It feels like Proton are being intentionally misleading in their statements.
-
@RandamuMaki not sure who would need to admit that.
Malwaretech acknowledged they have to follow a legal request… that’s basically the whole point of his post.
Maybe you didn’t read his post??
@amd No, I can read just fine. He makes a distinction between them saying they have to follow local laws and them following those same laws when the order came from abroad. Just because the initial request might have come from abroad does not mean it invalidates the local Swiss law nor is Proton misleading in saying they follow it. The Swiss authorities deemed the request valid and that's the end of it. Proton is saying the correct thing but for some reason it's held against them.
-
@AT1ST @malwaretech
> Like how Apple famously refused ...
Apple refused protecting their bottom line. Then this iPhone was soon "decrypted by a group of hackers" IIRC. Good PR and not a penny wasted for the 3mo coverage all over the nets.
> Could Proton not do the same with the request made of them?
1. There is no crime-story on the warrant
2. Check prices of legal representation in the Switzerland first. For "ultimate plan"/yr sum you can buy a few microseconds of lawyer time.@ohir @malwaretech I mean, the first link I found indicated that it is negotiable [ https://www.getyourlawyer.ch/en/lawyer/fees/ ], but I find it surprising that ProtonMail isn't paying for lawyers just as a cost of business. Maybe they don't have trial lawyers that are more expensive, but they couldn't as a Non-Profit find a lawyer to do it pro bono? This would be an amazing case for them, whether they won or not.
-
It feels like Proton are being intentionally misleading in their statements. They know that most of their customers aren't familiar with how legal process actually works, so are happy to spread half-truths.
Under US law, a US law enforcement agency (LEA) typically has to apply for a subpoena or search warrant with a US court. The court is then responsible for deciding if the legal bar for search a request has been met, then either grants or denies it.
The problem is, if a company has no real US footprint (no US corporate entity, offices, servers, etc.), then a US court typically doesn't have the jurisdiction to compel the company to hand over customer data (except in some rare circumstances). Even if the court approved the warrant anyway, it wouldn't really be legally binding.
Which is why the Mutual Legal Assistance Treaty (MLAT) exists. MLAT enables law enforcement agencies in one company to send requests for information to law enforcement agencies in another. Switzerland has such a treaty with the US. This means that the FBI can request that Swiss authorities hand over a Swiss company's data on their behalf.
Any country requesting information held by a company in a foreign jurisdiction would typically do so via MLAT. Which means from Proton's perspective, the legal request would appear to originate from their local law enforcement, not the FBI. Which they clearly understand based on their Reddit post.
Saying "we don't respond to legal requests from anywhere other than Swiss authorities" seems very intentionally worded to give the impression that the company does not cooperate with foreign law enforcement. But since it'd be the Swiss authorities handling any such requests, they'd have to comply, since as they admitted, they have to comply with local laws.
There is, however, some useful (but more nuanced) information here:
Firstly, MLAT requests are handled by local law enforcement according to local law. So if there is a difference between the law of the sending and recipient country, that might mean the MLAT request is denied. That probably doesn't mean much, because if you're on the FBI's radar, the chances are you did something that is also massively illegal in Switzerland too.
Secondly, they are 100% correct in saying that no other service provider is going to do any better. They're all beholden to local laws, and the ones that think they're not tend to get their doors blown off by SWAT like CyberBunker did. The only exception is if the company resides in a country which does not cooperate with US law enforcement (which Proton does not).
But the part that's extremely disingenuous is that the "we only respond to requests from the Swiss authorities". That statement is likely intended to imply they don't cooperate with law enforcement in any other countries, which is simply not true. Switzerland has MLAT agreements with over 30 counties.
People really need to understand that no company is going to shield you from the FBI (or any reputable law enforcement agency). They'll use misleading statements to make it sounds like they don't cooperate with law enforcement, but they do. They have to.
How is this misleading/half-truth? Mastodon witch hunts don't care about reality again:
> Under Article 271 of the Swiss Criminal Code, Proton may not transmit any data to foreign authorities directly, and therefore rejects all requests from foreign authorities. Swiss authorities may from time to time assist foreign authorities with requests, provided they are valid under international legal assistance procedures and determined to be in compliance with Swiss law. In these cases, the standard of legality is based on Swiss law.
Transparency report | Proton
Proton's transparency report with aggregate statistics of legal orders from the Swiss authorities, covering Proton Mail, Proton Drive, and Proton Calendar.
Proton (proton.me)
You'd have to be in violation of Swiss law for MLATs to hold up in front of a judge, which this particular user was.
Even so, after the MLAT, Proton did not hand over emails or metadata, and the only piece of information disclosed was the payment method chosen by the user. Soooo... bad OPSEC on user side sorry.
-
@amd No, I can read just fine. He makes a distinction between them saying they have to follow local laws and them following those same laws when the order came from abroad. Just because the initial request might have come from abroad does not mean it invalidates the local Swiss law nor is Proton misleading in saying they follow it. The Swiss authorities deemed the request valid and that's the end of it. Proton is saying the correct thing but for some reason it's held against them.
@amd tl;dr; people should blame the Swiss government, not Proton.
-
It feels like Proton are being intentionally misleading in their statements. They know that most of their customers aren't familiar with how legal process actually works, so are happy to spread half-truths.
Under US law, a US law enforcement agency (LEA) typically has to apply for a subpoena or search warrant with a US court. The court is then responsible for deciding if the legal bar for search a request has been met, then either grants or denies it.
The problem is, if a company has no real US footprint (no US corporate entity, offices, servers, etc.), then a US court typically doesn't have the jurisdiction to compel the company to hand over customer data (except in some rare circumstances). Even if the court approved the warrant anyway, it wouldn't really be legally binding.
Which is why the Mutual Legal Assistance Treaty (MLAT) exists. MLAT enables law enforcement agencies in one company to send requests for information to law enforcement agencies in another. Switzerland has such a treaty with the US. This means that the FBI can request that Swiss authorities hand over a Swiss company's data on their behalf.
Any country requesting information held by a company in a foreign jurisdiction would typically do so via MLAT. Which means from Proton's perspective, the legal request would appear to originate from their local law enforcement, not the FBI. Which they clearly understand based on their Reddit post.
Saying "we don't respond to legal requests from anywhere other than Swiss authorities" seems very intentionally worded to give the impression that the company does not cooperate with foreign law enforcement. But since it'd be the Swiss authorities handling any such requests, they'd have to comply, since as they admitted, they have to comply with local laws.
There is, however, some useful (but more nuanced) information here:
Firstly, MLAT requests are handled by local law enforcement according to local law. So if there is a difference between the law of the sending and recipient country, that might mean the MLAT request is denied. That probably doesn't mean much, because if you're on the FBI's radar, the chances are you did something that is also massively illegal in Switzerland too.
Secondly, they are 100% correct in saying that no other service provider is going to do any better. They're all beholden to local laws, and the ones that think they're not tend to get their doors blown off by SWAT like CyberBunker did. The only exception is if the company resides in a country which does not cooperate with US law enforcement (which Proton does not).
But the part that's extremely disingenuous is that the "we only respond to requests from the Swiss authorities". That statement is likely intended to imply they don't cooperate with law enforcement in any other countries, which is simply not true. Switzerland has MLAT agreements with over 30 counties.
People really need to understand that no company is going to shield you from the FBI (or any reputable law enforcement agency). They'll use misleading statements to make it sounds like they don't cooperate with law enforcement, but they do. They have to.
@malwaretech so… misleading statements, cooperated and no company will do better? I guess if you can roll your own for the services you’ve been paying them for, time to do it. That’s not me.
-
@ohir @malwaretech I mean, the first link I found indicated that it is negotiable [ https://www.getyourlawyer.ch/en/lawyer/fees/ ], but I find it surprising that ProtonMail isn't paying for lawyers just as a cost of business. Maybe they don't have trial lawyers that are more expensive, but they couldn't as a Non-Profit find a lawyer to do it pro bono? This would be an amazing case for them, whether they won or not.
@AT1ST @malwaretech
They advertise confidentiality of the communication and that _only_ between INTERNAL (Proton) accounts. Nothing more, nothing less. Thats what they sell: c-o-n-f-i-d-e-n-t-i-a-l-i-t-y. For people who do not know how to read gnupg manual. All gui, easy to click.Then using money earned on their email product they provide more services that used properly _allow_ people to stay safe from being targeted way longer than any other service provider – and these they provide free. They explain the possibilities and explain threats. Problem is that many many many way so many people now just does not want to read before they click or tap.
You can stay a bit, for a longer while, anonymous using Proton: you sign up for a free account using their free #vpn built into #vivaldi and never ever log in to this account not using vpn. Very simple.Not that you can use such account for a malicious public posting. When "imminent threat" is detected, esp. to some #EElite member, anyone on your packet way to the service will act to uncover you. Read the silk road story as a primer.
-
@AT1ST @malwaretech
They advertise confidentiality of the communication and that _only_ between INTERNAL (Proton) accounts. Nothing more, nothing less. Thats what they sell: c-o-n-f-i-d-e-n-t-i-a-l-i-t-y. For people who do not know how to read gnupg manual. All gui, easy to click.Then using money earned on their email product they provide more services that used properly _allow_ people to stay safe from being targeted way longer than any other service provider – and these they provide free. They explain the possibilities and explain threats. Problem is that many many many way so many people now just does not want to read before they click or tap.
You can stay a bit, for a longer while, anonymous using Proton: you sign up for a free account using their free #vpn built into #vivaldi and never ever log in to this account not using vpn. Very simple.Not that you can use such account for a malicious public posting. When "imminent threat" is detected, esp. to some #EElite member, anyone on your packet way to the service will act to uncover you. Read the silk road story as a primer.
@ohir @malwaretech "Anyone on your packet way to the service will act to uncover you."
The big detail is that it was the person *closest* the endpoint that did the uncovering that bothers people; had it been ProtonMail's ISP, it would be a different question.
But the issue that people take issue with is that ProtonMail appears to have folded without *any* resistance, over something they claim they would not normally fold over. Hence the "It's not the same as them giving data directly to the FBI if they give it to the Swiss government who then gives it to the FBI." distinction they appear to be trying to make.
-
@malwaretech Ah, and you then respond with even more.
Champ, you need to learn how to interact with other human beings.
-
@malwaretech Ah, and you then respond with even more.
Champ, you need to learn how to interact with other human beings.
@james God, you're insufferable. Enjoy the block list.
-
@ohir @malwaretech "Anyone on your packet way to the service will act to uncover you."
The big detail is that it was the person *closest* the endpoint that did the uncovering that bothers people; had it been ProtonMail's ISP, it would be a different question.
But the issue that people take issue with is that ProtonMail appears to have folded without *any* resistance, over something they claim they would not normally fold over. Hence the "It's not the same as them giving data directly to the FBI if they give it to the Swiss government who then gives it to the FBI." distinction they appear to be trying to make.
@AT1ST @malwaretech
There is no way to *resistance* in many countries. You can complain on merit. Or go to jail for *resistance*. Such resistance to a valid warrant is called "Obstruction of Justice" and penalties vary by country from 3 to 8 years.Then yet again now in simple words: why do you feel entitled to the costly legal representation from the service provider who never advertised "anonymity services"? On what basis? Why mines and over ten thousand other people $80 this year payments should be spent to cover for someone posting explosive threats to the FB. Should Uber "resist" a warrant seeking robber taping Uber services to get the loot from the crime scene?
-
It feels like Proton are being intentionally misleading in their statements. They know that most of their customers aren't familiar with how legal process actually works, so are happy to spread half-truths.
Under US law, a US law enforcement agency (LEA) typically has to apply for a subpoena or search warrant with a US court. The court is then responsible for deciding if the legal bar for search a request has been met, then either grants or denies it.
The problem is, if a company has no real US footprint (no US corporate entity, offices, servers, etc.), then a US court typically doesn't have the jurisdiction to compel the company to hand over customer data (except in some rare circumstances). Even if the court approved the warrant anyway, it wouldn't really be legally binding.
Which is why the Mutual Legal Assistance Treaty (MLAT) exists. MLAT enables law enforcement agencies in one company to send requests for information to law enforcement agencies in another. Switzerland has such a treaty with the US. This means that the FBI can request that Swiss authorities hand over a Swiss company's data on their behalf.
Any country requesting information held by a company in a foreign jurisdiction would typically do so via MLAT. Which means from Proton's perspective, the legal request would appear to originate from their local law enforcement, not the FBI. Which they clearly understand based on their Reddit post.
Saying "we don't respond to legal requests from anywhere other than Swiss authorities" seems very intentionally worded to give the impression that the company does not cooperate with foreign law enforcement. But since it'd be the Swiss authorities handling any such requests, they'd have to comply, since as they admitted, they have to comply with local laws.
There is, however, some useful (but more nuanced) information here:
Firstly, MLAT requests are handled by local law enforcement according to local law. So if there is a difference between the law of the sending and recipient country, that might mean the MLAT request is denied. That probably doesn't mean much, because if you're on the FBI's radar, the chances are you did something that is also massively illegal in Switzerland too.
Secondly, they are 100% correct in saying that no other service provider is going to do any better. They're all beholden to local laws, and the ones that think they're not tend to get their doors blown off by SWAT like CyberBunker did. The only exception is if the company resides in a country which does not cooperate with US law enforcement (which Proton does not).
But the part that's extremely disingenuous is that the "we only respond to requests from the Swiss authorities". That statement is likely intended to imply they don't cooperate with law enforcement in any other countries, which is simply not true. Switzerland has MLAT agreements with over 30 counties.
People really need to understand that no company is going to shield you from the FBI (or any reputable law enforcement agency). They'll use misleading statements to make it sounds like they don't cooperate with law enforcement, but they do. They have to.
@malwaretech I didn't think it misleading, unless one thinks companies work in vacuums. The Swiss government IS responsible for requesting the info and companies within Switzerland are required to comply with the national laws. A company can't be responsible for agreements between countries.
-
@AT1ST @malwaretech
There is no way to *resistance* in many countries. You can complain on merit. Or go to jail for *resistance*. Such resistance to a valid warrant is called "Obstruction of Justice" and penalties vary by country from 3 to 8 years.Then yet again now in simple words: why do you feel entitled to the costly legal representation from the service provider who never advertised "anonymity services"? On what basis? Why mines and over ten thousand other people $80 this year payments should be spent to cover for someone posting explosive threats to the FB. Should Uber "resist" a warrant seeking robber taping Uber services to get the loot from the crime scene?
@ohir @malwaretech "There is no way to resistance in many countries. You can complain on merit."
...My point is that it seems they relied on the Swiss government to do the resistance and judge the merit. The point of a "Resistance lawsuit" is to complain on merit.
(Also, ProtonMail both makes income, and kind of makes the argument that Swiss companies *cannot* share information with foreign law enforcement under criminal penalty [ https://proton.me/blog/switzerland ]. They're doing this reveal of information as a "Loophole" to their own privacy marketing.
At the minimum, this is a bad look for P.R. purposes.)
-
@ohir @malwaretech "There is no way to resistance in many countries. You can complain on merit."
...My point is that it seems they relied on the Swiss government to do the resistance and judge the merit. The point of a "Resistance lawsuit" is to complain on merit.
(Also, ProtonMail both makes income, and kind of makes the argument that Swiss companies *cannot* share information with foreign law enforcement under criminal penalty [ https://proton.me/blog/switzerland ]. They're doing this reveal of information as a "Loophole" to their own privacy marketing.
At the minimum, this is a bad look for P.R. purposes.)
@ohir @malwaretech Like, Uber doesn't make the claim that you can get privacy in Uber, but Proton *specifically* said this on that web site:
"Strong privacy protections: Switzerland has a constitutional right to privacy and strict data protection laws. Unlike companies in other countries, Proton cannot be compelled by foreign or Swiss authorities to engage in bulk surveillance."
That's a major reason they say "This is why we're Switzerland-based.".
And here? Here they are "Loopholing" that whole statement.
-
@LukefromDC @malwaretech I agree, I don't expect Proton to fall on the sword for my €5/mo (I don't even use Proton but I digress).
There's no unbreakable lock, just locks that deter break-ins by making it not worth it to spend the time/resources.
I doubt this stop cop city guy was a Snowden/Assange level target on the FBI list, mailing cash or doing P2P cash for Monero and using that would've probably be enough for the FBI to drop the Proton lead and try to find other holes in this guy's OpSec.
Anyways, thanks for the insightful lessons in OpSec, much appreciated
-
@ohir @malwaretech Like, Uber doesn't make the claim that you can get privacy in Uber, but Proton *specifically* said this on that web site:
"Strong privacy protections: Switzerland has a constitutional right to privacy and strict data protection laws. Unlike companies in other countries, Proton cannot be compelled by foreign or Swiss authorities to engage in bulk surveillance."
That's a major reason they say "This is why we're Switzerland-based.".
And here? Here they are "Loopholing" that whole statement.
@AT1ST @malwaretech
Proton can not be compelled to provide bulk surveilance.What is to be misunderstood in the "bulk" word? They stated what laws of their incorporation says.
Privacy does not mean anonymity. Encryption does not mean anonymity.
Encryption provides confidentiality, this is a vessel for privacy. Tech can provide your mail can not be read by their staff if both parties use two-key approach. As this was too hard for the masses, one can now turn this on.The problem is so many people can not grasp the details. Then the easy and enough-secure provider is magnitude better for the masses than alternatives feeding the monster siliconiacs.
Were Proton started their message with "dear user, remember we are obliged to help law enforcement to know you" this would be as much misunderstood. And prospect non US user would be inclined to choose eg. Apple mail instead. Because "you know, Apple protects their customers".
Reiterating: Privacy is not anonymity. Encryption is not anonymity. There is no anonymity on current Internet, only are ways to up cost and time to discover. Like hand routed Tor between mail services hosted in separate mafia states.
-
@ohir @malwaretech "There is no way to resistance in many countries. You can complain on merit."
...My point is that it seems they relied on the Swiss government to do the resistance and judge the merit. The point of a "Resistance lawsuit" is to complain on merit.
(Also, ProtonMail both makes income, and kind of makes the argument that Swiss companies *cannot* share information with foreign law enforcement under criminal penalty [ https://proton.me/blog/switzerland ]. They're doing this reveal of information as a "Loophole" to their own privacy marketing.
At the minimum, this is a bad look for P.R. purposes.)
@AT1ST @malwaretech
> Swiss companies *cannot* share information with foreign law enforcement under criminal penalty
True. You can not sell your customer data without a warrant from the Swiss authorities. Thats why Swiss bankers got so insanely rich. They can not be compelled to be customer watchers, then a valid warrant must have had a valid warrant subject. -
It feels like Proton are being intentionally misleading in their statements. They know that most of their customers aren't familiar with how legal process actually works, so are happy to spread half-truths.
Under US law, a US law enforcement agency (LEA) typically has to apply for a subpoena or search warrant with a US court. The court is then responsible for deciding if the legal bar for search a request has been met, then either grants or denies it.
The problem is, if a company has no real US footprint (no US corporate entity, offices, servers, etc.), then a US court typically doesn't have the jurisdiction to compel the company to hand over customer data (except in some rare circumstances). Even if the court approved the warrant anyway, it wouldn't really be legally binding.
Which is why the Mutual Legal Assistance Treaty (MLAT) exists. MLAT enables law enforcement agencies in one company to send requests for information to law enforcement agencies in another. Switzerland has such a treaty with the US. This means that the FBI can request that Swiss authorities hand over a Swiss company's data on their behalf.
Any country requesting information held by a company in a foreign jurisdiction would typically do so via MLAT. Which means from Proton's perspective, the legal request would appear to originate from their local law enforcement, not the FBI. Which they clearly understand based on their Reddit post.
Saying "we don't respond to legal requests from anywhere other than Swiss authorities" seems very intentionally worded to give the impression that the company does not cooperate with foreign law enforcement. But since it'd be the Swiss authorities handling any such requests, they'd have to comply, since as they admitted, they have to comply with local laws.
There is, however, some useful (but more nuanced) information here:
Firstly, MLAT requests are handled by local law enforcement according to local law. So if there is a difference between the law of the sending and recipient country, that might mean the MLAT request is denied. That probably doesn't mean much, because if you're on the FBI's radar, the chances are you did something that is also massively illegal in Switzerland too.
Secondly, they are 100% correct in saying that no other service provider is going to do any better. They're all beholden to local laws, and the ones that think they're not tend to get their doors blown off by SWAT like CyberBunker did. The only exception is if the company resides in a country which does not cooperate with US law enforcement (which Proton does not).
But the part that's extremely disingenuous is that the "we only respond to requests from the Swiss authorities". That statement is likely intended to imply they don't cooperate with law enforcement in any other countries, which is simply not true. Switzerland has MLAT agreements with over 30 counties.
People really need to understand that no company is going to shield you from the FBI (or any reputable law enforcement agency). They'll use misleading statements to make it sounds like they don't cooperate with law enforcement, but they do. They have to.
@malwaretech If you don’t like Proton, there’s always Google! I love how readily people criticize Proton even though it’s likely the best privacy ecosystem we have now. At the same time I wish they zero encrypted the meta data enough to make this a non-issue. More than one thing is true at the same time.
-
@malwaretech So they're skirting the government request *entirely* on money and lack of compliance?
I am not saying that ProtonMail has to *win* their case, but it does feel like ProtonMail is just folding right out of the gate.
Like how it has been pointed out that a Filibuster where you have to keep debating an issue in the House or the Senate to block it became suddenly a "If you threaten to filibuster it, then I guess we don't bother testing that you *can* filibuster this law - it's just dead.".
No, it's a different situation from a technical perspective.
One is a request for data (mail) a company already has stored on its own servers, and that that company can already access at will.
The other is a request for a company to develop and provide a tool to the government, so the government may unlock devices belonging to 3rd parties, and independently access the data therein.
To build a flimsy analogy here, one case is the government coming to your house and saying "give me all the files from the safe in your office".
The other is the government going to the safe company and saying "give me a skeleton key to unlock every safe you've ever made" -
No, it's a different situation from a technical perspective.
One is a request for data (mail) a company already has stored on its own servers, and that that company can already access at will.
The other is a request for a company to develop and provide a tool to the government, so the government may unlock devices belonging to 3rd parties, and independently access the data therein.
To build a flimsy analogy here, one case is the government coming to your house and saying "give me all the files from the safe in your office".
The other is the government going to the safe company and saying "give me a skeleton key to unlock every safe you've ever made"@lackthereof The technical difference is only partially why that stance was taken.
As I understand it, they didn't even give away mail, they gave away the credit card processing token (Or the information outright), so that the credit card processing company could reveal more information. That is, Proton Mail made a point that they still cannot actually retrieve mail from their servers without doing the skeleton thing, and they aren't doing that.
But they did hand over information similar to a journalist not giving away their source, but instead giving away where they met their source and who knew their source, on account of a warrant.
-
@blustoftimes @malwaretech so germany does not have MLAT with u.s.?
