If you pay Proton Mail for a service, they may hand over the payment data in response to a court order: https://www.404media.co/proton-mail-helped-fbi-unmask-anonymous-stop-cop-city-protestor/
-
If you pay Proton Mail for a service, they may hand over the payment data in response to a court order: https://www.404media.co/proton-mail-helped-fbi-unmask-anonymous-stop-cop-city-protestor/
@evacide@hachyderm.io Fuck me, I've been trusting Proton to keep their heart and soul.
Not that I'm in the US or doing anything criminal, but it still sucks to lose trust.
I'm deeply locked in with Passmail and stuff tho, so it's not trivial to change providers.
-
Proton alternatives, for everyone's consideration:
️ Email: Tuta (free) or Proton (free tier)
VPN: Mullvad or IVPN (pay with Monero)
Password manager: Bitwarden (free)🥷
Email aliasing: Addy.io (pay with Monero) or SimpleLogin (belongs to Proton, but still, and Monero is an option apparently)Of course, those services and Monero might be honeypots, who knows. They're all FOSS as far as I'm tracking, but I didn't audit any of them personally. That's probably the best we've got I guess. And I believe some take cash payments too, if Monero isn't an option.
@victor_mori@infosec.exchange @evacide@hachyderm.io speaking of #Bitwarden, you could self-host #Vaultwarden
-
If you pay Proton Mail for a service, they may hand over the payment data in response to a court order: https://www.404media.co/proton-mail-helped-fbi-unmask-anonymous-stop-cop-city-protestor/
@evacide never understood why people liked them. I thought they were clowns ever since their first trivial reflected XSS when they initially launched
-
If you pay Proton Mail for a service, they may hand over the payment data in response to a court order: https://www.404media.co/proton-mail-helped-fbi-unmask-anonymous-stop-cop-city-protestor/
@evacide Anyone who thinks Proton, Tuta or any other company is going to disobey a court order to protect a user is delusional. Proton states upfront that for absolute anonymity, use a free account (or pay with cash or whatever) and only connect using their onion site. They've never given up the content of emails (cause its encrypted in such a way that they can't access). They've never given any log info for VPN use (cause they have a strict no logs policy). Its as simple as that.
-
If you pay Proton Mail for a service, they may hand over the payment data in response to a court order: https://www.404media.co/proton-mail-helped-fbi-unmask-anonymous-stop-cop-city-protestor/
@evacide This...seems perfectly normal? Like, what was Proton's alternative here?
-
-
@Tekchip Feel free to reply to them while leaving me out of it.
-
@evacide This...seems perfectly normal? Like, what was Proton's alternative here?
-
If you pay Proton Mail for a service, they may hand over the payment data in response to a court order: https://www.404media.co/proton-mail-helped-fbi-unmask-anonymous-stop-cop-city-protestor/
@evacide Yes, that's following the law. All reputable companies follow the law.
I'm not a big fan of 404 media for the way they try and hype things that people might need info on or be ignorant of, but use terms of sensationalism.
-
If you pay Proton Mail for a service, they may hand over the payment data in response to a court order: https://www.404media.co/proton-mail-helped-fbi-unmask-anonymous-stop-cop-city-protestor/
@evacide use cyberfear and their related mailum
-
@evacide so the only real solution is to run your own mail server, because corporations will always do this if pressured?
-
If you pay Proton Mail for a service, they may hand over the payment data in response to a court order: https://www.404media.co/proton-mail-helped-fbi-unmask-anonymous-stop-cop-city-protestor/
@evacide aren't their servers based in Switzerland
-
@private_brewing @evacide I guess? It's definitely nontrivial because they have to deal with recurring payments (so they need _some_ way to charge the card even if someone isn't logged in, since paid accounts are not subject to auto-deletion).
The rhetoric around this has been pretty shitty too because *of course* Proton is going to comply by sharing whatever little info they have if ordered by a Swiss court - they make that exceptionally clear.
-
@private_brewing @evacide I guess? It's definitely nontrivial because they have to deal with recurring payments (so they need _some_ way to charge the card even if someone isn't logged in, since paid accounts are not subject to auto-deletion).
The rhetoric around this has been pretty shitty too because *of course* Proton is going to comply by sharing whatever little info they have if ordered by a Swiss court - they make that exceptionally clear.
@private_brewing @evacide And like, most alternatives would do *exactly* the same thing when ordered by courts in their jurisdiction. Other than Tutanota and perhaps a few others, most have access to *more* information, and some of the big ones *proactively* share information.
The fact that some people have the gall to sit here saying that Proton, a company, should refuse to share info after being ordered by a Swiss court is ludicrous.
-
@private_brewing @evacide And like, most alternatives would do *exactly* the same thing when ordered by courts in their jurisdiction. Other than Tutanota and perhaps a few others, most have access to *more* information, and some of the big ones *proactively* share information.
The fact that some people have the gall to sit here saying that Proton, a company, should refuse to share info after being ordered by a Swiss court is ludicrous.
@private_brewing @evacide And I agree with you that the best option perhaps would be designing a payments system that allows all of their usecases without storing payment tokens or whatever in "plaintext" (meaning accessible to the company). Given the care they put into literally every single one of their products, I find it hard to believe that they would not have implemented this if it were trivial.
-
If you pay Proton Mail for a service, they may hand over the payment data in response to a court order: https://www.404media.co/proton-mail-helped-fbi-unmask-anonymous-stop-cop-city-protestor/
@evacide
I don't know why people are so surprised by this. Few people bother to read it but Proton do spell out about data disclosure and law enforcement in their privacy agreements etc.
https://proton.me/legal/privacy -
If you pay Proton Mail for a service, they may hand over the payment data in response to a court order: https://www.404media.co/proton-mail-helped-fbi-unmask-anonymous-stop-cop-city-protestor/
@protonprivacy would you please comment on this?
-
If you pay Proton Mail for a service, they may hand over the payment data in response to a court order: https://www.404media.co/proton-mail-helped-fbi-unmask-anonymous-stop-cop-city-protestor/
@evacide I’m no fan of ProtonMail, or its trumpy ceo “andy88”, but I don’t think they should be expected to put themselves in legal danger for the sake of their customers. Maybe their marketing should make that clear, but no sane person should expect a for-profit company to go to jail for you.
The law is wrong here, as it usually is with stuff like this. But they have to obey one way or another.
-
If you pay Proton Mail for a service, they may hand over the payment data in response to a court order: https://www.404media.co/proton-mail-helped-fbi-unmask-anonymous-stop-cop-city-protestor/
@evacide I get Proton had little choice here complying with a legal Swiss court order and recording the data… my big question here is why the Swiss authorities complied with the FBI request on what looks like a (not across the details) legit protest group?
Surely the fault here is at the feet of the Swiss government for cooperating with the FBI request?
Sorry… much as I am not a big fan of Proton, this looks like they direct they were forced to, legally and only after court order.
-
All email providers that operate legally - including Tuta - must provide this info if they have it upon court request. If your threat model includes this risk, then having owners in a different country does not protect you at all.
To be clear, I like Tuta, but I haven't seen any evidence yet that they wouldn't be forced to do the same if they operate there.@schroedingerspossum @maya_b @cliffle This is exactly it. It's bad opsec to leave data your provider can hand over. Any company must and will comply with local law. It's your responsibility to not leave a paper trail. Proton, like a few other service providers like Mullvad, offers cash payments via mail. If you don't use that or stick to a free plan, that's on you.
️
