most of the jurisdictions. In that sense, they are no better than PirateBay, Wikileaks or Sci-Hub.


Hi, I would just like to add to this, I have been under a police investigation for some time, and although they are wasting their time, I do take every precaution to preserve my privacy. Which just seems to make them more angry. I have a proton mail account, and can't be specific. But I can say with a degree of certainty that not only can the police gain access to the contents of your proton mail account with little effort, they also have the ability to remove login instances from history. As I saw an IP login from a certain location, when I got back from work that instance of the successful login was missing. I know that that morning I entered the IP into an IP lookup website, I even saw what area it came from. I hope this helps people make an informed decision about using proton mail. Because if the police have got it in for you, they will just lie and make up reasons and make the Swiss police feel bad for not acting or helping.


They had to comply, and that's a downside of centralization. Use PGP and Tor if you want true privacy.


> Use PGP and Tor if you want true privacy.

Don't use email for starters, really.


Or just use email for stuff that isn't sensitive. "Let's meet at my house" to your brother on where to celebrate your kid's high school graduation, versus to local activists on where to form up before going over to an antiwar protest.


If you know you're under investigation you probably should be using Tor or at the very least a VPN.


Proton's homepage needs to say this. They must educate their users to live in the future. Attackers are always getting better.

Why does Protonmail seem stuck in 2017 in their use of Tor?


"Per ProtonMail’s privacy policy, the information it can provide on a user account in response to a valid request under Swiss law may include account information provided by the user ... and unencrypted messages sent from external providers to ProtonMail"

Well that's a bummer. I went with ProtonMail because I didn't want piles of card usage notifications and other financially related emails being available in bulk to anybody, but seems like that's not part of Proton's offering.

As an aside, I wish more email notifications allowed GPG encryption so there's an actual barrier to privacy in the system.


Tor should've been the default and definitely no ip logs.

I understand it's not that simple, this probably hurts UX and increases costs but the whole point of the product is privacy.

There are plenty of gmail alternatives with cool features out there, people don't use pm just because it's cool.

I'm a paying user, I really like the product and I understand you guys are being held to a very high standard but we need you to live up to your promise of privacy more than ever.


From ProtonMail:

> The Internet is generally not anonymous, and if you are breaking Swiss law, a law-abiding company such as ProtonMail can be legally compelled to log your IP address.

Does this mean that IP addresses are not logged by default (assuming the account settings are also set to not log IP addresses - it can be enabled) but are logged only on a specific account after a LE request? Does this mean they could add a per-account warrant canary?


You do not need a per user warrant canary. You've got better. Under Swiss law they are obligated to warn you when your data was requested.


What an amazing way to ruin your reputation. Incredibly sad. I'll stop using ProtonMail now.


What's sad about following local law?

It's right there in the first paragraph: they didn't cooperate with French authorities, but were ordered by Swiss police to assist.


It’s pretty sad that they claim IP logging only occurring in “extreme criminal cases” and that somehow includes nonviolent protesting.


They did not know the details at the time of request, it would appear.


Then that's even worse, no? That they blindly comply with a request without details.


How would you do it? In this particular case they could not appeal the decision (they do appeal when it is possible).


What about refusing to submit to unfair laws (civil disobedience)? Tracking down activists can hardly ever be justified.


Then there’d be no ProtonMail. Just a gesture that would be forgotten in the near future.


Interesting comment to dissect.

First, assuming that refusing to comply with counter-insurgency enforcement would lead to closing down the service: to my knowledge this can only result in machines seized (riseup.net seizure) or fines for the hosting provider (altern.org), not to the service actually closing down and the admins being jailed (unless they are found to be part of a broader criminal conspiracy, which is definitely not the case of Protonmail).

As long as you have backups and you're not rich, all in all there's nothing to be afraid of. Of course litigation is stressful, but nobody's going to physically torture you for that in the Global North.

Second, assuming that refusing to collaborate with authorities will necessarily escalate to hardware seizure and litigation. There's a long way to go for that, and many ways an investigation can be closed (successfully or not) without sysadmin collaboration.

Third, assuming that going on a political trial to defend activists will necessarily result in being condemned. A political trial, along with a political (not legal) defense can go many ways, and it's very often that refusing to comply with such obvious abuses of power (eg. using Europol to track down anti-gentrification activists) will result in complete acquittal.

Only when you play by the rules of an unfair system, you're sure to lose at every turn.


First PIA, now Proton.

Any word here on an alternative?


I'm surprised how so many people are easily captured by internet outrage


Yeah maybe you’re right on this one


Chain VPNs on different jurisdictions. Include a VPS paid with bitcoin as part of the chain. Access it from cafe or airport wifi.


Do you have a link to the PIA story?


I don’t actually, it was some shenanigans with some holding company buying them out and promising they would stay neutral ¯\_(ツ)_/¯


Tor, I2P.


Oh well, Proton just became useless.


> Under current Swiss law, email and VPN are treated differently, and ProtonVPN cannot be compelled to log user data.

> Under no circumstances can our encryption be bypassed, meaning emails, attachments, calendars, files, etc. cannot be compromised by legal orders.

> [..] We will also clarify that the use of our onion site (details below) is highly recommended for users who want anonymity

Source: https://protonmail.com/blog/climate-activist-arrest/

So I guess you should be using Tor or ProtonVPN if you don't want to hide your access logs from Swiss authorities.

They could have done a better job at explaining the threat model to the wider public, but I wouldn't say they are useless. I think it's advisable to not have a knee jerk reaction.

EDIT: link to their published threat model: https://protonmail.com/blog/protonmail-threat-model/


While the incident is really a bit worrying, I'm personally not paying PM to protect me from state-agents - I'm paying them to protect me from Joe working in marketing.

If a state agent wants my data and brings the necessary paperwork to get it - I'm not expecting anyone to put up a hopeless fight for me, or at least not for the 100 bucks or so that I'm paying yearly for PM.

I just expect them to not sell out my data altogether, which PM doesn't seem to be doing, and this is all (or at least, most) that I care about.


Even when that's a foreign state agent making a clear case of political repression against activists? Would you expect protonmail to collaborate with Russian/Chinese intelligence and rat out on you because you criticized Putin and maybe put up anti-FSB posters on the streets?


They didn't cooperate with a foreign government, they complied with a Swiss court order. The problem here is with Swiss law, not ProtonMail.


That a corrupt judge/government incited you to collaborate with another corrupt government's political police doesn't change the fact that this collaboration took place.

Without abiding by Godwin's law, "i was merely operating under local regulations" is a well-known defense of nazi collaborators during WWII and was considered an invalid argument then and now.

If you ever receive a court order ordering you to kill someone, will you do it without even giving it second thoughts just because it's a local law?!

See also: Milgram experiment, Stanford experiment, and in general social studies on the authoritative/fascist mindset.


Well, that's the baby out with the bathwater, then.

Defense in depth, always.


Back to gmail then?


Oh really? Are you playing stupid or what? There's a massive alternative to protonmail, just so you know; I2P is an example.


If expressing a political opinion is all that takes, I don't see any difference between using Proton and Gmail. Of course, they only logged it after the request but they did it.

You would be much better off by using a non-European/USA/Western provider.


Who is the man arrested? Does anybody know? Full name?


A French protester. From a similar group to Occupy.

https://mexicanapost.com/2021/09/06/protonmail-logged-ip-add...


That article is the TechCrunch article with a bunch of words swapped out for synonyms to the point that it doesn't even make sense.

First sentence from TechCrunch:

> ProtonMail, a hosted email service with a focus on end-to-end encrypted communications, has been facing criticism after a police report showed that French authorities managed to obtain the IP address of a French activist who was using the online service.

First sentence from Mexicana Post:

> ProtonMail, a hosted email provider with a target on finish-to-stop encrypted communications, has been going through criticism just after a police report confirmed that French authorities managed to get hold of the IP tackle of a French activist who was using the on the web assistance.


Good to know. I was sent the link earlier by a contact. I will block him now.



