fivefives55555 (3 days ago):
I've been following this on X/Twitter and I think one of the most egregious things that's important to point out is that folks from Phrack reached out to Proton in private multiple times, and Proton ghosted them. Proton only engaged with them and then reinstated the accounts after Phrack went public and their X/Twitter post went viral. It also looks like one of the writers filed an appeal with Proton and Proton denied the appeal, so they manually investigated the incident and refused to reinstate the account and then only did after this got attention on X/Twitter. So make no mistake about it: Proton didn't just disable the accounts after whatever CERT complained, which would have been bad enough - they also didn't do anything about it until this started getting lots of eyes on social media.
eek2121 (3 days ago):
Proton does not require a shred of proof that you are a real human being either, fyi. I'm not actually attacking them for this specifically, because I feel that we need privacy focused tools, however the fact that I was able to create a few hundred proton email addresses in seconds by injecting usernames/passwords was scary, even to me. I'm surprised they aren't on spam block lists worldwide. Their captcha is child's play that a script can defeat with simple image examination. I encourage them to buff up their spam controls, just a bit, and decrease moderation by a lot unless they can promptly deal with cases such as this.
immibis (3 days ago):
Their controls are buffed up: all of those accounts are linked due to having been created with the same IP address. If one is blocked, they all are. If you try to circumvent this with a well-known proxy (such as Tor or a V"P""N") you will find that captcha activation will not exist as an option.
crossroadsguy (3 days ago):
That definitely doesn't look good from a privacy POV. If they do not want abuse, they ought to use other means. They should not associate IPs with account creation. That is kind of scary. In fact, if what you have said is true, then one's account can be blocked by someone else's mischief on the same IP, which is not very uncommon at all, i.e. sharing the IP.
RandomBacon (2 days ago):
Proton is not a true privacy-advocate in my opinion. I wanted to try Proton out when they were having a sale, but I could not complete the purchase because I was on Mullvad's VPN. I created a ticket, and when they got back to me 5 days later, they told me to disconnect from the VPN to sign up for Proton.
estimator7292 (2 days ago):
They could take government ID, or fingerprint your machine, or make you submit a picture of your face. Do these options seem better to you?
johnisgood (2 days ago):
Nope. Zero-knowledge proofs seem to be the middle ground, IMO. Prove X without revealing X itself.
immibis (2 days ago):
Nice. I can create 5000 different proofs that I am a human and the site can't tell they're all for the same human.
johnisgood (2 days ago):
Not necessarily. Ever heard of linkable systems? They can detect when multiple proofs come from the same person, even if they can't identify who that person is. The system can also force reuse of the same secret, which stops the "infinite proof factory" problem. Unique secrets can also be tied directly to identity. For example, if the ZKP is about knowledge of a secret key bound to your identity, then you can't just mint 5000 independent proofs unless you also have 5000 identities.

There's also the concept of nullifiers, used in privacy-preserving identity protocols. A nullifier is basically a one-time marker derived from your identity secret that prevents double-use of a proof. On top of that, zk-SNARK-based credentials or verifiable credentials can prove "I am a unique registered person" without revealing which one. These systems enforce uniqueness at registration, so you can't magically spawn 5000 ZKPs that all look like 5000 humans. Similar ideas exist with linkable ring signatures and even biometric-based ZK proofs.

So there are plenty of ways to counteract your "5000 ZKPs per human" story (what's usually called a Sybil attack). If you're being pedantic, yes: a bare ZKP alone doesn't enforce "one proof = one person", but ZKP + uniqueness enforcement (nullifiers, credentials, commitments, etc.) does, and that's what I had in mind. I thought it was obvious, but then again, nothing is obvious, and I should have specified. My bad. In any case, people ought to know just how powerful and useful these ZKP-based systems can be when designed properly.

I think this is the only way forward if we want to preserve our privacy, and at the same time we want to prove we're human without sacrificing anonymity, or verify we know the password without revealing it, or prove we're eligible to vote without revealing our identity, or demonstrate we meet age requirements without showing our birthdate, or verify we have sufficient funds without disclosing our balance, or show we're authorized to access something without revealing our credentials, or verify our qualifications without exposing personal details, and so on.

Edit: excuse the technical brain dump, I literally just woke up. I hope this helps to clear up some things, however. Happy to dig deeper if you want.
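The nullifier and linkability mechanism the comment above describes, as an added illustrative example (written for this page, not the commenter's code and not any library's API): a one-of-many Chaum-Pedersen proof over a toy 64-bit safe-prime group. A registered identity proves "one of the registered public keys shares its secret with this tag" without revealing which key; the tag is the nullifier, derived from the secret and a context string, so two proofs from the same secret in the same context are linked and the second is refused, while the same secret in a different context yields an unrelated tag. The group size, the context strings such as b"signup:2025-09", and the four registered identities are assumptions constructed for the demo; a real deployment would use an elliptic-curve group and a proper credential issuance step.

```python
import hashlib
import secrets


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin, only used to pick a demo modulus at import time."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _find_safe_prime(bits: int) -> int:
    q = (1 << (bits - 1)) | 1
    while not (_is_probable_prime(q) and _is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


# Toy-sized group (assumption for the demo); a real system would use a curve.
P = _find_safe_prime(64)
Q = (P - 1) // 2   # prime order of the quadratic-residue subgroup
G = 4              # 2^2 is a square, so it generates that subgroup


def _hash_to_scalar(*parts) -> int:
    """Fiat-Shamir challenge: length-prefixed SHA-256 over all inputs, mod Q."""
    h = hashlib.sha256()
    for part in parts:
        b = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big") % Q


def context_generator(context: bytes) -> int:
    """Per-context base H; squaring forces it into the order-Q subgroup."""
    return pow(_hash_to_scalar(b"ctx", context) + 2, 2, P)


def keygen():
    """Identity secret x and the public key G^x registered at sign-up."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def prove(ring, k, x, context):
    """Prove: for some i, ring[i] = G^x and tag = H^x, without revealing i.
    OR-composition of Chaum-Pedersen: simulate every branch except k, then
    close branch k so that the sub-challenges sum to the hash challenge."""
    h = context_generator(context)
    tag = pow(h, x, P)   # the nullifier for this context
    n = len(ring)
    cs, ss, a, b = [0] * n, [0] * n, [0] * n, [0] * n
    for i in range(n):
        if i == k:
            continue
        cs[i], ss[i] = secrets.randbelow(Q), secrets.randbelow(Q)
        a[i] = pow(G, ss[i], P) * pow(ring[i], (-cs[i]) % Q, P) % P
        b[i] = pow(h, ss[i], P) * pow(tag, (-cs[i]) % Q, P) % P
    r = secrets.randbelow(Q)
    a[k], b[k] = pow(G, r, P), pow(h, r, P)
    c = _hash_to_scalar(context, *ring, tag, *a, *b)
    cs[k] = (c - sum(cs)) % Q
    ss[k] = (r + cs[k] * x) % Q
    return {"tag": tag, "c": cs, "s": ss}


def verify(ring, proof, context) -> bool:
    h = context_generator(context)
    tag, cs, ss = proof["tag"], proof["c"], proof["s"]
    if not (1 < tag < P and pow(tag, Q, P) == 1):   # tag must be a subgroup element
        return False
    if len(cs) != len(ring) or len(ss) != len(ring):
        return False
    a = [pow(G, s, P) * pow(y, (-c) % Q, P) % P for y, c, s in zip(ring, cs, ss)]
    b = [pow(h, s, P) * pow(tag, (-c) % Q, P) % P for c, s in zip(cs, ss)]
    return sum(cs) % Q == _hash_to_scalar(context, *ring, tag, *a, *b)


class NullifierRegistry:
    """One accepted proof per (context, nullifier): the Sybil check described above."""

    def __init__(self, ring):
        self.ring, self.seen = list(ring), set()

    def accept(self, proof, context) -> str:
        if not verify(self.ring, proof, context):
            return "invalid"
        if (context, proof["tag"]) in self.seen:
            return "duplicate"   # same secret reused in the same context
        self.seen.add((context, proof["tag"]))
        return "accepted"


def demo():
    """Four registered identities; contexts are constructed sample data."""
    keys = [keygen() for _ in range(4)]
    ring = [y for _, y in keys]
    reg = NullifierRegistry(ring)
    x2, x0, sep, octo = keys[2][0], keys[0][0], b"signup:2025-09", b"signup:2025-10"
    return [
        reg.accept(prove(ring, 2, x2, sep), sep),    # first use in this context
        reg.accept(prove(ring, 2, x2, sep), sep),    # same human, same context: linked
        reg.accept(prove(ring, 2, x2, octo), octo),  # new context, unrelated nullifier
        reg.accept(prove(ring, 0, x0, sep), sep),    # a different human, same context
    ]
```

Calling demo() returns ["accepted", "duplicate", "accepted", "accepted"]. The verifier learns only that the prover holds one of the registered secrets (the proof is distributed identically for every index), and a secret that was never registered cannot produce a proof that verifies, which is the "uniqueness enforced at registration" property the comment relies on.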
Yoric (3 days ago):
How else?
privatelypublic (2 days ago):
I dropped Proton when a ton of services (all the major A and B tier cloud providers I tried for starters) could not/would not activate an account with a proton email. Email is a critical infrastructure these days. Most people have neither the time nor the will to deal with emails failing to send and/or be delivered. (Send or receive)
overfeed (3 days ago):
I'll go out on a limb and say it: it's an American cybersecurity agency. Proton's CEO/Proton[1] loves the current US admin. I wouldn't be surprised if they comply now and ask questions later, if at all.

1. According to the now-deleted Reddit comment from the official Proton account glazing Republicans, so I assume they were speaking on behalf of all of Proton. https://theintercept.com/2025/01/28/proton-mail-andy-yen-tru....

I have zero evidence except for the CEOs questionable public statements, but I wouldn't be surprised if Proton turned out to be the 21st century Crypto AG.
nerpderp82 (3 days ago):
Proton is a honey watering hole pot. This has always been clear.
illiac786 (3 days ago):
Please think a bit before posting. This feels like you didn't stop to think that this could be seen as cheap and provocative by many. And yes, some quotes, references, or a modicum of argumentation around a divisive point of view is also a good idea.
RandomBacon (2 days ago):
Makes sense to me. I wanted to try Proton out when they were having a sale, but I could not complete the purchase because I was on Mullvad's VPN. I created a ticket, and when they got back to me 5 days later, they told me to disconnect from the VPN to sign up for Proton.
southernplaces7 (3 days ago):
So clear that you can present the least evidence for it aside from the CEO's saying a thing or two that doesn't automatically spit on the current administration?
throw55es468 (2 days ago):
Proton has always been political, you see them supporting some protests, but not others.
Yiin (3 days ago):
If I didn't know better, that would sound plausible, but the truth is much more boring (for the better).
halJordan (2 days ago):
Don't go out on a limb, RTFA. But then you wouldn't be able to have your cake and eat it too.
neobrain (3 days ago):
> Proton's CEO/Proton[1] loves the current US admin

The CEO once expressed support for Gail Slater as head of antitrust and subsequently criticized lack of effective work towards tech regulation on the Democratic side in the same social media thread. Calling that "love for the current US admin" (which hadn't even taken office when those statements were made) is pure disinformation.
southernplaces7 (3 days ago):
Half the American tech landscape is either running toward Trump's bed or bending right down and making all the right mating signals in hopes of some interest, but a few pro-republican comments from the Proton CEO should be held as immediately and deeply suspect of this company being a honeypot? People of all kinds can say certain positive things about the Republican Party for different reasons in specific contexts and not be fanatics, you know. That's how using actual reasoning and nuanced discourse works in the world of not throwing your brain in the garbage through ideological rigidity.
moogly (3 days ago):
For me, at least, it's less about the initial comments than how he handled the fallout from it.
billy99k (3 days ago):
Why should there be fallout from supporting the current admin? Tech companies colluded with the government during the Biden administration to censor American citizens. I never saw any outrage. Only memory holing and denial.
moogly (2 days ago):
> Why should there be fallout from supporting the current admin?

Well, why or why not doesn't matter; there _was_ backlash. And to my recollection, he made some rather bizarre defensive posts on Reddit that were later deleted and replaced with a corpo response.
overfeed (2 days ago):
> I never saw any outrage

You probably aren't looking hard enough. There was plenty of outrage, and congressmen excoriated tech companies for "suppressing right-wing voice".
billy99k (2 days ago):
Not in Liberal/Left leaning communities. They called for more censorship.
overfeed (2 days ago):
Yours is an entirely different argument to what gp was claiming, and undermines the crux of gp's position.
overfeed (2 days ago):
Ideological rigidity or not, I'll bet dollars to donuts that Proton disabled the accounts at the behest of an American agency. All the highfalutin talk is missing my main point.
a0123 (3 days ago):
Which the reddit fanatics on their sub are bending over backwards to defend and explain away when there is no two ways about it tbh.
baxtr (3 days ago):
On a positive note: having reach on social media can solve problems nowadays.
nicce (3 days ago):
The effect is the opposite - things get fixed only when you get enough social noise, and that is not good.
baxtr (3 days ago):
This has always been true. The difference today is that if you are able to craft a powerful message, distribution isn't a problem anymore.
nicce (a day ago):
Many companies are getting only bigger and more global, so it is easier for them to ignore the complaints until it catches the media. Since the scale is getting so big, complaints do not risk the revenue until it hits the media. The ecosystem wasn't so global and instant in the past.
Dilettante_ (3 days ago):
Isn't that like saying "Yay, rich people get to bend the law"? Certainly useful to some, but kind of a weird thing to cheer for.
zapzupnz (3 days ago):
So, if you have sufficient influence, you can get things moving. What about those of us nobodies with no influence?
jackstraw42 (3 days ago):
Well, you can't get the same stuff done that the folks with influence can. Like they're working with a better toolbox.
fn-mote (3 days ago):
Which is all cool until Google rug-pulls your influence and you're back to zero... in which case it doesn't sound like a tool anymore. Maybe a tool with DRM embedded would be an appropriate analogy?
8cvor6j844qw_d6 (3 days ago):
One of the reasons why I don't use my personal Google accounts for stuff like Firebase.
bigiain (3 days ago):
Sadly, Proton was, until now, a serious and perhaps leading contender for where I might migrate my email as I reduce my dependence on Google. They felt more credible than Tutanota, and less mainstream corporate than Fastmail. Not sure where to look now.
brookst (3 days ago):
And there's no shortage of people excited to hop on the next outrage train. With good cause, in this case, but the crowds wielding pitchforks don't much care either way.
j-bos (3 days ago):
> Phrack reached out to Proton in private multiple times, and Proton ghosted them.

According to Proton's response in the linked reddit post: https://news.ycombinator.com/item?id=45227356

They say: "Regarding Phrack's claim on contacting our legal team 8 times: this is not true. We have only received two emails to our legal team inbox, last one on Sep 6 with a 48-hour deadline. This is unrealistic for a company the size of Proton, especially since the message was sent to our legal team inbox on a Saturday, rather than through the proper customer support channels."
commmentator (3 days ago):
You'll note that Proton's PR only mentions the second date - "last one on Sep 6 with a 48-hour deadline." Proton doesn't mention that the first email from Phrack which Proton ignored was weeks prior to that, which is what led to the second email in the first place. You'll also note that Proton doesn't mention that their Abuse Team refused to re-enable the account after the article author did the appeals process, as per Phrack's timeline at the top of their article.
j-bos (3 days ago):
That's a great point. I guess at this point it'd be ideal for them to treat this as an incident and do a proper postmortem with timelines and decision calculus.
commmentator (3 days ago):
Definitely agree. A frank postmortem would be a good thing to see.
alsetmusic (3 days ago):
But that would be contrary to their clear intention thus far: to sweep this under the rug. /s

I had previously liked Proton. I started seeing bits and pieces of info about their security being lackluster over the past year or so, causing doubt about their credibility. I'm definitely done with them after this.
Insanity (3 days ago):
This is honestly sad to see. I use Proton and advocate it to others. This does make me rethink my position somewhat - although I'd argue it's still better than Google / Microsoft-owned email services.
nsagent (3 days ago):
To be honest, I've found Proton's public customer service representatives to be very duplicitous, so it's hard to take their word at face value. It's pretty ridiculous to see their response to legitimate concerns start with: "That doesn't sound right..." 80-90% of the time.
a0123 (3 days ago):
Sorry but doubt. The whole "we have only received two emails" is a classic move of every company caught with their pants down. Considering Proton's history, they don't get the benefit of the doubt on this one.

As for the "company size" excuse, sorry, but considering the business you claim to be in (private and secure email), having an on-call skeleton crew legal team available over the weekend for urgent requests is a bare minimum (and I'm pretty sure they have people available to hand over everything the cops request if "the proper process is followed"). Remember that they have turned over information in less than 24 hours before (for what they call an extreme case, of course). So the "size" excuse doesn't hold. Doesn't matter how urgent it is, if they are the small bean they claim they are, there is no chance they can have a turnaround of less than 24 hours.

Again, it's not what they did that's the biggest issue, it's the coverup. Just like last time they got in hot water. Because the coverup raises a lot more questions.
KingOfCoders (3 days ago):
If you don't have enough people to run your business you're doing it wrong. If you don't have enough money to hire people for your business, it's not a viable business.
hulitu (3 days ago):
> having an on-call skeleton crew legal team available over the weekend for urgent requests is a bare minimum

I don't know about Switzerland, but in Germany, no company will be available "over the weekend". Almost everything on the internet in DE is Mo-Fr 9-17.
traceroute66 (2 days ago):
> I don't know about Switzerland, but in Germany, no company will be available "over the weekend".

Before 31 December 2020, the Swiss Airforce famously only operated during office hours....
BLKNSLVR (3 days ago):
> a 48-hour deadline. This is unrealistic for a company the size of Proton

and yet suspending the account...