• vexikron@lemmy.zip
    link
    fedilink
    arrow-up
    7
    arrow-down
    6
    ·
    edit-2
    1 year ago

    Everyone just memory hole and forget about how they complied with a subpoena to turn over the IP and phone number of a French protestor to EUROPOL, leading to their arrest.

    Yep, that happened while they were telling their users they do not log IPs and are secure and will protect your privacy, as they still are.

    https://techcrunch.com/2021/09/06/protonmail-logged-ip-address-of-french-activist-after-order-by-swiss-authorities/

    And yes, this is unambiguous, they admitted to doing it.

    • TWeaK@lemm.ee
      link
      fedilink
      English
      arrow-up
      16
      arrow-down
      1
      ·
      1 year ago

      They don’t log IP addresses, but some governments have laws where the court can compel them to start logging, which is what they did here. It was also a unique situation between France and Switzerland where the two countries have specific agreements when laws between them are the same, such that if you commit a crime in one country the other will help to catch you. With ProtonMail being based in Switzerland, where the court order was issued, there was far less room for them to do anything about it.

      What they did was in line with what their terms and conditions stated at the time. Afterwards, they reworded the terms to make it more clear.

      All businesses have to comply with court orders, and unfortunately a single user isn’t a hill worth dying on. All users and fundamentally undermining encryption is, though.

      • DacoTaco@lemmy.world
        link
        fedilink
        arrow-up
        10
        ·
        1 year ago

        This, pretty much. A tl;dr for anyone needing it : they, a swiss company, were forced to start logging the one user by a swiss court/law

      • vexikron@lemmy.zip
        link
        fedilink
        arrow-up
        1
        arrow-down
        1
        ·
        edit-2
        1 year ago

        They advertised that they dont log IP addresses while they were logging the IP address of at least one user.

        Then they got caught doing this and did a PR campaign to explain why.

        This is duplicitous, false advertising, and lying until they got caught.

        Further, due to the nature of warrants, the tech involved, how investigations work, relevant laws blah blah… this means that potentially any user could be subpoenaed by the Swiss gov, and ProtonMail would give out their IP without ProtonMail telling said user. This means any user based in a country that has roughly friendly relations with the Swiss gov is at risk.

        I thought a whole point of safe and secure email services is that they are also safe and secure from governments? Most of them are marketed that way.

        I dont know about yall, but if they even have the organizational and technical capacity to provide the info they did, they are a piss poor ‘private and secure’ email provider.

        • TWeaK@lemm.ee
          link
          fedilink
          English
          arrow-up
          4
          arrow-down
          1
          ·
          1 year ago

          It wasn’t a PR campaign, they literally just posted an explanation in a single blog post.

          They don’t log IP addresses in normal operation. However, when they’re issued with a lawful court order they have to comply. Swiss law states that they can be compelled to start logging IP addresses with such a court order. Their terms stated the first 2 sentences, but didn’t explicitly clarify the 3rd.

          This means any user based in a country that has roughly friendly relations with the Swiss gov is at risk.

          It absolutely doesn’t. France and Switzerland have a special agreement between law enforcement that only covers laws they both have - eg, if you commit a crime in one country that is also a crime in the other, the other country’s law enforcement will help. They committed a “crime” (not getting into the merits of the crime and whether it should be one) in France and then went to Switzerland, what they did is also a crime in Switzerland, so Swiss law enforcement got involved.

          In any other country Swiss law enforcement would not have been involved in the investigation. Maybe there could be an extradition claim, but that would require significant evidence in advance. In this special circumstance, which is unique to these two countries, Switzerland took part in the investigation to collect the evidence.

          Any service provider has to follow the law. Your issue isn’t with the service provider, it’s with the laws they have to operate under.

    • AnonStoleMyPants@sopuli.xyz
      link
      fedilink
      arrow-up
      7
      arrow-down
      2
      ·
      1 year ago

      Yes, a company was legally obligated to turn over the data it is legally obligated to collect. I am shocked I tell you.