so if you want to subscribe to a vpn, and you were considering proton, maybe dont
-
-
@floriann and you would go to those lengths to pay them even though they'd turn over your logs still? tsk tsk
@Viss i can't access the article so I don't know to which logs you are referring to.
In general proton has a no logs policy but I guess they might be forced logging access to specific accounts on demand.
To mitigate this they offer Tor access. I personally don't use Proton and I think if some state actor is after you probably can't stay anonymous using convenient services.
I don't trust any VPN providers because it is the best Crypto AG like business appliance I can think of.
It's easy to tell the people to avoid Proton VPN because they might track you down when authorities walk in their offices and pull the business files out of the folders - but I can't think of any VPN this is better protected in that regard.
-
@Viss i can't access the article so I don't know to which logs you are referring to.
In general proton has a no logs policy but I guess they might be forced logging access to specific accounts on demand.
To mitigate this they offer Tor access. I personally don't use Proton and I think if some state actor is after you probably can't stay anonymous using convenient services.
I don't trust any VPN providers because it is the best Crypto AG like business appliance I can think of.
It's easy to tell the people to avoid Proton VPN because they might track you down when authorities walk in their offices and pull the business files out of the folders - but I can't think of any VPN this is better protected in that regard.
@floriann they turned over payment and subscriber details, and the person using the email used their personal bank/credit card to pay, and that data exposed their identity.
-
-
@Viss @bhhaskin I don't know if the user was a us citizen and I would like to hope that for an eu citizen it would be any different.
But the problem is that were completely dependent from the us. Let's think of Nicolas Guillou (https://www.heise.de/en/news/How-a-French-judge-was-digitally-cut-off-by-the-USA-11087561.html) and this was just a single pointed act of revenge.
-
@Viss @bhhaskin I don't know if the user was a us citizen and I would like to hope that for an eu citizen it would be any different.
But the problem is that were completely dependent from the us. Let's think of Nicolas Guillou (https://www.heise.de/en/news/How-a-French-judge-was-digitally-cut-off-by-the-USA-11087561.html) and this was just a single pointed act of revenge.
@floriann @bhhaskin based on the topic of the article, it would be surprising if the owner of the account was not a us citizen. but yeah, your point still is an important one - if the fbi can 'just get stuff' from switzerland, and the guy in charge is... ugh. ... just fucking look at him
then yeah, its a problem for literally everyone
-
@floriann they turned over payment and subscriber details, and the person using the email used their personal bank/credit card to pay, and that data exposed their identity.
Mystified as to why Proton did it. That was a major business-limiting action. Really dumb. Kompromat maybe? Truckload of money? Been on the wrong side for years but let it slip this time?
Whatever the reason, it's useful to know that they're worse than the obvious ones like Google and MS--because Proton lies about their standards and practices.
-
Mystified as to why Proton did it. That was a major business-limiting action. Really dumb. Kompromat maybe? Truckload of money? Been on the wrong side for years but let it slip this time?
Whatever the reason, it's useful to know that they're worse than the obvious ones like Google and MS--because Proton lies about their standards and practices.
@jakebrake @floriann so turns out theres this MLAT thing between the us and switzerland, and the fbi was able to get swiss authorities to pressure proton into turning over subscriber data
-
-
@jakebrake @floriann so turns out theres this MLAT thing between the us and switzerland, and the fbi was able to get swiss authorities to pressure proton into turning over subscriber data
@Viss @jakebrake @floriann I've got to say "not complying with legal instructions in your own jurisdiction" seems like an even worse business-limiting decision.
-
so if you want to subscribe to a vpn, and you were considering proton, maybe dont
Joseph Cox (@josephcox@infosec.exchange)
New from 404 Media: Proton Mail, the privacy-focused email service, gave authorities data that let the FBI unmask an anonymous 'Stop Cop City' protester. It was payment data linked to the anonymous email account. From that, FBI ID'd them, then tracked their movements https://www.404media.co/proton-mail-helped-fbi-unmask-anonymous-stop-cop-city-protestor/
Infosec Exchange (infosec.exchange)
@Viss I'm more inclined to recommend people not to pay for 404 Media. That headline is not only horribly inflammatory and biased - it's flat out wrong.
Proton followed what's stated in their ToS by complying with Swiss law. All companies, everywhere, do.
If you need anonymity and not just privacy, account holders should use the options provided for that OPSEC. Proton has such as well.
-
R relay@relay.infosec.exchange shared this topic
-
@bhhaskin @floriann the best examples of these sorts of things are when american law enforcement goes after csam peddlers in another country. they'll usually mention that it was like, interpol or whoever they worked with, and that'll be clearly written about as such.
but this article only mentions proton, and the fbi
which, again, says they worked directly.
and if thats the caseproton turned over logs without any "legal pressure to". willingly.
@Viss @bhhaskin @floriann "subscriber information received from the Swiss Mutual Legal Assistance Treaty Unit" - so the FBI basically asked the Swiss police, that got the data and forwarded it back under the umbrella of a long standing treaty between the countries/authrities. This should not be surprising at all btw, but somehow for many VPN customers it is. -
@krypt3ia yeah but then theres the lavabit way. just dont log. or log in such a short timeframe that the bureaucracy makes it impossible to get shit done in time
@Viss that won't prevent your datacenter operator from turning over your payment information.
Some people never miss a chance to get mad at Proton for doing the exact thing Proton say they'd do in this situation, which is also the exact same thing any other lawful provider would do under the same circumstances.
-
@Viss I'm more inclined to recommend people not to pay for 404 Media. That headline is not only horribly inflammatory and biased - it's flat out wrong.
Proton followed what's stated in their ToS by complying with Swiss law. All companies, everywhere, do.
If you need anonymity and not just privacy, account holders should use the options provided for that OPSEC. Proton has such as well.
-
@Viss @bhhaskin @floriann "subscriber information received from the Swiss Mutual Legal Assistance Treaty Unit" - so the FBI basically asked the Swiss police, that got the data and forwarded it back under the umbrella of a long standing treaty between the countries/authrities. This should not be surprising at all btw, but somehow for many VPN customers it is.
@buherator @floriann @Viss @bhhaskin mull *cough* vad
-
I think all of this stems from the "Proton helped FBI" headline. They didn't. "Switzerland helped the USA" wouldn't get as many reactions.
There's OPSEC failure here, but trying to pin this on Proton is to look in the wrong place. It would not be any different were it any other privacy focused provider.
-
I think all of this stems from the "Proton helped FBI" headline. They didn't. "Switzerland helped the USA" wouldn't get as many reactions.
There's OPSEC failure here, but trying to pin this on Proton is to look in the wrong place. It would not be any different were it any other privacy focused provider.
@troed @Viss I disagree. Proton convinced US people that their comms will be safe at a foreign provider (them). Were users naive to believe this? Yes, but this is victim blaming.
I agree that Proton is not the only bad provider in the market. Actually, the whole market exists because all the providers communicate dishonestly. -
@troed @Viss I disagree. Proton convinced US people that their comms will be safe at a foreign provider (them). Were users naive to believe this? Yes, but this is victim blaming.
I agree that Proton is not the only bad provider in the market. Actually, the whole market exists because all the providers communicate dishonestly.They're comms are safe. Proton handed out what little information they have - which in this specific case included payment details which could've been avoided had the payment been done through other available means.
I don't see this as anyone being a bad provider. If you need protection from state actors you need a whole different level of OPSEC than to go sign up with someone who clearly state they will obey any lawful request for data.
-
They're comms are safe. Proton handed out what little information they have - which in this specific case included payment details which could've been avoided had the payment been done through other available means.
I don't see this as anyone being a bad provider. If you need protection from state actors you need a whole different level of OPSEC than to go sign up with someone who clearly state they will obey any lawful request for data.
@troed @Viss Let's put it this way: the acc owner is in the same situation as if they used Gmail for free (if they were smart authorities would even have a harder time connecting the person to IPs and other metadata). This is speculation, but I'd bet that the relevant comms is already collected from the users or the recipients devices/e-mail accounts too.
So what is exactly the value Proton provided here that the user paid for? -
@troed @Viss Let's put it this way: the acc owner is in the same situation as if they used Gmail for free (if they were smart authorities would even have a harder time connecting the person to IPs and other metadata). This is speculation, but I'd bet that the relevant comms is already collected from the users or the recipients devices/e-mail accounts too.
So what is exactly the value Proton provided here that the user paid for?That a proper legal request had to be made instead of Gmail just handing out everything because someone asked. Additionally, Proton cannot decrypt your email content so the contents of the communication is still secure (unless the account owner made the choice to communicate with less secure providers which, again, would be their choice).
