cross-posted from : https://lemmy.zip/post/60387297
Proton Mail provided Swiss authorities with payment data for defendtheatlantaforest@protonmail.com — the account linked to Stop Cop City protests in Atlanta. The FBI obtained this information through a Mutual Legal Assistance Treaty request on January 25, 2024, identifying the activist behind the anonymous account through their credit card identifier.
Again, they did not “aid” nor “give” that information. They were legally obliged to do so. There was never a choice. This could’ve happened with literally any company, E2EE stops them from being forced to turn over the emails themselves, but basic account metadata (creation date, payment methods, contact details, potentially IP access logs) will always be available. What you can do is limit the amount of information a provider requires/saves (for which Proton is a good choice) or don’t rely on a company at all and roll your own email server.
In fact, knowing that the only thing Proton was able to hand over was the credit card identifier is pretty solid proof that they in fact cannot access (and thus provide access to) your email account and its contents.
If full anonimity is the goal then stick to crypto or cash payments, because credit card always leaves a trail and not a single email provider is above the law in that regard.
This case is entirely the fault of the user’s bad opsec.
In this case, wouldn’t rolling your own email server make it even easier to find you, since they’ll just have to look up who registered the domain you used for your email address?
Depending on how you register the domain, there are some registrars that require no info at all. One of those paid with Monero creates no links to your identity.
But yes, self-hosting does not shield you from court orders. If they find you they can still access your shit, depending on how much your country’s infosec police gives a shit and/or how closely they cooperate with US agencies.
Furthermore, you can pay with bitcoin or even cash (sent to their HQ by mail). That way they’d have even less on you.
With the caveat that in some of their procedures they (seem to?) require to append account information in the mail, so if the postage can be traced back to you that’s an issue.
Yeah, not sure how it’d work with return addresses and whatnot. But if the letter itself is intercepted there’s probably more that can be used to trace back to you, unless you only handled the money and paper in a clean room.
Well, the entire procedure requires you to first trust the snail mail chain in the first place, so it’s a different category of trust that “trust a CC provider”. Snail mail used to be sacred, but it’s been known not-to for a long while now. And at the point that you can expect the acabs are willing to inkdust and laser your mail for biological traces, that means you are facing a nation-state adversary with nation-state power, so you should be looking into nation-state level defenses instead.
Yeah. Bitcoin is probably safer and easier.
I’m just saying the option exists, and that I think it’s neat.
Yeah, it’s the distinction between “anonymous” and “private”.
They litterally gave information they were legally required to
Except it doesn’t, E2EE in browser is pointless, they send your browser the code that does the dycription, they can just as easily send your browser code that does decyption & uploads the contents to themselves.
Yes doing actual E2EE emails is harder because both ends need to use an email client and configure it to do encryption, but for amost all scenarios protonmail is no more technically secure than any other webmail provider.
I think offering per-user encryption that makes it harder for the company to data mine your emails is good, I just wish people would stop believing companies selling you “secure solutions”.
In this case defendtheatlantaforest would have been more secure if they used any free email provider and GPG, yet there’s a cult-of-produce around protonmail as if it’s offering you a level of security that it can’t.
Except you don’t have to use their browser version and can instead use their apps or their bridge or even a 3rd-party bridge like hydroxide, which makes injections quite a bit harder. They can still get incoming and outgoing plaintext (i.e. not pmail ←→ pmail) emails, tho