Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
streetfighter64 3 hours ago

"Controlled" is a bit hyperbolic, but there's a collaboration agreement between the USA government and the Swiss government, so Proton has to comply with requests from for example the FBI. Quoting a comment by Proton staff on Reddit

> First, let's correct the headline: Proton did not provide information to the FBI. What happened is that the FBI submitted a Mutual Legal Assistance Treaty (MLAT) request, which was processed by the Swiss Federal Department of Justice and Police. Proton operates exclusively under Swiss law, and we only respond to legally binding orders from Swiss authorities, after all Swiss legal checks have been passed. This is an important distinction.

> [...]

> The only information Proton could provide was a payment identifier because the user chose to pay with a credit card. This is information the user themselves provided to us through their choice of payment method. Proton also accepts cryptocurrency and cash payments, which would not have been linkable to an identity.

So basically, don't trust Proton with information unless you want the FBI to know it.

Yiin 3 hours ago | parent [-]

"So basically", what a weird conclusion to take out of it, just don't pay with your credit card for services you can pay cash or crypto.

streetfighter64 2 hours ago | parent [-]

Sorry, perhaps the takeaway is clearer when you see the full quote [0]. I omitted it for space, here's the relevant part

> Third, let's talk about what was actually disclosed. No emails were handed over. No message content. No metadata about who the user communicated with. The only information Proton could provide [...]

Yes, paying by crypto prevents Proton from disclosing your identity that way. Is there anything preventing Proton from disclosing the email content or metadata? Do they claim they won't disclose that? Clearly they do allow themselves to disclose metadata [1]

> For example, in ransomware cases, we can preserve information about which victims contacted the suspect, so that victims can be notified.

So, "just don't pay with a credit card" comes with the additional caveat of "don't email somebody you don't want the FBI to know you emailed". Whether you also need to "don't write anything you don't want the FBI to know", I haven't investigated further, but you could perhaps look that up yourself. I will just assume that to be the case based on what I've seen.

[0] https://www.reddit.com/r/privacy/comments/1rltej7/comment/o8... [1] https://proton.me/legal/law-enforcement

Yiin 2 hours ago | parent [-]

There are limits of what you can encrypt, in all of the cases of proton being critiqued for its compliance with law I haven't seen any instance of them being able to disclose email content, where metadata is "who we're sending email to", which is, I assume, not encryptable if you want an usable service. That being said, the quote does make your pov clearer, thank you for that.