Interesting how it was a climate activist that they used this on first. Not a sexual predator, bomber terrorist, human trafficker, or drug kingpin, the genuinely undoubtedly horrible kinds of people that the State tries to convince the public these surveillance legislation are targeting.
I don’t think it is a first at all… just the first time it has caused sufficient outrage that we get to hear about it.
Which is precisely why I think ProtonMail should actively fight those requests even if they are likely to lose. By staying quiet and complying the majority of people will never hear of such legal over-reach and just think all is fine.
so they lied about what they log…
Sort of. My understanding is that they do not start keeping logs until they’re formally compelled to. So, they can’t go back and see everything a user has done up to that point, but they can start tracking the user from that point forward.
True, but they didnt say, “we don’t preemptively log your IP”
I think this is probably true for most providers. They could add logs if they were legally required but don’t actively keep them. I think there is way too much stock put in the ‘we don’t log’ comments that are common amongst privacy tools. Most VPN providers can log if they have to and often do log some data for service abuse and load monitoring but quibble over the definition of what ‘we don’t log’ means. I used to work for a VPN provider where we kept statements in our privacy policies about some logging and users ripped us apart despite these comments being truthful + other providers being dishonest ( or at least confusing ); but since so many providers provided false confidence via slamming all over their site that they don’t log the user base buys into these statements as 100% true ( and unchangeable ) and providers that try and provide a realistic view of what can happen get slammed. I am happy to see that proton put the statement up. I would have preferred they had statements up already but just because another provider says they don’t log I wouldn’t trust these statements. For me, I am not too worried if the provider can log some data like ip when they receive a non-avoidable court order ( https://en.wikipedia.org/wiki/United_States_Foreign_Intelligence_Surveillance_Court ) as I generally expect this to be true for all services and my threat model isn’t to avoid three letter agencies. If your threat model requires avoiding three letter agencies then trusting almost any service provider is going to be difficult. Obviously you should be using tor to connect to anything but you would have to assume almost everything with a server is either compromised or can be given certain court orders. Using services like briar seem like your best bet ( https://briarproject.org/ ).
Seems legit.
yeah well they built their entire credibility on that basically. Now let’s watch this company falling down…
They never claimed to be immune to legal orders.
Do I actually have to worry about my email provider disappearing here?
No. ProtonMail will stay better than GMail or Outlook no matter how this plays out.
As an alternative to Protonmail, I can enthusiastically recommend Posteo as a privacy-centric and ethical email service. Well worth checking out!
But without the key feature of Protonmail, e2e encryption at rest. Almost all protonmail alternatives (tutanota being the exception) talk about “privacy” but don’t actually take this critical step.
If posteo is served a warrant or whatnot in whichever country it’s based, do you really think they’ll do anything differently than Protonmail anyway?
Protonmail only has e2e if you email another protonmail email. It’s impossible to have it across domains, if you actually care about security just use pgp.
Correct me if I’m wrong, but I believe Protonmail stores emails encrypted on disk. So yes, Protonmail could store the unencrypted messages as they arrive, but as long as they don’t have a warrant at the time the message is received, they can’t access it later.
I cannot ask any mail service to break the law (and jeopardize their own families, businesses, etc) just to protect my data. If Posteo is legally served a warrant, I expect them to comply with the legally authorized authorities. HOWEVER, all they can turn over is my encrypted data, because my account is set to automatically encrypt all saved data. Period. If the authorities want to waste their time and energy trying to decrypt that data (of which, only I posses the encryption keys), then have at it - they’ll be super disappointed (and really bored) by whatever they find, but whatever.
I’m also a posteo user and recommend their service. They are paid however, but it’s ony 1 € per month, cash payments being accepted.
Dam son. You think they confiscated their ravioli?
I was pretty shocked at this. They seemed to be the most privacy focused (And the most expensive).