• imkali@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    70
    ·
    edit-2
    8 months ago

    Sounds like an avoidable problem, that Proton didn’t have a whole lot to fight it with. Obviously they could/should have fought it in court, but this could have been avoided if the individual simply didn’t link a recovery email and/or didn’t share the same email across Apple products + protesting. Although, the article does point out that if you sign up over Tor or a VPN it requires a verification email, which sucks- though you could just use a temporary email address to get around it. As CaptObvious pointed out (literally @CaptObvious@literature.cafe lmfao) the reporter pointed out Proton rejects temporary emails.

    Key information:

    The core of the controversy stems from Proton Mail providing the Spanish police with the recovery email address associated with the Proton Mail account of an individual

    individual is suspected of being a member of the Mossos d’Esquadra (Catalonia’s police force) and of using their internal knowledge to assist the Democratic Tsunami movement.

    Upon receiving the recovery email from Proton Mail, Spanish authorities further requested Apple to provide additional details linked to that email, leading to the identification of the individual.

    This case is particularly noteworthy because […] complex interplay between technology firms, user privacy, and law enforcement.

    requests were made under the guise of anti-terrorism laws

    primary activities of the Democratic Tsunami involving protests and roadblocks

    Proton Mail’s compliance with these requests is bound by Swiss law

    Comment from Proton:

    We are aware of the Spanish terrorism case involving alleged threats to the King of Spain, but as a general rule we do not comment on specific cases. Proton has minimal user information, as illustrated by the fact that in this case data obtained from Apple was used to identify the terrorism suspect. Proton provides privacy by default and not anonymity by default because anonymity requires certain user actions to ensure proper OpSec, such as not adding your Apple account as an optional recovery method. Note, Proton does not require adding a recovery address as this information can in theory be turned over under Swiss court order, as terrorism is against the law in Switzerland.

          • AlteredStateBlob@kbin.social
            link
            fedilink
            arrow-up
            8
            ·
            8 months ago

            I mean, suit yourself if you insist that you can or only want to do it with a throwaway. I’m saying you can do it with similar services like tutanota as the failover address, eliminating the need for a throwaway.

            • CaptObvious@literature.cafe
              link
              fedilink
              English
              arrow-up
              5
              ·
              8 months ago

              My bad. I thought Tuta also required a verification email when I created an account several years ago. Just tried it, and they don’t appear to these days. Good to know. Thanks.

        • CaptObvious@literature.cafe
          link
          fedilink
          English
          arrow-up
          4
          ·
          8 months ago

          It feels a little like we’re playing Whack-a-Mole with threading multiple email providers here. :)

          The handle is a hobby nickname, by the way. My wife started calling me that as a trail name several years ago, and it stuck.

    • OnePhoenix@lemmy.world
      link
      fedilink
      English
      arrow-up
      16
      ·
      8 months ago

      I don’t know if what I do is the right way around this but, as stated Proton will reject disposable verification emails and you cannot use another proton account to verify a new one.

      My workaround for this is to verify proton with a Tutanota account which is also created with as little to no identifiable information as possible.

      TLDR: Proton accepts Tuta emails for verification and Tuta emails can be created anonymously.

  • chalk46@kbin.social
    link
    fedilink
    arrow-up
    58
    ·
    8 months ago

    nothing I read about this group on Wikipedia points to terrorism, it repeatedly says they advocate nonviolence
    I guess these days though it’s become some kind of magic password to get whatever the hell you want

  • Alien Nathan Edward@lemm.ee
    link
    fedilink
    English
    arrow-up
    19
    ·
    7 months ago

    The requests were made under the guise of anti-terrorism laws

    Remember this the next time someone in government says “We need tough anti-terrorism laws”. They also get to define what counts as terrorism, so anyone inconvenient can be destroyed and the public told “We’re just keeping you safe from terrorism.”

    • GenderNeutralBro@lemmy.sdf.org
      link
      fedilink
      English
      arrow-up
      8
      ·
      8 months ago

      They could avoid storing the recovery email in plaintext. A hash would be sufficient if they require the user to enter their recovery email for confirmation when they really need to recover the account.

      For an ostensibly privacy-oriented service, Proton makes some weird architectural choices.

      • Mikufan@ani.social
        link
        fedilink
        English
        arrow-up
        12
        ·
        8 months ago

        I’ve had to use the recovery, they need plaintext because they send you a recovery code or a support ticket (depends) nobody knows all their emails.

        • GenderNeutralBro@lemmy.sdf.org
          link
          fedilink
          English
          arrow-up
          4
          ·
          8 months ago

          they need plaintext because they send you a recovery code or a support ticket

          Sure, but we’re talking about architectural choices. It is Proton’s choice to use that system; it is not required for the goal of account recovery.

          • Mikufan@ani.social
            link
            fedilink
            English
            arrow-up
            2
            ·
            8 months ago

            Well yes but you could just set another Proton account as recovery and not your email which you used to sign up to everything…

              • Mikufan@ani.social
                link
                fedilink
                English
                arrow-up
                1
                ·
                7 months ago

                Well… I did… Idk

                Well on the other hand you can just not be a terrorist (for that case)

                You can also set a temporary mail if another Proton isn’t working. There are enough ways around such restrictions.

    • Venia Silente@lemm.ee
      link
      fedilink
      English
      arrow-up
      1
      ·
      7 months ago

      They could host themselves in a different place with better privacy laws. I’ve always wondered why, for example, don’t privacy services establish themselves in international waters or in micronations such as Sealand.

      • Mikufan@ani.social
        link
        fedilink
        English
        arrow-up
        1
        ·
        7 months ago

        Because Proton is part of CERN and the privacy laws in Switzerland are very strict. They just have to hand over stuff for very certain cases, terrorism and treason being such cases.

        • Venia Silente@lemm.ee
          link
          fedilink
          English
          arrow-up
          1
          ·
          7 months ago

          , terrorism and treason being such cases.

          but “muh terrorism” is such a wildcard that it can be (and is) used to excuse anything, so that’s pretty much the same as saying that Proton does not offer any guarantee at all.

    • Jako301@feddit.de
      link
      fedilink
      English
      arrow-up
      68
      ·
      8 months ago

      Proton upheld their claim of privacy, no Emails were disclosed. But they never promised anonymity cause that’s something they simply can’t do under the Swiss law. If you willingly give them your other mail addresses or contact details, they have to comply. Sure they could have denied the Spanish authorities, but it takes less than a week to get a court order for things like this.

      • CaptObvious@literature.cafe
        link
        fedilink
        English
        arrow-up
        24
        ·
        8 months ago

        And if they didn’t require that secondary email address or would allow a temporary, they would have had nothing to give in the first place.

        Proton aren’t the victim here.

          • Baku@aussie.zone
            link
            fedilink
            English
            arrow-up
            4
            ·
            8 months ago

            They do in certain cases. If you sign up through a VPN or Tor, they require you to provide a recovery email. They don’t accept temporary email addresses, and even if you don’t sign up work a VPN, they’ll still collect and be obligated to hand over your IP

        • kingster@lemmy.world
          link
          fedilink
          English
          arrow-up
          36
          ·
          8 months ago

          Proton doesn’t require a recovery email.

          Proton isn’t the victim, but they aren’t at fault either.

        • 4am@lemm.ee
          link
          fedilink
          English
          arrow-up
          21
          ·
          8 months ago

          Oh yes because you HAVE to give them your real.name@gmail address. Very cool and privacy focused.

          Suspect knew what info he had put where. Poor OPSEC.

    • requiem@lemmy.world
      link
      fedilink
      English
      arrow-up
      24
      ·
      8 months ago

      Depends in what field. Proton, at least, doesn’t scan your email contents and metadata to sell it on to advertisers.

        • ᗪᗩᗰᑎ@lemmy.ml
          link
          fedilink
          English
          arrow-up
          13
          ·
          8 months ago

          I’m gonna need some evidence before I believe Google isn’t analyzing all the data that passes through it unencrypted.

        • sigmaklimgrindset@sopuli.xyz
          link
          fedilink
          English
          arrow-up
          6
          ·
          8 months ago

          Google doesn’t sell your data because they don’t need to. They take the data and use something called Real Time Bidding that also skirts GDPR and data protection laws/best practices.

          People in this thread are really showing their ass about how little they know about how their data is actually being collected and protected. Sure, Proton isn’t 100% private, but to say Proton and Gmail are on the same levels of consumer protection is hilarious.

      • CaptObvious@literature.cafe
        link
        fedilink
        English
        arrow-up
        4
        ·
        8 months ago

        Clearly, they do collect metadata and share it with police for the asking. Personally, advertising seems the lesser evil.

        • Lileath@lemmy.blahaj.zone
          link
          fedilink
          English
          arrow-up
          14
          ·
          8 months ago

          It wasn’t metadata it was an entirely optional recovery email address that he used for his apple account.

        • Encrypt-Keeper@lemmy.world
          link
          fedilink
          English
          arrow-up
          4
          ·
          8 months ago

          Wrong on both counts. Google on the other hand does everything you’ve accused proton of, and much, much more.

          • CaptObvious@literature.cafe
            link
            fedilink
            English
            arrow-up
            1
            ·
            8 months ago

            Evidence? I’ll stipulate Google’s culpability. I never said that Gmail is better than Proton just that there’s not a lot of difference between them, Proton fanbois’ protestations to the contrary notwithstanding.

            • Encrypt-Keeper@lemmy.world
              link
              fedilink
              English
              arrow-up
              4
              ·
              7 months ago

              The evidence is in the article above. They don’t cooperate with police requests for information, they only comply with legal orders from the Swiss judicial system. Google on the other hand not only works directly with police, but has been known to initiate contact with police, handing over the contents of entire accounts unprompted.

              Then there’s the fact that the metadata supplied by Proton in this case isn’t even required to use the platform. It’s an optional feature a user can opt into for usability, at the expense of a little anonymity.

              The differences between Proton and other providers like Google are immense. Proton can’t hand over the contents of your account because they don’t even have access to it. Google on the other hand has total access to all your data that they regularly abuse for profit, and will gladly hand over the entirety of to law enforcement. After all, the headline as posted to Lemmy here is misleading. The user wasn’t found out due to Proton, they were found out due to Apple. There’s your difference right there. They couldn’t do anything with the information they got from Proton directly, they had to link it to a different service that unlike Proton, handed over all the users information.

              • CaptObvious@literature.cafe
                link
                fedilink
                English
                arrow-up
                1
                ·
                7 months ago

                So there’s no real evidence of Google doing what you accuse them of?

                Again, I’m no gigantic fan of Google, but they don’t seem any less reliable than Proton.

                • Encrypt-Keeper@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  edit-2
                  7 months ago

                  https://policies.google.com/terms/information-requests

                  Google can and will share not only metadata, but the full content of all data you have stored on Google servers, including emails, files, and photos. Proton on the other hand can’t share your emails, files or photos with anyone, even if they wanted to.

                  https://www.koffellaw.com/blog/google-ai-technology-flags-dad-who-took-photos-o/

                  Here’s one of a few cases where Google’s AI will analyze all photos and files you’ve uploaded to Google photos, google drive, or sent/received via Gmail, and can automatically close your account and will report you to authorities. In this particular case, after being alerted by Google, local authorities investigated and found that no crime had occurred. Yet they never restored access to his account. Proton once again doesn’t even have access to the content of the files you upload to their drive offering.

                  The differences between these two companies are inarguably vast. Suggesting otherwise is absurd. Yet accounts like yours fight tooth and nail to spread misinformation to discredit privacy-centric service companies. Makes me wonder what your real motives are, because privacy is not one of them.

          • CaptObvious@literature.cafe
            link
            fedilink
            English
            arrow-up
            1
            ·
            edit-2
            8 months ago

            Spanish police asked for a court order which was apparently easy to get. So yes, for the asking.

            I never said I have nothing to hide. I said I don’t trust any online service to keep it a secret. And if it’s really important, I sure as hell won’t send it on a postcard (email).

    • summerof69@lemm.ee
      link
      fedilink
      English
      arrow-up
      20
      ·
      8 months ago

      I don’t think that Proton sells my data to advertisers or trains AI using my emails and documents. As of laws, unfortunately any service in any reputable country has to obey them. You can always buy a server in some banana republic and set up an email service there, but even then there are some risks.

      • CaptObvious@literature.cafe
        link
        fedilink
        English
        arrow-up
        3
        ·
        8 months ago

        All good unrelated points.

        With Proton’s anti-privacy requirements for establishing service, they don’t deserve anyone’s trust. They’re just a LEO honeypot that charges you to get in. Again, in that regard, you may as well stick with free Google. At least they’re (mostly) honest about what they are.

        • Pasta Dental@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          7
          ·
          8 months ago

          How is proton being dishonest here? I’d like to read your point. They never pitched themselves as a way to protect yourself from the law, they always clearly said they are a confidential email provider, meaning they don’t know what you are sending and receiving. It works like a doctor meeting, the information is very confidential, but not anonymous, it is tied to you even though nobody except authorized parties should be able to access this info.

    • Rogers@lemmy.ml
      link
      fedilink
      English
      arrow-up
      18
      ·
      8 months ago

      Way way better than gmail IMO. One simple reason is if you have something wrong with your account you can get in contact with a real human. And still better data protection than anything in the US. I’m not a journalist or freedom fighter so for my use case it’s ideal.

      • CaptObvious@literature.cafe
        link
        fedilink
        English
        arrow-up
        3
        ·
        8 months ago

        Fair point. And if whatever you want to keep private isn’t likely to get you killed, then Proton is probably as good as any.

  • Jin@lemmy.world
    link
    fedilink
    English
    arrow-up
    3
    ·
    edit-2
    8 months ago

    Obviously they have user data that be shared. I can’t even remove my card details (burner) when everything is paid for.

    But I wonder They got the recovery email and requested a new password for proton… another reminder to set 2FA