It’s also worth clarifying that ProtonMail doesn’t collect IP addresses by default. Instead, the monitoring/logging starts after ProtonMail gets a legal request.
They still have to adhere to legal requests.
they should inform the victim about it
Under Swiss law, ProtonMail should notify the user if a third party makes a request for their private data and if the data is for a criminal proceeding. However, there’s a big catch/loophole here. On its law enforcement page, ProtonMail highlights that the notification can be delayed in the following cases:
Where providing notice is temporarily prohibited by the Swiss legal process itself, by Swiss court order, or applicable Swiss law;
Where, based on information supplied by law enforcement, we, in our absolute discretion, believe that providing notice could create a risk of injury, death, or irreparable damage to an identifiable individual or group of individuals;
As a general rule though, targeted users will eventually be informed and afforded the opportunity to object to the data request, either by ProtonMail or by Swiss authorities.
This incident seems to fall under the first case, and that’s why ProtonMail didn’t notify the user. “Some orders are final and cannot be appealed, that’s just how the legal system works, not everything can be appealed. The user wasn’t notified for the same reason that you don’t notify a suspect before arresting them,” says ProtonMail founder Andy Yen.
Proooobably part of the request that they are not allowed to do that.
The IP isn’t even that important. They straight gave up that person’s phone number and identified them.
Oh hey I’m not shocked at all by this.
Nothing unexpected from a company that openly espouses fascism.
Could you elaborate on this comment?
A few months ago the CEO tweeted that he supported Trump and his policies. The most ironic part was that he’s an immigrant himself but lives in Switzerland.
Not sure if anything else happened since.
Unless I’m missing some recent news that sounds like a really misleading interpretation of what happened. I thought he tweeted that he thought republicans were better than dems on big tech legislation.
That was an insanely stupid statement but it’s far from supporting trump and all his policy.
So Protonmail was required to log the IP of the user after being ordered to via the proper international Swiss legal channels, per Swiss/Europol law. And at some point recently, Protonmail thus removed the copy from their frontpage that advertised never tracking IPs.
What the article doesn’t really explain, is what exactly changed about Swiss or euro law? And when? What rules or acts have sprung up that made this possible? Or, was this always something that was possible that has only just now made precedent?
It’s important to hold accountable the named individuals who are harming individual security, safety, and trust in this manner so that they can be prevented from continuing to do so.
Why is this a surprise? IP Logging is pretty normal for any service.
2.5 IP logging: by default, we do not keep permanent IP logs in relation with your Account. However, IP logs may be kept temporarily to combat abuse and fraud, and your IP address may be retained permanently if you are engaged in activities that breach our Terms of Service (e.g. spamming, DDoS attacks against our infrastructure, brute force attacks). The legal basis of this processing is our legitimate interest to protect our service against non-compliant or fraudulent activities. If you enable authentication logging for your Account or voluntarily participate in Proton’s advanced security program, the record of your login IP addresses is kept for as long as the feature is enabled. This feature is off by default, and all the records are deleted upon deactivation of the feature. The legal basis of this processing is consent, and you are free to opt in or opt out of that processing at any time in the security panel of your Account. The authentication logs feature records login attempts to your Account and does not track product-specific activity, such as VPN activity.
Source: Their privacy policy.
That’s some funny language around “May be obtained permanently” though. Is this minority report? Do they know ahead of time that someone is going to violate their TOS?
That said, I’m not totally against proton mail. It’s a lot better than other free alternatives. Of which there are few left. I’m sure Gmail tracks the IP of your rectum.
This seems necessary if they’re to maintain an IP ban list. You shouldn’t just be able to unban yourself by submitting an information deletion request.
This is stupid though. IP addresses in many homes rotate, so IP ban lists are utterly ineffective and could very well ban the wrong people.
“climate activists have been taking over commercial apartments” So … trespassing? They breached privacy for apparent trespassing? Is that it?
Apart from it’s an old story, discussed already back and forth, Proton’s claims regarding privacy are really weak. Especially when it comes to presenting Switzerland as a privacy safehaven. Switzerland is a tax evasion safehaven, not a privacy safehaven, Proton. How Proton puts it: we provide world class privacy (but have to break our claims and comply with Swiss law immediately once there is a legitimate or not request from law enforcement, oepsie sorreyy!)
The lesson here is despite what a service says, don’t trust it and take the appropriate measures to cover your tracks.
You can create and access the inbox through Tor at
protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion
The important thing is to always access it through Tor.
Also pay attention to what the service says and what it doesn’t. We get into this spot regularly because of things people assumed about Protonmail without being told.
A big problem is people see the word “privacy” and think that means anonymous. Neither Tuta nor Proton claim to be anonymous.
Yeah it’s getting really annoying at this point.
I unironically said this in my group chat, “proton mail is becoming more and more sketchy as being a privacy focused mail service” just like how signal is becoming more sketchy as an instant message service. There are things proton mail does such as logging activity that shouldn’t be the case as a paying customer, and yet here we are. When I request privacy I want it to be private, as in don’t give my data to anyone. It seems for that to happen it must be community driven and decentralized.
Oh ffs. We have known for years that Proton is just a for profit company like any other. They don’t give a fuck about you or your privacy. They never have and they never will.
Please tell me a mail client that doesn’t comply with national laws.
I never said anything about complying with laws, people just interpreted it that way. Of course everyone will comply with local laws or secret government orders that come with threats of imprisonment. I don’t know if Proton was required to log this data in the first place, but if they were then this specific situation is not their fault.
The issue with Proton isn’t that they follow laws, but that they portray themselves like they are better or more private than others when they are just not. Bigger = worse in the tech world. Whenever too many people are using services of a single company, it becomes an attractive surveillance target.
What I’m also annoyed about is people being surprised by this and these headlines that make it look like it’s some sort of betrayal. You should always be worried about your privacy when you put data on a computer that isn’t in your physical possession. Proton isn’t trustworthy because nobody is trustworthy except yourself.
it’s always disappointing when people all about FOSS and shit suggest Proton to people looking to switch from google. no, don’t do that. use Tuta or self host or ANYTHING other than Proton. it’s such a shit company that does not deserve the praise they receive.
For profit or FOSS, they can’t ignore the Swiss government. It’s fucking stupid that people put this ridiculous standard on them like they’re able to just tell the Swiss no and face no consequences.
If you were in their position, you would roll over too, and if you claim otherwise you’re just straight up lying.
They complied with laws. Where is the issue?
- Authoritarian regime decides that being critical of the regime is illegal and makes laws to support this.
- Activists use Proton for privacy.
- Regime demands that they give up data on activists.
- Proton complies with the laws.
That’s the issue.
What data? Here it is the IP address and only under order by authorities.
I feel ever since the social media shitstorm people love to pile on Proton for anything. They never said they won’t comply with law enforcement, did they?
What data? Here it is the IP address and only under order by authorities.
Whatever they gather. It says as much in the article; they started recording IPs once a request by the Swiss government came through.
ProtonMail can’t directly share data with foreign governments. In fact, doing so is illegal under Article 271 of the Swiss Criminal code. The police gained access to the IP address because Swiss authorities chose to cooperate with the French government. ProtonMail also points out how Swiss authorities will only approve requests that meet Swiss legal standards.
Under Swiss law, ProtonMail should notify the user if a third party makes a request for their private data and if the data is for a criminal proceeding. However, there’s a big catch/loophole here. On its law enforcement page, ProtonMail highlights that the notification can be delayed in the following cases:
That’s based on the currently available laws. So if a law gets drafted that says “if we suspect someone to be complicit in criminal activity we want you to gather more data” we should just be fine with that because the authorities say so? Because the authorities are always infallible and incorruptible, right?
The details of this individual case aren’t the problem, it’s the precedent it sets that is. When Mullvad got raided for their logs there was nothing recovered because they don’t store anything. Proton stores things based on if the authorities ask them to, and when they find out that it wasn’t a terrorist or child-trafficker they go “woops we had no idea the account belonged to a climate activist.”
The authorities aren’t infallible. Some years back here in Sweden we had police raid, physically abuse, and kidnap a guy they suspected was a pedophile because he’d sent images of him and his 30 year old boyfriend having sex via Yahoo Mail. There’s no reality where this man should’ve been fucking beaten up and traumatised the way he was, but it happened, and there was no recourse for him. Nowhere down the chain of responsibility did anyone get reprimanded or investigated for misconduct.
Complying with the law is such a bullshit fucking excuse.
When Mullvad got raided for their logs there was nothing recovered because they don’t store anything.
Mullvad is not a mail provider…?
They both have no-log policies. One is “we never log” and the other is “we log sometimes” do you see the difference?
The difference is that they’re different products with different technical requirements.
Complying with the law is such a bullshit fucking excuse.
Yeah, they should just go to prison for someone they don’t know and had nothing to do with, that’s the only answer we should be ok with!
Do you hear how stupid that sounds?
Right, because corporations are widely known for going to prison when they break the law. Where exactly did they imprison Facebook for interfering in elections? Running illegal experiments on people? Pirating books and pornography? Surveilling children and selling their data?
Look at Mullvad. They’ve denied access to their data multiple times, they got raided, and nothing of use was recoverable. That’s what respect for privacy looks like. Proton could set their infrastructure up in this fashion, but instead they’ve chosen to just hand out user data freely.
The police gained access to the IP address because Swiss authorities chose to cooperate with the French government
We’ve seen this several times now. Proton is subject to Swiss law, just like every company in their respective countries. You choose Proton because Switzerland has the most privacy protections of any country on the planet (for now).
If you want private communications, don’t use email. In fact, if we could all stop using email entirely, that’d be wonderful. There are hundreds of truly-private alternatives, many with no company involved at all.
This is absolute nonsense. I would prefer most of Europe over Switzerland. The Swiss government was always bad with privacy. See Fichenaffäre for example. Not to mention the new büpf and similar laws. I’m Swiss. I would never store sensitive data in Switzerland on a public server. Well. Except tax data, I guess. Can’t really get around that.
Those who used it imagined Swiss law to be less intrusive? I suppose it sounds like a good idea to anyone, which is mostly everyone, who doesn’t know Swiss law.
Yeah, they rolled over to the authority, as expected. But, they sold themselves as “private”, not “private up to the extent of Swiss law, and our laws here are very intrusive, so really the private part isn’t going to get anyone very far if they use this service for anything slightly questionable, let alone outright illegal. You might as well be using GMail for how ‘private’ this thing is.”
The popular myth is that Swiss privacy law is so strong that banks can hide gold and profits for major criminals. It wasn’t to Proton’s benefit to correct that.
It is called deception. All email providers in Switzerland have to follow Swiss Privacy laws.
This is no different than companies advertising licensed and bonded when every company legally has been licensed and bonded. Note that this practice of advertising what is required by law is actually illegal in a lot of places.
They sold a convenient lie and got rich doing so. Now we get to sit here on Lemmy and watch them try to justify another corporation shitting on them while they give them more money. The Proton defenders are a special kind of stupid.
Proton are very open about what they do and don’t provide.
They’re not going to protect you and they will turn on you the second they get a letter in the mail or a text from the cops.
But what they DO provide is the ability to register an email address (with a domain that isn’t blocked by most services) without providing any other information. And, from there, you can encrypt it yourself if it is a particularly sensitive message.
As for IP logging? If only there were tools like VPNs and Tor to negate that.
yes. proton ceo is a fascist.
why are yall constantly surprised?
















