In the whole Proton situation, there are a lot of mixed equities and real problems surfacing, but not all of them are appropriately ascribed to Proton.

Let's put aside for the moment that the FBI sucks. They do! Under the US MLAT with Switzerland, is it Proton's role to deny the request from the US government?

It is not; it is the Swiss government's role to do so if they wish. If they do so, they endanger a treaty that has been in place since 1977, while also signaling to other countries with similar agreements that their word is mud—or at best, contingent on them liking the current government of the ally country.

Maybe not an awesome tradeoff to stick it to the Feebs.

And Proton, like them or not, has been clear about their position on honoring Swiss law from the jump. And should they leave Switzerland for another EU country, it will be that state's laws they abide by.

You may contend that Proton should deny lawful (note: not necessarily ethical) requests from their government to protect their users. That's a position you can take, but I don't believe it has ever been Proton's. Their primary privacy offer is end-to-end encryption between email addresses that support it, and on-disk encryption of your data, along with a VPN. They make anonymous accounts possible, but do not guarantee any data you give them will be withheld from lawful requests from Swiss authorities, which is what happened here.

Transparency report | Proton

Proton's transparency report with aggregate statistics of legal orders from the Swiss authorities, covering Proton Mail, Proton Drive, and Proton Calendar.

@mttaggart No profit seeking company is going to deny a lawful order. Very few will even fight a lawful request.

I've said it before and this is just more proof. The ONLY solution to any info you don't want in the hands of a government is self-hosting or to figure out how to NOT give it to a company. They can't give what they don't have.

@mttaggart
While their actions follow the letter of the law and are expected, they don't match their marketing. For example, https://proton.me/blog/switzerland.
Even the page you linked just talks about all the data they didn't provide. Maybe they could mention the risks of credit card use at signup and in their policies, or maybe not accept credit cards at all considering they serve many at-risk customers? Somehow I don't see either happening.

@FritzAdalis From the page you linked:

Swiss companies are not allowed to share information with foreign law enforcement under criminal penalty.

That's exactly what happened/didn't happen here. They do not bury their privacy policy or transparency reports. If they only accepted crypto, they'd be instantly branded as a tool exclusively for crime. I really don't know what you're asking of them here.

@mttaggart
Really it's just for them to make their marketing clearly match the reality of what they provide. Non-technical people see them as completely anonymous, and aren't going to read their multiple privacy policies; they're going to listen to the ad or YouTuber who said their VPN is anonymous and not understand that there's a difference. Make it clear for people who are at-risk that their products are not completely anonymous.

@mttaggart as an American working for a European org, every time I mention MLAT, the LEO orgs run to the hills and I never hear from them again. so cases that get a successful MLAT have to be super well argued to get the government to forward the request. The Swiss don’t seem like the magic lockbox they once were known for.

@mttaggart no web service is expensive enough for them to go to jail on your behalf. Always remember that…

@mttaggart Might I ask what situation you're referring to? I wasn't able to find an obvious answer.

@mttaggart I remember giving Proton Mail a tryout in 2018, and *even then* they were explicitly clear, up front, that they would comply with Swiss Govt lawful requests for access to the limited information that they did hold.

@mttaggart this is all over my feed. And I guess the question is do you think they should have gone LavaBit over unencrypted metadata? I think not