
let's kill proton mail

23h 22m ago by lemmy.blahaj.zone/u/not_IO in lemmyshitpost from lemmy.blahaj.zone

https://booping.synth.download/notes/ajhsjg97o2xq03rx

context

https://www.wired.com/story/protonmail-amends-policy-after-giving-up-activists-data/

https://www.404media.co/proton-mail-helped-fbi-unmask-anonymous-stop-cop-city-protestor/

I saw a post about this earlier, it is a nothingburger.

The user in question paid for his account with a personal credit card; he didn't use one of the anonymous payment alternatives, which are available.

Proton has stated that they will comply with law enforcement requests, but are working to maintain as few logs as possible.

This is an opsec failure on the user's side.

This is not Proton handing IDs of their customers to the government on a silver platter, this is their customer not understanding the service they use.

Agreed - Proton is a tool for security but it isn’t a hired babysitter for your personal info.

Also, Proton didn't hand anything to the FBI, they got served by the Swiss government and gave it to them... Which might be a technicality, but they do not hand out information to foreign agencies.

People shouldn't need to think about opsec to have private emails. False advertising on Protonmail's part, and government policy issue in the countries in question.

Arguing about what people should or should not have to do is pointless.

It changes nothing and removes the debate from being practical to being theoretical.

It's not theoretical. Protonmail should not have handed over the personal data for victims of political persecution, but they did.

The system is broken. The practical next step is to solve the problem.

They clearly give you options to avoid this scenario, this is not on Proton, this is simply an opsec fail of the user.

Don't get me wrong, opsec is hard, exhausting and just annoying, it needs discipline and constant focus, you only need to fail once for it to be ineffective.

The customer signed up for Proton, but didn't follow their guidelines for anonymity, that is not a failure of Proton, it is a failure of the user.

Maybe they've changed the website, but when I started using Proton, they never gave me any warning about paying with a credit card.

Anyways, my point is that both the government and service here need to be changed. Switzerland should not be responding to subpoenas from a fascist regime, Protonmail should not be based in Switzerland, and Protonmail is too captured by capitalists that want to be Google to have the morals to give up instead of giving in.

See Mullvad for example of a service that will just not offer services like port forwarding instead of pretending they're secure. They have the same credit card opsec issue but they actively discourage it, and they don't pretend that unencrypted email is secure.

And that is why you would have failed at opsec.

You can't demand warnings about stuff like that all the time, YOU need to teach yourself these things.

You can't rely on anyone else for your own opsec.

That is the entire argument here.

The guy should have read up on protecting his anonymity before he started his activities.


Opsec fails have brought down many, many people.

From darknet site owners, to government agency operations, to countries at war and more.

Opsec sounds easy at first, but it is extremely difficult, and you can't rely on anyone else doing your job for you.

You need to develop OCD-like habits, you need to understand why they are needed, and what you are giving away when breaking them.


You imply that a warning would have prevented the guy from using his credit card, I don't think it would have made any difference, the guy would either not understand at all, or just ignore it.

Unless he intuitively understood that Proton was required to retain cc numbers for X years, and that these cc numbers were tied to a specific transaction, his account and his identity, I just don't see him taking a warning seriously.


This is the real world, it isn't fair, it doesn't care, you need to care about this for your self preservation.

How do you think it would play out if Proton refuses lawful orders from a court in the country they operate in?

I do think Proton does a lot of misleading advertising, but it's still on the user to research and have good opsec. Paying with a card when crypto is an option, using the same service for both email and a VPN, using that service from a public wifi near where you are known to live while actively doing crimes. A lot of mistakes made on the user's part. Proton is running a business not a criminal protection racket, you can't expect them to help you get away with crimes just because they claim to value privacy.

In Switzerland, privacy is not a crime, nor is protesting.

It's not false advertising. They don't log your account usage, they must comply with Swiss law, user ignored the anonymous payment methods and used a personal card for an account for illegal acts.

The policy clearly states that they must comply with Swiss law enforcement, and never claimed that payment info or metadata is encrypted.

User error

Where on their website does it say that fascists can subpoena your payment information on their website? All I see is false advertising saying that no one can read your emails and that their service is secure.

Oh I'm sorry I didn't realize that the credit card you used = the content of emails... Must be a new slang term I'm not familiar with.

Their policy states they must comply with Federal Swiss law enforcement. They cannot give the content of emails as they are end-to-end encrypted and they are zero logs. They are however required to cooperate and give what isn't encrypted, i.e. payment info/backup email (if added). If the user had been smart and used one of the anonymous payment methods, they would have told law enforcement, "Sorry, we don't have anything that can help."

It's not false advertising. Just because a company advertises with privacy, it doesn't mean they are bulletproof.

They don't sell your data, they actually have very little data to share at all, but they do follow the Swiss law.

They even publish which kind of requests they get: https://proton.me/legal/transparency

The Wired link from 2021 is still a nothingburger.

Got an archive link for the second article?

No thanks, I don't wanna switch E-Mail provider again

I don't use Protonmail, but the things you posted are not nearly enough to condemn the entire service.

I would say that their support of the Trump admin is far more damning, but still not enough for people to drop them outright.

Quick question, if I registered for free with no identifier, and I get an email that has my info, like I order something, is that account "compromised"? Can they now link all other emails to me?

The mail is encrypted, so probably not, but they have an extensive privacy policy and some blog entries about which threats they can protect you against and which they can't.

Why this sub?