| ▲ | pogue 3 hours ago |
| After Proton has repeatedly turned over users of their email account to law enforcement, always with many excuses, their claims about no ability for any government to see what's going on on their network ran very hollow. I know Brave has offered their talk video conferencing service for awhile, but I don't know if any serious network analysis has been performed on it.
https://talk.brave.com/ For document collaboration, I'm not aware of much else that's private/encrypted (etc) however.
https://www.privacyguides.org/en/document-collaboration/ |
|
| ▲ | mastermage 3 hours ago | parent | next [-] |
| Privacy and anonymity are not the same. I am fundamentally against spyware that constantly monitors you and reports anything. Because of the constant and pre crime nature of it. On the other hand i am actually not fundamentally against turning over data when independent judges sign a warrant. This is arguably a very tight rope to walk but i think thats the most realistic comporomise between my right to privacy and the right of others to get justice when something is done onto them. |
| |
| ▲ | k__ 3 hours ago | parent | next [-] | | Sadly this is not binary. | | | |
| ▲ | readthenotes1 3 hours ago | parent | prev [-] | | Perhaps you may not remember the US government's tendency to invade privacy for suspicious reasons (that is, at the very least extra-legal and sometimes downright unconstitutional). You mentioned a warrant. I do not believe that has been a required threshold. E.g.,
https://judiciary.house.gov/media/in-the-news/jordan-biggs-d... | | |
| ▲ | mastermage 2 hours ago | parent | next [-] | | I am not American so my lense may be a different one.
What I am coming from is basically an extension of the German Laws that Govern the Mail Secret (Briefgeheimnis) which actually is constitutionally enshrined in the German constitution. But has notable exceptions that can be made uppon federal law. The burden for these is supposed to be pretty high. I think this should not happen willy nilly. And if thats the case in the US I am obviously against it. It is a complex multi layered subject because it has to weigh the rights of multiple people against each other. | |
| ▲ | mdhen 2 hours ago | parent | prev [-] | | It's absolutely a required threshold in Switzerland |
|
|
|
| ▲ | Subdivide8452 3 hours ago | parent | prev | next [-] |
| I think this comment deserves some nuance. Every company has to comply to local laws. Unless you want to run something illegal, at which point it's not a very reliable alternative for all your mail and more. Proton in some cases was forced to turn over whatever they knew of a few accounts, according to Swiss law. They try to obfuscate as much as possible, so they can't turn over complete e-mail conversations. But some info is in there, and they have to turn that over. But (correct me if I'm wrong) they have to only comply to Swiss law, when there's a court order. |
|
| ▲ | niam 3 hours ago | parent | prev | next [-] |
| When have Proton turned their data over to law enforcement without a Swiss court order? |
|
| ▲ | wallaBBB 2 hours ago | parent | prev | next [-] |
| I like to point out often the yellow vests protesters being ratted out by Proton as good example of how misleading their marketing is.
French police contacted Swiss police to get the id of the accounts, Swiss told proton to hand over the data.
Problem is - under French law, their police would not be able to get that data from local providers. Proton - HK owner, dev team in Bulgaria and marketing with mythical claims of "Swiss company privacy".
For a company that is selling essencially trust, they sure are shady as f... |
| |
|
| ▲ | 0x3f 3 hours ago | parent | prev | next [-] |
| I'm always confused by the conspiratorial takes that think there's some service out there _not_ bound by the legal system where it resides. Obviously Proton obeys the law and gives up data when it has to. Where are the services that don't do that? Somalia? |
| |
| ▲ | woutervdb 3 hours ago | parent | next [-] | | I think the key difference is the amount of data the service can offer when it is asked to do so by some legal entity. Signal famously claims to barely have any useful data to turn over when ordered to do so [1]. If some provider states they are pricacy-focused and protect your data from governments, but can still offer loads of your private data when ordered to, that damages their privacy claim. EDIT: "some provider like Proton" -> "some provider", never wanted to imply Proton specifically did or does this. [1] https://signal.org/blog/looking-back-as-the-world-moves-forw... | | |
| ▲ | neobrain 3 hours ago | parent | next [-] | | > If some provider like Proton states they are pricacy-focused and protect your data from governments, but can still offer loads of your private data when ordered to, that damages their privacy claim. "Loads" of private data? When has this allegedly happened or how would it technically even be possible? | | |
| ▲ | streetfighter64 2 hours ago | parent [-] | | Well, Proton themselves say they will provide information about who has contacted a randsomware attacker to law enforcement. https://proton.me/legal/law-enforcement So that probably has happened. Whether they've even provided other private data I don't know, but > how would it technically even be possible Well, it's not possible if you trust their claims about E2EE, but that is just a claim. How's that any different from a non-encrypted email provider saying they won't provide your emails to others? It all comes down to trust in the end. | | |
| ▲ | 0x3f 2 hours ago | parent [-] | | They don't claim email is E2EE. Of course they need to know email metadata to route messages. That's unavoidable if you are using email. It's not encapsulated like that. | | |
| ▲ | streetfighter64 2 hours ago | parent [-] | | Yes they do (the storage of your emails on their servers, that is). See this comment for a summary of their claims and reality https://news.ycombinator.com/item?id=47625229 Edit: A reply to your misunderstanding and accusation below: What do you mean? By "provide your emails to others" I obviously mean the email *contents*, not the email *address*. (Which I also clarified with "the storage of your emails on their servers"). You know, the very thing that is almost the whole selling point of Proton: that they keep the contents of your emails encrypted so "only you" can access them. > Proton Mail protects the contents of all your messages with zero-access encryption, meaning no one can read them except you and your recipients. Messages you send to other Proton Mail accounts are always end-to-end encrypted, as are emails sent to non-Proton Mail accounts when you use Password-protected Emails. https://proton.me/security/end-to-end-encryption Also, what in the SMTP protocol requires Proton to *store* that metadata? Could they not simply delete it after using it (or, crazy idea, encrypt it in the same way the message contents are encrypted in storage), so they would be unable to respond to law enforcement requests the next week, say? They did also previously claim that they didn't log user's IP addresses. Why would they claim something like that, if it's "obvious to anyone who knows" that it's a false claim? Marketing aimed towards their not so technically savvy userbase? https://www.theregister.com/2021/09/07/protonmail_hands_user... Let me also remind you that I was replying to a question about "how would it technically even be possible" to "offer loads of your private data when ordered". My reply was, it's easily possible for them to offer your metadata, and you still need to trust their claims about heir implementation of E2EE to believe they won't offer your message contents. You're very quick to accuse people of spreading misinformation. Let me hit back with an accusation of my own, which is that Proton's PR team have a habit of regularly trying to discredit any critique as "misinformation". Perhaps you've just read too many of their rebuttals? | | |
| ▲ | 0x3f 2 hours ago | parent [-] | | They simply don't. Please stop spreading misinformation. https://proton.me/mail/privacy-policy > Account Activity: Due to limitations of the SMTP protocol, we have access to the following email metadata: sender and recipient email addresses, the IP address incoming messages originated from, attachment name, message subject, and message sent and received times. This would be obvious to anyone knows how email works. It would be very silly for them to claim otherwise. |
|
|
|
| |
| ▲ | kunley 2 hours ago | parent | prev | next [-] | | Thank you for bringing back the Signal's statement, btw. | |
| ▲ | Yiin 3 hours ago | parent | prev [-] | | can you expand on the "loads" part? ip and payment option? | | |
| ▲ | woutervdb 3 hours ago | parent [-] | | Keyword is "like": a service like Proton. No idea if and what data they have offered to their government. I was merely trying to offer an explanation to the parent commenter, who was wondering how people can critique pricacy-focused services offering data when required by law. | | |
| ▲ | Yiin 2 hours ago | parent | next [-] | | Fair enough, I agree. In Proton case, I'm biased because I used to work there ~2019-2022 and the company was basically printing money from subscriptions alone (covid likely helped with that), while fighting (pretty successfully) every request to avoid providing even that limited metadata, because alternative of ruining your core strength - privacy - meant the death of the business. I don't know if anything changed, but I'd bet the goals remain largely the same - providing good-enough privacy any commercial company can realistically give you. Unencrypted user data in this business is poison, and they're well aware fwiw. | | |
| ▲ | Scarblac 2 hours ago | parent [-] | | But don't they have both the encrypted data and the decryption keys? I don't remember giving them my keys to use, and I can look at my stuff from multiple devices so the keys aren't stored on my device. So they must have the ability to look at all that encrypted data anyway? | | |
| ▲ | 0x3f an hour ago | parent [-] | | Did you not notice that you have to type in a password? |
|
| |
| ▲ | izacus 2 hours ago | parent | prev [-] | | You seem to be hiding behind this "like" while writing into comments about Proton - making accusations and theories that imply it's Proton that actually does that. |
|
|
| |
| ▲ | streetfighter64 3 hours ago | parent | prev | next [-] | | I mean, is it really a conspiracy theory to want or believe that there are services (based in Europe) that don't hand over any and all user data to the USA government when asked? It's probably wrong to believe it to be the case, but just because it's wrong doesn't make it "conspiratorial". It's quite hypocritical of Proton to claim that they protect against government surveillance when they do things like this though [0]. Their legal team has probably ensured they don't claim anything strictly false, but the implication and the reality are wildly different. [0] https://freedom.press/digisec/blog/proton-mail-is-not-for-an... | | |
| ▲ | pogue 2 hours ago | parent [-] | | Proton's marketing definitely makes it sound like they are fully anonymous and wouldn't even have anything to hand over to law enforcement. Look at the wording they use to describe the product. Proton has always-on end-to-end encryption and zero‑access encryption, meaning even we do not have access to your data. [...] Based in Europe, Proton ensures your data is protected by some of the world’s strongest privacy laws. Because Proton isn’t a US‑based company, we can’t be compelled by laws such as the US CLOUD Act to hand over your data to the US government or terminate your services. [1] [1] https://proton.me/business/blog/proton-workspace Obviously as we have seen, they 100% can and will hand over your data to the US government. Yes, it's in the privacy policy/ToS & they're compiling with local laws. But that's clearly not how that reads. [In 2021, the Switzerland-based vendor provided local police with the IP address and device details of a netizen the cops were trying to identify. That individual – a French climate activist who was already known to police – was later arrested. Shortly after that kerfuffle, Proton removed the claim that it didn't track user IP addresses from its website. Proton has also previously been accused of offering real-time surveillance of users to authorities.] [2] [2] https://www.theregister.com/2024/05/13/infosec_in_brief/ See also:
ProtonMail filters this into its junk folder: New claim it goes out of its way to help cops spy
https://www.theregister.com/2019/05/29/protonmail_dismisses_... A search on your favorite search engine of 'instances where proton has turned over user info to the government' will provide further reading. |
| |
| ▲ | g6506jjjss 3 hours ago | parent | prev [-] | | [dead] |
|
|
| ▲ | izacus 3 hours ago | parent | prev | next [-] |
| What do you mean by "excuse"? What kind of excuse would a company need to comply with the law of it's government?! |
|
| ▲ | 3 hours ago | parent | prev | next [-] |
| [deleted] |
|
| ▲ | cromka an hour ago | parent | prev [-] |
| Proton takes privacy so seriously that they even took the GitHub Issues section of proton-bridge offline /s |
