It feels like Proton are being intentionally misleading in their statements.
-
@malwaretech The thing that gets me is - is the company being requested by the MLAT allowed to challenge their local government on the legality of the request?
Like how Apple famously refused to make a program to automatically decrypt their iPhones to federal, state, or municipal authorities to be able to decrypt a terrorist's phone, and as I recall, that actually went to court on that?
Could Proton not do the same with the request made of them?
@AT1ST Depends what remedies exist under both the MLAT and Swiss law. I'm not sure if they could challenge in US court, Swiss court, or both.
In US court, companies can move to quash a subpoena, but if a magistrate judge found probable cause, that would probably be a difficult battle. Not to mention the grounds for quashing a subpoena in the first place are very limited, and I don't think that any remedy is even available here but am not an expert (https://www.law.cornell.edu/rules/frcp/rule_45).Once the case gets the court - and it doesn't seem it ever did here - there could be motions to suppress the evidence on the grounds it was illegally obtained. That seems unlikely to prevail here, especially given that analysis would probably be under US law, not Swiss law.
There could also be other challenges to the case, i.e. first amendment challenges, but without knowing the facts its hard to know how successful those challenges would be. All of that is so far down the road that it wouldn't be in Proton's calculus.
I am not a lawyer, take everything I said with a lot of skepticism.
-
It feels like Proton are being intentionally misleading in their statements. They know that most of their customers aren't familiar with how legal process actually works, so are happy to spread half-truths.
Under US law, a US law enforcement agency (LEA) typically has to apply for a subpoena or search warrant with a US court. The court is then responsible for deciding if the legal bar for search a request has been met, then either grants or denies it.
The problem is, if a company has no real US footprint (no US corporate entity, offices, servers, etc.), then a US court typically doesn't have the jurisdiction to compel the company to hand over customer data (except in some rare circumstances). Even if the court approved the warrant anyway, it wouldn't really be legally binding.
Which is why the Mutual Legal Assistance Treaty (MLAT) exists. MLAT enables law enforcement agencies in one company to send requests for information to law enforcement agencies in another. Switzerland has such a treaty with the US. This means that the FBI can request that Swiss authorities hand over a Swiss company's data on their behalf.
Any country requesting information held by a company in a foreign jurisdiction would typically do so via MLAT. Which means from Proton's perspective, the legal request would appear to originate from their local law enforcement, not the FBI. Which they clearly understand based on their Reddit post.
Saying "we don't respond to legal requests from anywhere other than Swiss authorities" seems very intentionally worded to give the impression that the company does not cooperate with foreign law enforcement. But since it'd be the Swiss authorities handling any such requests, they'd have to comply, since as they admitted, they have to comply with local laws.
There is, however, some useful (but more nuanced) information here:
Firstly, MLAT requests are handled by local law enforcement according to local law. So if there is a difference between the law of the sending and recipient country, that might mean the MLAT request is denied. That probably doesn't mean much, because if you're on the FBI's radar, the chances are you did something that is also massively illegal in Switzerland too.
Secondly, they are 100% correct in saying that no other service provider is going to do any better. They're all beholden to local laws, and the ones that think they're not tend to get their doors blown off by SWAT like CyberBunker did. The only exception is if the company resides in a country which does not cooperate with US law enforcement (which Proton does not).
But the part that's extremely disingenuous is that the "we only respond to requests from the Swiss authorities". That statement is likely intended to imply they don't cooperate with law enforcement in any other countries, which is simply not true. Switzerland has MLAT agreements with over 30 counties.
People really need to understand that no company is going to shield you from the FBI (or any reputable law enforcement agency). They'll use misleading statements to make it sounds like they don't cooperate with law enforcement, but they do. They have to.
@malwaretech They are also leaving out the fact that they only had to hand out that data because they had decided earlier to store it - because someone decided that kind of data on their users is a monetizable asset, not toxic waste.
Other email providers have a better separation of payment data and email accounts, and thus can't betray their customers to adversaries via hacks or MLAT.
-
It feels like Proton are being intentionally misleading in their statements. They know that most of their customers aren't familiar with how legal process actually works, so are happy to spread half-truths.
Under US law, a US law enforcement agency (LEA) typically has to apply for a subpoena or search warrant with a US court. The court is then responsible for deciding if the legal bar for search a request has been met, then either grants or denies it.
The problem is, if a company has no real US footprint (no US corporate entity, offices, servers, etc.), then a US court typically doesn't have the jurisdiction to compel the company to hand over customer data (except in some rare circumstances). Even if the court approved the warrant anyway, it wouldn't really be legally binding.
Which is why the Mutual Legal Assistance Treaty (MLAT) exists. MLAT enables law enforcement agencies in one company to send requests for information to law enforcement agencies in another. Switzerland has such a treaty with the US. This means that the FBI can request that Swiss authorities hand over a Swiss company's data on their behalf.
Any country requesting information held by a company in a foreign jurisdiction would typically do so via MLAT. Which means from Proton's perspective, the legal request would appear to originate from their local law enforcement, not the FBI. Which they clearly understand based on their Reddit post.
Saying "we don't respond to legal requests from anywhere other than Swiss authorities" seems very intentionally worded to give the impression that the company does not cooperate with foreign law enforcement. But since it'd be the Swiss authorities handling any such requests, they'd have to comply, since as they admitted, they have to comply with local laws.
There is, however, some useful (but more nuanced) information here:
Firstly, MLAT requests are handled by local law enforcement according to local law. So if there is a difference between the law of the sending and recipient country, that might mean the MLAT request is denied. That probably doesn't mean much, because if you're on the FBI's radar, the chances are you did something that is also massively illegal in Switzerland too.
Secondly, they are 100% correct in saying that no other service provider is going to do any better. They're all beholden to local laws, and the ones that think they're not tend to get their doors blown off by SWAT like CyberBunker did. The only exception is if the company resides in a country which does not cooperate with US law enforcement (which Proton does not).
But the part that's extremely disingenuous is that the "we only respond to requests from the Swiss authorities". That statement is likely intended to imply they don't cooperate with law enforcement in any other countries, which is simply not true. Switzerland has MLAT agreements with over 30 counties.
People really need to understand that no company is going to shield you from the FBI (or any reputable law enforcement agency). They'll use misleading statements to make it sounds like they don't cooperate with law enforcement, but they do. They have to.
@malwaretech also the screenshotted response reads like AI
-
@AT1ST Depends what remedies exist under both the MLAT and Swiss law. I'm not sure if they could challenge in US court, Swiss court, or both.
In US court, companies can move to quash a subpoena, but if a magistrate judge found probable cause, that would probably be a difficult battle. Not to mention the grounds for quashing a subpoena in the first place are very limited, and I don't think that any remedy is even available here but am not an expert (https://www.law.cornell.edu/rules/frcp/rule_45).Once the case gets the court - and it doesn't seem it ever did here - there could be motions to suppress the evidence on the grounds it was illegally obtained. That seems unlikely to prevail here, especially given that analysis would probably be under US law, not Swiss law.
There could also be other challenges to the case, i.e. first amendment challenges, but without knowing the facts its hard to know how successful those challenges would be. All of that is so far down the road that it wouldn't be in Proton's calculus.
I am not a lawyer, take everything I said with a lot of skepticism.
@iampytest1 Ah, so the caveat to the "Swiss privacy law is the strictest" part for Proton is that, if the Swiss judicial system thinks the MLAT request is above board, companies or related persons *can't* challenge it because the judge already ruled "Probable cause" on it, and they don't want to re-litigate it?
-
@silhouette @malwaretech
I wonder if ocean floor datacenters could take advantage of laws on international waters@kallisti @silhouette @malwaretech
LOL. Datacenters on the ocean floor seems wildly impractical, but still far more realistic than datacenters in space.
As far as legalities go, unless the datacenter's owners are also on the ocean floor, they'll have to comply with their country's law enforcement regardless of where the data resides.
-
lol, this post really brought out all the insufferable fanboys. I'm not gonna pretend like I didn't know which of the 3 platforms I posted this on would have a bunch of people deeply personally offended by criticism of a corporation
@malwaretech The huge problem in tech is the “all government is bad” libertarian attitude. OF COURSE a hosting provider of anything is going to be bound by laws in the place they are physically located, and that includes MLATs. Fight for good local laws and local governance, and stop this insane idea that you can run away from it all. We built democracy and the rule of law over centuries to deal with abuses of power. Use those tools, instead of foolishly throwing them away.
-
@kallisti @silhouette @malwaretech I mean you could just use an ol' boring ship if you want to have a lot of computers in international waters. The hardest part would be to transfer energy and data, but cooling would be easy af.
@jnk @kallisti @silhouette @malwaretech
All of this talk about safe havens in international waters reminds me of Pirate Bay's attempt to buy Sealand then HavenCo's shenanigans there.
https://en.wikipedia.org/wiki/Principality_of_Sealand -
It feels like Proton are being intentionally misleading in their statements. They know that most of their customers aren't familiar with how legal process actually works, so are happy to spread half-truths.
Under US law, a US law enforcement agency (LEA) typically has to apply for a subpoena or search warrant with a US court. The court is then responsible for deciding if the legal bar for search a request has been met, then either grants or denies it.
The problem is, if a company has no real US footprint (no US corporate entity, offices, servers, etc.), then a US court typically doesn't have the jurisdiction to compel the company to hand over customer data (except in some rare circumstances). Even if the court approved the warrant anyway, it wouldn't really be legally binding.
Which is why the Mutual Legal Assistance Treaty (MLAT) exists. MLAT enables law enforcement agencies in one company to send requests for information to law enforcement agencies in another. Switzerland has such a treaty with the US. This means that the FBI can request that Swiss authorities hand over a Swiss company's data on their behalf.
Any country requesting information held by a company in a foreign jurisdiction would typically do so via MLAT. Which means from Proton's perspective, the legal request would appear to originate from their local law enforcement, not the FBI. Which they clearly understand based on their Reddit post.
Saying "we don't respond to legal requests from anywhere other than Swiss authorities" seems very intentionally worded to give the impression that the company does not cooperate with foreign law enforcement. But since it'd be the Swiss authorities handling any such requests, they'd have to comply, since as they admitted, they have to comply with local laws.
There is, however, some useful (but more nuanced) information here:
Firstly, MLAT requests are handled by local law enforcement according to local law. So if there is a difference between the law of the sending and recipient country, that might mean the MLAT request is denied. That probably doesn't mean much, because if you're on the FBI's radar, the chances are you did something that is also massively illegal in Switzerland too.
Secondly, they are 100% correct in saying that no other service provider is going to do any better. They're all beholden to local laws, and the ones that think they're not tend to get their doors blown off by SWAT like CyberBunker did. The only exception is if the company resides in a country which does not cooperate with US law enforcement (which Proton does not).
But the part that's extremely disingenuous is that the "we only respond to requests from the Swiss authorities". That statement is likely intended to imply they don't cooperate with law enforcement in any other countries, which is simply not true. Switzerland has MLAT agreements with over 30 counties.
People really need to understand that no company is going to shield you from the FBI (or any reputable law enforcement agency). They'll use misleading statements to make it sounds like they don't cooperate with law enforcement, but they do. They have to.
@malwaretech What do you suggest they should do?
-
It feels like Proton are being intentionally misleading in their statements. They know that most of their customers aren't familiar with how legal process actually works, so are happy to spread half-truths.
Under US law, a US law enforcement agency (LEA) typically has to apply for a subpoena or search warrant with a US court. The court is then responsible for deciding if the legal bar for search a request has been met, then either grants or denies it.
The problem is, if a company has no real US footprint (no US corporate entity, offices, servers, etc.), then a US court typically doesn't have the jurisdiction to compel the company to hand over customer data (except in some rare circumstances). Even if the court approved the warrant anyway, it wouldn't really be legally binding.
Which is why the Mutual Legal Assistance Treaty (MLAT) exists. MLAT enables law enforcement agencies in one company to send requests for information to law enforcement agencies in another. Switzerland has such a treaty with the US. This means that the FBI can request that Swiss authorities hand over a Swiss company's data on their behalf.
Any country requesting information held by a company in a foreign jurisdiction would typically do so via MLAT. Which means from Proton's perspective, the legal request would appear to originate from their local law enforcement, not the FBI. Which they clearly understand based on their Reddit post.
Saying "we don't respond to legal requests from anywhere other than Swiss authorities" seems very intentionally worded to give the impression that the company does not cooperate with foreign law enforcement. But since it'd be the Swiss authorities handling any such requests, they'd have to comply, since as they admitted, they have to comply with local laws.
There is, however, some useful (but more nuanced) information here:
Firstly, MLAT requests are handled by local law enforcement according to local law. So if there is a difference between the law of the sending and recipient country, that might mean the MLAT request is denied. That probably doesn't mean much, because if you're on the FBI's radar, the chances are you did something that is also massively illegal in Switzerland too.
Secondly, they are 100% correct in saying that no other service provider is going to do any better. They're all beholden to local laws, and the ones that think they're not tend to get their doors blown off by SWAT like CyberBunker did. The only exception is if the company resides in a country which does not cooperate with US law enforcement (which Proton does not).
But the part that's extremely disingenuous is that the "we only respond to requests from the Swiss authorities". That statement is likely intended to imply they don't cooperate with law enforcement in any other countries, which is simply not true. Switzerland has MLAT agreements with over 30 counties.
People really need to understand that no company is going to shield you from the FBI (or any reputable law enforcement agency). They'll use misleading statements to make it sounds like they don't cooperate with law enforcement, but they do. They have to.
It's surprising to me how many people don't get this.
"[W]e do not respond to legal requests from anywhere other than the Swiss authorities." is misleading because it implies the existence -- and ever-so-brave denial -- of legal requests from the FBI made directly to Proton, when that **never** actually happens because all requests go through the MLAT. They're boasting about denying a class of requests that has zero members. While neglecting to mention that the class of requests that they obey constitutes 100% of requests.
And this matters because it reflects poorly on Proton's honesty and candor. Users need clear information about what threats Proton's service protects against, and what threats it doesn't. If they aren't telling is the full truth in this matter, what else aren't they telling us?
More fundamentally, it casts doubt on their motives, values, and principles. Companies that would go to the mat for their users, even in the face of existential risk, Lavabit-style, are vanishingly rare. Few people expect that of Proton. So what are they then? Is Proton a company that at least *wants* to go to that mat for their users, but backs down in the face of existential risk? Or is it a company that's indifferent and disinclined to go to the mat for their users anyway? Their disingenuity here suggests their motives are mercenary and their values insincere.
On that topic, it would be interesting to know if Proton fought this subpoena before complying. Did they at least attempt the Swiss equivalent to a motion to quash? Or did they just roll over immediately?
(Here Proton tells us "Swiss authorities determined that the legal threshold was met because...," but doesn't tell us the context. Was that determination made in the course of a proceeding objecting to the subpoena, or in the course of the standard MLAT processing procedure? Was anyone present to argue the position that the standard was not met? And specifically which "authorities" made this determination?)
No, Proton isn't responsible for the Swiss MLAT regime. But they **are** responsible for telling the full, unvarnished truth about how they interact with that regime. And they did not.
-
@LukefromDC @malwaretech your risk profile is yours to decide on. I'm sure many ppl feel the same as you.
My recommendation is bc you are unlikely to have any real standing in another jurisdiction.
-
R relay@relay.infosec.exchange shared this topic
