Doesn’t look like Proton did anything wrong, they can’t fight these requests and he was caught by identifying information he linked to his account.
They could disclose the fact that they might need to give that info to authorities and warn users of that.
They never mention it here for example https://proton.me/blog/protonmail-threat-model
This is non-news; like all tech companies, they are bound by law to do this. It happens more than 6000 times per year for Proton. However, this user just had bad opsec. Proton emails are all encrypted and cannot be read unless law enforcement gets your password, which Proton does not have access to, even if Proton hands over all data.
deleted by creator
Upon receiving the recovery email from Proton Mail, Spanish authorities further requested Apple to provide additional details linked to that email, leading to the identification of the individual.
The user specifically requested that Proton retain this PII for account recovery.
Speaking of which, how do they implement recovery emails? Do they save your private keys only if account recovery is enabled?
But if you use their service for free, you do not have to provide any identifying info. As far as I am aware there is no check that what you enter is legit, and there is no requirement to supply a backup address. So the whole solution for a user to stay as anonymous as they can with Protonmail is simply to not enter any identifying info.
They provided the backup e-mail address
Upon receiving the recovery email from Proton Mail, Spanish authorities further requested Apple to provide additional details linked to that email, leading to the identification of the individual.
Just in case anyone thinks they decrypted mails and handed them over, nope. I hadn’t thought about that “settings” are not encrypted. Guess if you want to stay anonymous you shouldn’t add your private mail address in there as a backup.
Yeah. Even if they couldn’t hand over recovery emails, having a personal email as a backup to a “private and sensitive” email account is bad practice.
But what do you do if that field is needed? A throwaway address won’t work as it’s easy to recreate. Buy your own domain and run a server?
I put the Simplelogin email alias as my backup mail. Which forwards mail to my proton, so I guess it isn’t really a backup. Even more so if you realize I need to sign into simplelogin with my protonmail account and protonmail owns Simplelogin.
Ah yes the email ouroboros
“Privacy” means two different things depending on the audience. For me privacy means that my information is not being used to advance some organization’s commercial interest. For others it means that my information will never be shared with a government.
Don’t advertise to me
Or
Don’t narc on me
I guess I don’t really expect a company to resist pressure from government agencies on my behalf. Especially if I have been using their service to commit crimes in my country. If you are doing things your government would prefer you didn’t, hire a good lawyer and consult with them about what should be sent via email (spoiler, it’s nothing). The mafia doesn’t send emails, or put anything in writing, if you do crimes, you shouldn’t either.
I guess I don’t really expect a company to resist pressure from government agencies on my behalf.
Personally, I expect them to resist to the extent possible by law. The cops need to follow a lot of rules to make legally binding requests for data. I understand that if they do, there’s not much a company can do other than hand out the info, but if there’s a legal way to deny such a request, I expect the company to pursue it.
Pretty much. I’m not expecting a company to spend millions of dollars in court costs and lawyer fees on my behalf. But if it’s clear that the government is overreaching, the company should at least go “hey uhh judge, wtf?”
I don’t know much about the case beyond some very lazy peripheral searching, but it strikes me that Proton’s compliance isn’t an issue, but the requests themselves are totally unjustifiable and based on malicious prosecutions to nab some separatists on ridiculous terrorism charges for their nonviolent action and protests.
This individual is suspected of being a member of the Mossos d’Esquadra (Catalonia’s police force) and of using their internal knowledge to assist the Democratic Tsunami movement.
The requests were made under the guise of anti-terrorism laws, despite the primary activities of the Democratic Tsunami involving protests and roadblocks, which raises questions about the proportionality and justification of such measures.
If you use ANYTHING other than face to face meetings when discussing something illegal, you get what you deserve.
Although I like the idea of a drug smuggler typing “as per my previous email…”
Or use WhatsApp like most criminals
it’s compromised (explicitly part of PRISM). nice try FBI shill