back to article ProtonMail filters this into its junk folder: New claim it goes out of its way to help cops spy

ProtonMail, a provider of encrypted email, has denied claims that it voluntarily provides real-time surveillance to authorities. Earlier this month, Martin Steiger, a lawyer based in Zurich, Switzerland, attended a presentation in which public prosecutor Stephan Walder, who heads the Cybercrime Competence Center in Zurich, …

  1. Crazy Operations Guy Silver badge

    But who is pulling the strings of the courts?

    Sure they say they only reveal information when compelled by a court order, but are they bothering to check that the order itself is valid?

    This is something that has always bothered me about corporations: They never bother to actually challenge the order. They see a piece of paper with a judge's signature on it and will do whatever the hell it says without question. A judge could tell them to punch themselves in the face and 5 minutes later every employee is sporting a couple of black-eyes.

    1. cornetman Bronze badge

      Re: But who is pulling the strings of the courts?

      I'm not sure that's really true.

      Microsoft (and I'm no fan of Microshaft) and Apple have been very vocal about their attempts to challenge court orders purporting to compel them to provide private customer information.

      Corporations see a lot of martketing mileage in being seen to sticking it to the "man" in this regard.

      1. Muppet Boss
        Coffee/keyboard

        Crying wolf

        The numbers are in the transparency report, 3 requests are claimed to be contested in 2017 and 4 requests in 2018, with the overall number of requests increasing twentyfold in 2018. The transparency report examples clearly state that in certain cases Protonmail assisted the law enforcement agencies without the court order, expecting the court order to be provided retroactively. It did claim for some examples that only limited assistance was possible due to cryptography.

        To the best of my judgement, Mr. Steiger is making a point in his article that Switzerland is a surveillance state and that Protonmail is misleading customers about their data being protected by Swiss privacy laws since they do not apply to criminal investigations. He is also claiming that Protonmail is not exempt from SPTA (Swiss federal act on surveillance of telecommunications) requirements and is either acting as Provider of Communication Services or Provider of Derived Communication Services. In the former case (PCS) Protonmail would have to assist with surveillance, remove any encryption applied, provide real-time communication data and metadata, keep and provide metadata for 6 months; in the latter case (PDCS) Protonmail would have to assist with surveillance and provide available metadata.

        Mr. Steiger is then speculating about the status of Protonmail under SPTA and concludes that Protonmail would not be obliged to provide real-time metadata; he concludes that providing such real-time metadata is incompatible with claiming to be a trustworthy email service provider with data protection and encryption. I think this is where he is making mistakes.

        Protonmail claims that it does not store metadata (" By default, we do not record metadata such as the IP addresses used to log into accounts."), which means that if requested to provide such metadata (e.g. by being PDCS) they will _enable_ recording for the account under surveillance. Since they decided to assist with the request and just enabled the recording, providing the authorities with a real-time metadata stream does not seem to be going too far. Otherwise they could not provide any metadata, at least without delay, and end up like Lavabit (e.g. promoted to PCS, required to remove encryption and keep metadata for 6 months). Protonmail has been clear that they will work with authorities and provide metadata when issued with a valid request.

        It's a real world after all. Mr. Steiger did not genuinely seem to mean harm (however somehow he clearly managed to) and and makes some valid points but imho he's crying wolf.

    2. notamole

      Re: But who is pulling the strings of the courts?

      Tutanota puts out biannual reports of orders they've received and how many of those they've complied with. Protonmail, not so much.

      1. IGotOut

        Re: But who is pulling the strings of the courts?

        "Tutanota puts out biannual reports of orders they've received and how many of those they've complied with. Protonmail, not so much."

        https://protonmail.com/blog/transparency-report/

        Tricky things to master those search engines.

        1. notamole

          Re: But who is pulling the strings of the courts?

          Fair enough, but you do have to use a search engine to find it (would you have thought to search for it if I hadn't question its existence?). They don't promote it at all, it's just updated in a 5 year old article.

        2. Anonymous Coward
          Anonymous Coward

          Re: But who is pulling the strings of the courts?

          "https://protonmail.com/blog/transparency-report/"

          Yes but have you actually looked at the dates ?

          Protonmail used to issue regular transparency reports but now they are very irregular.

          1. deadlockvictim Silver badge

            Re: But who is pulling the strings of the courts?

            Are you concerned about the lack of regularity of the reports or the infrequency thereof?

            How often something happens and how regularly it happens are not necessarily the same thing.

            Halley's comet comes regularly but not often — regular but not frequent.

            It rains in April frequently but not regularly — not regular but frequent.

    3. Anonymous Coward
      Anonymous Coward

      Re: But who is pulling the strings of the courts?

      Sure they say they only reveal information when compelled by a court order, but are they bothering to check that the order itself is valid?

      That's the advantage of Switzerland: it's small enough that the "creative" acquisition or issue of a warrant would have dear consequences, so in general you get very few warrants not issued without serious due process, also because Swiss laws treat privacy as a very serious matter (if you can read German, French or Italian it's definitely worth reading up on it). Given their business, I also doubt very much that ProtonMail doesn't have either inhouse counsel or a lawyer on speed dial so I reckon someone will do the checking.

      I'm with ProtonMail on this: as any business, they have a duty to comply with the law and I don't buy that ProtonMail would do anything voluntarily because they would be breaking the very same laws that protect them.

      1. katrinab Silver badge

        Re: But who is pulling the strings of the courts?

        Switzerland is not the privacy haven that it used to be.

        1. Anonymous Coward
          Anonymous Coward

          Re: But who is pulling the strings of the courts?

          Switzerland is not the privacy haven that it used to be.

          .. but on the other hand you should also not believe the loud US propaganda. Switzerland still has better privacy laws (and, let's not forget, actual proper enforcement of them) than even Europe.

          The only problem is that you have to be able to read law in French, Italian or German to understand how it works and to avoid the few tripwires in matters involving multiple jurisdiction.

          1. aks Bronze badge

            Re: But who is pulling the strings of the courts?

            I'm in agreement with your point but would argue that Switzerland is in Europe (but not in the EU).

            1. Anonymous Coward
              Anonymous Coward

              Re: But who is pulling the strings of the courts?

              Yup, sorry, that's what I get when I post late. I did indeed mean EU rather than geographic Europe.

              Swiss privacy laws differ in significant areas from EU imposed law, if for no other reason that privacy in Switzerland is part of federal constitutional law, in other words so deeply embedded in the legal system that it'll be nigh impossible to change it (and that would be assuming that a population enjoying direct democracy would actually permit that, which is not going to happen).

              If you're interested, it's Article 13 of SR 101 (German version). As this law is relatively new (April 1999) it also incorporates a reference to long distance communication ("Fernmeldeverkehrs") which neatly incorporated more modern communication such as email without any change in law.

  2. Bronek Kozicki Silver badge
    Alert

    There is an important addendum to the article in question:

    Public prosecutor Walder of the Competence Center Cybercrime contacted me, saying he had been misquoted. He claims that had not divulged at the above-mentioned event that ProtonMail voluntarily releases real-time data. He had merely described ProtonMail as a potential provider of derived communication services (PDCS).

    Source in the blog post mentioned at the bottom of the article.

  3. Anonymous Coward
    Anonymous Coward

    This seems a little bit hearsay to me, that being said - it would be naive to think anything is completely secure, but I would certainly be more comfortable using a provider like these compared to others, given the choice.

    1. notamole

      There have been a number of claims made against Protonmail over the last year, most of them pretty flimsy. I wouldn't be surprised if this was a disinformation campaign by the NSA/GCHQ. They've gone after Tails and Tor before, calling them both "extremist".

  4. Anonymous Coward
    Anonymous Coward

    Snoops

    I've been using Proton Mail for a while now and I seem to remember the Proton mail team explaining this when the Swiss changed the law regarding this particular subject some time ago.

    As was pointed out in the article, PM give you the option to use Tor to access the site specifically to guard against this.

    Personally I use an anonymous VPN (paid for) ALL the time, purely because I intend to screw the snoops any chance I get, but if I was really paranoid I'd just use tor over my VPN as well.

    (Pointless in my case really, I can't imagine there's anything remotely of interest to the snoops in my mail)

    But fuck 'em anyway, I consider it my duty to make life as difficult as possible for them no matter who they work for.

    (I've found PM to be an excellent service BTW)

    1. katrinab Silver badge
      Black Helicopters

      Re: Snoops

      Using a VPN does two things :-

      It signposts you in big neon lights as somebody who has something to hide

      It provides a single easily identifiable place where they can get all your details and activities

      1. Anonymous Coward
        Anonymous Coward

        you're right

        "It signposts you in big neon lights as somebody who has something to hide"

        correct, mine signposts me as working for DXC

      2. The Central Scrutinizer

        Re: Snoops

        And as the Tor people say, the more people who use services like these, the LESS we will all stick out. What you're effectively saying is "don't rock the boat".

        1. katrinab Silver badge

          Re: Snoops

          Tor is a bit different, but with a paid-for VPN provider, even if you pay with Bitcoin, they have full access to all your browsing activities, and full access to details of all the places where you browse from.

          It is not impossible for the police to put this together from other sources, but a VPN makes it so much easier for them.

          What I'm saying is, if you want to hide something, you need to make it look normal so it doesn't stand out.

          Just like, if you want to burgle an office building, you turn up with a dirty white van and a hi-viz jacket.

          1. Claptrap314 Bronze badge

            Re: Snoops

            Easier than your ISP if you don't?

            1. katrinab Silver badge

              Re: Snoops

              Yes, because you probably use more than one ISP.

              Your home ISP, your mobile provider, your work ISP, public wifi, etc.

              Google, Facebook, etc, can help them tie those together. But it is another step they have to take.

      3. mr-slappy

        Re: Snoops

        There are lots of other reasons to use a VPN, other than being a spy: I often use mine when I'm logged into a wifi hotspot or other untrusted network, for example. So far the authorities have shown no interest in me whatsoe

        1. Bogle

          Re: Snoops

          Are you _sure_? Strange how the last word of your post is ... strangled.

        2. aks Bronze badge

          Re: Snoops

          Most people using a VPN are using it to access services which are only available on a location-specific basis. This is the electronic version of grey imports.

          I live in the Channel Islands. Windows 10 accepts Guernsey as a valid location but the Microsoft Store does not. The only solution is to lie and say I'm in the UK.

          The same applies to eBay. I can give my address and postcode but I need to claim that it's in the UK or there's no way to buy even from sites that offer worldwide shipping.

          1. katrinab Silver badge

            Re: Snoops

            Yes, that is a good use case for VPN services. Privacy is not.

      4. Aristotles slow and dimwitted horse Silver badge

        Re: Snoops

        Hi, I just want to correct your post....

        It signposts you in big neon lights as somebody who has something to hide..

        Errr, no it doesn't.

        It provides a single easily identifiable place where they can get all your details and activities

        And... err, again... no it doesn't.

        Thanks.

      5. notamole

        Re: Snoops

        That may have been true 3-4 years ago, but VPNs are incredibly common (arguably mainstream) now.

  5. YetAnotherJoeBlow

    I use Proton Mail too. So far so good but i still PGP encrypt first on my pc before I send it anyway. Proton Mail gives you a false sense of security only because the vast majority of your emails come from outside Proton Mail over unencrypted port 23. So if necessary, all one has to do is a minor change to their server to collect all your incoming and outgoing SMTP as it arrives or leaves before it gets encrypted with your private key.

    So far they have been very reliable.

    1. ortunk

      So your mail comes over telnet (port 23)?

      Guess smtp and submission are blocked in CH..

    2. katrinab Silver badge

      That's pretty weird.

      My email comes in on port 25. Most of it is probably encrypted when it arrives, but there is no way of knowing for sure when you hit the send button, and you certainly shouldn't rely on it.

      1. jtaylor

        "My email comes in on port 25."

        I imagine YAJB mixed up client and server there. We use the telnet client to send emails.

  6. Anonymous Coward
    Anonymous Coward

    Protonmail have always been a bit of a 3/4 house

    Protonmail have never been all the way there on doing what they say.

    For example, its all very well saying "your emails are stored encrypted".

    But it's not much good if you add and store un-necessary email plaintext headers which have things like filenames of attachments in them.

    The only reason to store a copy of all the filenames in plaintext is to make life easier for the authorities when they want to go on a fishing expedition.

    1. Anonymous Coward
      Anonymous Coward

      Re: Protonmail have always been a bit of a 3/4 house

      But at some point you have to accept responsibility for your own actions, or in this case, inactions.

      If you will send attachments with file names like "secret government cables.doc" or "nudie donald trump.png" you only have yourself to blame when someone takes an interest.

      And remember, even if they aren't secure at the destination, any or all of the nodes between the sender and recipient may have logged it, don't assume anything is just passively passing on the data.

      1. Anonymous Coward
        Anonymous Coward

        Re: Protonmail have always been a bit of a 3/4 house

        You remind me of doing an audit of an unspecified government department. The printers had SNMP enabled, it wasn't blocked, and you could read all the print jobs that had gone through the HP printers. The print file names often contained potentially sensitive information.

        SNMPV3 is a pain to implement but it's a very good idea.

    2. Anonymous Coward
      Anonymous Coward

      Re: Protonmail have always been a bit of a 3/4 house

      All use of communication is balancing risk.

      You may be using a provider interface: who says it's actually safe? How safe is your own machine/browser? Can you risk not getting hold of email if you don't store it locally? If you do, can you afford to be exposed to a locally issued warrant? How sure are of you the SSL certificate involved in transport?

      Providers have to balance the same risks. Key, however, is that they are honest towards their users about their choices. If I were a service provider I would, for instance, never allow the use of Tor for services because I would also like to make sure that I wasn't helping a group of criminals, but that decision may falls differently for others. I know of a German outfit that offers "privacy services" that explicitly involves running a Tor node, and I know of them because their IP address showed up repeatedly in logged hacking attempts on one of my websites until I banned their entire IP range.

  7. rbaba

    Whats the point of Protonmail?

    If you are not running end to end encryption there is not much point. Lets see where is half the mail coming from? Google servers, outlook servers, which pretty much feed directly in to the NSA.

    If you want secure email then don't trust server side encryption. Encrypt the entire handshake to the domain and verify the client cert. eg. if you own domain example.com and you are sending email from example.co.uk then you mandate that example.com present a cert signed for example.co.uk, preferably in DNS using TLSA - NSA best practise.

    1. Anonymous Coward
      Anonymous Coward

      Re: Whats the point of Protonmail?

      Well, If you're sending sensitive information via any of the usual suspect providers such as you mention without PGP encrypting the contents first you can't expect any security,

      (as is fully explained by the FAQs on Proton Mail's site).

      If you can't work that out for yourself you probably shouldn't be trying to use an encrypted service anyway, (I'm using YOU in the general sense).

      However, mail sent between two Proton Mail accounts IS about as secure as can reasonably be expected.

      Personally if I was sending the kind of data that could cause me problems I'd PGP encrypt it anyway, but then I don't trust ANYONE.

  8. Anonymous Coward
    Anonymous Coward

    Cybercrime Competence Center in Zurich, mentioned the company

    the kiss of death?

  9. Anonymous Coward
    Anonymous Coward

    E-mail, by design, leaves a lot of metadata behind.

    Yes, you can hide the contents themselves if you really take encryption seriously and do that before it ever touches anything outside of your direct control.

    But to protect metadata people need to take extra steps like using "ricochet im" that doesn't even exist to mobile operating systems and probably can't exist... but it uses Onion ("Tor") network to generate the identity and to send and receive messages. And is already dated since is using the old less secure format to generate ID's and receive and send messages.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019