So if you're using Proton thinking it's "privacy-focused", it turns out they're giving data to the Feebs now. https://www.404media.co/proton-mail-helped-fbi-unmask-anonymous-stop-cop-city-protestor/
Proton Mail Helped FBI Unmask Anonymous ‘Stop Cop City’ Protester

A court record reviewed by 404 Media shows privacy-focused email provider Proton Mail handed over payment data related to a Stop Cop City email account to the Swiss government, which handed it to the FBI.

@adrienne so who's left?

@nitinkhanna @adrienne

Nobody say Tuta, you're gonna jinx it.

@angelastella @nitinkhanna @adrienne

@Tutanota are you planning on working with law enforcement agencies? Not that I plan to break any laws, but this is such a defeat

@sharan @angelastella @nitinkhanna @adrienne @Tutanota Of course they do. Tuta would be shut down if they did not respond to orders from German courts. They're a business, not a radical project.

https://tuta.com/blog/transparency-report

Transparency Report & Warrant Canary | Tuta

Tuta rejected 75% of all requests from authorities in 2025.

@COSAntiFascists I figured as much. There's the same law in Bosnia and Herzegovina, too, or a similar one. Once the court invites you and you're doing business under Bosnian laws...

@angelastella @nitinkhanna @adrienne Tuta complies with orders from law enforcement too.

Don't trust any email provider with your credit card information, IP address, or phone number. Don't expect Tuta to fight government orders on your behalf. All of these companies will comply rather than go out of existence, so you need to make sure they don't have your PII to begin with.

@COSAntiFascists @nitinkhanna @adrienne

Yeah, my access to state services depends either on an email provider (had problems with Tuta until I showed up in person to settle the issue because they're not goddamn Google) or WhatsApp. Guess if I have to route PII via such channels.

@angelastella @nitinkhanna @adrienne You should compartmentalize your emails. Make a personal email and a separate one for radical projects. If you're using the email to access state services, Proton or Tuta giving your credit card data over due to an order from an overseas government is going to be the least of your worries.

The 404 article is about a Proton email setup for an anonymous radical project that was investigated for terrorism. The alleged admin of this project made the mistake of paying for the email account with a payment method associated with their personal identity, which is how they were identified from the Proton account.

@angelastella fyi, i don't know anything about Posteo but apparently they might be good? https://furry.engineer/@ysegrim/116181161858800673
Ysegrim (@[email protected])

@[email protected] @[email protected] @[email protected] While Posteo.de stores your payment details (they have to), they do not connect it to your account. The only information connected to your account is _that_ you paid. Meaning, while they already straight out reject a third of their requests for formal incorrectness (and file complaints), last year they never provided any user/payment data because they straight up do not store it. https://posteo.de/en/site/transparency_report


@adrienne

At first sight they look a bit better than Tuta. Thank you.

@COSAntiFascists Tuta complies with German law, which sometimes -- not always -- requires them to do that. Tuta sometimes disagrees, and sometimes prevails in those disagreements.

@angelastella Germany has the same law. So do nearly all countries.

Everyone here needs to get over the childish fantasy that companies somehow exist outside legal and govt structures and are somehow magically immune to them.

@nitinkhanna @adrienne the solution is to abandon email itself
@nitinkhanna @adrienne If that's a serious question - https://bear-den.org.

It's plain old normal encryption in transit - TLS (plus encryption at rest) - but it's a known, well studied technology and I don't comply with bullshit.
Bear Den Hosting, LLC

@arthfach @adrienne

Always good to see smaller service providers building the open Internet!

By the way, where do the keys sit for the encryption at rest?

@nitinkhanna @adrienne I use LVM-on-LUKS and have the header backup stored with my attorney.

@arthfach @adrienne

very nice! Since I'm just encountering this tech - LUKS saves the data when the system is turned off, right? What about when it's running?

@nitinkhanna @adrienne That, unfortunately, is something LUKS doesn't handle. Once the system is online and the passphrase provided to unlock the volume, it stays unlocked until the system is shut down.

I'm working on the basis of "if we're at the point where the government is going to surgically remove the system from the datacenter while keeping it powered on and I get no prior notice that they're attempting that so I can't shut the system down, we're more screwed than I as a small provider can handle," to be honest.

@arthfach @nitinkhanna @adrienne fwiw, keeping a computer powered while seizing it is a standard tactic, and tools to do it are commercially available and not particularly expensive, e.g. https://cdsg.com/products/hotplug-field-kit?image=0

No surgery needed most of the time, unless you are connected directly to the wall (no power strip), and your power connector doesn't expose anything hot while slightly removed from the wall.

HotPlug Field Kit | DigiStor

@nitinkhanna @adrienne There is no email provider that will anonymize your credit card payments to them.

Credit card data is extremely traceable. Don't give it to any company if you don't want it handed over to cops. This is why Proton and other privacy-focused businesses accept cash and crypto as payment methods.

@COSAntiFascists @nitinkhanna @adrienne While Posteo.de stores your payment details (they have to), they do not connect it to your account. The only information connected to your account is that you paid. Meaning, while they already straight out reject a third of their requests for formal incorrectness (and file complaints), last year they never provided any user/payment data because they straight up do not store it.

https://posteo.de/en/site/transparency_report

Email green, secure, simple and ad-free - posteo.de - Transparency report

Posteo is an innovative email provider that is concerned with sustainability and privacy and is completely ad-free. Our email accounts, calendars and address books can be synchronised - we use comprehensive encryption.

@adrienne fuuuuu....
What is the alternative? Just roll my own? Fucking hell...
@smolbrain @adrienne
Maybe #Deltachat
@deltachat is in Fediverse and here is the homepage:
https://delta.chat
And if you want, you can use your own server.
Delta Chat: Delta Chat, decentralized secure messenger

Delta Chat is a decentralized and secure messenger app 💬 Reliable instant messaging with multi-profile and multi-device support ⚡️ Sign up to secure and interoperable chatmail relays 🥳 Interactive ...

@werawelt
That's a messaging app
Email unfortunately is still needed for too many services. Unless this also supports a mail server? @adrienne
@smolbrain
It is based on the email protocol
https://delta.chat/de/help#kann-ich-eine-klassische-e-mail-adresse-mit-delta-chat-verwenden (please choose the English language on the homepage)
@adrienne
Delta Chat: FAQ

What is Delta Chat? Delta Chat is a reliable, decentralized and secure instant messaging app, available for mobile and desktop platforms. Easy creation of private chat profil...

@smolbrain @werawelt I'm not an infosec/privacy person but i'm asking folks who are what they are recommending.
@adrienne Good luck. Proton *was* my infosec move. I'm back to a bit of square zero again. I've been working on too many other things to solve this one right now. I'll love to hear whatever you find. @werawelt
@smolbrain @werawelt it sounds like if you're not paying them with a credit card there's nothing they can give up on you, at the very least. pay them in cash, i guess?
@smolbrain @werawelt i don't know anything about Posteo but apparently they might be good? https://furry.engineer/@ysegrim/116181161858800673
@smolbrain
Maybe another alternative for a classic and secure provider is mailbox.org. You can encrypt your entire mailbox there, including incoming emails automatically. If necessary, you can keep the private key yourself.
https://kb.mailbox.org/en/en/business/encryption/the-encrypted-mailbox-encrypt-incoming-emails/
mailbox.org is in the fediverse: @mailbox_org
and here is the homepage:
https://mailbox.org
@adrienne
The encrypted mailbox – Encrypt incoming emails | Knowledge Base: Knowledge and help | mailbox

Activating Mailbox Encryption

@werawelt @smolbrain @mailbox_org @adrienne Mailbox has the same vulnerability. It's a legal, above board operation and will also respond to court orders to hand over metadata they have for the account.

The solution is not to trust any of these companies if you need anonymity. Pay them with cash instead of a credit card, don't set up a recovery phone number, and always use a good VPN or Tor to connect. They can't hand over what they don't have.

@smolbrain @adrienne don't give Proton your credit card number. That's how the subject was identified and why Proton offers cash and crypto payment options.
@COSAntiFascists @adrienne I wish cash were more reliable to send or crypto less ... erratic and more trustworthy a financial method. *sigh* not like debit / credit cards are more than 1% ish better...
@smolbrain @adrienne we haven't had any issues mailing cash for these sorts of service for what it's worth.
@smolbrain i don't know anything about Posteo but apparently they firewall your account data away from your payment data somehow? https://furry.engineer/@ysegrim/116181161858800673

@adrienne The thing about every single company is that if the feds compel the company to give them data, and the company has that data, they will absolutely hand that data over. It's not a choice they're making.

This is why Proton includes payment options such as Bitcoin and mailing them cash. Then, they don't have the data, so they have nothing to hand the feds.

https://proton.me/support/payment-options

Payment options | Proton

Find out which payment methods and currencies you can use for your paid Proton subscription. How to pay with card, PayPal, Google Pay, Bitcoin, cash, bank transfer.

@Azuaron Well, they do have to disclose what they know. But it might only be, "We got an envelope from Tibet filled with Algerian 50-dinar coins."
@Azuaron i don't know anything about Posteo but apparently they firewall your account data away from your payment data somehow? https://furry.engineer/@ysegrim/116181161858800673

@adrienne Interesting. It looks like they generate one-time codes for the account, process the payment with the code, mark the account as paid, and then delete the code.

https://posteo.de/en/site/payment

Certainly better than Proton, but if my threat model required my email to be secret from the police, I still wouldn't trust it. All it would take is a court order that says, "Next time a payment is made for this account, log it," and you'd be just as cooked. This is, after all, exactly how the French authorities got the IP address of a ProtonMail user. Proton doesn't log your IP address... unless someone makes them.


@adrienne The Proton PR person said "Proton only provides the limited information that we have when issued with a legally binding order from Swiss authorities, which can only happen after all Swiss legal checks are passed. This is an important distinction because Proton operates exclusively under Swiss law."

I have no idea if this is true, I'm not a lawyer etc etc, but if it is...is this behavior not to be expected if any email provider's locale legally requires it?

Unless they can delete the payment info after it goes through, which is obviously a boon for privacy, but I have no clue what Swiss law might have to say on that front.

@eldersea @adrienne Yes that's expected and is why they offer cash payments.

All credit card payments are traceable.

@eldersea Pretty much any company on this planet is going to be bound by the laws of some country, yes.
@adrienne I'm no defender of Proton (looking for an offroad from them, actually), but in this case, they were compelled by legal action from the Swiss government to hand over payment data. Since the payor had used a credit card that traced back to an individual, the Swiss government could find that person. And the FBI somehow (legally?) got ahold of the data from the Swiss. This circumstance is not unique to Proton - it would apply to any legally operating business with credit card customers. 🤦
@wcbdata @adrienne
This is also not new. It's happened several times before.
I'm a Proton anti-fan, just to be clear. I don't use them and won't until their leadership is not Maga-adjacent.
But this seems like some folks might be confusing privacy with anonymity.

@ohmu @wcbdata @adrienne It's happened before *and* Proton has always been transparent about it. And not "buried in the TOS" transparent.

Anyone surprised or outraged by this needs to start considering their threat model before using a service, and understand what you're signing up for.

@malstrom Honestly, "Our company is bound by the laws of the country we're in" isn't some obscure fact, but a constant reality that grown-ups don't need to be told.

Also 'buried' in the TOS: Water is wet, fire is hot, the sky is blue, etc.

@ohmu @wcbdata @adrienne

The problem is there’s not much that can be done, ultimately. If you run your own mail server, you’re exposed in a million ways: domain registrar, hosting provider, etc. Short of some sort of “account identifier and pay with an envelope of cash in a hole in a tree every month” anonymous mail hosting isn’t a thing.

Encrypted-at-rest is nice but honestly it does add a fair amount of friction and I’m getting old.

@rk @ohmu @wcbdata i don't know anything about Posteo but apparently they firewall your payment data away from your account data somehow? So they might be an alternative. https://furry.engineer/@ysegrim/116181161858800673
@wcbdata It sounds like FBI may have fibbed to the Swiss, but the Swiss acted in good faith, and Proton complied with Swiss law, as it must. Next time might be different, as I'd expect the Swiss to be more skeptical in the future.
@wcbdata Which is fair but court orders can be fought. And at a minimum users can be warned.
@adrienne @wcbdata Proton has consistently fought court orders that they deemed unlawful. The problem is that this was too lawful for them to fight it.