It feels like Proton are being intentionally misleading in their statements.
-
@malwaretech Oh, you’re someone who responds to feedback by giving personal insults.
That’s a shame.
-
@silhouette @malwaretech
I wonder if ocean floor datacenters could take advantage of laws on international waters@kallisti @silhouette @malwaretech depends how much cement they're encased in, i'd wager
-
@malwaretech The MLAT request may originate from a country other than Switzerland, but it is still brought to Proton from the Swiss authorities in accordance to Swiss law, which makes it a legal request from Swiss authorities. Proton is not misleading in this.
@RandamuMaki @malwaretech I have similar thoughts. I don’t see how this is misleading.
Now if we found out the request was flawed and that Proton could/should have contested it but didn’t then by all means they should get big heapings of criticisms. But so far at least that doesn’t seem to be the case here.
-
It feels like Proton are being intentionally misleading in their statements. They know that most of their customers aren't familiar with how legal process actually works, so are happy to spread half-truths.
Under US law, a US law enforcement agency (LEA) typically has to apply for a subpoena or search warrant with a US court. The court is then responsible for deciding if the legal bar for search a request has been met, then either grants or denies it.
The problem is, if a company has no real US footprint (no US corporate entity, offices, servers, etc.), then a US court typically doesn't have the jurisdiction to compel the company to hand over customer data (except in some rare circumstances). Even if the court approved the warrant anyway, it wouldn't really be legally binding.
Which is why the Mutual Legal Assistance Treaty (MLAT) exists. MLAT enables law enforcement agencies in one company to send requests for information to law enforcement agencies in another. Switzerland has such a treaty with the US. This means that the FBI can request that Swiss authorities hand over a Swiss company's data on their behalf.
Any country requesting information held by a company in a foreign jurisdiction would typically do so via MLAT. Which means from Proton's perspective, the legal request would appear to originate from their local law enforcement, not the FBI. Which they clearly understand based on their Reddit post.
Saying "we don't respond to legal requests from anywhere other than Swiss authorities" seems very intentionally worded to give the impression that the company does not cooperate with foreign law enforcement. But since it'd be the Swiss authorities handling any such requests, they'd have to comply, since as they admitted, they have to comply with local laws.
There is, however, some useful (but more nuanced) information here:
Firstly, MLAT requests are handled by local law enforcement according to local law. So if there is a difference between the law of the sending and recipient country, that might mean the MLAT request is denied. That probably doesn't mean much, because if you're on the FBI's radar, the chances are you did something that is also massively illegal in Switzerland too.
Secondly, they are 100% correct in saying that no other service provider is going to do any better. They're all beholden to local laws, and the ones that think they're not tend to get their doors blown off by SWAT like CyberBunker did. The only exception is if the company resides in a country which does not cooperate with US law enforcement (which Proton does not).
But the part that's extremely disingenuous is that the "we only respond to requests from the Swiss authorities". That statement is likely intended to imply they don't cooperate with law enforcement in any other countries, which is simply not true. Switzerland has MLAT agreements with over 30 counties.
People really need to understand that no company is going to shield you from the FBI (or any reputable law enforcement agency). They'll use misleading statements to make it sounds like they don't cooperate with law enforcement, but they do. They have to.
@malwaretech
> It feels like Proton are being intentionally misleading in their statements [...] so are happy to spread half-truths.Yes, misleading sentence. I can not even ascribe this to ignorance, as MLATs are mentioned below it. It does not matter *who* is requesting the data on customer. Across whole EU targeted business deals with *local* law enforcement presenting the warrant. You do know no details. All you see is a valid warrant what data to hand over. No crime-story on it.
Then get back to the MLATs: in most there are "imminent threat" speed lanes, up to the point you have to act on law officer order, you can file a complaint later. Likely a case here.
> So if there is a difference between the law of the sending and recipient country, that might mean the MLAT request is denied.
This seems very intentionally worded to give the impression that the company can decide. It can not.
> misleading statements to make it sounds like they don't cooperate with law enforcement
I have not been mislead. Could be I have read their site before signig up.
> customers aren't familiar with how legal process actually works
PS. Any data of non-citizen kept on US soil is handed on a whim of US authorities. FISA warrant kicks-in only if a US citizen appears to the party.
-
@malwaretech that's not misleading it's actual thruth. Italia the Switz authoroties that are collaborating with the foreign authorities under the MLAT.
Someone can be absolutely correct and still be misleading. That’s sort of the difference between “misleading” and “lying”
-
@malwaretech The MLAT request may originate from a country other than Switzerland, but it is still brought to Proton from the Swiss authorities in accordance to Swiss law, which makes it a legal request from Swiss authorities. Proton is not misleading in this.
Someone can be absolutely correct and still be misleading. That’s sort of the difference between “misleading” and “lying”
-
@malwaretech I think they should be more upfront about what they're selling. They sell security. They don't really sell anonymity. People think Proton is "I create an account and everything I do is anonymous." It isn't, Proton never said it was, but people make assumptions.
But let's not pretend that any other similar service (Tuta, etc.) wouldn't do the same thing.
@stinerman @malwaretech
Yes. This is! For masses fleeing FB "encrypted"=="anonymous". And I have a hard time to explain to such persons, usually just born as activists, that there is no anonymity on teh nets. -
@silhouette @malwaretech
I wonder if ocean floor datacenters could take advantage of laws on international waters@kallisti @silhouette @malwaretech I mean you could just use an ol' boring ship if you want to have a lot of computers in international waters. The hardest part would be to transfer energy and data, but cooling would be easy af.
-
@malwaretech the trick is to not have that data accessible in the first place. Like Mullvad back when they were forced to give out data.
@can @malwaretech Thus the need for "private by design" systems: people don't need to trust on "we are not logging your data" or "we will not give governments your data" if we first make sure they don't have this data.
-
It feels like Proton are being intentionally misleading in their statements. They know that most of their customers aren't familiar with how legal process actually works, so are happy to spread half-truths.
Under US law, a US law enforcement agency (LEA) typically has to apply for a subpoena or search warrant with a US court. The court is then responsible for deciding if the legal bar for search a request has been met, then either grants or denies it.
The problem is, if a company has no real US footprint (no US corporate entity, offices, servers, etc.), then a US court typically doesn't have the jurisdiction to compel the company to hand over customer data (except in some rare circumstances). Even if the court approved the warrant anyway, it wouldn't really be legally binding.
Which is why the Mutual Legal Assistance Treaty (MLAT) exists. MLAT enables law enforcement agencies in one company to send requests for information to law enforcement agencies in another. Switzerland has such a treaty with the US. This means that the FBI can request that Swiss authorities hand over a Swiss company's data on their behalf.
Any country requesting information held by a company in a foreign jurisdiction would typically do so via MLAT. Which means from Proton's perspective, the legal request would appear to originate from their local law enforcement, not the FBI. Which they clearly understand based on their Reddit post.
Saying "we don't respond to legal requests from anywhere other than Swiss authorities" seems very intentionally worded to give the impression that the company does not cooperate with foreign law enforcement. But since it'd be the Swiss authorities handling any such requests, they'd have to comply, since as they admitted, they have to comply with local laws.
There is, however, some useful (but more nuanced) information here:
Firstly, MLAT requests are handled by local law enforcement according to local law. So if there is a difference between the law of the sending and recipient country, that might mean the MLAT request is denied. That probably doesn't mean much, because if you're on the FBI's radar, the chances are you did something that is also massively illegal in Switzerland too.
Secondly, they are 100% correct in saying that no other service provider is going to do any better. They're all beholden to local laws, and the ones that think they're not tend to get their doors blown off by SWAT like CyberBunker did. The only exception is if the company resides in a country which does not cooperate with US law enforcement (which Proton does not).
But the part that's extremely disingenuous is that the "we only respond to requests from the Swiss authorities". That statement is likely intended to imply they don't cooperate with law enforcement in any other countries, which is simply not true. Switzerland has MLAT agreements with over 30 counties.
People really need to understand that no company is going to shield you from the FBI (or any reputable law enforcement agency). They'll use misleading statements to make it sounds like they don't cooperate with law enforcement, but they do. They have to.
@malwaretech Proton has given me the ick for quite some time. Mostly when they started trying to be Google.
-
@RandamuMaki @malwaretech I have similar thoughts. I don’t see how this is misleading.
Now if we found out the request was flawed and that Proton could/should have contested it but didn’t then by all means they should get big heapings of criticisms. But so far at least that doesn’t seem to be the case here.
@derekheld they should content all requests, didn’t they even say so on the package?
-
@malwaretech The thing that gets me is - is the company being requested by the MLAT allowed to challenge their local government on the legality of the request?
Like how Apple famously refused to make a program to automatically decrypt their iPhones to federal, state, or municipal authorities to be able to decrypt a terrorist's phone, and as I recall, that actually went to court on that?
Could Proton not do the same with the request made of them?
@AT1ST @malwaretech
> Like how Apple famously refused ...
Apple refused protecting their bottom line. Then this iPhone was soon "decrypted by a group of hackers" IIRC. Good PR and not a penny wasted for the 3mo coverage all over the nets.
> Could Proton not do the same with the request made of them?
1. There is no crime-story on the warrant
2. Check prices of legal representation in the Switzerland first. For "ultimate plan"/yr sum you can buy a few microseconds of lawyer time. -
It feels like Proton are being intentionally misleading in their statements. They know that most of their customers aren't familiar with how legal process actually works, so are happy to spread half-truths.
Under US law, a US law enforcement agency (LEA) typically has to apply for a subpoena or search warrant with a US court. The court is then responsible for deciding if the legal bar for search a request has been met, then either grants or denies it.
The problem is, if a company has no real US footprint (no US corporate entity, offices, servers, etc.), then a US court typically doesn't have the jurisdiction to compel the company to hand over customer data (except in some rare circumstances). Even if the court approved the warrant anyway, it wouldn't really be legally binding.
Which is why the Mutual Legal Assistance Treaty (MLAT) exists. MLAT enables law enforcement agencies in one company to send requests for information to law enforcement agencies in another. Switzerland has such a treaty with the US. This means that the FBI can request that Swiss authorities hand over a Swiss company's data on their behalf.
Any country requesting information held by a company in a foreign jurisdiction would typically do so via MLAT. Which means from Proton's perspective, the legal request would appear to originate from their local law enforcement, not the FBI. Which they clearly understand based on their Reddit post.
Saying "we don't respond to legal requests from anywhere other than Swiss authorities" seems very intentionally worded to give the impression that the company does not cooperate with foreign law enforcement. But since it'd be the Swiss authorities handling any such requests, they'd have to comply, since as they admitted, they have to comply with local laws.
There is, however, some useful (but more nuanced) information here:
Firstly, MLAT requests are handled by local law enforcement according to local law. So if there is a difference between the law of the sending and recipient country, that might mean the MLAT request is denied. That probably doesn't mean much, because if you're on the FBI's radar, the chances are you did something that is also massively illegal in Switzerland too.
Secondly, they are 100% correct in saying that no other service provider is going to do any better. They're all beholden to local laws, and the ones that think they're not tend to get their doors blown off by SWAT like CyberBunker did. The only exception is if the company resides in a country which does not cooperate with US law enforcement (which Proton does not).
But the part that's extremely disingenuous is that the "we only respond to requests from the Swiss authorities". That statement is likely intended to imply they don't cooperate with law enforcement in any other countries, which is simply not true. Switzerland has MLAT agreements with over 30 counties.
People really need to understand that no company is going to shield you from the FBI (or any reputable law enforcement agency). They'll use misleading statements to make it sounds like they don't cooperate with law enforcement, but they do. They have to.
@malwaretech IMHO ppl should nearly always prefer services with a legal presence in the jurisdiction they reside in.
I've made the same recommendation for domain ownership decisions. In particular the info supplied for nexus requirements.
TLDR: There's no magic invisibility cloak, just risk reduction.
Secure Practices for Domain Owners
The recommendations contained within this document attempt to provide easy to audit points that any domain owner, regardless of technical capability, can …
(kalfeher.com)
-
@silhouette @malwaretech
I wonder if ocean floor datacenters could take advantage of laws on international waters@kallisti @silhouette @malwaretech
Nice piracy target.
-
Someone can be absolutely correct and still be misleading. That’s sort of the difference between “misleading” and “lying”
@amd Or people could just admit they fail at reading comprehension. Proton is not the bad guy in this scenario. They have to acquiesce to lawfully made requests like this.
-
@amd Or people could just admit they fail at reading comprehension. Proton is not the bad guy in this scenario. They have to acquiesce to lawfully made requests like this.
@RandamuMaki not sure who would need to admit that.
Malwaretech acknowledged they have to follow a legal request… that’s basically the whole point of his post.
Maybe you didn’t read his post??
-
@RandamuMaki not sure who would need to admit that.
Malwaretech acknowledged they have to follow a legal request… that’s basically the whole point of his post.
Maybe you didn’t read his post??
@amd No, I can read just fine. He makes a distinction between them saying they have to follow local laws and them following those same laws when the order came from abroad. Just because the initial request might have come from abroad does not mean it invalidates the local Swiss law nor is Proton misleading in saying they follow it. The Swiss authorities deemed the request valid and that's the end of it. Proton is saying the correct thing but for some reason it's held against them.
-
@AT1ST @malwaretech
> Like how Apple famously refused ...
Apple refused protecting their bottom line. Then this iPhone was soon "decrypted by a group of hackers" IIRC. Good PR and not a penny wasted for the 3mo coverage all over the nets.
> Could Proton not do the same with the request made of them?
1. There is no crime-story on the warrant
2. Check prices of legal representation in the Switzerland first. For "ultimate plan"/yr sum you can buy a few microseconds of lawyer time.@ohir @malwaretech I mean, the first link I found indicated that it is negotiable [ https://www.getyourlawyer.ch/en/lawyer/fees/ ], but I find it surprising that ProtonMail isn't paying for lawyers just as a cost of business. Maybe they don't have trial lawyers that are more expensive, but they couldn't as a Non-Profit find a lawyer to do it pro bono? This would be an amazing case for them, whether they won or not.
-
It feels like Proton are being intentionally misleading in their statements. They know that most of their customers aren't familiar with how legal process actually works, so are happy to spread half-truths.
Under US law, a US law enforcement agency (LEA) typically has to apply for a subpoena or search warrant with a US court. The court is then responsible for deciding if the legal bar for search a request has been met, then either grants or denies it.
The problem is, if a company has no real US footprint (no US corporate entity, offices, servers, etc.), then a US court typically doesn't have the jurisdiction to compel the company to hand over customer data (except in some rare circumstances). Even if the court approved the warrant anyway, it wouldn't really be legally binding.
Which is why the Mutual Legal Assistance Treaty (MLAT) exists. MLAT enables law enforcement agencies in one company to send requests for information to law enforcement agencies in another. Switzerland has such a treaty with the US. This means that the FBI can request that Swiss authorities hand over a Swiss company's data on their behalf.
Any country requesting information held by a company in a foreign jurisdiction would typically do so via MLAT. Which means from Proton's perspective, the legal request would appear to originate from their local law enforcement, not the FBI. Which they clearly understand based on their Reddit post.
Saying "we don't respond to legal requests from anywhere other than Swiss authorities" seems very intentionally worded to give the impression that the company does not cooperate with foreign law enforcement. But since it'd be the Swiss authorities handling any such requests, they'd have to comply, since as they admitted, they have to comply with local laws.
There is, however, some useful (but more nuanced) information here:
Firstly, MLAT requests are handled by local law enforcement according to local law. So if there is a difference between the law of the sending and recipient country, that might mean the MLAT request is denied. That probably doesn't mean much, because if you're on the FBI's radar, the chances are you did something that is also massively illegal in Switzerland too.
Secondly, they are 100% correct in saying that no other service provider is going to do any better. They're all beholden to local laws, and the ones that think they're not tend to get their doors blown off by SWAT like CyberBunker did. The only exception is if the company resides in a country which does not cooperate with US law enforcement (which Proton does not).
But the part that's extremely disingenuous is that the "we only respond to requests from the Swiss authorities". That statement is likely intended to imply they don't cooperate with law enforcement in any other countries, which is simply not true. Switzerland has MLAT agreements with over 30 counties.
People really need to understand that no company is going to shield you from the FBI (or any reputable law enforcement agency). They'll use misleading statements to make it sounds like they don't cooperate with law enforcement, but they do. They have to.
How is this misleading/half-truth? Mastodon witch hunts don't care about reality again:
> Under Article 271 of the Swiss Criminal Code, Proton may not transmit any data to foreign authorities directly, and therefore rejects all requests from foreign authorities. Swiss authorities may from time to time assist foreign authorities with requests, provided they are valid under international legal assistance procedures and determined to be in compliance with Swiss law. In these cases, the standard of legality is based on Swiss law.
Transparency report | Proton
Proton's transparency report with aggregate statistics of legal orders from the Swiss authorities, covering Proton Mail, Proton Drive, and Proton Calendar.
Proton (proton.me)
You'd have to be in violation of Swiss law for MLATs to hold up in front of a judge, which this particular user was.
Even so, after the MLAT, Proton did not hand over emails or metadata, and the only piece of information disclosed was the payment method chosen by the user. Soooo... bad OPSEC on user side sorry.
-
@amd No, I can read just fine. He makes a distinction between them saying they have to follow local laws and them following those same laws when the order came from abroad. Just because the initial request might have come from abroad does not mean it invalidates the local Swiss law nor is Proton misleading in saying they follow it. The Swiss authorities deemed the request valid and that's the end of it. Proton is saying the correct thing but for some reason it's held against them.
@amd tl;dr; people should blame the Swiss government, not Proton.
