ProtonMail filters this into its junk folder: New claim it goes out of its way to help cops spy ProtonMail, a provider of encrypted email, has denied claims that it voluntarily provides real-time surveillance to authorities. Earlier this month, Martin Steiger, a lawyer based in Zurich, Switzerland, attended a presentation in which public prosecutor Stephan Walder, who heads the Cybercrime Competence Center in Zurich, …
Sure they say they only reveal information when compelled by a court order, but are they bothering to check that the order itself is valid?
This is something that has always bothered me about corporations: They never bother to actually challenge the order. They see a piece of paper with a judge's signature on it and will do whatever the hell it says without question. A judge could tell them to punch themselves in the face and 5 minutes later every employee is sporting a couple of black-eyes.
I'm not sure that's really true.
Microsoft (and I'm no fan of Microshaft) and Apple have been very vocal about their attempts to challenge court orders purporting to compel them to provide private customer information.
Corporations see a lot of martketing mileage in being seen to sticking it to the "man" in this regard.
The numbers are in the transparency report, 3 requests are claimed to be contested in 2017 and 4 requests in 2018, with the overall number of requests increasing twentyfold in 2018. The transparency report examples clearly state that in certain cases Protonmail assisted the law enforcement agencies without the court order, expecting the court order to be provided retroactively. It did claim for some examples that only limited assistance was possible due to cryptography.
To the best of my judgement, Mr. Steiger is making a point in his article that Switzerland is a surveillance state and that Protonmail is misleading customers about their data being protected by Swiss privacy laws since they do not apply to criminal investigations. He is also claiming that Protonmail is not exempt from SPTA (Swiss federal act on surveillance of telecommunications) requirements and is either acting as Provider of Communication Services or Provider of Derived Communication Services. In the former case (PCS) Protonmail would have to assist with surveillance, remove any encryption applied, provide real-time communication data and metadata, keep and provide metadata for 6 months; in the latter case (PDCS) Protonmail would have to assist with surveillance and provide available metadata.
Mr. Steiger is then speculating about the status of Protonmail under SPTA and concludes that Protonmail would not be obliged to provide real-time metadata; he concludes that providing such real-time metadata is incompatible with claiming to be a trustworthy email service provider with data protection and encryption. I think this is where he is making mistakes.
Protonmail claims that it does not store metadata (" By default, we do not record metadata such as the IP addresses used to log into accounts."), which means that if requested to provide such metadata (e.g. by being PDCS) they will _enable_ recording for the account under surveillance. Since they decided to assist with the request and just enabled the recording, providing the authorities with a real-time metadata stream does not seem to be going too far. Otherwise they could not provide any metadata, at least without delay, and end up like Lavabit (e.g. promoted to PCS, required to remove encryption and keep metadata for 6 months). Protonmail has been clear that they will work with authorities and provide metadata when issued with a valid request.
It's a real world after all. Mr. Steiger did not genuinely seem to mean harm (however somehow he clearly managed to) and and makes some valid points but imho he's crying wolf.
Are you concerned about the lack of regularity of the reports or the infrequency thereof?
How often something happens and how regularly it happens are not necessarily the same thing.
Halley's comet comes regularly but not often — regular but not frequent.
It rains in April frequently but not regularly — not regular but frequent.
Sure they say they only reveal information when compelled by a court order, but are they bothering to check that the order itself is valid?
That's the advantage of Switzerland: it's small enough that the "creative" acquisition or issue of a warrant would have dear consequences, so in general you get very few warrants not issued without serious due process, also because Swiss laws treat privacy as a very serious matter (if you can read German, French or Italian it's definitely worth reading up on it). Given their business, I also doubt very much that ProtonMail doesn't have either inhouse counsel or a lawyer on speed dial so I reckon someone will do the checking.
I'm with ProtonMail on this: as any business, they have a duty to comply with the law and I don't buy that ProtonMail would do anything voluntarily because they would be breaking the very same laws that protect them.
Switzerland is not the privacy haven that it used to be.
.. but on the other hand you should also not believe the loud US propaganda. Switzerland still has better privacy laws (and, let's not forget, actual proper enforcement of them) than even Europe.
The only problem is that you have to be able to read law in French, Italian or German to understand how it works and to avoid the few tripwires in matters involving multiple jurisdiction.
Yup, sorry, that's what I get when I post late. I did indeed mean EU rather than geographic Europe.
Swiss privacy laws differ in significant areas from EU imposed law, if for no other reason that privacy in Switzerland is part of federal constitutional law, in other words so deeply embedded in the legal system that it'll be nigh impossible to change it (and that would be assuming that a population enjoying direct democracy would actually permit that, which is not going to happen).
If you're interested, it's Article 13 of SR 101 (German version). As this law is relatively new (April 1999) it also incorporates a reference to long distance communication ("Fernmeldeverkehrs") which neatly incorporated more modern communication such as email without any change in law.
There is an important addendum to the article in question:
Public prosecutor Walder of the Competence Center Cybercrime contacted me, saying he had been misquoted. He claims that had not divulged at the above-mentioned event that ProtonMail voluntarily releases real-time data. He had merely described ProtonMail as a potential provider of derived communication services (PDCS).
Source in the blog post mentioned at the bottom of the article.
I've been using Proton Mail for a while now and I seem to remember the Proton mail team explaining this when the Swiss changed the law regarding this particular subject some time ago.
As was pointed out in the article, PM give you the option to use Tor to access the site specifically to guard against this.
Personally I use an anonymous VPN (paid for) ALL the time, purely because I intend to screw the snoops any chance I get, but if I was really paranoid I'd just use tor over my VPN as well.
(Pointless in my case really, I can't imagine there's anything remotely of interest to the snoops in my mail)
But fuck 'em anyway, I consider it my duty to make life as difficult as possible for them no matter who they work for.
(I've found PM to be an excellent service BTW)
Tor is a bit different, but with a paid-for VPN provider, even if you pay with Bitcoin, they have full access to all your browsing activities, and full access to details of all the places where you browse from.
It is not impossible for the police to put this together from other sources, but a VPN makes it so much easier for them.
What I'm saying is, if you want to hide something, you need to make it look normal so it doesn't stand out.
Just like, if you want to burgle an office building, you turn up with a dirty white van and a hi-viz jacket.
Most people using a VPN are using it to access services which are only available on a location-specific basis. This is the electronic version of grey imports.
I live in the Channel Islands. Windows 10 accepts Guernsey as a valid location but the Microsoft Store does not. The only solution is to lie and say I'm in the UK.
The same applies to eBay. I can give my address and postcode but I need to claim that it's in the UK or there's no way to buy even from sites that offer worldwide shipping.
Hi, I just want to correct your post....
It signposts you in big neon lights as somebody who has something to hide..
Errr, no it doesn't.
It provides a single easily identifiable place where they can get all your details and activities
And... err, again... no it doesn't.
Thanks.
I use Proton Mail too. So far so good but i still PGP encrypt first on my pc before I send it anyway. Proton Mail gives you a false sense of security only because the vast majority of your emails come from outside Proton Mail over unencrypted port 23. So if necessary, all one has to do is a minor change to their server to collect all your incoming and outgoing SMTP as it arrives or leaves before it gets encrypted with your private key.
So far they have been very reliable.
Protonmail have never been all the way there on doing what they say.
For example, its all very well saying "your emails are stored encrypted".
But it's not much good if you add and store un-necessary email plaintext headers which have things like filenames of attachments in them.
The only reason to store a copy of all the filenames in plaintext is to make life easier for the authorities when they want to go on a fishing expedition.
But at some point you have to accept responsibility for your own actions, or in this case, inactions.
If you will send attachments with file names like "secret government cables.doc" or "nudie donald trump.png" you only have yourself to blame when someone takes an interest.
And remember, even if they aren't secure at the destination, any or all of the nodes between the sender and recipient may have logged it, don't assume anything is just passively passing on the data.
You remind me of doing an audit of an unspecified government department. The printers had SNMP enabled, it wasn't blocked, and you could read all the print jobs that had gone through the HP printers. The print file names often contained potentially sensitive information.
SNMPV3 is a pain to implement but it's a very good idea.
All use of communication is balancing risk.
You may be using a provider interface: who says it's actually safe? How safe is your own machine/browser? Can you risk not getting hold of email if you don't store it locally? If you do, can you afford to be exposed to a locally issued warrant? How sure are of you the SSL certificate involved in transport?
Providers have to balance the same risks. Key, however, is that they are honest towards their users about their choices. If I were a service provider I would, for instance, never allow the use of Tor for services because I would also like to make sure that I wasn't helping a group of criminals, but that decision may falls differently for others. I know of a German outfit that offers "privacy services" that explicitly involves running a Tor node, and I know of them because their IP address showed up repeatedly in logged hacking attempts on one of my websites until I banned their entire IP range.
If you are not running end to end encryption there is not much point. Lets see where is half the mail coming from? Google servers, outlook servers, which pretty much feed directly in to the NSA.
If you want secure email then don't trust server side encryption. Encrypt the entire handshake to the domain and verify the client cert. eg. if you own domain example.com and you are sending email from example.co.uk then you mandate that example.com present a cert signed for example.co.uk, preferably in DNS using TLSA - NSA best practise.
Well, If you're sending sensitive information via any of the usual suspect providers such as you mention without PGP encrypting the contents first you can't expect any security,
(as is fully explained by the FAQs on Proton Mail's site).
If you can't work that out for yourself you probably shouldn't be trying to use an encrypted service anyway, (I'm using YOU in the general sense).
However, mail sent between two Proton Mail accounts IS about as secure as can reasonably be expected.
Personally if I was sending the kind of data that could cause me problems I'd PGP encrypt it anyway, but then I don't trust ANYONE.
E-mail, by design, leaves a lot of metadata behind.
Yes, you can hide the contents themselves if you really take encryption seriously and do that before it ever touches anything outside of your direct control.
But to protect metadata people need to take extra steps like using "ricochet im" that doesn't even exist to mobile operating systems and probably can't exist... but it uses Onion ("Tor") network to generate the identity and to send and receive messages. And is already dated since is using the old less secure format to generate ID's and receive and send messages.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
