Conversation

so if you want to subscribe to a vpn, and you were considering proton, maybe don't

https://infosec.exchange/@josephcox/116178496048136287

@krypt3ia i run my own, on my own hardware, in a datacenter :D

@Viss you can pay Proton by cash via mail to stay anonymous.

@floriann and you would go to those lengths to pay them even though they'd turn over your logs still? tsk tsk

@Viss You get on the naughty list, they will just access it with warrant.

@krypt3ia yeah but then there's the lavabit way. just don't log. or log in such a short timeframe that the bureaucracy makes it impossible to get shit done in time

@bhhaskin @floriann in america - but proton isn't american. so why are they complying with a foreign law enforcement agency?

@bhhaskin @floriann like, the fbi can't issue a warrant to like, austria or switzerland or wherever. they have zero jurisdiction. so if proton isn't american, and they handed logs over to the fbi, it means they did it willingly

@Viss @floriann I mean this isn't the 90s anymore, most countries have legal mechanics in place for that kind of thing.

@bhhaskin @floriann yes - and having had to partake in some of them, those mechanics are:
- folks here try to figure out who the folks on the other side are they need to get ahold of
- one agency here tries to talk to another agency there
- they basically have to do puppydog eyes and beg
- the other agency can tell them to get fucked if they want

and that entire exchange makes it into the news articles, cuz both agencies get credit

@bhhaskin @floriann the best examples of these sorts of things are when american law enforcement goes after csam peddlers in another country. they'll usually mention that it was like, interpol or whoever they worked with, and that'll be clearly written about as such.

but this article only mentions proton, and the fbi

which, again, says they worked directly.
and if that's the case

proton turned over logs without any "legal pressure to". willingly.

@Viss @floriann hard to say without knowing the details. It could just be a poorly written article, or an article that is trying to push a narrative. (Can't actually read it behind the paywall)

A hypothetical could be that the FBI reached out to visa and asked them to have a business comply or lose access to payment services. Not saying that is what happened, but just that there could be a ton of reasons why it happened.

It wouldn't surprise me in the least if Proton willingly handed over, though. Just pointing out that really in this day and age that is any business.

@bhhaskin @floriann so it looks like america and switzerland have a deal where the cops here can get the cops there to comply.

sigh

@Viss i can't access the article so I don't know which logs you are referring to.

In general proton has a no logs policy but I guess they might be forced to log access to specific accounts on demand.

To mitigate this they offer Tor access. I personally don't use Proton and I think if some state actor is after you probably can't stay anonymous using convenient services.

I don't trust any VPN providers because it is the best Crypto AG like business appliance I can think of.

It's easy to tell the people to avoid Proton VPN because they might track you down when authorities walk in their offices and pull the business files out of the folders - but I can't think of any VPN that is better protected in that regard.

@floriann they turned over payment and subscriber details, and the person using the email used their personal bank/credit card to pay, and that data exposed their identity.

@Viss @bhhaskin well I guess it's not that easy - there are mutual legal agreements to speed things up. And as far as I can tell Europeans won't easily reject a request from US authorities because they fear punishment.

@Viss @bhhaskin I don't know if the user was a US citizen and I would like to hope that for an EU citizen it would be any different.

But the problem is that we're completely dependent on the US. Let's think of Nicolas Guillou (https://www.heise.de/en/news/How-a-French-judge-was-digitally-cut-off-by-the-USA-11087561.html) and this was just a single pointed act of revenge.

@floriann @bhhaskin based on the topic of the article, it would be surprising if the owner of the account was not a US citizen. but yeah, your point still is an important one - if the fbi can 'just get stuff' from switzerland, and the guy in charge is... ugh. ... just fucking look at him

then yeah, its a problem for literally everyone

@Viss @floriann

Mystified as to why Proton did it. That was a major business-limiting action. Really dumb. Kompromat maybe? Truckload of money? Been on the wrong side for years but let it slip this time?

Whatever the reason, it's useful to know that they're worse than the obvious ones like Google and MS, because Proton lies about their standards and practices.

@jakebrake @floriann so turns out there's this MLAT thing between the us and switzerland, and the fbi was able to get swiss authorities to pressure proton into turning over subscriber data

@Viss @bhhaskin @floriann they are not, they are dealing with Swiss law enforcement. They received a legally binding request by Swiss LE. That it was caused by an MLAT from the US is not relevant.

@Viss I'm more inclined to recommend people not to pay for 404 Media. That headline is not only horribly inflammatory and biased - it's flat out wrong.

Proton followed what's stated in their ToS by complying with Swiss law. All companies, everywhere, do.

If you need anonymity and not just privacy, account holders should use the options provided for that OPSEC. Proton has such as well.

@Viss @bhhaskin @floriann "subscriber information received from the Swiss Mutual Legal Assistance Treaty Unit" - so the FBI basically asked the Swiss police, that got the data and forwarded it back under the umbrella of a long standing treaty between the countries/authorities. This should not be surprising at all btw, but somehow for many VPN customers it is.

@troed @Viss The ToS will obviously point out these caveats so they won't have troubles in court. What matters is the company's communication (marketing, PR aka. "oUr sERvErz aRe In SwiTZeRlAnd") because that is what people actually see and base their decisions on.

@buherator

I think all of this stems from the "Proton helped FBI" headline. They didn't. "Switzerland helped the USA" wouldn't get as many reactions.

There's OPSEC failure here, but trying to pin this on Proton is to look in the wrong place. It would not be any different were it any other privacy focused provider.

@Viss

@troed @Viss I disagree. Proton convinced US people that their comms will be safe at a foreign provider (them). Were users naive to believe this? Yes, but this is victim blaming.

I agree that Proton is not the only bad provider in the market. Actually, the whole market exists because all the providers communicate dishonestly.

@buherator

Their comms are safe. Proton handed out what little information they have - which in this specific case included payment details which could've been avoided had the payment been done through other available means.

I don't see this as anyone being a bad provider. If you need protection from state actors you need a whole different level of OPSEC than to go sign up with someone who clearly states they will obey any lawful request for data.

@Viss

@troed @Viss Let's put it this way: the acc owner is in the same situation as if they used Gmail for free (if they were smart, authorities would even have a harder time connecting the person to IPs and other metadata). This is speculation, but I'd bet that the relevant comms is already collected from the user's or the recipients' devices/e-mail accounts too.

So what is exactly the value Proton provided here that the user paid for?

@buherator

That a proper legal request had to be made instead of Gmail just handing out everything because someone asked. Additionally, Proton cannot decrypt your email content so the contents of the communication is still secure (unless the account owner made the choice to communicate with less secure providers which, again, would be their choice).

@Viss

@dey @buherator @Viss @bhhaskin

This probably wouldn't have changed anything because the victim paid using credit card details finally leading to de-anonymization. In that regard mullvad offers the same as proton.

@floriann @buherator @Viss @bhhaskin this is indeed a nuanced and age old discussion based on your own threat model. How deep someone is willing to go. If you are up against a nation state no amount of "protection" is enough. You want vpn exit node with tor entry for a decent anonymity. VPNs that offer anonymous payment are close enough. Still you can be outed with browser fingerprint or any other leaks in OS. Oh well.

@troed @Viss "Gmail just handing out everything because someone asked" This was a headline exactly because this was likely illegal. Let's assume that providers abide by the law.

"unless the account owner made the choice to communicate with less secure providers" - which is exactly why the e-mail privacy claimed by Proton et al. is an oxymoron.

@buherator

Gmail does not seem to require that requests are made lawfully: https://newrepublic.com/post/206088/homeland-security-67-year-old-us-citizen-criticized-email

Additionally, Gmail _can_ and will hand out the contents of emails which Proton cannot.

Regarding believing your email contents would be safe because you use Proton and send emails to Gmail I'm sorry - it's not victim blaming to point out bad OPSEC. It's like crashing a car because you didn't take the time to learn how brakes work.

@Viss

@troed @Viss "hand out the contents of emails which Proton cannot" - OK let's not dive into if G should have obeyed a subpoena... In both cases the accounts came under scrutiny because authorities _already knew_ email contents. Gmail would even have the benefit of not having payment info (also, cheaper).

(Btw. Proton can absolutely leak all your e-mails e.g. from the frontend they serve to you.)

"it's not victim blaming to point out bad OPSEC" - by this logic we shouldn't criticize charlatan doctors, because their patients should know medicine better?

@buherator @floriann @Viss @bhhaskin well crypto is also supported, here is their response from LI:

@obivan @floriann @Viss @bhhaskin Cool, so offering credit card as payment option is basically a footgun they provide.

@buherator

You can have a free Proton account. You can also pay through other means not directly connected to you. Yeah - if you're getting an email account because you're on a mission to fsck with your government it's on you to learn OPSEC.

I don't get the need to throw shade at Proton. I've been a customer for close to 9 years now - at Visionary level. They've provided above and beyond all my expectations when I first signed up.

They're not promising anything they're not delivering. Charlatan doctors do.

The headlines "Unauthorized backdoor" and "Not recommended" under the threat model documentation are good reading.

https://proton.me/blog/protonmail-threat-model

@Viss

@obivan @buherator @floriann @Viss @bhhaskin

Yes, that's exactly what I would expect. I don't understand those who are outraged. Companies have to follow legislation.

@troed @Viss It's not hard to tell you are personally invested in this service, that's OK. As I stated, this is not a Proton problem, but unfortunately the market they are operating in shouldn't exist in the first place, because the whole thing is built on illusions. As we say around here, they don't necessarily _lie_, they just don't elaborate on all aspects of truth...

There may be some users who fully understand the tradeoffs, but they would certainly not be a viable business if those were the majority of customers.

Thanks for the Threat Model link, I read that a couple years ago, but I'll do a refresher sometime.

@buherator

I'm invested in the concept that everyone should always prioritize privacy, even if they don't see the need themselves. Otherwise, only those who really need it will stand out and be easy targets.

Thus my family chats using Matrix, our personal accounts are with Proton (even for our business) etc. Telling people that a privacy focused provider (and as you say, this is not Proton specific) would be "no better than Gmail" defeats that whole purpose.

@Viss

@CravateRouge @buherator @floriann @Viss @bhhaskin right, I don't see how this is different from any other privacy focused company. What else is there, gift card payment support?

@obivan @CravateRouge @floriann @Viss @bhhaskin Yes, the donation page of Anna's Archive is quite educational.

My point is exactly that these businesses couldn't exist if they actually lived up to their users' expectations (that are mostly set by the same providers via marketing).

@troed @Viss I only suggested Gmail as an extreme example for this particular case. I have no problem with e.g. Fastmail, as they don't oversell what they do.

@buherator @CravateRouge @floriann @Viss @bhhaskin a company can comply with the law or not, but everything else is a user issue.

@buherator @CravateRouge @obivan @Viss @bhhaskin though crypto currency is probably the exact opposite of anonymity.

@troed @buherator @Viss Well, have been caught snitching multiple times so I'd not trust them at all

To me have the same stench as [which everyone who wasn't blind, deaf and stupid KNEW to be a (+) - owned *way before went public] since was arrested and tortured by

If you engage in any banking transaction with a "legal entity" anonymity went out the window. Isn't Proton having huge offices in Bay-Area/SF-USA ..?

If you trust any application running over android it is not their fault. Basically anonymity (if at all possible) is a luxury for the very few who understand it.

A simple bank reference code may link your email to bank account .. over!

Freedom in capitalism

@kkarhan @troed @buherator @Viss @monocles @torproject @tails @thunderbird @signalapp

@troed @buherator @Viss Ordinary Americans should be forgiven, being new to this whole 'One Battle After Another' thing, for not having perfect opsec, and not understanding the fine-print of 'Privacy By Default' from a technical point of view or even a jurisdictional one given the whole Nazi gold deal. Whether Proton sufficiently resisted under Art 1 IMAC (this clearly is political) is as unknowable as what exactly Proton are promising here is different about their service to any other provider.

@wavesculptor similar, tho I don't have stuff on hand about them.

I'd recommend to go with @monocles because they are sound and encourage of all the keys!
