257
Proton Mail Discloses User Data Leading to Arrest in Spain (restoreprivacy.com)
submitted 1 week ago by schizoidman@lemmy.ml to c/privacy@lemmy.ml
64 comments fedilink hide all child comments
top 50 comments
sorted by: hot top controversial new old
[-] seathru@lemmy.sdf.org 163 points 1 week ago* (last edited 1 week ago)

No company is going to legally go to bat for you for $10/mo. I love how Proton nonchalantly calls out the user's dumb move in the article:

Proton provides privacy by default and not anonymity by default because anonymity requires certain user actions to ensure proper OpSec, such as not adding your Apple account as an optional recovery method. Note, Proton does not require adding a recovery address as this information can in theory be turned over under Swiss court order...

[-] leraje@lemmy.blahaj.zone 41 points 1 week ago

It is worth noting though, that Proton doesn't allow you to use certain domains for recovery addresses. Admittedly this was awhile ago and maybe things have changed there but when I first joined Proton they wouldn't allow me to set a duck.com or simplelogin.com or addy.io address as a recovery email.

Obviously using an apple ID is stupid but Proton could make more of an effort too.

[-] Canary9341@lemmy.ml 28 points 1 week ago

They are actually quite aggressive about blocking disposable emails, most free services don't work. I have used protonmail a few times for semi-disposable accounts that used disposable emails to sign up, and some of them were banned later.

[-] pineapplelover@lemm.ee 3 points 1 week ago

I actually set simplelogin as recovery lol

[-] Railcar8095@lemm.ee 3 points 1 week ago

So they will ask proton again for the address where everything is being forwarded... Not a good plan.

It would be fun to daisy chain a bazillion emails, all forwarding to each other in circles and have the cops just call yahoo 20 times.

load more comments (4 replies)
[-] deweydecibel@lemmy.world 13 points 1 week ago* (last edited 1 week ago)

At any point in the process, does it warn you about setting up recovery with personal email addresses?

Feels like with as much as Proton advertises nowadays as a privacy protecting service, they need to be taking into consideration that a lot of their customers now are going to be average users who don't know anything about proper OpSec. They should be much clearer about what things they can't protect you from.

It shouldn't be in a press release like this, they should be explaining the difference between privacy and anonymity to the customer. It's not like their marketing team isn't aware of the fact most people don't know any better.

It's in their best interests, too, because it doesn't matter how many times you say "we provide privacy not anonymity", the headlines are a bad look.

[-] Railcar8095@lemm.ee 4 points 1 week ago

Unless you're targeted by law enforcement, having a recovery email won't be an issue. 99.99% of the userbase world never have a problem with this.

I get what you say, but it's really nitpicking at this point I think.

[-] drwho@beehaw.org 8 points 1 week ago

Thing is, Protonmail has been telling people this from the very beginning. It's like it gets rediscovered every year or so when somebody else gets busted.

[-] classic@fedia.io 7 points 1 week ago

What would be a more appropriate email address to use - or just no recovery email?

[-] seathru@lemmy.sdf.org 17 points 1 week ago

It's best for anonymity to not use one at all. Proton provides a recovery key to allow access to your account if you manage to lock yourself out. Keep that key somewhere safe/secure.

[-] classic@fedia.io 3 points 1 week ago

Thank you. Recovery key seems like a better route for sure

[-] glorious_puffy@lemmy.world 1 points 1 week ago

Ideally no recovery mail or you can create burner gmail account with a vpn

[-] EngineerGaming@feddit.nl 7 points 1 week ago

Doesn't Gmail require a phone number upon registration? One of the worst choices for "burner" mails.

load more comments (3 replies)
[-] azalty@jlai.lu 7 points 1 week ago

Proton does require a recovery email address if you sign up to a mail forwarding service or similar, right after creating the account. In that case the account remains locked if you don’t, so that’s just a lie

[-] Setarkus@lemmy.world 14 points 1 week ago

In the article it says that that's a one-time verification address. Though that leaves the question if/how long it's stored

[-] azalty@jlai.lu 2 points 1 week ago* (last edited 1 week ago)

Still, it wasn’t optional for me, so I’m pretty annoyed that they’re saying it.

You can remove the mail after but indeed, I won’t trust proton with not keeping that info. The mail has to be entered in the recovery email field, and then sends mail to the recovery email when you have unread mail. So it’s not a one-time mail sent with a code.

[-] VerseAndVermin@lemmy.world 62 points 1 week ago

It looks more like multiple companies were needed to pin the individual. I don't expect any company to not comply with legal requests. My understanding is this is why it's important to know what information a company retains.

For my own use, I have used Proton just to mitigate being a source of ad info and to get better service. I'm not interesting enough to overthrow anything.

[-] cyrus@sopuli.xyz 13 points 1 week ago

Most info came from the fact that they made the move to link their personal iCloud Mail as a recovery method.

Infinite wisdom.

[-] Zerush@lemmy.ml 56 points 1 week ago

Logically, any service, whether private or not, is required by law to reveal the user data they have, if there is a court order for a criminal investigation. Proton cannot refuse, if it does not want to face a complaint that could even lead to the closure of its service. That is, in this headline the "Proton Mail" can be replaced by any other email, host, chat, social network, VPN, Lemmy, it can occur in any of them. As said, read TOS and PP of what you use

load more comments (3 replies)
[-] Staraven1@lemmy.blahaj.zone 47 points 1 week ago

Maybe also just consider any email insecure by default ? Like it's fcking email, having privacy, let alone security or anonymity is just like trying to mod a skateboard into a secure highway vehicule imho

[-] possiblylinux127@lemmy.zip 1 points 1 week ago

Its more secure to use physical mail

[-] crispy_kilt@feddit.de 37 points 1 week ago

Not really news. Proton follows the law. If they get a Swiss court order they will comply.

If you want to do illegal (under Swiss law) things, proton won't cover you.

[-] Freuks@lemmy.ml 36 points 1 week ago

I don't understand why people blame Proton, instead of OPSEC. A company complies with law, won't go to jail for you, what they are thinking ?

[-] You999@sh.itjust.works 17 points 1 week ago

Because proton put themselves into this position by making false advertising claims. Let's not forget this isn't the first time proton has given away the IP of an individual and last time was even worse because proton at the time was directly advertising they kept no IP logs which they had to quietly remove after giving the Swiss feds the IP.

load more comments (2 replies)
[-] Imprint9816@lemmy.dbzer0.com 33 points 1 week ago

Another case of a user with terrible opsec that proton will end up being blamed for.

[-] BananaTrifleViolin@lemmy.world 26 points 1 week ago* (last edited 1 week ago)

I'm not sure how I feel about this news story.

On the one side, it's good to make sure people are aware of the limitations of secure email providers. However on the other the article almost reads as of this should be a surprise to people?

I use Proton mail and pay for my account. I don't pay for anonyminity - I pay for privacy. They are two very different things.

The article talks about Opsec (operational security) and they're right - if you need anonyminity then don't use your personal apple email as a recovery address. That is a flaw in the user approach and expectations that unencrypted data held by Proton is also "secure". Your basic details and your IP address are going to be recorded and available to law enforcement. Use a VPN or Tor to access the service and use another untraceable email for recovery, and pay via crypto if you want true anonymity. And even then there are other methods of anonymous or untraceable secure email that may be better than Proton mail (such as self hosted).

But for most users like myself, if you're not looking for anonyminity then Proton is fine as is. My email address is my name and I use it to keep my emails secure and not snooped on by Google etc.

Proton advertises itself as private, secure and encrypted. It does not claim to offer anonymity.

[-] Cataphract@lemmy.ml 5 points 1 week ago

All valid points made in an academic setting. I think the general consensus, and the points other users are trying to make, involve more transparency and proper presenting of the facts in their statements. I have parroted the "oh you should try proton, they're more private and secure" to other people. This is a factual but misleading statement without the nuance of higher OPSEC fundamentals.

Just look at their main landing page for proton mail.

  • Proton Mail's end-to-end encryption and zero-access encryption ensure only you can see your emails. Not even Proton can view the content of your emails and attachments.

  • Proton Mail protects you from these digital spies and prevents companies from monitoring you.

  • your data is protected by some of the world's strictest privacy laws.

  • From newsrooms, activists, and international organizations to academics, Nobel Prize winners, and movie characters, Proton Mail is the trusted choice for secure and private communication. Join over 100 million people worldwide who believe their online privacy is worth protecting.

A common user will look at this and believe that by just having this account, they will be protected. There is no asterisk* beside e-mail recovery explaining the dangers of linking to another e-mail. In fact, a lot of their services promote linking e-mail because you can't use third party verification if you haven't setup your recovery e-mail and/or cell phone verification. I ran into this trying to help an older relative who's paranoid about online accounts, ended up being more hoops and they were dissuaded because it always come down to "enter more information to continue...privately ;)"

The front landing page should have a section explaining everything that's being said here with vpn's, alternative e-mails, and how to really protect yourself with anonymity. To a lot of people, Private+Secure=Anonymous. It's not accurate, but unless you already know the things you have to do to protect your identity, it's not very clear on what the average person should do.

[-] Coasting0942@reddthat.com 3 points 1 week ago

Proton is the only one I know of who takes mailed cash.

This was all an opsec problem. And not even an “exposed my ip address because a software bug leaked it” it was an “here’s my usual email address in case I get locked out”.

The cops didn't need to break into proton email. They just asked the backup email address for that stuff.

[-] lemmyreader@lemmy.ml 6 points 1 week ago

Proton is the only one I know of who takes mailed cash.

Proton accepts payments via postal mail you mean ? Posteo and mailbox.org do that.

[-] lemmyreader@lemmy.ml 16 points 1 week ago* (last edited 1 week ago)

All the commenters suggesting that Proton is just a company and would always give in to legal requests and all other companies and any email provider would do the same, here's some more to add. Yesterday I saw a now invalid toot comment from ProtonPrivacy on Mastodon Social where they wrote that it was Apple who was to blame and that Proton gave the recovery email address only because this was a case of a terrorism suspect suggesting that if that (terrorism) was not the case they would not have given in to the request. Today their comment sadly gives a 404 error. Searching a bit further this article comes up mentioning Proton and Wire :

In the new resolution, the National Audience judge recalls that in January, in a judicial report he issued on the case, he highlighted a conversation from July 12th and 13th, 2020, about the king's visits, which was included in the Tsunami investigative evidence, and of which he admits that until that point he had not made reference in his investigation which extends over the period from 2016 to 2022. Specifically, one of the people under investigation, the Girona businessperson Josep Campmajó, spoke to the figure named Xuxu Rondinaire, with profile @marietadelulllviu, about mobilizations in 2019, using the Wire messenger app. The judge has asked for the identification of this person, information now obtained by the Civil Guard, which details that they used Europol to ask the Swiss authorities for the Wire firm to identify the person behind this pseudonym, with a profile that is also used in Proton Mail, an encrypted email system. In the police cooperation form requesting the information, the Spanish officers indicate to the Swiss authorities that the investigation is for the crime of terrorism.

[-] protonprivacy@mastodon.social 19 points 1 week ago

@lemmyreader Yes, the name/address of the terrorism suspect was actually given to police by Apple, not Proton. The terror suspect added their real-life Apple email as an optional recovery address in Proton Mail. Proton can't decrypt data, but in terror cases Swiss courts can obtain recovery email.

[-] starman2112@sh.itjust.works 12 points 1 week ago

So proton will only give users' information to governments if the government calls the user a terrorist. Good thing governments don't just throw that word around willy-nilly!

[-] pacology@lemmy.world 2 points 1 week ago

Proton is just a company and would always give in to legal requests and all other companies and any email provider would do the same

It’s amazing how people easily forget about lavabit and what a company that is committed to real privacy is about.

[-] ChaoticEntropy@feddit.uk 14 points 1 week ago

Proton is a service provider, not your confederate.

[-] bufalo1973@lemmy.ml 9 points 1 week ago* (last edited 1 week ago)

Proton should look who was asking the disclosure. He's a known far-right judge that opens cases like beer cans. And the "terrorist" group is marked as such because someone had a heart attack the same day there were protests in Catalonia.

[-] AeonFelis@lemmy.world 3 points 1 week ago

Does it matter? He's still a judge with a judge's authority. If their policy is to obey the law then the political views of the judge don't change the fact that his order was lawful.

load more comments (2 replies)
load more comments (3 replies)
[-] KillingTimeItself@lemmy.dbzer0.com 4 points 1 week ago

i fucking knew it.

[-] darkphotonstudio@beehaw.org 2 points 1 week ago

That was a short honeymoon.

load more comments
view more: next ›
this post was submitted on 08 May 2024
257 points (93.9% liked)

Privacy

29157 readers
505 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 4 years ago
MODERATORS
k_o_t@lemmy.ml
tmpod@lemmy.pt
TheAnonymouseJoker@lemmy.ml
Yayannick@lemmy.ml
ranok@sopuli.xyz