by angrymouse on 9/7/21, 11:35 AM with 343 comments
by plater on 9/7/21, 12:19 PM
Sure, it's a more stable country than many other countries in the world, but not much different from most EU countries for example. And privacy wise there is no difference.
Be also aware of the fact that many companies market themselves as Swiss, but all it means is they have a head office in Switzerland due to tax reasons. In one example, it's a cloud storage company, they say on their marketing page and their about page that they are based in Switzerland and under Swiss law, but if you look at the legal pages the company you sign up with is actually based in Bulgaria. Their servers are based in Texas, USA and Luxemburg, Europe and their development team in Bulgaria.
by dsign on 9/7/21, 12:15 PM
What makes me sad is how flimsy their entire premise (not necessarily "promise") turned out to be: all it took was some minor rascal in France to hug the wrong tree (so to speak), and ProtonMail is in the open saying they can't even protect the IP address of their customers. From there, all it takes is for somebody to change a law in Switzerland and end-to-end encryption of the messages themselves will only be "by default."
I think there is a market for datacenters in open seas.
by livinginfear on 9/7/21, 12:27 PM
by shafyy on 9/7/21, 12:24 PM
For example, this paragraph is important:
> Unlike other providers, we do fight on behalf of our users. Few people know this (it’s in our transparency report), but we actually fought over 700 cases in 2020 alone. Whenever possible, we will fight requests, but it is not always possible.
by rarba786 on 9/7/21, 1:32 PM
My quick take: France tells Switzerland who then compels PM to START tracking account holder(s) and prevented PM (by law from what I've read) from telling account holder. Per PM CEO this type of Swiss order could not be disputed with the way PM has disputed other claims.
To me, it's not logging of the IP; it's when did it start and from my reading they started after being compelled to do so over a period of time between compelled to and this coming to light.
To me, strong pushback (for those who feel passionate about it) should be directed to Switzerland for complying with France for what many think is not a high enough bar to compel all this tracking. Maybe they did scrutinize it and maybe they didn't.
Any meta-data saving isn't secure but sharing that after being compelled to track account holders isn't surprising.
There's a line in their agreement that says "If a request is made for encrypted message content that we do not possess the ability to decrypt, the fully encrypted message content may be turned over."
Maybe I'm missing something in my logic.
by 7demons on 9/7/21, 12:07 PM
by dathinab on 9/7/21, 1:15 PM
And it still holds!!
What it didn't state is that while _by default_ no such information is logged, if they are legally compelled to, they will log the necessary information for the email (account?) they are required to log it for.
It's honestly surprising for me that anyone thought that a fully legally (in Swiss) operating service would protect their privacy beyond the point they are allowed to by Swiss law. But luckily for us Swiss law is pretty neat wrt. privacy, at least currently.
by notjes on 9/7/21, 12:13 PM
by hasmanean on 9/7/21, 12:43 PM
This tool is turned against the poor and marginalized and used to eliminate opposition but not for making the system work better as it was supposed to.
In a sense society is being hacked by those in power using surveillance.
by ashtonkem on 9/7/21, 12:50 PM
by cpach on 9/7/21, 12:48 PM
I understand that people desire the UX of an e-mail client such as Thunderbird, Mail.app, Gmail or whatever. Nothing wrong with wanting that. But there is currently no good way to send e-mail securely.
by traspler on 9/7/21, 2:53 PM
by 0xdeadb00f on 9/7/21, 12:07 PM
by jcq3 on 9/7/21, 12:43 PM
by dang on 9/7/21, 2:38 PM
Clarifications regarding arrest of climate activist - https://news.ycombinator.com/item?id=28433601 - Sept 2021 (273 comments)
ProtonMail logged IP address of French activist after order by Swiss authorities - https://news.ycombinator.com/item?id=28433131 - Sept 2021 (155 comments)
Climate activist arrested after ProtonMail provided his IP address - https://news.ycombinator.com/item?id=28427259 - Sept 2021 (565 comments)
by rawbot on 9/7/21, 12:18 PM
by Grimm665 on 9/7/21, 4:09 PM
by ddevault on 9/7/21, 12:07 PM
The most important thing a serious privacy-minded service provider can do is be forthright and honest with users about the limitations of their privacy guarantees, particularly with respect to what hinges on math and what hinges on trust. ProtonMail has failed in this respect. It has always been the case, for example, that they could log these IPs, or that any incoming plaintext emails can be recorded before being encrypted at rest - and the fact that they're encrypted at rest is another thing we have to take on faith. Their proprietary components have always been a problem, and we also trust that they won't silently add key exfiltration to their webmail UI on the demands of a court. They don't explain any of this, they just pose themselves as experts on privacy and let vulnerable users stumble into law enforcement's hands because they care about their money more than their security.
Good privacy systems do not rely on trust or faith, they rely on math. Where some trust is required, in the case of a commercial service provider, it is their solemn duty to be honest with users and explain to them what promises they can and cannot make, and to make sure users understand which of these claims are backed up by math, which are backed up by law, and which are backed up with thoughts and prayers, so that these users can make informed decisions about how they use a service they're relying on for their personal liberty.
by Verdex on 9/7/21, 12:57 PM
It always ends up being something like, "Well, I could buy a bunch of Raspberry Pis with cash and then go to a coffee shop that I never go to and upload the message to a gmail account that I'll only ever use once. Throw the Pi away afterwards in a random trash can in town and make sure to wear gloves every time I touch it. Finally use some sort of encryption scheme or something so I can identify myself for repeated correspondences because each time will be with a different one shot email account."
It turns out that this isn't some fanciful paranoia, but is in fact the bare minimum of what I should be doing if something like that ever came up.
by nicolas_t on 9/7/21, 1:03 PM
If I sign up with protonmail today using a VPN like Mullvad, since I'm probably not currently being targeted, I can reasonably be sure that it will be difficult to track things back to me.
However, once I'm targeted and there's a warrant against me, any activity I have on such services is going to be logged going forward.
So, using the service once to receive some data or do something anonymously is reasonably secure... This is very different from services like gmail which will have kept any logs in the past about me and that will always be able to track me without any further logging.
It's imperfect but I think that given the current environment and the current laws, this might be the best we can have.
by CalChris on 9/7/21, 1:06 PM
1) the making of a statement
2) the falsity of the statement
3) an intent to deceive
4) reasonable reliance on the statement by the injured party
5) injury sustained as the result of the reliance
ProtonMail knowingly told this activist 'we don't log your IP' in order to attract their business. ProtonMail did log the IP address. The activist believed this and got arrested.
by eth0up on 9/7/21, 3:53 PM
I get a sense to move along, but it still seems interesting. It is, or was, based in Iceland.
by jd3 on 9/7/21, 2:44 PM
https://protonmail.com/blog/protonmail-beta-v1-13-release-no...
by qwerty456127 on 9/7/21, 1:31 PM
I also don't understand why does ProtonMail record the device type - I doubt there is a law requiring this.
by maxo133 on 9/7/21, 12:46 PM
by janmo on 9/7/21, 1:23 PM
by ohgodplsno on 9/7/21, 12:16 PM
Welcome to reality.
by istingray on 9/7/21, 3:21 PM
I for one am now only using Protonmail through Tor. Recommend Brave users enable "Automatically redirect .onion sites". If a site has an onion service, it will automatically redirect in case you forget.
by mark_l_watson on 9/7/21, 2:02 PM
I think their advertising copy about not logging IP addresses was poorly done, but their service is private enough for me. It probably doesn’t much matter or make much difference, but I feel OK with using their service, and tweaking my account settings for Google and Apple to the minimum amount of data retention.
I feel that people who let corporations easily have all of their data put themselves at a disadvantage when it comes to any interaction between yourself and any large company (insurance, retail, etc.). Governments will always have our private information so the real purpose of privacy is economic value.
Imagine playing poker with your friends and you had to have your cards face up on the table and they could keep their cards hidden from you. In this example, your friends are corporations.
EDIT: Carissa Véliz, author of Privacy is Power, was interviewed recently on the ProtonMail blog, and I think the interview does a good job of summarizing her excellent book: https://protonmail.com/blog/carissa-veliz-data-privacy/
by bubblethink on 9/7/21, 12:46 PM
If they route all email over VPN, do they have to disclose the end user's IP? If so, how do they avoid that with standalone VPN?
by nrvn on 9/7/21, 5:31 PM
It has proven multiple times that privacy and security are not something they really care about.
I wonder what else should happen for everyone to completely lose trust in this scam.
by Louno on 9/7/21, 12:09 PM
by lanevorockz on 9/7/21, 1:13 PM
by pluc on 9/7/21, 12:20 PM
by neycoda on 9/8/21, 3:02 AM
by m-p-3 on 9/7/21, 1:06 PM
by atok1 on 9/7/21, 2:50 PM
by Ikatza on 9/7/21, 4:26 PM
by thrownaway561 on 9/7/21, 12:42 PM
by FirstLvR on 9/7/21, 2:55 PM
by bawana on 9/7/21, 1:14 PM
by antocv on 9/7/21, 12:45 PM
by Ginden on 9/8/21, 6:05 PM
by jeffbee on 9/7/21, 1:11 PM
by a3n on 9/7/21, 1:39 PM
by timdaub on 9/7/21, 12:20 PM
All email is shit. Nothing is encrypted and many companies simply try to sell you on better productivity (hey.com). Already having my email be encrypted so that the host can't read it is a step forward, in my opinion.
by 1cvmask on 9/7/21, 1:28 PM
https://en.wikipedia.org/wiki/Crypto_AG
And remember Mark Twain: “History Doesn't Repeat Itself, but It Often Rhymes”
by throwawayswede on 9/7/21, 4:31 PM
After a dude gets arrested, they’re like: oh, we were talking about advertisers! Who did you think?
What a trash team.
Proton mail ==
by eplanit on 9/7/21, 12:54 PM
I don't use PM, but it seems their product is end to end email encryption, not complete web anonymity. Maybe those wanting to add anonymity should access it via tor (if PM allows it).
by avereveard on 9/7/21, 12:04 PM
by anothernewdude on 9/7/21, 12:08 PM
by rvz on 9/7/21, 11:54 AM
So how long have ProtonMail kept this massive lie from its users then?
by ajay-b on 9/7/21, 12:05 PM
by raverbashing on 9/7/21, 12:16 PM
It is naive to imagine companies that have an address and take payments can ignore judicial decisions.
Yes there's a point about fighting decisions, but as people say "we live in a society".