@Thann
link
93M

so they lied about what they log…

@Jeffrey
link
11
edit-2
3M

Sort of. My understanding is that they do not start keeping logs until they’re formally compelled to. So, they can’t go back and see everything a user has done up to that point, but they can start tracking the user from that point forward.

@Thann
link
43M

True, but they didnt say, “we don’t preemptively log your IP”

@ProfessorYakkington
link
13M

I think this is probably true for most providers. They could add logs if they were legally required but don’t actively keep them. I think there is way too much stock put in the ‘we don’t log’ comments that are common amongst privacy tools. Most VPN providers can log if they have to and often do log some data for service abuse and load monitoring but quibble over the definition of what ‘we don’t log’ means. I used to work for a VPN provider where we kept statements in our privacy policies about some logging and users ripped us apart despite these comments being truthful + other providers being dishonest ( or at least confusing ); but since so many providers provided false confidence via slamming all over their site that they don’t log the user base buys into these statements as 100% true ( and unchangeable ) and providers that try and provide a realistic view of what can happen get slammed. I am happy to see that proton put the statement up. I would have preferred they had statements up already but just because another provider says they don’t log I wouldn’t trust these statements. For me, I am not too worried if the provider can log some data like ip when they receive a non-avoidable court order ( https://en.wikipedia.org/wiki/United_States_Foreign_Intelligence_Surveillance_Court ) as I generally expect this to be true for all services and my threat model isn’t to avoid three letter agencies. If your threat model requires avoiding three letter agencies then trusting almost any service provider is going to be difficult. Obviously you should be using tor to connect to anything but you would have to assume almost everything with a server is either compromised or can be given certain court orders. Using services like briar seem like your best bet ( https://briarproject.org/ ).

@johnsmith444
link
83M

Seems legit.

poudlardo
link
53M

yeah well they built their entire credibility on that basically. Now let’s watch this company falling down…

@blank_sl8
link
53M

They never claimed to be immune to legal orders.

@Ninmi@sopuli.xyz
link
33M

Do I actually have to worry about my email provider disappearing here?

@TheAnonymouseJoker
mod
link
63M

No. ProtonMail will stay better than GMail or Outlook no matter how this plays out.

RED Vulpix
link
3
edit-2
13d

Interesting how it was a climate activist that they used this on first. Not a sexual predator, bomber terrorist, human trafficker, or drug kingpin, the genuinely undoubtedly horrible kinds of people that the State tries to convince the public these surveillance legislation are targeting.

poVoq
link
13M

I don’t think it is a first at all… just the first time it has caused sufficient outrage that we get to hear about it.

Which is precisely why I think ProtonMail should actively fight those requests even if they are likely to lose. By staying quiet and complying the majority of people will never hear of such legal over-reach and just think all is fine.

@LemonWedge
link
13M

I was pretty shocked at this. They seemed to be the most privacy focused (And the most expensive).

Graveyard Leprechaun
link
13M

As an alternative to Protonmail, I can enthusiastically recommend Posteo as a privacy-centric and ethical email service. Well worth checking out!

@blank_sl8
link
2
edit-2
3M

But without the key feature of Protonmail, e2e encryption at rest. Almost all protonmail alternatives (tutanota being the exception) talk about “privacy” but don’t actually take this critical step.

If posteo is served a warrant or whatnot in whichever country it’s based, do you really think they’ll do anything differently than Protonmail anyway?

EDIT: I stand corrected. Posteo does in fact support encryption at rest (though I think it’s disabled by default): https://posteo.de/en/site/encryption#cryptomailstorage

ysu
link
13M

Protonmail only has e2e if you email another protonmail email. It’s impossible to have it across domains, if you actually care about security just use pgp.

@blank_sl8
link
03M

Correct me if I’m wrong, but I believe Protonmail stores emails encrypted on disk. So yes, Protonmail could store the unencrypted messages as they arrive, but as long as they don’t have a warrant at the time the message is received, they can’t access it later.

Graveyard Leprechaun
link
13M

I cannot ask any mail service to break the law (and jeopardize their own families, businesses, etc) just to protect my data. If Posteo is legally served a warrant, I expect them to comply with the legally authorized authorities. HOWEVER, all they can turn over is my encrypted data, because my account is set to automatically encrypt all saved data. Period. If the authorities want to waste their time and energy trying to decrypt that data (of which, only I posses the encryption keys), then have at it - they’ll be super disappointed (and really bored) by whatever they find, but whatever.

@carbon_dated
link
13M

I’m also a posteo user and recommend their service. They are paid however, but it’s ony 1 € per month, cash payments being accepted.

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

  • Posting a link to a website containing tracking isn’t great, if contents of the website are behind a paywall maybe copy them into the post
  • Don’t promote proprietary software
  • Try to keep things on topic
  • If you have a question, please try searching for previous discussions, maybe it has already been answered
  • Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
  • Be nice :)

Related communities

much thanks to @gary_host_laptop for the logo design :)

  • 0 users online
  • 22 users / day
  • 48 users / week
  • 171 users / month
  • 574 users / 6 months
  • 3.93K subscribers
  • 2.04K Posts
  • 9.65K Comments
  • Modlog