Open Menu
AllLocalCommunitiesAbout
lotide
AllLocalCommunitiesAbout
Login

Proton Mail Discloses User Data Leading to Arrest in Spain

⁨225⁩ ⁨likes⁩

Submitted ⁨⁨6⁩ ⁨months⁩ ago⁩ by ⁨throws_lemy@lemmy.nz⁩ to ⁨privacyguides@lemmy.one⁩

https://restoreprivacy.com/protonmail-discloses-user-data-leading-to-arrest-in-spain/

source

Comments

Sort:hotnewtop
  • imkali@lemmy.dbzer0.com ⁨6⁩ ⁨months⁩ ago

    Sounds like an avoidable problem, that Proton didn’t have a whole lot to fight it with. Obviously they could/should have fought it in court, but this could have been avoided if the individual simply didn’t link a recovery email and/or didn’t share the same email across Apple products + protesting. Although, the article does point out that if you sign up over Tor or a VPN it requires a verification email, which sucks- though you could just use a temporary email address to get around it.

    Key information:

    The core of the controversy stems from Proton Mail providing the Spanish police with the recovery email address associated with the Proton Mail account of an individual

    individual is suspected of being a member of the Mossos d’Esquadra (Catalonia’s police force) and of using their internal knowledge to assist the Democratic Tsunami movement.

    Upon receiving the recovery email from Proton Mail, Spanish authorities further requested Apple to provide additional details linked to that email, leading to the identification of the individual.

    This case is particularly noteworthy because […] complex interplay between technology firms, user privacy, and law enforcement.

    requests were made under the guise of anti-terrorism laws

    primary activities of the Democratic Tsunami involving protests and roadblocks

    Proton Mail’s compliance with these requests is bound by Swiss law

    Comment from Proton:

    We are aware of the Spanish terrorism case involving alleged threats to the King of Spain, but as a general rule we do not comment on specific cases. Proton has minimal user information, as illustrated by the fact that in this case data obtained from Apple was used to identify the terrorism suspect. Proton provides privacy by default and not anonymity by default because anonymity requires certain user actions to ensure proper OpSec, such as not adding your Apple account as an optional recovery method. Note, Proton does not require adding a recovery address as this information can in theory be turned over under Swiss court order, as terrorism is against the law in Switzerland.

    source
    • CaptObvious@literature.cafe ⁨6⁩ ⁨months⁩ ago

      The reporter noted that disposable verification addresses are rejected by Proton.

      source
      • AlteredStateBlob@kbin.social ⁨6⁩ ⁨months⁩ ago

        You can simply use either: a different protonmail address or a similar service like tutanota.

        source
        • -> View More Comments
      • imkali@lemmy.dbzer0.com ⁨6⁩ ⁨months⁩ ago

        Ah, my bad, I’ll edit my comment.

        source
        • -> View More Comments
    • OnePhoenix@lemmy.world ⁨6⁩ ⁨months⁩ ago

      I don’t know if what I do is the right way around this but, as stated Proton will reject disposable verification emails and you cannot use another proton account to verify a new one.

      My workaround for this is to verify proton with a Tutanota account which is also created with as little to no identifiable information as possible.

      TLDR: Proton accepts Tuta emails for verification and Tuta emails can be created anonymously.

      source
      • CaptObvious@literature.cafe ⁨6⁩ ⁨months⁩ ago

        Which leads to the next logical question: Why not just use Tuta in the first place?

        source
        • -> View More Comments
    • Beaver@lemmy.ca ⁨6⁩ ⁨months⁩ ago

      Sounds pretty messed up.

      source
  • chalk46@kbin.social ⁨6⁩ ⁨months⁩ ago

    nothing I read about this group on Wikipedia points to terrorism, it repeatedly says they advocate nonviolence
    I guess these days though it's become some kind of magic password to get whatever the hell you want

    source
    • CaptObvious@literature.cafe ⁨6⁩ ⁨months⁩ ago

      It always has been in Spain. I adore the people and culture, but they’ve always overreacted to Basque and now Catalan independence movements.

      source
      • testingtesting123@discuss.tchncs.de ⁨6⁩ ⁨months⁩ ago

        Well, basque indepence movement involved several deaths, including “civilians”, non politics or police related until 2000s, and people react quite pacific always.

        Whereas catalan movement is basically pacifist with some roadblocks and protests and even riots. In front, the typical anti riot police, not fun… but kind of expected.

        Honestly, I will be not surprised if this case ends in nothing as it is not clear it can hold in court …

        source
    • helenslunch@feddit.nl ⁨6⁩ ⁨months⁩ ago

      Terrorism is a label terrorists slap on freedom fighters.

      source
      • Amazed@lemmy.world ⁨6⁩ ⁨months⁩ ago

        This is a very stupid sentiment. Are you familiar with Iran?

        source
        • -> View More Comments
    • guillem@aussie.zone ⁨6⁩ ⁨months⁩ ago

      “Everything is ETA” is a running joke when talking about politics in Spain.

      They even sent some puppetteers to prison on accounts of terrorism for making such a joke publicly.

      source
  • reverendsteveii@lemm.ee ⁨6⁩ ⁨months⁩ ago

    The requests were made under the guise of anti-terrorism laws

    Remember this the next time someone in government says “We need tough anti-terrorism laws”. They also get to define what counts as terrorism, so anyone inconvenient can be destroyed and the public told “We’re just keeping you safe from terrorism.”

    source
  • Mikufan@ani.social ⁨6⁩ ⁨months⁩ ago

    Nothing they can do about that.

    source
    • GenderNeutralBro@lemmy.sdf.org ⁨6⁩ ⁨months⁩ ago

      They could avoid storing the recovery email in plaintext. A hash would be sufficient if they require the user to enter their recovery email for confirmation when they really need to recover the account.

      For an ostensibly privacy-oriented service, Proton makes some weird architectural choices.

      source
      • Mikufan@ani.social ⁨6⁩ ⁨months⁩ ago

        I’ve had to use the recovery, they need plaintext because they send you a recovery code or a support ticket (depends) nobody knows all their emails.

        source
        • -> View More Comments
    • veniasilente@lemm.ee ⁨5⁩ ⁨months⁩ ago

      They could host themselves in a different place with better privacy laws. I’ve always wondered why, for example, don’t privacy services establish themselves in international waters or in micronations such as Sealand.

      source
  • CaptObvious@literature.cafe ⁨6⁩ ⁨months⁩ ago

    I do not understand why people continue to trust Proton. They seem no better than Gmail from where I sit.

    source
    • Jako301@feddit.de ⁨6⁩ ⁨months⁩ ago

      Proton upheld their claim of privacy, no Emails were disclosed. But they never promised anonymity cause that’s something they simply can’t do under the Swiss law. If you willingly give them your other mail addresses or contact details, they have to comply. Sure they could have denied the Spanish authorities, but it takes less than a week to get a court order for things like this.

      source
      • CaptObvious@literature.cafe ⁨6⁩ ⁨months⁩ ago

        And if they didn’t require that secondary email address or would allow a temporary, they would have had nothing to give in the first place.

        Proton aren’t the victim here.

        source
        • -> View More Comments
    • helenslunch@feddit.nl ⁨6⁩ ⁨months⁩ ago

      Then you are ignorant.

      source
    • Ilandar@aussie.zone ⁨6⁩ ⁨months⁩ ago

      Comments like this are why no one takes privacy advocates seriously. Really? No better than Google? You guys are fucking delusional.

      source
    • requiem@lemmy.world ⁨6⁩ ⁨months⁩ ago

      Depends in what field. Proton, at least, doesn’t scan your email contents and metadata to sell it on to advertisers.

      source
      • something_random_tho@lemmy.world ⁨6⁩ ⁨months⁩ ago

        FWIW Gmail no longer sells your email data to advertisers either. That changed years back.

        source
        • -> View More Comments
    • summerof69@lemm.ee ⁨6⁩ ⁨months⁩ ago

      I don’t think that Proton sells my data to advertisers or trains AI using my emails and documents. As of laws, unfortunately any service in any reputable country has to obey them. You can always buy a server in some banana republic and set up an email service there, but even then there are some risks.

      source
      • CaptObvious@literature.cafe ⁨6⁩ ⁨months⁩ ago

        All good unrelated points.

        With Proton’s anti-privacy requirements for establishing service, they don’t deserve anyone’s trust. They’re just a LEO honeypot that charges you to get in. Again, in that regard, you may as well stick with free Google. At least they’re (mostly) honest about what they are.

        source
        • -> View More Comments
    • Rogers@lemmy.ml ⁨6⁩ ⁨months⁩ ago

      Way way better than gmail IMO. One simple reason is if you have something wrong with your account you can get in contact with a real human. And still better data protection than anything in the US. I’m not a journalist or freedom fighter so for my use case it’s ideal.

      source
      • CaptObvious@literature.cafe ⁨6⁩ ⁨months⁩ ago

        Fair point. And if whatever you want to keep private isn’t likely to get you killed, then Proton is probably as good as any.

        source
    • EncryptKeeper@lemmy.world ⁨6⁩ ⁨months⁩ ago

      Because we can see through the clickbait to what actually happened.

      source
  • Cyberjin@lemmy.world ⁨6⁩ ⁨months⁩ ago

    Obviously they have user data that be shared. I can’t even remove my card details (burner) when everything is paid for.

    But I wonder They got the recovery email and requested a new password for proton… another remember to set 2FA

    source