If you pay Proton Mail for a service, they may hand over the payment data in response to a court order: https://www.404media.co/proton-mail-helped-fbi-unmask-anonymous-stop-cop-city-protestor/
Proton Mail Helped FBI Unmask Anonymous ‘Stop Cop City’ Protester

A court record reviewed by 404 Media shows privacy-focused email provider Proton Mail handed over payment data related to a Stop Cop City email account to the Swiss government, which handed it to the FBI.

404 Media
@evacide I've been following the articles on this, and was curious -- you would know this better than I -- does it sound like they were in a position where they had a legal alternative?
@cliffle I had this same question when I read the article... Would the only defense here be to pay cash (mail them an envelope full of Euros?) or sufficiently obfuscate payment card ownership (Bahamas holding company maze)? @evacide
Payment options | Proton

Find out which payment methods and currencies you can use for your paid Proton subscription. How to pay with card, PayPal, Google Pay, Bitcoin, cash, bank transfer.

Proton
@wcbdata @cliffle @evacide You could use a free account. If they don't have your payment data they can't hand it to anyone.
@cliffle This is exactly what they have already said they would do, but it is very common for me to encounter people who use Proton Mail who do not expect this.
@evacide @cliffle I will admit to being surprised that they are required to log certain information by way of court order that they don't log by default.
@evacide @cliffle @stinerman There is a thin line on logging stuff for user debug (being an ISP/supplier for friends, I have some clue, not pretending it's expertise), therefore where is that line? Also, I might understand that Proton needs to comply with Swiss law (which isn't up to date vs data retention and digital data, because totally f*ing legacy). My short Swiss citizen view: we're in deep shit with this and local politics don't care. (I'm Geneva's former Pirate Party founder and lost.)

@evacide @cliffle

and with owners in the US, there's even more legal jeopardy potential. where the servers are located is less relevant than who owns them.

contrast that with Tuta, sure it's EU owned but you have to go through more layers to get to account details, and not as easily strong-armed.

though the French MS email saga from a while back makes it all muddier. French authorities will comply with requests made through the proper channels, a US judge said she didn't have to and demanded compliance - putting MS-France in non-compliance with the US court order, or non-compliance with French law.

@maya_b @evacide @cliffle

All email providers that operate legally - including Tuta - must provide this info if they have it upon court request. If your threat model includes this risk, then having owners in a different country does not protect you at all.
To be clear, I like Tuta, but I haven't seen any evidence yet that they wouldn't be forced to do the same if they operate there.

@schroedingerspossum

agreed. however the reach of US courts is limited by entities that have no US ties. Tuta is still bound, and I expect that a properly processed request through German officials would result in a disclosure, but that requires a bit more rigour than I'd expect from an entity with US ties.

@evacide @cliffle

@schroedingerspossum @maya_b @cliffle This is exactly it. It's bad opsec to leave data your provider can hand over. Any company must and will comply with local law. It's your responsibility to not leave a paper trail. Proton, like a few other service providers like Mullvad, offers cash payments via mail. If you don't use that or stick to a free plan, that's on you.
@maya_b @evacide @cliffle Didn't Tuta get named by Canadian police in a lawsuit as a honeypot?

@cliffle @evacide All companies have to comply with the jurisdiction in which they are registered. In this case they complied with Swiss law, not the FBI directly, so the headline seems a bit misleading.

The takeaway is: If you pay for any service in a traceable way, you are not anonymous. If you want to be anonymous, consider cash or Monero.

@cliffle @evacide
They had no alternative because email uses classical-style federation, in which the provider always has metadata in order to perform the service.
In contrast, there is a web-style federation, in which the vendor isn't given communication metadata.
From HOPE16 conference: at 37:10 https://www.youtube.com/watch?v=JRP0dW_zy_c&t=2230s
#hope16 #PrivacySafe
HOPE_16 - TRACK 3 - TOBIN 201/202 - DAY 1

YouTube