Um…obviously, yeah? The alternative to complying with the authorities is to challenge it in court, which is extremely expensive. The important question is not how much information they do hand over, but how much information they have themselves. For example, if your keys are private, Proton has nothing useful to share. This is why end-to-end encryption matters: the only avenue to real privacy is to make sure Proton has nothing useful to share. They’re not going to host their servers on international waters.
Yeah this isn’t good at all especially when they market themselves as secure but just have full access to all the data.
There’s gotta be something out there better than these crappy systems ready to throw you under a bus under barely any pressure.
I’ve been pretty happy self-hosting Peergos for cloud storage
Then you go to jail. If you refuse to give out the password. Law changed…
Oh, interesting. Where can I read more about this?
Why should I even respond when everything gets downvoted anyway…
§ 70 Absatz 2 StPO
Herausgabepflicht nach § 95 StPO
§ 184b StGB, § 184c StGB
And more…
Look for the sources yourself… I’m sick of this thread.
Are those just Swiss laws? I don’t run my Peergos instance there, so maybe I’m safe.
🤔 I guess I should still do some research though, to familiarize myself with the legal landscape of the region in which I run my insurance.
Also, I wouldn’t worry too much about downvotes. I get them fairly regularly, and almost never understand why, lol. AFAICT, they don’t really seem to matter much on Lemmy (though maybe someone can correct me if I’m wrong about that).
Then why bring it up?
Yea go f*** *******
Lmao 🤡
I’m using Proton more as a middle finger to Google than anything else, and at that it works fine.
The best middle finger is not relying on commercial platforms, go libre and self host
If you want encrypted mail, go the GnuPG route, everything else is only cosplaying security.
This holds true for any kind of secure communication you want to do.
Manually handling keys and encryption with GPG is the core of good opsec, and also a reason why 99% of “crime prevention” backdoors are probably not going to do much. But people are lazy, been a while since I saw a drug dealer hand out public GPG keys, ever since Telegram and the like got popular.
Proton threads are where the leftists equivalents to sovereign citizens pop up. Learn the technology a bit and about legal systems. That’s what you have to operate within. If you want to feel more in control, encrypt everything yourself and only communicate/share in encrypted channels. At least then the primary sources of leaks is you and the receiver. If not, you’re whining about streamlined performant services that will never be perfect enough for your standards because they operate legally rather than the user unfriendly solutions that you aren’t willing to operate yourself for your life (maybe to be passed on) and/or won’t run/can’t afford to operate the illegal operation
However, if it is protected by law… and the law changes over time and then, mysteriously, logs appear in the past, then it has absolutely nothing to do with the law. Rather, it means that lies were told for years beforehand.
Once again - Proton is legally obligated to comply with the laws of the country in which they are based. This isn’t specific to Proton, and they are not going behind your back to do this. In case it’s not clear, this data is directly from Proton.
Lemme put it this way:
If Greta Thunberg uses Proton, she’s fucked.
Yeah, this is not really an own against Proton… There’s other actual issues with the services and leadership that are more serious
The one comment by one person on the 5-person board who was supportive of one singular person that Trump had picked? That one?
I’m not a fanboy here. I just hate misinformation.
And thanked Trump for their effort against BigTech.
You hate misinformation but you sure know how to cherry pick.
If this government deregulated big tech any harder we’d be living in Cyberpunk
What’s your motivation to downplay it, fanboyism?
Who said anything about downplaying? This is how law works. If you are a company operating in any particular country, you have a legal obligation to follow the laws of said country. And if that means handing over data because you were subpoenaed? Tough titties, cough it up. Or get arrested for failing to comply. And this includes your own data if you choose to self-host your own email.
Don’t mistake me understanding the law for agreeing with the law.
You downplayed the positive remarks towards Trump by claiming it was “one of five” instead of a co-founder and CEO.
To give the full X post that you seemed to not be aware of when claiming “misinformation” through others;
(First sentence is what you’ve claimed people pull out of context) Great pick by @realDonaldTrump
The rest of his post was:
10 years ago, Republicans were the party of big business and Dems stood for the little guys, but today the tables have completely turned. People forget that the current antitrust actions against Big Tech were started under the first Trump admin.
Now if this is enough to dislike Proton is up to debate, especially after their announcement back and forth afterwards. Claiming, like you did, that it’s “just praising the choice for one role by one of five board members” though … sounds like “downplaying” to me.
Whatever floats your boat, man.
It contradicts all of Proton’s advertising… They continue to convey a different impression; even though they provide such data, they still advertise with certainty, etc…
Edit: I almost forgot… Back when this kind of thing was leaked (yes, leaked, not shared by them), I exchanged a few words with them (I am a customer, after all), and they denied everything and demanded proof… Nevertheless, I’m still with them because they’re still among the least bad.
No it doesn’t contradict their advertising. They’ve been completely open about this the entire time.
And they’re not providing anything other than account details per the infographic. Account data remains encrypted
It’s on you if you thought a business would break the law for you.
No, they weren’t ALWAYS open about the issue (changed 2021). Aren’t they advertising themselves as safe? That contradicts it! The right advertising would have been to say it’s safe until the government comes… That would have been honest.
I’ll go through my emails later and hope I didn’t delete them back then. But now I’m going to lie down for a bit.
It is safe; your data is still encrypted. They only provide account metadata.
You’re confusing privacy with anonymity.
Edit: and furthermore, Proton does have the ability for you to set up your account anonymously. You can use a burner recovery email and pay with Bitcoin.

Funnily enough, the answer is no longer available. I wasn’t arguing against encryption. Rather, I was arguing against its occurrence. Although I don’t trust Proton 100% not to have a key.
So, BTC is not anonymous, and buying it is linked to data. BTC is also nice in the blockchain. I always preferred Paysafe card, but you can’t get that anonymously anymore either.
But now I’m particularly concerned that their response has disappeared.
But it was sometime around June 21, 2019, when it came out (I think because a US citizen was arrested.) that they were working with states. To date, they have not published this themselves.
Incidentally, I’m not saying that you shouldn’t use Proton. It’s still one of the best on the market, but you shouldn’t blindly trust them.
At that time (beginning of Proton), Switzerland was also still a haven for tax evaders, etc. Back then, they worked secretly with the government… There was no obligation yet.
ProtonMail removed “we do not keep any IP logs” from its privacy policy in 2021 (at that time because of a French activist) 😊
READ THE THREAT MODEL FFS
I just want a low cost VPN to get around in-state censorship and the occasional bit of piracy. I’m not running a Wikileaks fork or trying to do OpSec for The Revolution.
If you’re spinning up your own version of Silk Road, maybe consider a home lab instead of relying on untrusted third parties.
Mullvad
Imagine the Orange government demanding some delicate data for some political or pretty reason - should provider still comply? What if Chinese government does the same? Also I might be mistaken, but doesn’t US force providers not to disclose the request to affected party, at least they can?
Imagine the Orange government demanding some delicate data for some political or pretty reason - should provider still comply?
Believe it or not - when legally obligated, even providers like Google and Apple can and do comply.
What if Chinese government does the same?
See above. If a company is operating in China, that company (or branch) has to comply with the local laws. There are no ifs, ands, or buts about it.
Also I might be mistaken, but doesn’t US force providers not to disclose the request to affected party, at least they can?
I wouldn’t be surprised in the slightest if that was the case.
Proton is only required to provide the data if Swiss authorities request it.
Don’t cry…
Cry about what, exactly?
That’s the spirit!
I don’t think that’s bad on Proton’s part. They are obeying the law they are obliged to obey.
If you think all 30k plus were for legitimate reasons and not government control, I have a bridge to sell you in Brooklyn.
I didn’t say that. I said they’re obeying the law they are obliged to obey. In other words, they’re not defying the courts. In a perfect world, they could defy the courts and get away with it in the interest of user privacy, but this is not a perfect world.
You are right, they can argue that the government does not have sufficient reason. Many companies push back, but Proton is not one of them. I.e. Proton will not fight for you at all and they will follow court orders from other countries that are often questionable at best because “Interpol”.
I think my original point stands which should make most people seriously reconsider using them as they are not in the business of protecting their customers. In other words it is bad on their part and hand waving that away is pretty gross.
Well I’m certainly not a fan.
Yeah, more important is what data was it
Most data is encrypted, so the government wouldn’t be able to use it anyway.
There is some metadata though. I believe in the past they used Proton to be able to link a criminal to a back-up e-mail address he entered.
Privacy is not anonymity. In this case they were required to supply IP addresses of users logging into a certain account in an active investigation.
As usual, the devil is in the details—ProtonMail’s original policy simply said that the service does not keep IP logs “by default.” However, as a Swiss company itself, ProtonMail was obliged to comply with a Swiss court’s injunction demanding that it begin logging IP address and browser fingerprint information for a particular ProtonMail account.
Yes, talk about it as nicely as you want. Ignore the facts and view them as lies. Feel free to trust that they don’t have a key. I don’t care. As a customer, I’ve been following what’s been happening at Proton for long enough. What they say, what they promise, and what they actually do.
Feel free to vote me down because you don’t like the reality. There’s more to Proton’s history, but I’m not going to look into it anymore because you don’t want to know and instead punish those who give you sources. I’ll laugh about it heartily in a few years.
"From time to time, Proton may be legally compelled to disclose certain user information to Swiss authorities, as detailed in our Privacy Policy. This can happen if Swiss law is broken. As stated in our Privacy Policy, all emails, files and invites are encrypted and we have no means to decrypt them. "
If they (Proton) have the keys, doesn’t matter if they encrypted your data. They must have the keys because I can log into mail from different clients and read all emails without having to insert my key.
Proton stores your encrypted private key. An encrypted private key does not allow them to read your email or files.
When you log into a new device:
Proton sends the encrypted private key to your device.
You type your password.
**Your device** (not Proton’s server) uses the password to decrypt the private key locally in your browser or app memory.
That decrypted key is then used to decrypt your emails on your device. Proton Mail sends you just the encrypted text.
There is one potential security issue:
Since Proton serves the website code (HTML/JavaScript) that performs the encryption, you have to trust that they serve you honest code. Proton could theoretically alter their website code to capture your password the next time you log in, which theoretically a government can force them to do.
However, this is a different threat than “they have the keys.” Currently, they possess the keys only in a form they mathematically cannot unlock.
If the key is the same password you use to login, then they already have the key. They may not store it unhashed, but you transmit it to them every time you login. If law enforcement forces Proton, or if Proton turns evil (or gets infiltrated by a three letter agency), they can use it from the auth to decrypt your key and your data.
Plus, a bad actor having access to the encrypted key is free to brute force it. It may be hard but not guaranteed to stay hard forever.
You don’t send them the password. The password never leaves your device. The password is the decryption key to decrypt your encrypted private key, which is what they send to your device. This is why, for Proton Mail, and others that use this technique, it is imperative to have a strong password to protect your private key.
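An added illustration of the scheme described in the comments above (it is not from any commenter and is not Proton's code): a private key wrapped under a password-derived key, so the record a server stores is useless without the password, and only as strong as that password. The choice of scrypt with AES-256-GCM, the cost parameters, the function names and the sample passwords are assumptions made for this example.

```javascript
// Added illustration, not Proton's code. Generic scheme: scrypt + AES-256-GCM.
const nodeCrypto = require('node:crypto');

const KDF_PARAMS = { N: 16384, r: 8, p: 1 }; // assumed cost settings for the demo

// Stretch the password into a 256-bit wrapping key. Runs on the client only.
function deriveWrappingKey(password, salt) {
  return nodeCrypto.scryptSync(password, salt, 32, KDF_PARAMS);
}

// Client, at signup: encrypt the private key. The returned record is the only
// thing the (hypothetical) server stores; it contains no password.
function wrapPrivateKey(privateKey, password) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveWrappingKey(password, salt), iv);
  const ciphertext = Buffer.concat([cipher.update(privateKey), cipher.final()]);
  return { salt, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Client, at login on a new device: returns the private key, or null when the
// password is wrong or the stored record was modified (GCM tag check fails).
function unwrapPrivateKey(record, password) {
  const key = deriveWrappingKey(password, record.salt);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, record.iv);
  decipher.setAuthTag(record.tag);
  try {
    return Buffer.concat([decipher.update(record.ciphertext), decipher.final()]);
  } catch (err) {
    return null;
  }
}

// Whoever holds the record can test guesses without contacting anyone, so the
// password is the only barrier. Returns the first guess that unlocks it, or null.
function firstGuessThatUnlocks(record, guesses) {
  return guesses.find((g) => unwrapPrivateKey(record, g) !== null) ?? null;
}

// Constructed sample data: random bytes stand in for the user's private key.
const samplePrivateKey = nodeCrypto.randomBytes(32);
const commonGuesses = ['123456', 'password', 'letmein', 'qwerty'];

function demo() {
  const strongPw = 'correct horse battery staple 7#';
  const weak = wrapPrivateKey(samplePrivateKey, 'letmein');
  const strong = wrapPrivateKey(samplePrivateKey, strongPw);
  return {
    rightPassword: unwrapPrivateKey(strong, strongPw).equals(samplePrivateKey),
    wrongPassword: unwrapPrivateKey(strong, 'not the password'),
    weakFalls: firstGuessThatUnlocks(weak, commonGuesses),
    strongHolds: firstGuessThatUnlocks(strong, commonGuesses),
  };
}
```

The scrypt cost is what makes each offline guess expensive; it slows guessing down but does not rescue a password that appears on a common-password list.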
How do they authenticate* you? They just send the encrypted key and if you can decrypt it then it’s you?
If so I can request any account encrypted key and try to brute force it offline
Yeah, that’s a bit of a weird thing to claim by them.
Before 2021, it was claimed that there were no logs, no IP addresses, etc. So can you trust that they are not able to decrypt your mails…? Use PGP…
it was claimed that there were no logs, no IP addresses, etc.
…by default. They never claimed that they would defy court orders.
That doesn’t mean anything.
If you “by default” don’t log, then when receiving a court order, there is nothing to hand over, which is the entire point. If, magically, logs from the past 5 years when they said there were “no logs” show up, that means they were lying about no logs.
Just like they now advertise that your data is fully end to end encrypted and even they can’t see it.
If, with a court order, they are able to decrypt and hand over your data, then they were lying in the first place that they couldn’t read your data and it isn’t end to end encrypted
Court orders aren’t some magical thing that go back in time and redo history. The entire point of these heavily advertised precautions is exactly against court orders by corrupt, tyrannical governments using the law as a political or fascist blunt weapon against citizens.
“Allegedly” no means.
Granted, it’s been awhile since I read this, but don’t their subpoenas driven info essentially say yes, this is so and so’s email account with no discourse content due to encryption?
This is just a case of having to follow Swiss law for the most part. However, they’re moving to Germany I think, considering that Switzerland is considering worse surveillance than us Americans are getting.
Bullshit… Laws changed later…
Have they also handed over private keys?
Honestly person users deserve whatever they get for supporting that weirdo ceo
A great Medium article on the topic that analyzes the entire situation: (coming to the conclusion that no, Proton does not really seem to be in favor of Trump/MAGA at all given their actual actions, and how the original statement was misinterpreted)
Comment reposted from https://piefed.social/comment/8747739
What if maga align with you instead?
Because this what happen to proton ceo. Proton appreciate anti big tech, trump start some anti big tech stuff, now elect anti big tech ftc person.
Proton need to be pro big tech or are nazi?
The fact that this article had to be written in the first place is the dealbreaker for me
So fact that people misinterpret and misinform other dealbreaker for correct information?
You definitely antivax and probably flat earther.
Definitely not, but ok. You seem very upset about this. Hope you feel better
The fact you need correct this is dealbreaker to me.
He’s weirdly a MAGA Trump supporter and publicly supporting them from the official Proton account, despite not being an American citizen. It’s a crazy take, but he is a CEO, so those kind of people stick together.
Stop misinformation https://piefed.social/comment/8747739
I’m not saying that Proton is MAGA. I’m saying its CEO and founder is. He was literally quote-boosting and giving his support to a tweet that said “Make America Great Again.”
Read the article. He promote election of anti big tech person to ftc by trump. And then say that trump start anti big tech thing in last office time, which just a fact.
Not because trump good, but because trump do something against big tech.
Is this referring to anything beside his tweet in Jan?
I believe the tweet was from December, but this article has the timeline.
Yeah, let’s wait till we find out that they actually can and do unencrypt our data.
What could go wrong?
Aaaand there it is.
Dang! So what’s the preferred email app? The preferred email provider?
There is no known way to participate in email communication without at least some metadata leaking. It’s not a privacy-preserving system.
For all questions: your own.
Every company has to comply with the laws of the country in which they operate, and no company is going to go to jail for you. There’s other encrypted email providers, but they will still have to abide by their local laws. The best you can hope for is that they have minimal data on you and that anything potentially incriminating is encrypted and can only be decrypted by you.
, and no company is going to go to jail for you.
Assnuts. They’d not go to jail anyway. Companies pay fines at most, you might arrest a specific legal representative (one of 123456789 employees of the company) for three days while the lawyer comes up with better papers, but companies never, meaningfully go to jail.
Right. The point is that they’re not going to do you any favors with regard to the law. They have zero incentive to fight the law on your behalf, because your relationship is purely transactional.
Another way to say it is, “No company is going to break the law for you.”
My nose keeps pointing towards selfhosting. TY!
I mean, you need to abide by laws even when you self host. I’m not saying it’s likely, but if you self host and the authorities legally demand records from you, are you prepared to go to court or prison over it?
Lol what?
If I am in control of the data and I have a reason not to disclose said data, guess what’s gonna happen as soon as they demand it?
Destruction of evidence is also a crime in most places.
What evidence?
Evidence: “We know you had this data based on emails between you and X entity, who already gave us emails and confirmed it was with you who they were communicating. We know you destroyed hard drives based on the fact that we found hard drive remains in your trash within 24 hours of receiving the subpoena. Cough up the data or face prison time.”
It’s not hard to solve for X when you know the rest of the equation.
The !selfhosted@lemmy.world community has lots of info and helpful people!
Any legal service has to give away what they save to the authorities by law. So you need to find an email service that saves nothing about you.
My nose keeps pointing towards selfhosting. TY!
If anything, self-hosting puts you more at risk, since in that case the government will know exactly who to lock up, or $5 wrench, until they get the information they want
Hmm, suggestions?
IP over Avian Carriers, though, the CIA likely will have intercepting hawks. So do be careful.
That includes you, my dude.