Open Menu
AllLocalCommunitiesAbout
lotide
AllLocalCommunitiesAbout
Login

ProtonMail Logged IP Address of French Activist; Should You Be Worried About Your Privacy?

⁨500⁩ ⁨likes⁩

Submitted ⁨⁨2⁩ ⁨weeks⁩ ago⁩ by ⁨themachinestops@lemmy.dbzer0.com⁩ to ⁨technology@lemmy.world⁩

https://beebom.com/protonmail-logged-ip-address-should-you-worry-privacy/

source

Comments

Sort:hotnewtop
  • talentedkiwi@sh.itjust.works ⁨2⁩ ⁨weeks⁩ ago

    It’s also worth clarifying that ProtonMail doesn’t collect IP addresses by default. Instead, the monitoring/ logging starts after ProtonMail gets a legal request.

    They still have to adhere to legal requests.

    source
    • reksas@sopuli.xyz ⁨2⁩ ⁨weeks⁩ ago

      they should inform the victim about it

      source
      • talentedkiwi@sh.itjust.works ⁨2⁩ ⁨weeks⁩ ago

        Under Swiss law, ProtonMail should notify the user if a third party makes a request for their private data and if the data is for a criminal proceeding. However, there’s a big catch/ loophole here. On its law enforcement page, ProtonMail highlights that the notification can be delayed in the following cases:

        Where providing notice is temporarily prohibited by the Swiss legal process itself, by Swiss court order, or applicable Swiss law;
Where, based on information supplied by law enforcement, we, in our absolute discretion, believe that providing notice could create a risk of injury, death, or irreparable damage to an identifiable individual or group of individuals;
As a general rule though, targeted users will eventually be informed and afforded the opportunity to object to the data request, either by ProtonMail or by Swiss authorities.

        This incident seems to fall under the first case, and that’s why ProtonMail didn’t notify the user. “Some orders are final and cannot be appealed, that’s just how the legal system works, not everything can be appealed. The user wasn’t notified for the same reason that you don’t notify a suspect before arresting them,” says ProtonMail founder Andy Yen.

        source
      • ook@discuss.tchncs.de ⁨2⁩ ⁨weeks⁩ ago

        Proooobably part of the request that they are not allowed to do that.

        source
    • Nyxias@fedia.io ⁨2⁩ ⁨weeks⁩ ago

      Yes, exactly.

      Privacy is and should be a right, absolutely.

      But it doesn't absolve anyone from the right to shroud from any crime committed, period.

      source
      • rumba@lemmy.zip ⁨2⁩ ⁨weeks⁩ ago

        if you’ve done nothing wrong

        Through who’s lens?

        When a person is raped and seeking an abortion from Texas, do they deserve to be stripped of privacy? What about countries that see being gay a crime?

        I don’t particularly care about proton outing people, but they should absolutely be restricted from advertising that they’re more private or secure than any other provider out there.

        source
        • -> View More Comments
      • corsicanguppy@lemmy.ca ⁨2⁩ ⁨weeks⁩ ago

        should be a right, absolutely if you’ve done nothing wrong.

        The loss of privacy happens before the determination whether that person has done anything wrong. If the person’s criminal case goes well, do you have a time machine to go back and not invade privacy?

        source
        • -> View More Comments
  • Ulrich@feddit.org ⁨2⁩ ⁨weeks⁩ ago

    The police gained access to the IP address because Swiss authorities chose to cooperate with the French government

    We’ve seen this several times now. Proton is subject to Swiss law, just like every company in their respective countries. You choose Proton because Switzerland has the most privacy protections of any country on the planet (for now).

    If you want private communications, don’t use email. In fact, if we could all stop using email entirely, that’d be wonderful. There are hundreds of truly-secure alternatives, many with no company involved at all.

    source
    • holomorphic@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

      This is absolute nonsense. I would prefer most of Europe over Switzerland. The swiss government was always bad with privacy. See Fichenaffäre for example. Not to mention the new büpf and similar laws. I’m swiss. I would never store sensitive data in Switzerland on a public server. Well. Except taxdata, I guess. Can’t really get around that.

      source
    • mjr@infosec.pub ⁨2⁩ ⁨weeks⁩ ago

      There are hundreds of truly-private alternatives, many with no company involved at all.

      Such as…? I bet some ISPs or hardware maker companies are involved at some point.

      source
      • Ulrich@feddit.org ⁨2⁩ ⁨weeks⁩ ago

        Cwtch. XMPP. Matrix. SimpleX. Quiet. Delta Chat. Arcane Chat. Revolt. Briar. Meshtastic. etc. etc. etc.

        source
        • -> View More Comments
  • ShotDonkey@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

    Apart from it’s an old story, discussed already back and forth, Proton’s claims regarding privacy are really weak. Especially when it comes to presenting Switzerlamd as a privacy safehaven. Switzerland is a tax evasion savehaven, not a privacy safehaven, Proton. How Proton puts it: we provide world class privacy (but have to break our claims and comply with Swiss law immediately once there is a legitimate or not request from law enforcement, oepsie sorreyy!)

    source
  • unexposedhazard@discuss.tchncs.de ⁨2⁩ ⁨weeks⁩ ago

    Oh ffs. We have known for years that Proton is just a for profit company like any other. They dont give a fuck about you or your privacy. They never have and they never will.

    source
    • _cryptagion@anarchist.nexus ⁨2⁩ ⁨weeks⁩ ago

      For profit or FOSS, they can’t ignore the Swiss government. It’s fucking stupid that people put this ridiculous standard on them like they’re able to just tell the Swiss no and face no consequences.

      If you were in their position, you would roll over too, and if you claim otherwise you’re just straight up lying.

      source
    • TuxEnthusiast@sopuli.xyz ⁨2⁩ ⁨weeks⁩ ago

      They complied with laws. Where is the issue?

      source
      • Dojan@pawb.social ⁨2⁩ ⁨weeks⁩ ago
        1. Authoritarian regime decides that being critical of the regime is illegal and makes laws to support this.
        2. Activists use Proton for privacy.
        3. Regime demands that they give up data on activists.
        4. Proton complies with the laws.

        That’s the issue.

        source
        • -> View More Comments
      • mjr@infosec.pub ⁨2⁩ ⁨weeks⁩ ago

        They said things that led the unwary to trust they wouldn’t. Remember, this isn’t some terrorist mass-murderer they handed over, but apparently an anti-gentrification youth activist linked to Greta Thunberg’s campaign groups.

        source
        • -> View More Comments
    • rozodru@pie.andmc.ca ⁨2⁩ ⁨weeks⁩ ago

      it’s always disappointing when people all about FOSS and shit suggest Proton to people looking to switch from google. no, don’t do that. use Tuta or self host or ANYTHING other than Proton. it’s such a shit company that does not deserve the praise they receive.

      source
      • _cryptagion@anarchist.nexus ⁨2⁩ ⁨weeks⁩ ago

        So Tuta would refuse a legal order from the Swiss government?

        source
        • -> View More Comments
      • mjr@infosec.pub ⁨2⁩ ⁨weeks⁩ ago

        Tuta are also a for-profit company, aren’t they? Just one that currently has better published positions than most. Use them, but make sure you keep a path to the exit door in view.

        source
    • Goodlucksil@lemmy.dbzer0.com ⁨2⁩ ⁨weeks⁩ ago

      Please tell me a mail client that doesn’t comply with national laws.

      source
      • unexposedhazard@discuss.tchncs.de ⁨2⁩ ⁨weeks⁩ ago

        I never said anything about complying with laws, people just interpreted it that way. Of course everyone will comply with local laws or secret government orders that come with threats of imprisonment. I dont know if Proton was required to log this data in the first place, but if they were then this specific situations is not their fault.

        The issue with Proton isnt that they follow laws, but that they portray themselves like they are better or more private than others when they are just not. Bigger = worse in the tech world. Whenever too many people are using services of a single company, it becomes an attractive surveillance target.

        What im also annoyed about is people being surprised by this and these headlines that make it look like its some sort of betrayal. You should always be worried about your privacy when you put data on a computer that isnt in your physical possession. Proton isnt trustworthy because nobody is trustworthy except yourself.

        source
  • mp3@lemmy.ca ⁨2⁩ ⁨weeks⁩ ago

    The lesson here is despite what a service says, don’t trust it and take the appropriate measures to cover your tracks.

    You can create an access the inbox through Tor at protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion

    The important thing is to always access it through Tor.

    source
    • EncryptKeeper@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

      Also pay attention to what the service says and what it doesn’t. We get into this spot regularly because of things people assumed about Protonmail without being told.

      source
      • _cryptagion@anarchist.nexus ⁨2⁩ ⁨weeks⁩ ago

        A big problem is people see the word “privacy” and think that means anonymous. Neither Tuta nor Proton claim to be anonymous.

        source
        • -> View More Comments
    • mjr@infosec.pub ⁨2⁩ ⁨weeks⁩ ago

      You can create an access the inbox through Tor at protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion

      That’s just such an easy link to memorise, isn’t it? Just like the New Emergency Number

      source
      • NuXCOM_90Percent@lemmy.zip ⁨2⁩ ⁨weeks⁩ ago

        Onion TLDs are inherently not human readable for many well documented reasons of varying levels of legitimacy.

        The idea is that you write it down ahead of time (bookmarks and password managers are a thing) and paste it into your TOR browser or bake it into your privacy oriented live USB.

        source
      • lmmarsano@lemmynsfw.com ⁨2⁩ ⁨weeks⁩ ago

        That’s just such an easy link to memorise, isn’t it?

        You memorize your links & type them out like a boomer?

        source
  • ohshit604@sh.itjust.works ⁨2⁩ ⁨weeks⁩ ago

    Why is this a surprise? IP Logging is pretty normal.

    **2.5 IP logging: by default, we do not keep permanent IP logs in relation with your Account. However, IP logs may be kept temporarily to combat abuse and fraud, and your IP address may be retained permanently if you are engaged in activities that breach our Terms of Service (e.g. spamming, DDoS attacks against our infrastructure, brute force attacks). The legal basis of this processing is our legitimate interest to protect our service against non-compliant or fraudulent activities. If you enable authentication logging for your Account or voluntarily participate in Proton’s advanced security program, the record of your login IP addresses is kept for as long as the feature is enabled. This feature is off by default, and all the records are deleted upon deactivation of the feature. The legal basis of this processing is consent, and you are free to opt in or opt out of that processing at any time in the security panel of your Account. The authentication logs feature records login attempts to your Account and does not track product-specific activity, such as VPN activity.

    source
    • jaybone@lemmy.zip ⁨2⁩ ⁨weeks⁩ ago

      That’s some funny language around “May be obtained permanently” though. Is this minority report? Do they know ahead of time that someone is going to violate their TOS?

      That said, I’m not totally against proton mail. It’s a lot better than other free alternatives. Of which there are few left. I’m sure Gmail tracks the IP of your rectum.

      source
      • xthexder@l.sw0.com ⁨2⁩ ⁨weeks⁩ ago

        This seems necessary if they’re to maintain an IP ban list. You shouldn’t just be able to unban yourself by submitting an information deletion request.

        source
        • -> View More Comments
      • ohshit604@sh.itjust.works ⁨2⁩ ⁨weeks⁩ ago

        I would rather they have funny language in their privacy policy opposed to mandatory logging, they have to cover themselves legally as well so they got to utilize legal-ise so they aren’t sued into the dirt.

        I’m sure Gmail tracks the IP of your rectum.

        I bet Google predicted you would say that!

        source
  • BroBot9000@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

    Proton needs to get its head out of its ass and fire Andy already, grow a pair and get off Reddit and back onto Mastodon and face the backlash like actual adults.

    source
  • NuXCOM_90Percent@lemmy.zip ⁨2⁩ ⁨weeks⁩ ago

    Proton are very open about what they do and don’t provide.

    They’re not going to protect you and they will turn on you the second they get a letter in the mail or a text from the cops.

    But what they DO provide is the ability to register an email address (with a domain that isn’t blocked by most services) without providing any other information. And, from there, you can encrypt it yourself if it is a particularly sensitive message.

    As for IP logging? if only there were tools like VPNs and Tor to negate that.

    source
    • vector@no.lastname.nz ⁨2⁩ ⁨weeks⁩ ago

      IMO if proton can change their stance and their policies (like their website no longer says emails are anonymous), then I don’t think they are a good private service provider. The only thing going for proton now is that their emails are encrypted and can’t be read by them.

      Who knows if a request came from a specific channel of the government that deals with crime, may be they will decrypt the content for them?

      source
      • NuXCOM_90Percent@lemmy.zip ⁨2⁩ ⁨weeks⁩ ago

        No.

        The “only thing going for” them is the ability to sign up with zero personal information.

        Do not trust a third party to encrypt your sensitive communications for you. Do not trust a third party to protect you. Instead, look at what the the third party actually offers you and figure out how you can take advantage of that.

        source
        • -> View More Comments
    • pineapplelover@lemmy.dbzer0.com ⁨2⁩ ⁨weeks⁩ ago

      In most cases, they fight tooth and nail and use their own lawyers if necessary

      source
      • mjr@infosec.pub ⁨2⁩ ⁨weeks⁩ ago

        Did they in this case?

        source
  • Nyxias@fedia.io ⁨2⁩ ⁨weeks⁩ ago

    Okay so I do remember this issue being brought up a long time ago so it's not exactly news and the author has a poor time lapse of events.

    ProtonMail is not like a safe haven for any criminal operation, that would make Proton incredibly liable. Just like Telegram became with what's been happening with trafficking and children-related incidents.

    Secondly, an IP address is like stupidly easy to get anyways on someone unless VPN.

    There is just so many things wrong that people are not taking into account but I guess let others go on self-virtuous parades to demonize Proton. If you understand laws, this is not a problem. If you understand tech, you'd realize the same. If you understand both, then hooray! You get it.

    source
    • mjr@infosec.pub ⁨2⁩ ⁨weeks⁩ ago

      There seems to be no suggestion yet that any crime was committed on/using ProtonMail itself. Just that it was a tool to track someone accused of offline crimes. So this comment feels like misdirection because there are probably options between being liable and effectively telling the cops where users are.

      source
  • infinitesunrise@slrpnk.net ⁨2⁩ ⁨weeks⁩ ago

    So Protonmail was required to log the IP of the user after being ordered to via the proper international Swiss legal channeks, per Swiss/Europol law. And at some point recently, Protonmail thus removed the copy from their frontpage that advertised never tracking IPs.

    What the article doesn’t really explain, is what exactly changed about Swiss or euro law? And when? What rules or acts have sprung up that made this possible? Or, was this always something that was possible that has only just now made precedent?

    source
    • vector@no.lastname.nz ⁨2⁩ ⁨weeks⁩ ago

      Then what makes a privacy oriented service different from others when they can open a backdoor for government? The thing is government wants control and they will change laws for exactly that. What Proton should have done was to eliminate the chance of this happening in the first place. Why are they having a logging mechanism? Why don’t they use RAM only servers or something like that? Privacy services should have the infrastructure and legal power to say “No”, or they are lying.

      source
      • infinitesunrise@slrpnk.net ⁨2⁩ ⁨weeks⁩ ago

        You need to read the article. It explicitly and IMO satisfactorily answers your questions.

        source
  • cupcakezealot@piefed.blahaj.zone ⁨2⁩ ⁨weeks⁩ ago

    proton is arm in arm with the us government and republicans, so it should be expected that they’ll track and sell you out.

    source
  • veniasilente@lemmy.dbzer0.com ⁨2⁩ ⁨weeks⁩ ago

    Nothing unexpected from a company that openly espouses fascism.

    source
    • JoshuaFalken@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

      Could you elaborate on this comment?

      source
      • foremanguy92_@lemmy.ml ⁨2⁩ ⁨weeks⁩ ago

        Surely recent CEOs actions

        source
      • Pechente@feddit.org ⁨2⁩ ⁨weeks⁩ ago

        A few months ago the CEO tweeted that he supported Trump and his policies. The most ironic part was that he’s an immigrant himself but lives in Switzerland.

        Not sure if anything else happened since.

        source
        • -> View More Comments
  • bookmeat@lemmynsfw.com ⁨2⁩ ⁨weeks⁩ ago

    The IP isn’t even that important. They straight gave up that person’s phone number and identified them.

    source
  • betanumerus@lemmy.ca ⁨2⁩ ⁨weeks⁩ ago

    “climate activists have been taking over commercial apartments” So … trespassing? They breached privacy for apparent trespassing? Is that it?

    source
  • empireOfLove2@lemmy.dbzer0.com ⁨2⁩ ⁨weeks⁩ ago

    I dont really blame Proton for this. Accessing anything on the internet on a clear connection and not through a VPN or TOR makes it your own damn fault when you get identified.

    source
    • kami@lemmy.dbzer0.com ⁨2⁩ ⁨weeks⁩ ago

      Victim blaming at its finest!

      source
      • ArcaneSlime@lemmy.dbzer0.com ⁨2⁩ ⁨weeks⁩ ago

        I mean, I understand where you’re coming from, they absolutely shouldn’t log IPs. BUT, if you’re committing crimes or even doing legal things the government doesn’t like, it would behoove you to put in the absolute bare minimum of OPSEC at least.

        Like, some people know they have STDs and don’t warn people and spread them, right? And while the spreader is obviously the problem there, some commonly accepted advice to the victim is “you should have worn a condom anyway.” And they should have worn a condom to protect themselves (and also the spreader should be held liable.)

        Like the previous example, anyone using any online service (for secrety things) should know to put a VPN condom on before they put their data inside that sexy, slutty server rack. And like how contraceptives were that knowledge needs to be spread.

        source
        • -> View More Comments
  • kami@lemmy.dbzer0.com ⁨2⁩ ⁨weeks⁩ ago

    WHAAAAATTT???

    The same company that supports Trump and that closed the account of two journalists???

    Who would’ve EVER EVER EVER expect that???

    I AM IN SHOCK!!!

    source
    • pineapplelover@lemmy.dbzer0.com ⁨2⁩ ⁨weeks⁩ ago

      Stop spreading misinformation.

      You can look it up for yourself but the tldr is that the company donates to leftist organizations that promote freedom, privacy, and open source.

      They temporarily suspended 2 journalist accounts in order to verify if they were nation state hackers which was flagged by a CERT, which they reinstated.

      source
      • kami@lemmy.dbzer0.com ⁨2⁩ ⁨weeks⁩ ago

        Time will tell…``

        source
  • solomonschuler@lemmy.zip ⁨2⁩ ⁨weeks⁩ ago

    I unironically said this in my group chat, “proton mail is becoming more and more sketchy as being a privacy focused mail service” just like how signal is becoming more sketchy as a instant message service. There are things proton mail does such as logging activity that shouldn’t be the case as a paying customer, and yet here we are. When I request privacy I want it to be private, as in don’t give my data to anyone. it seems for that to happen it must be community driven and decentralized.

    source
    • goatinspace@feddit.org ⁨2⁩ ⁨weeks⁩ ago

      Internet becoming more and more unusable

      source
      • solomonschuler@lemmy.zip ⁨2⁩ ⁨weeks⁩ ago

        My god, yes. Just yesterday I stopped using duckduckgo since even that has now become increasingly infuriating with AI. I’m using this search engine with no AI it’s based on database queries and to go to a specific website there is a small tab you can use. I love it because now I get to appreciate and use textbooks (whereas i would have chatGPT’d it) because of how limited the queries are and the limited selection. It’s not like google where it dumps the most relevant information at the top, you have to search for it. Anyways, if you were wondering it’s called marginalia search.

        source
    • Arcka@midwest.social ⁨2⁩ ⁨weeks⁩ ago

      Email has been a decentralized federated system from the start, though I’m not aware of any community I’d trust to be a more privacy-respecting host than the available commercial offerings.

      source
      • solomonschuler@lemmy.zip ⁨2⁩ ⁨weeks⁩ ago

        Yea I’m trying out tuta it supposidly is end to end encrypted. My hope is that I’ll take a look at it, and see if I like it. It does have RSA encryption so from my preliminary testing it is believable.

        source
  • DarrinBrunner@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

    Those who used it imagined Swiss law to be less intrusive? I suppose it sounds like a good idea to anyone, which is mostly everyone, who doesn’t know Swiss law.

    Yeah, they rolled over to the authority, as expected. But, they sold themselves as “private”, not “private up to the extent of Swiss law, and our laws here are very intrusive, so really the private part isn’t going to get anyone very far if they use this service for anything slightly questionable, let alone outright illegal. You might as well be using GMail for how ‘private’ this thing is.”

    source
    • _cryptagion@anarchist.nexus ⁨2⁩ ⁨weeks⁩ ago

      Their service IS private. Their service is not anonymous, and they never claim it is. Privacy does not equal anonymity, and I wish you people would get that through your thick skulls and stop criticizing someone for doing the exact same thing you would do, in their position.

      source
      • Doomsider@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

        Nice, this proton apologist knows what everyone would do in their position.

        source
        • -> View More Comments
    • mjr@infosec.pub ⁨2⁩ ⁨weeks⁩ ago

      The popular myth is that Swiss privacy law is so strong that banks can hide gold and profits for major criminals. It wasn’t to Proton’s benefit to correct that.

      source
      • Doomsider@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

        It is called deception. All email providers in Switzerland have to follow Swiss Privacy laws.

        This is no different than companies advertising licensed and bonded when every company legally has been licensed and bonded. Note that this practice of advertising what is required by law is actually illegal in a lot of places.

        They sold a convenient lie and got rich doing so. Now we get to sit here on Lemmy and watch them try to justify another corporations shiting on them while giving them more money. The Proton defenders are a special kind of stupid.

        source
    • EncryptKeeper@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

      they sold themselves as “private”, not "private up to the extent of Swiss law

      No, they sold themselves as “private up to the extent of Swiss law”.

      source
      • mjr@infosec.pub ⁨2⁩ ⁨weeks⁩ ago

        Please show any Wayback Machine link for that quote on Proton’s site. I can find ‘your privacy comes first’. I didn’t find ‘up to the extent of Swiss law’ yet.

        source
        • -> View More Comments
  • SkunkWorkz@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

    Journalists, activists and even lawyers on the side of activists should always use something like Tails. No matter what companies like Proton promise or in what the law in the country they operate in says.

    source
  • Doomsider@lemmy.world ⁨2⁩ ⁨weeks⁩ ago

    All these people relying on a private corporation for privacy have a serious screw loose.

    Proton fully cooperates with all government requests. They are just another tech company selling “privacy” to make a buck. The only people who care are those foolish enough to give them their money.

    source
  • umbrella@lemmy.ml ⁨2⁩ ⁨weeks⁩ ago

    yes. proton ceo is a fascist.

    source
  • architect@thelemmy.club ⁨2⁩ ⁨weeks⁩ ago

    Oh hey I’m not shocked at all by this.

    source