trash
84
@k_o_t
mod
link
fedilink
188M

this sucks, but I also can’t blame them too much

most people seem to have an unrealistic expectation for protonmail to function as an underground criminal organisation, providing email services to drug dealers, and wiping their asses with subpoenas, which runs contrary to their goal of providing user-friendly private email to as many people as possible, not only the ones that would go to extremes no matter what

Halce
link
fedilink
128M

The CEO of ProtonMail previously: https://threatpost.com/protonvpn-ceo-blasts-apple-myanmar/165022, and https://protonmail.com/blog/protesters-free-speech is pretty hypocritical now, but you can spot a pattern, that he only opposes the systems and governments the West opposes too. In that way, I consider him to be nothing more, than the willing tool of propaganda, for his own enrichement.

@k_o_t
mod
link
fedilink
148M

from their comment on reddit, it seems there wasn’t much they could do

In this case, Proton received a legally binding order from the Swiss Federal Department of Justice which we are obligated to comply with. There was no possibility to appeal or fight this particular request because an act contrary to Swiss law did in fact take place (and this was also the final determination of the Federal Department of Justice which does a legal review of each case).

what did you expect them to do?

Halce
link
fedilink
18M

Clearly state the difference between ProtonMail and ProtonVPN differences in the kinds of data that are being collected. The issue is not compliance, the issue is that they’d provide enough data for it to be useful, defeating the purpose of their privacy marketing.

poVoq
link
fedilink
08M

Try a little harder at least. Just the surrounding publicity even for a lost court-case would have been a net benefit.

Their explanation sound like “we couldn’t do anything against this legal over-reach because the entity that did the legal over-reach said that it was all legal and fine”, which when you think about it longer than 3 seconds is true for each and every case where the authorities request something. An internal “review” by a biased party involved in one side is not the same as a real test in court.

@k_o_t
mod
link
fedilink
48M

from my understanding it’s a legally binding order that they legally literally can’t appeal

poVoq
link
fedilink
0
edit-2
8M

Yes that is what they claim, but in most jurisdictions there is no such thing as an unappealable order (only after it has been already once dismissed in court can the judge rule-out further appeals) and there usually is some official legal recourse despite what the authorities like to claim in their own self-interest.

If there was a similar precedence case, which would have made chances in court extremely low, then they could have said so. But they basically admit by omission that they didn’t even try.

@k_o_t
mod
link
fedilink
48M

it’s not helpful to compare to the way this works in the rest of the world, because it doesn’t determine what’s exactly true in this case; I’m not an expert on swiss law by any means (lol), but I suspect that protonmail does have a lawyer proficient in swiss law, probably more than one, and i really doubt that what they tell is a lie

if we are operating off of the assumption that they are bad guys only interested in money (which i personally don’t think is the case), they would very much care about pr, and to not fight the case and then lie about it is pretty much the worst pr they think of

and if even if they did this foolish move, wouldn’t there be at least a few people who understand swiss law who would point out that this is a lie?

poVoq
link
fedilink
28M

I didn’t say it is blatant lie, but probably one by omission. There probably really isn’t a strait-forward way to appeal it (legal authorities like to do that in cases they know they would get a lot of appeals otherwise), but what do you think would have happened if they had not complied? Usually that then forces a court case, during which they can lay out their reasons why they think this was legal over-reach on the side of the Swiss authorities and a judge would be forced to make a ruling on that.

@k_o_t
mod
link
fedilink
38M

hmm, i see your point, maybe we should ask pm themselves at /r/protonmail what would happen in that case 🤔

@shortcakefediverse
link
fedilink
2
edit-2
8M

deleted by creator

https://www.techdirt.com/articles/20131002/17443624734/lavabit-tried-giving-feds-its-ssl-key-11-pages-4-point-type-feds-complained-that-it-was-illegible.shtml

No they didn’t actually, they turned over the SSL keys in a printed document which would give them access to all users’ data, but the FBI complained that they would have to input it all by hand which could lead to errors and re trials so they forced him to provide with a digital copy, after which he got fined and then decided to close the service.

@shortcakefediverse
link
fedilink
2
edit-2
8M

deleted by creator

Did you ever attempt to host an email server for activists?

@shortcakefediverse
link
fedilink
1
edit-2
8M

deleted by creator

@jedrax
link
fedilink
3
edit-2
5M

deleted by creator

@TheAnonymouseJoker
mod
link
fedilink
16
edit-2
8M

As always, comments get piled on while nobody understands the real issue. I expect far better quality than Reddit here.

  • ProtonMail has been exposed multiple times for not being activist friendly.
  • You are not supposed to use emails for high threat models without referring to this guide https://digdeeper.neocities.org/ghost/email.html
  • This is not a question of ProtonMail vs Gmail.
  • This is not a question of self hosting or not.
  • This is not a question about legalese crap, but what ProtonMail really stands for.
  • Everybody needs to understand the difference between privacy, security and anonymity and how this is achieved.

Ey, thanks for the comment. Really good one. Really useful resource

@bluetoucan
link
fedilink
2
edit-2
8M

This is not a question of ProtonMail vs Gmail.

What do you mean by this?
Presumably for a lot of people that is going to be the main, perhaps only, question.

And that is the problem here. ProtonMail is not going to keep you safe. Gmail is not going to keep you safe. Who is going to keep you safe? Your OPSEC. You possessing the knowledge about how email works, and how privacy, security and anonymity work, and how you will control these elements. These are the things that should be debated, not X vs Y email brand.

@shortcakefediverse
link
fedilink
9
edit-2
8M

deleted by creator

@jedrax
link
fedilink
5
edit-2
5M

deleted by creator

@TheAnonymouseJoker
mod
link
fedilink
2
edit-2
8M

My privacy community c/privatelife is in the sidebar of c/privacy ;)

Besides, I have provided massive amounts of content in the form of comments on Lemmy, on this year old account of mine. I am also on Reddit, where my r/privatelife exists.

@jedrax
link
fedilink
1
edit-2
5M

deleted by creator

That is a big Oof. But yeah, PM is far from being perfect. I use it bc:

  1. Better tan Gmail & etc
  2. Unable to selfhost email :c

But one thing, how secure will be to selfhost your own eMail? If I selfhost one, which will be the most secure & private teaks that I can apply?

@blank_sl8
link
fedilink
68M

If you selfhost the email on your own hardware, then the IP will be apparent to anyone. If you selfhost it on somebody else’s hardware, they can be legally compelled to log your IP as happened here with proton. But if you aren’t committing any crimes, selfhosting either way is probably more private than proton, since you are more confident in what software is running, while with proton you have to trust that the frontend being served is actually the e2e encrypted one

Lessgoo
link
fedilink
58M

Have you considered disroot mail? It’s what I use and it’s awesome

I personally use migadu. Don’t know about how private it is but I is cheap and allows for loads of addresses and domains.

@Canard
link
fedilink
28M

I red that reverse DNS is needed to not be considered as spammer, but my internet provider does not allow it yet. So in the meantime, I use Protonmail because of the first point you stated.

@tomtom
link
fedilink
18M

I use a vps. pretty cheap like 60 euros a year. you can pay in monero which I like.

poVoq
link
fedilink
13
edit-2
8M

Not a huge surprise, but the apparent total lack of legal resistance by ProtonMail to what looks like legal over-reach by the French & Swiss authorities is going to be a PR disaster for them, and rightly so.

@N0b3d
link
fedilink
28M

“Over-reach” in what way?

poVoq
link
fedilink
9
edit-2
8M

I did not look very deeply into that, but from what I read it was the French authorities that utilized anti-terror laws against some climate protesters that were squatting buildings in Paris, and because “terrorism” is a crime in Switzerland too the Swiss authorities just complied with the French request without questioning if the application of such laws was appropriate in relation to the “crime” committed.

IANAL, but if ProtonMail had legally challenged this there would have been at least a chance that a judge would have ruled in favor of ProtonMail because of this unjustified use of anti-terror legislation.

Yeah, but this helps exposing that you can’t trust nobody.

@tomtom
link
fedilink
18M

or better yet you can only trust nobody

poVoq
link
fedilink
118M

I wish they would go into more detail why this specific case could not be legally challenged. Their response sounds good otherwise (especially also that they recommend Tor for such cases), but this deliberate omission makes me think that the case was maybe not so clear cut after all.

@Gmork
link
fedilink
88M

I am assuming they were not using proton VPN?

@blank_sl8
link
fedilink
8
edit-2
8M

Even if their were, proton company would have been legally required to trace their connection through proton VPN. Using tor would have been the better move.

EDIT: apparently swiss laws exempt VPNs from these sorts of legal issues.

riccardo
link
fedilink
3
edit-2
8M

Would they? According to their recent blogpost about the controversy:

  1. Under current Swiss law, email and VPN are treated differently, and ProtonVPN cannot be compelled to log user data.

…just pasting their claims. If this is true, using a Swiss based, no-logging VPN would be enough to avoid your IP being revealed

@blank_sl8
link
fedilink
28M

That’s very interesting. I’ve updated my coment.

down daemon
link
fedilink
58M

Fuck I pay for them!

@Zalamander
link
fedilink
3
edit-2
8M

I have looked a bit into it. In case anyone is curious, I believe that the authorities found the e-mail in question (jmm18@protonmail.com) here:

https://paris-luttes.info/occupation-d-un-local-du-petit-14575?lang=fr

And/or here:

https://radar.squat.net/fr/event/paris/local-du-h/2021-02-24/ag-publique

@punctual
banned
link
fedilink
38M

Crazy

Really what is the average person suppose to do to have a private email? I heard Edward Snowden say that email is fundamentally flawed and will never be secure. I’ve thought about hosting my own email server, but even then i need to buy a domain name likely with my own card, buy a VPS with my own card and it traces back to me.

@Ferk
link
fedilink
4
edit-2
8M

“Private” and “Anonymous” are different things.

You can protect privacy with encryption, and I believe ProtonMail does work for that, but trying to protect anonymity is an entirely different beast. I’m not convienced it’s possible at all in any way that’s reliable (not just email but also even simple web browsing) unless there’s a change in how routing works in the internet, or a new layer is developed (like I2P, but even that’s not really a warranty).

Tor Browser works decently for web browsing. It’s a trade off in convenience, but its anonymity is pretty strong. If you need even stronger security, you can go with Tails or Whonix.

You can create a ProtonMail account over Tor, bur you need to verify it with a phone number or a small payment that you again need to get anonymously. It’s a lot of effort, but it’s possible to operate a ProtonMail account anonymously. Whether you really need this is up to your threat model. Also in this case a simple VPN would have probably been enough.

@Ferk
link
fedilink
1
edit-2
8M

Yes, Tor is another example of a “new layer” on internet routing (I2P functions the same, you can also use it to access the clearnet if you know an exit node). VPN would be fine if you could trust the provider, but imho that’s just shifting the trust to some other company, more of a patch rather than a proper solution to online anonymity.

@shortcakefediverse
link
fedilink
1
edit-2
8M

deleted by creator

@Ferk
link
fedilink
1
edit-2
8M

Sure, someone can have high standard for privacy and at the same time have no desire for anonymity. But what was compromised in this case is the identity of the person who owns the email. The email remains private, just not anonymous.

@shortcakefediverse
link
fedilink
1
edit-2
8M

deleted by creator

@Ferk
link
fedilink
1
edit-2
8M

What the email provider snitched is the IP address (which wasn’t “tori-fied”). So it was anonymity what was compromised in this case.

The email was openly used for activism so the police was already investigating it, they only wanted to know the identity of the physical person behind it, and that’s what ProtonMail helped with, since the activist didn’t use anonymizers. The police didn’t need to decrypt the contents of the account or compromise its privacy (which is what using ProtonMail would have protected against), just its anonymity.

@tomtom
link
fedilink
18M

rent a VPS with monero

the content emails could easily deanonymize you to whoever runs the VPS place.

@je_vv
creator
link
fedilink
4
edit-2
6M

deleted by creator

@LemonWedge
link
fedilink
18M

I like the idea of self hosting email - it just seems to be a total pain however. I’ve done it a few times but the process is so fragmented and I just don’t have the time to dedicate to maintaining it.

@Lunacy
banned
link
fedilink
1
edit-2
3M

deleted by creator

@Echedenyan
admin
link
fedilink
-28M

It is just propietary software in the server side and some parts of the client side.

It is also a company.

Just use something like Disroot.org

@juh
link
fedilink
48M

You can also use Briar.

Disroot.org is not an activist organization, they will do the same thing.

@Echedenyan
admin
link
fedilink
18M

I think there is a common misread here, I never said the issue could not happen, I mean that for helping or supporting this kind of company which runs services over propietary software during and without these issues, it is preferable to support Disroot on it.

Not centric on that part of the news but the simply fact that is just Protonmail.

@Echedenyan@lemmy.ml yes, but there are few caveats with disroot. What is special about companies like Protonmail and the like is that they store encrypted emails on their servers. According to disroot’s privacy policy: “All emails, unless encrypted by the user (with GnuPG/PGP, for example) are stored unencrypted on our servers.”, so in theory there is more data that can be forced to handover. Another concern about disroot is that they don’t have the budget for expensive security audits, their mail server is NextCloud, and their web-mail client is Rainloop web-mail, the later doesn’t seem to be very actively maintained, so how secure is it? I don’t know.

@_here_there_
link
fedilink
1
edit-2
8M

deleted by creator

@Echedenyan
admin
link
fedilink
1
edit-2
8M

Nextcloud is not a mail-server, don’t confuse it. Nextcloud has an Email app which can be connected to your account. They use LDAP for most services with few exceptions (f.e. Gitea).

If you have questions about the Email server and the webmail use you can ask them directly about it. The email stack I tell you that is one very known and is actively maintained.

The case with Rainloop is quite different because have been subject of controversy in the past regarding to its security, you can always ask about it.

About the security audit: most tasks at Disroot are SysAdmin/DevOps tasks can be checked in different repositories as they are deployed with different DevOps tools like Ansible ( https://git.disroot.org ). If there is something non-Standard/custom that should be audited (as this is the source of audits, not configurations that have been already audited commonly or are recommended already by security teams) you can always ask to the maintainers by email to support[AT]disroot[DOT]org. Sometimes they work close with maintainers of different software for bugfixes, etc (Nextcloud and different apps of it as example).

If you think there is something to be doubt, just start reporting to it to improve it instead of putting this as a supermarket of products which should be chosen exclusively and to which you cannot do anything. Protonmail is by source something that is not going to change in the same way that Disroot could by the base of it.

Disroot isn’t security oriented.

@Echedenyan
admin
link
fedilink
18M

https://disroot.org/en/blog/news01-2021-03

I spoke to Fede, a Disroot maintainer, already about inbox encryption.

@shortcakefediverse
link
fedilink
4
edit-2
8M

deleted by creator

poVoq
link
fedilink
9
edit-2
8M

The exact same IP logging could have happened with Signal under US law (Tor would have probably helped though).

@shortcakefediverse
link
fedilink
2
edit-2
8M

deleted by creator

poVoq
link
fedilink
5
edit-2
8M

Same as what ProtonMail claims. Here they were specifically ordered to start logging IP for an specific account and I am 100% sure the same could happen with Signal (and probably already did, but under US law Signal isn’t even allowed to talk about it).

@shortcakefediverse
link
fedilink
2
edit-2
8M

deleted by creator

SudoDnfDashY
link
fedilink
68M

Not signal. Its not open sourced and the new crypto shit is very bad. Use Matrix or Tox.

What part of Signal is not open source? Both the signal clients and server-side code is licensed under GPL and AGPL respectively.

They hadn’t published the server-side code (which we can’t verify they’re running on their AWS/Azure servers anyway) for a long period of time, however, it’s now being released to the public again.

@DnuOLp0
link
fedilink
58M

The problem with Signal is that you have to trust them instead of choosing a host that you trust or hosting a server yourself.

I agree. But it’s worse than what you’ve said here; Signal is only accessible on Android/iOS and not on the Pinephone and its myriad OSes, for example. People have to develop their own clients for Signal, but Signal has said that they will deny these clients access to the server. But there’s no way they’re going to develop Signal for these obscure platforms.

Now, whether they’d actually do that is another thing altogether, but they’ve said they would, and they’ve done it before.

As I mentioned before, Signal’s servers are hosted on AWS and Azure, which, even if that doesn’t concern you from a personal privacy perspective, Signal is funding these anti-privacy actors, and continued use of Signal increases its popularity, which increases the number of servers it needs to support users, which increases the amount of money it has to pay to these companies. So, by using Signal, you are indirectly financially supporting Amazon.

That makes me a little uncomfortable.

While you could make the argument that Signal’s servers can’t access your message content because it’s E2EE, metadata is still accessible, and probably accessible to Amazon and Azure, as they host the servers.

And Signal is also making weird moves lately with MobileCoin, which seems directly related to withholding their server source code for over a year.

Worst of all, you need a phone number to get Signal working. You could use a landline, or a free phone number, or a VOIP number, but you still need to do this to use Signal. Thankfully, it’s not limited to mobile numbers, because SIM cards are tied to your identity in some countries, but you need a phone number. This barrier to entry exists for no good reason. It exists for a reason (Signal was meant to replace SMS), but it’s not a good reason. Being given the option to link Signal to your phone is a good idea. Being forced to link Signal to a phone is dumb and annoying.

Signal might be open source, but they’re doing everything they can to close it off, which really annoys me.

But Signal isn’t proprietary, like @SudoDnfDashY suggested.

Good comment exposing all. I agree with you, what signal has been doing sucks. But I heard somewhere that there was a signal based app that was a bit better (not requiring phone number etc) I will research a bit about it.

@ethicallypulmonary
link
fedilink
1
edit-2
8M

That would be Session, the Australian Signal fork that uses a Tor-based network to route traffic and requires no information to setup. You don’t have to give any of your personal information to anyone you want to communicate with; you give them a randomised hash, which represents your address instead of a phone number. It’s even easier to setup than Signal because you don’t really have to do anything after you download it. I like it as a simple method to send encrypted messages between computers, because I don’t have to register a phone number every time I want another account. There’s no arbitrary 5 linked devices limit like Signal. Works on Windows/macOS/Linux.

I can’t imagine getting any of the people I know to use it, though.

The app is incredibly buggy and takes a long time to send and receive messages because of the onionized network. Also, it’s in Australia, a country that’s openly against end-to-end encryption and has been passing (and is still trying to pass) laws that mandate backdoors in encryption protocols. You can read about that here, under “Does the Australian government’s anti-encryption stance pose a risk to Session?”: https://getsession.org/faq

Session is developed by a non-profit foundation like Signal, and they also have their own cryptocurrency token, OXEN.

I think it’s definitely interesting, but there are probably too many annoyances for the people I know to use it on a daily basis.

Lessgoo
link
fedilink
18M

Can you give the name of the app?

Matrix is a metadata centralization network, I mean although it is decentralized, the level of metadata that is shared between servers is not good. Also checkout Matrix? No, thanks.

Better use good old XMPP there are many public servers. Realistically though, any server host would probably do exactly what Protonmail did here. This organization’s XMPP service seems like a good option though.

poVoq
link
fedilink
28M

Do you know if 5july.net offers a .onion address for use use with Tor?

I don’t think so, but XMPP servers in general don’t block tor exit nodes. There are some XMPP servers that have .onion addresses, checkout this list for example, I would recommend to always enable OMEMO end to end encryption and delete your account once you are done with it, you can always create a new account.

If you have trouble using some XMPP client you should join their XMPP chat group and ask for assistance.

@_here_there_
link
fedilink
1
edit-2
8M

deleted by creator

@shortcakefediverse
link
fedilink
4
edit-2
8M

deleted by creator

poVoq
link
fedilink
48M

OMEMO used in XMPP is the same encryption protocol as used in Signal and OLM used in Matrix is derived from Signal’s. So from that perspective at least that isn’t an advantage of Signal.

@shortcakefediverse
link
fedilink
2
edit-2
8M

deleted by creator

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

  • Posting a link to a website containing tracking isn’t great, if contents of the website are behind a paywall maybe copy them into the post
  • Don’t promote proprietary software
  • Try to keep things on topic
  • If you have a question, please try searching for previous discussions, maybe it has already been answered
  • Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
  • Be nice :)

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

  • 0 users online
  • 2 users / day
  • 38 users / week
  • 154 users / month
  • 539 users / 6 months
  • 4.89K subscribers
  • 2.4K Posts
  • 11.8K Comments
  • Modlog