RamblingPanda@lemmynsfw.com
on 26 Feb 2024 16:23
nextcollapse
I thought proton would fight before they’d comply?
0rg45mlc5uck3r84@lemmy.world
on 26 Feb 2024 16:27
nextcollapse
LoL! One would be insane to trust the Swiss after the Crypto AG business. Wouldn’t be surprised at all if 5/9/14 eyes alliance clandestinely own or even directly run Proton, LoL.
They won’t and supposedly can’t turn over information from or about the account, but they’ll absolutely close the account for engaging in illegal activity since that is a breach of their terms of service (depending on activity, of course. Complaining about the government? Probably won’t get shut down. Hacking someone to steal something valuable? They’re shutting you down).
GenderNeutralBro@lemmy.sdf.org
on 26 Feb 2024 18:11
collapse
They won’t and supposedly can’t turn over information from or about the account
Sort of, but not entirely. They use E2EE for message contents, so they would not be technically able to hand over that data (assuming their E2EE system is not compromised). However, they do NOT use E2EE for email headers, which includes email subject lines, recipients, and other metadata.
subject lines in Proton Mail are not end-to-end encrypted, which means if served with a valid Swiss court order, we do have the ability to turn over the subjects of your messages.
Subject lines and recipient/sender email addresses are encrypted but not end-to-end encrypted
sturlabragason@lemmy.world
on 26 Feb 2024 17:03
nextcollapse
I’d like to know more about the specifics involved. I’ve migrated my whole suite over to Proton and just want to know the specifics here. Guess I won’t know until Proton decides to frame their answer in a blogpost.
You don’t need that: Proton will only surrender accounts/information to local authorities with the appropriate paperwork - and that’s their selling point on privacy, swiss law being pretty protective of privacy ; in this case, a corpus of evidence has been submitted by a recognized foreign entity & considered valid for action in regard to swiss law.
That’s what makes proton secure for journalists, political opponents and such: no swiss judge will enable any random dictator to get a dissident’s info, it won’t fly with swiss law. And if that escalates to bogus criminal charges, it is still up to a swiss judge to decide how and if to proceed.
You put your trust in Switzerland here, not in a nerdy business with an atom-smashing background.
sturlabragason@lemmy.world
on 26 Feb 2024 23:36
collapse
❤️👆🔥
SnotFlickerman@lemmy.blahaj.zone
on 26 Feb 2024 17:30
nextcollapse
They said they would protect your privacy, not facilitate criminal activity.
If the whole reason you want privacy is to facilitate criminal activity, you’re going to have a bad time.
But it also raises the question: Doesn’t political dissent often get categorized as “criminal activity?”
I think the bigger question is if these services will stand up for obviously bogus charges when it comes to political dissidents. I actually don’t really have a problem with them being willing to shut down accounts associated with ransomware. However, I do understand how exceptions made for “criminal activity” can end up being directed at people who simply have a differing political opinion.
Finally, when it comes to political dissidence: If you are under the thumb of an authoritarian government, is violence taken to achieve freedom considered a “criminal act” by these privacy companies?
These companies have potentially put themselves in a very thorny situation in regards to their intended purpose.
snownyte@kbin.social
on 26 Feb 2024 18:25
nextcollapse
I think there was someone who was bitching here at one time, about ProtonMail handing out some user's account by court order. And they were trying to be snarky like "oh, guess ProtonMail doesn't care about your privacy after all!" or some shit.
And your comment here completely clarifies the differences about protecting privacy from enabling you to continue your criminal activity.
I myself cannot be 100% sure my privacy would be protected, if the service I knew, was having their door knocked because they knew I'm up to no good.
Your privacy is ensured from the likes of spam, advertisements and corporate eyes reading your e-mail. Not criminal activity.
IllNess@infosec.pub
on 26 Feb 2024 18:39
nextcollapse
I want to know what happens when something is only a criminal activity in a state.
Is an Alabama resident moving eggs and IVF clinics to a different state considered criminal activity?
How about a Texas resident talking about getting an abortion in a different state?
I’m not sure if state governments can even requests this but it does interest me what Proton’s response would be. What if it was countries instead of states?
SnotFlickerman@lemmy.blahaj.zone
on 26 Feb 2024 18:59
nextcollapse
On the plus side, being that they’re in European countries, they likely have the enviable position of being able to ignore and chastise the worst excesses of USA law. However, that’s my question as well, this is all well and good, but it also puts them in the position of having to have a “scale” of which crimes are “worth” legally complying with, and which ones are “worth” ignoring and fighting.
They don’t have to support the fanatical religious government in Afghanistan, for instance, but surely there are dissidents there who would like to be able to communicate without being monitored in Afghanistan as well. Where’s the line? Is the line different for each country and it’s laws? Are they going to count the absurd “religious crimes” there as the same as more egregious crimes like ransomware?
It actually would behoove these groups to codify and communicate their positions on this wholesale now because the issue isn’t going to go away.
doublejay1999@lemmy.world
on 26 Feb 2024 19:10
collapse
As this thread had shown, there are dozens of serious questions for them to answer. Not least of which is the fact since you are not a criminal until a court has found you guilty , who are they calling criminal?
EncryptKeeper@lemmy.world
on 26 Feb 2024 19:58
nextcollapse
ProtonMail advertises their service by saying they won’t comply with any court orders except by the Swiss.
I’m not sure where this particular court order came from, but if it was from a foreign government, that would be a big deal.
bigMouthCommie@kolektiva.social
on 27 Feb 2024 03:59
collapse
proton mail is known to cooperate with law enforcement.
don't trust them.
blazeknave@lemmy.world
on 26 Feb 2024 19:51
collapse
I definitely agree with you. If a warrant is valid and attained honestly and legally in good faith through real evidence of serious crimes, that’s different than sending dick pics through Prism. In theory that mirrors how IRL should work.
Is there any kind of social contract RFC proposed to set global standards for boundaries? To your point, companies prefer to have clear discreet understanding of the laws, compliance, and generally accepted best practices. Easier, safer, cheaper. Everyone wins.
Imagine variable scoring on different traits per entity, that would make different rules/boundaries applicable! E.g., North Korea’s independent journalism score makes them inapplicable for XYZ activities (email account access, phone unlocks? 🤷)… CSAM 100% inexcusable, tiers of limits on disinfo or hate speech…
Would anyone reading this take something like this seriously? I can’t own this. I’m not at all an expert. But I have friends at places like Mozilla, EFF, and standards bodies, to whom I could reach out and maybe help with intros.
…And then you realize your tl;dr is ‘who wants to play pretend world police with me!!!’… and to what ends is it enforceable? Realistically any major entity can pull out of anything at the cost of their customers (and potential civil damages suits). Microsoft can stop supporting SPF, Schneider can stop supporting standard voltages. It’ll cost them customers, but it’s not regulatory/mandated, correct? If pornhub builds a city in the Pacific and refuses to relinquish emails about human trafficking, does the UN send armed forces? Obviously not. But do they get disconnected from 1.1.1.1, 8.8.8.8 or w3c’s yellow pages?
So what would make someone or some entity, trusted? Just curious for the thought exercise to see what you all think, and the sociological repercussions.
Diotima@kbin.social
on 26 Feb 2024 18:02
nextcollapse
I'd be interested in seeing the number of E2EE enabled accounts used for criminal activity versus the number of regular ol' free Gmail, Yahoo, Outlook etc accounts. Governments absolutely have a hate-on for E2EE, so the police calling out these services specifically raises questions of motive.
Not that we should not be shutting down criminals... but this sort of framing tends to suggest that E2EE services are inherently criminal enabling, and that does not feel like a mistake.
snownyte@kbin.social
on 26 Feb 2024 18:21
nextcollapse
It's an interesting set of priorities, for sure.
ItsComplicated@sh.itjust.works
on 26 Feb 2024 20:38
collapse
Forgive my question, but if the email is encrypted and the service is unable to read it, how are they sure the accounts in question are criminal? How would they know any account was?
This is confusing to me so I am grateful for any insight.
lazynooblet@lazysoci.al
on 26 Feb 2024 21:32
nextcollapse
Email encrypted at rest maybe. Email is awfully insecure whilst in transit.
Pips@lemmy.sdf.org
on 26 Feb 2024 21:34
nextcollapse
There’s typically reason to suspect the account owner first. They’re not trawling through random accounts, law enforcement doesn’t have the time or authority to do that. Note that intelligence agencies are not law enforcement, I’m not talking about what some spy agencies might do.
Since this is law enforcement, typically you don’t have a verdict to rely on, but they’d have a warrant or subpoena to get the necessary evidence to further the case.
If an email address is being used for fraud, they don't need to see the encrypted copy; they can see the copy sent out to other people from that address. So if I send you a message from my Protonmail to your Gmail, the following is true:
Copy @ Protonmail: E2EE.
Copy @ Gmail: NOT E2EE.
There are other, circumstantial ways to tell as well. If you're trying to scam people with DudeBro Cryptocurrency, you necessarily reveal the address you use when you send our your spam or scams. If I send malware from notactuallydiotima@proton.me, the proof that I sent the malware does not require you to see my server stored mail; you can just look at your own copy to see.
Does that make sense?
ItsComplicated@sh.itjust.works
on 27 Feb 2024 00:58
nextcollapse
So any email address is not encrypted even if the message goes to another encrypted account? Is this correct?
baseless_discourse@mander.xyz
on 27 Feb 2024 04:20
collapse
Yes, the “to address” cannot be encrypted as it is necessary to deliver the mail, the “from address” are needed to send a notification when the “to address” doesn’t exist.
Technically, the “from address” probably can be encrypted, like in signal; but I think it is required in the current email standard.
ItsComplicated@sh.itjust.works
on 27 Feb 2024 14:32
collapse
Surely Proton also receives the mails in plaintext? There’s no E2EE about it. You have to take their word that they encrypt it and discard the plaintext data.
SuperSynthia@lemmy.world
on 26 Feb 2024 21:46
nextcollapse
Everyone should ask themselves what is their actual threat model. That will tell you whether not this news truly affects you. Any criminal worth their salt probably wouldn’t roll with Proton or Tuta if they practice good OpSec
MadBigote@lemmy.world
on 26 Feb 2024 22:53
collapse
What’s wrong with both Tuta and Proton? I’m by no means involved in any crime or anything, but I degooglefied and moved to Tuta for mail. Was considering self hosting, but I’ve been procrastinating it.
As you can see from this piece of news, an encrypted email service does nothing for your privacy. But at the same time it limits you and makes you a captive user. Which is ironic considering that’s probably why you left Google.
You don’t have to self host. Just use a regular email service, perhaps hosted in a country with decent privacy laws if you want, but download your email on your PC instead of keeping it online on theirs. This way you get to backup your email too.
The most simple way to do this is to pull your email with a POP connection but set it to only delete messages after a few days not instantly (this way you can still access them over IMAP for a while from mobile or webmail).
Another approach is to pull your incoming email to your server, set up your own private IMAP server and webmail, but use the service’s SMTP. This is a form of email self-hosting that gives you the best parts of privacy and control but you don’t have to deal with the risk of having your SMTP blocked for spam.
MadBigote@lemmy.world
on 26 Feb 2024 23:10
nextcollapse
I mean, I left Google because I hated them tracking me 24/7, and trying to sell me stuff based on my profile, though privacy is indeed a concern. Any option you may recommend i could use while k move to a privet email server? I wanted to get out of Tuta anyway since their platform feels stiff.
Tramort@programming.dev
on 27 Feb 2024 04:43
nextcollapse
Party of the snowden leaks were that the five eyes capture and record everything.
Everything.
Your pop solution with deletion only deletes your copy; not the one the NSA has. Maybe that’s not part of your threat model, which is fine, but it’s part of mine
Then you need to stop using email altogether. Encrypting only one server like Tuta or Proton does nothing if you correspond with people who are not on it.
Tramort@programming.dev
on 27 Feb 2024 13:47
collapse
100% agree
Which is why I am not the one advocating personal hosting and POP + deletion as a privacy solution
threaded - newest
I thought proton would fight before they’d comply?
LoL! One would be insane to trust the Swiss after the Crypto AG business. Wouldn’t be surprised at all if 5/9/14 eyes alliance clandestinely own or even directly run Proton, LoL.
They way how you capitalise the L in “lol” really bothers me. Strange person.
Agreed, I read it as League of Legends
They’re not going to jail for you. Never assume a service provider will put themselves at risk on your behalf.
They won’t and supposedly can’t turn over information from or about the account, but they’ll absolutely close the account for engaging in illegal activity since that is a breach of their terms of service (depending on activity, of course. Complaining about the government? Probably won’t get shut down. Hacking someone to steal something valuable? They’re shutting you down).
Sort of, but not entirely. They use E2EE for message contents, so they would not be technically able to hand over that data (assuming their E2EE system is not compromised). However, they do NOT use E2EE for email headers, which includes email subject lines, recipients, and other metadata.
From proton.me/…/does-protonmail-encrypt-email-subject…:
From proton.me/…/proton-mail-encryption-explained:
I’d like to know more about the specifics involved. I’ve migrated my whole suite over to Proton and just want to know the specifics here. Guess I won’t know until Proton decides to frame their answer in a blogpost.
You don’t need that: Proton will only surrender accounts/information to local authorities with the appropriate paperwork - and that’s their selling point on privacy, swiss law being pretty protective of privacy ; in this case, a corpus of evidence has been submitted by a recognized foreign entity & considered valid for action in regard to swiss law.
That’s what makes proton secure for journalists, political opponents and such: no swiss judge will enable any random dictator to get a dissident’s info, it won’t fly with swiss law. And if that escalates to bogus criminal charges, it is still up to a swiss judge to decide how and if to proceed.
You put your trust in Switzerland here, not in a nerdy business with an atom-smashing background.
❤️👆🔥
They said they would protect your privacy, not facilitate criminal activity.
If the whole reason you want privacy is to facilitate criminal activity, you’re going to have a bad time.
But it also raises the question: Doesn’t political dissent often get categorized as “criminal activity?”
I think the bigger question is if these services will stand up for obviously bogus charges when it comes to political dissidents. I actually don’t really have a problem with them being willing to shut down accounts associated with ransomware. However, I do understand how exceptions made for “criminal activity” can end up being directed at people who simply have a differing political opinion.
Finally, when it comes to political dissidence: If you are under the thumb of an authoritarian government, is violence taken to achieve freedom considered a “criminal act” by these privacy companies?
These companies have potentially put themselves in a very thorny situation in regards to their intended purpose.
I think there was someone who was bitching here at one time, about ProtonMail handing out some user's account by court order. And they were trying to be snarky like "oh, guess ProtonMail doesn't care about your privacy after all!" or some shit.
And your comment here completely clarifies the differences about protecting privacy from enabling you to continue your criminal activity.
I myself cannot be 100% sure my privacy would be protected, if the service I knew, was having their door knocked because they knew I'm up to no good.
Your privacy is ensured from the likes of spam, advertisements and corporate eyes reading your e-mail. Not criminal activity.
I want to know what happens when something is only a criminal activity in a state.
Is an Alabama resident moving eggs and IVF clinics to a different state considered criminal activity?
How about a Texas resident talking about getting an abortion in a different state?
I’m not sure if state governments can even requests this but it does interest me what Proton’s response would be. What if it was countries instead of states?
On the plus side, being that they’re in European countries, they likely have the enviable position of being able to ignore and chastise the worst excesses of USA law. However, that’s my question as well, this is all well and good, but it also puts them in the position of having to have a “scale” of which crimes are “worth” legally complying with, and which ones are “worth” ignoring and fighting.
They don’t have to support the fanatical religious government in Afghanistan, for instance, but surely there are dissidents there who would like to be able to communicate without being monitored in Afghanistan as well. Where’s the line? Is the line different for each country and it’s laws? Are they going to count the absurd “religious crimes” there as the same as more egregious crimes like ransomware?
It actually would behoove these groups to codify and communicate their positions on this wholesale now because the issue isn’t going to go away.
As this thread had shown, there are dozens of serious questions for them to answer. Not least of which is the fact since you are not a criminal until a court has found you guilty , who are they calling criminal?
ProtonMail advertises their service by saying they won’t comply with any court orders except by the Swiss.
I’m not sure where this particular court order came from, but if it was from a foreign government, that would be a big deal.
.
proton mail is known to cooperate with law enforcement.
don't trust them.
I definitely agree with you. If a warrant is valid and attained honestly and legally in good faith through real evidence of serious crimes, that’s different than sending dick pics through Prism. In theory that mirrors how IRL should work.
Is there any kind of social contract RFC proposed to set global standards for boundaries? To your point, companies prefer to have clear discreet understanding of the laws, compliance, and generally accepted best practices. Easier, safer, cheaper. Everyone wins.
Imagine variable scoring on different traits per entity, that would make different rules/boundaries applicable! E.g., North Korea’s independent journalism score makes them inapplicable for XYZ activities (email account access, phone unlocks? 🤷)… CSAM 100% inexcusable, tiers of limits on disinfo or hate speech…
Would anyone reading this take something like this seriously? I can’t own this. I’m not at all an expert. But I have friends at places like Mozilla, EFF, and standards bodies, to whom I could reach out and maybe help with intros.
…And then you realize your tl;dr is ‘who wants to play pretend world police with me!!!’… and to what ends is it enforceable? Realistically any major entity can pull out of anything at the cost of their customers (and potential civil damages suits). Microsoft can stop supporting SPF, Schneider can stop supporting standard voltages. It’ll cost them customers, but it’s not regulatory/mandated, correct? If pornhub builds a city in the Pacific and refuses to relinquish emails about human trafficking, does the UN send armed forces? Obviously not. But do they get disconnected from 1.1.1.1, 8.8.8.8 or w3c’s yellow pages?
So what would make someone or some entity, trusted? Just curious for the thought exercise to see what you all think, and the sociological repercussions.
I'd be interested in seeing the number of E2EE enabled accounts used for criminal activity versus the number of regular ol' free Gmail, Yahoo, Outlook etc accounts. Governments absolutely have a hate-on for E2EE, so the police calling out these services specifically raises questions of motive.
Not that we should not be shutting down criminals... but this sort of framing tends to suggest that E2EE services are inherently criminal enabling, and that does not feel like a mistake.
It's an interesting set of priorities, for sure.
Forgive my question, but if the email is encrypted and the service is unable to read it, how are they sure the accounts in question are criminal? How would they know any account was?
This is confusing to me so I am grateful for any insight.
Email encrypted at rest maybe. Email is awfully insecure whilst in transit.
There’s typically reason to suspect the account owner first. They’re not trawling through random accounts, law enforcement doesn’t have the time or authority to do that. Note that intelligence agencies are not law enforcement, I’m not talking about what some spy agencies might do.
Since this is law enforcement, typically you don’t have a verdict to rely on, but they’d have a warrant or subpoena to get the necessary evidence to further the case.
Fair question!
If an email address is being used for fraud, they don't need to see the encrypted copy; they can see the copy sent out to other people from that address. So if I send you a message from my Protonmail to your Gmail, the following is true:
Copy @ Protonmail: E2EE.
Copy @ Gmail: NOT E2EE.
There are other, circumstantial ways to tell as well. If you're trying to scam people with DudeBro Cryptocurrency, you necessarily reveal the address you use when you send our your spam or scams. If I send malware from notactuallydiotima@proton.me, the proof that I sent the malware does not require you to see my server stored mail; you can just look at your own copy to see.
Does that make sense?
So any email address is not encrypted even if the message goes to another encrypted account? Is this correct?
Yes, the “to address” cannot be encrypted as it is necessary to deliver the mail, the “from address” are needed to send a notification when the “to address” doesn’t exist.
Technically, the “from address” probably can be encrypted, like in signal; but I think it is required in the current email standard.
Thank you. This helped.
Surely Proton also receives the mails in plaintext? There’s no E2EE about it. You have to take their word that they encrypt it and discard the plaintext data.
Everyone should ask themselves what is their actual threat model. That will tell you whether not this news truly affects you. Any criminal worth their salt probably wouldn’t roll with Proton or Tuta if they practice good OpSec
What’s wrong with both Tuta and Proton? I’m by no means involved in any crime or anything, but I degooglefied and moved to Tuta for mail. Was considering self hosting, but I’ve been procrastinating it.
As you can see from this piece of news, an encrypted email service does nothing for your privacy. But at the same time it limits you and makes you a captive user. Which is ironic considering that’s probably why you left Google.
You don’t have to self host. Just use a regular email service, perhaps hosted in a country with decent privacy laws if you want, but download your email on your PC instead of keeping it online on theirs. This way you get to backup your email too.
The most simple way to do this is to pull your email with a POP connection but set it to only delete messages after a few days not instantly (this way you can still access them over IMAP for a while from mobile or webmail).
Another approach is to pull your incoming email to your server, set up your own private IMAP server and webmail, but use the service’s SMTP. This is a form of email self-hosting that gives you the best parts of privacy and control but you don’t have to deal with the risk of having your SMTP blocked for spam.
I mean, I left Google because I hated them tracking me 24/7, and trying to sell me stuff based on my profile, though privacy is indeed a concern. Any option you may recommend i could use while k move to a privet email server? I wanted to get out of Tuta anyway since their platform feels stiff.
Party of the snowden leaks were that the five eyes capture and record everything.
Everything.
Your pop solution with deletion only deletes your copy; not the one the NSA has. Maybe that’s not part of your threat model, which is fine, but it’s part of mine
Then you need to stop using email altogether. Encrypting only one server like Tuta or Proton does nothing if you correspond with people who are not on it.
100% agree
Which is why I am not the one advocating personal hosting and POP + deletion as a privacy solution
I’ve been trying to explain this to people for years, but there’s so much blind love for Proton here that my comments are usually drowned out.
That’s it I’m going back to Juno.
Like TechLore once said: “No company is going to jail for you because of your 5 dollars.”