Mastodawn

It feels like Proton are being intentionally misleading in their statements. They know that most of their customers aren't familiar with how legal process actually works, so are happy to spread half-truths.

Under US law, a US law enforcement agency (LEA) typically has to apply for a subpoena or search warrant with a US court. The court is then responsible for deciding if the legal bar for search a request has been met, then either grants or denies it.

The problem is, if a company has no real US footprint (no US corporate entity, offices, servers, etc.), then a US court typically doesn't have the jurisdiction to compel the company to hand over customer data (except in some rare circumstances). Even if the court approved the warrant anyway, it wouldn't really be legally binding.

Which is why the Mutual Legal Assistance Treaty (MLAT) exists. MLAT enables law enforcement agencies in one company to send requests for information to law enforcement agencies in another. Switzerland has such a treaty with the US. This means that the FBI can request that Swiss authorities hand over a Swiss company's data on their behalf.

Any country requesting information held by a company in a foreign jurisdiction would typically do so via MLAT. Which means from Proton's perspective, the legal request would appear to originate from their local law enforcement, not the FBI. Which they clearly understand based on their Reddit post.

Saying "we don't respond to legal requests from anywhere other than Swiss authorities" seems very intentionally worded to give the impression that the company does not cooperate with foreign law enforcement. But since it'd be the Swiss authorities handling any such requests, they'd have to comply, since as they admitted, they have to comply with local laws.

There is, however, some useful (but more nuanced) information here:

Firstly, MLAT requests are handled by local law enforcement according to local law. So if there is a difference between the law of the sending and recipient country, that might mean the MLAT request is denied. That probably doesn't mean much, because if you're on the FBI's radar, the chances are you did something that is also massively illegal in Switzerland too.

Secondly, they are 100% correct in saying that no other service provider is going to do any better. They're all beholden to local laws, and the ones that think they're not tend to get their doors blown off by SWAT like CyberBunker did. The only exception is if the company resides in a country which does not cooperate with US law enforcement (which Proton does not).

But the part that's extremely disingenuous is that the "we only respond to requests from the Swiss authorities". That statement is likely intended to imply they don't cooperate with law enforcement in any other countries, which is simply not true. Switzerland has MLAT agreements with over 30 counties.

People really need to understand that no company is going to shield you from the FBI (or any reputable law enforcement agency). They'll use misleading statements to make it sounds like they don't cooperate with law enforcement, but they do. They have to.

Show thread

Alexander The 1st Mar 8

@malwaretech The thing that gets me is - is the company being requested by the MLAT allowed to challenge their local government on the legality of the request?

Like how Apple famously refused to make a program to automatically decrypt their iPhones to federal, state, or municipal authorities to be able to decrypt a terrorist's phone, and as I recall, that actually went to court on that?

Could Proton not do the same with the request made of them?

Show thread

ohir Mar 9

@AT1ST @malwaretech
> Like how Apple famously refused ...
Apple refused protecting their bottom line. Then this iPhone was soon "decrypted by a group of hackers" IIRC. Good PR and not a penny wasted for the 3mo coverage all over the nets.
> Could Proton not do the same with the request made of them?
1. There is no crime-story on the warrant
2. Check prices of legal representation in the Switzerland first. For "ultimate plan"/yr sum you can buy a few microseconds of lawyer time.

Show thread

Alexander The 1st Mar 9

@ohir @malwaretech I mean, the first link I found indicated that it is negotiable [ https://www.getyourlawyer.ch/en/lawyer/fees/ ], but I find it surprising that ProtonMail isn't paying for lawyers just as a cost of business. Maybe they don't have trial lawyers that are more expensive, but they couldn't as a Non-Profit find a lawyer to do it pro bono? This would be an amazing case for them, whether they won or not.

How much does a lawyer cost? Everything about legal fees

Legal fees are essentially based on three factors: hourly rate, amount of work and complexity of the matter. Here are the best tips.

GetYourLawyer

Show thread

ohir Mar 9

@AT1ST @malwaretech
They advertise confidentiality of the communication and that _only_ between INTERNAL (Proton) accounts. Nothing more, nothing less. Thats what they sell: c-o-n-f-i-d-e-n-t-i-a-l-i-t-y. For people who do not know how to read gnupg manual. All gui, easy to click.

Then using money earned on their email product they provide more services that used properly _allow_ people to stay safe from being targeted way longer than any other service provider – and these they provide free. They explain the possibilities and explain threats. Problem is that many many many way so many people now just does not want to read before they click or tap.
You can stay a bit, for a longer while, anonymous using Proton: you sign up for a free account using their free #vpn built into #vivaldi and never ever log in to this account not using vpn. Very simple.

Not that you can use such account for a malicious public posting. When "imminent threat" is detected, esp. to some #EElite member, anyone on your packet way to the service will act to uncover you. Read the silk road story as a primer.

Show thread

Alexander The 1st Mar 9

@ohir @malwaretech "Anyone on your packet way to the service will act to uncover you."

The big detail is that it was the person *closest* the endpoint that did the uncovering that bothers people; had it been ProtonMail's ISP, it would be a different question.

But the issue that people take issue with is that ProtonMail appears to have folded without *any* resistance, over something they claim they would not normally fold over. Hence the "It's not the same as them giving data directly to the FBI if they give it to the Swiss government who then gives it to the FBI." distinction they appear to be trying to make.

Show thread

ohir

@AT1ST @malwaretech
There is no way to *resistance* in many countries. You can complain on merit. Or go to jail for *resistance*. Such resistance to a valid warrant is called "Obstruction of Justice" and penalties vary by country from 3 to 8 years.

Then yet again now in simple words: why do you feel entitled to the costly legal representation from the service provider who never advertised "anonymity services"? On what basis? Why mines and over ten thousand other people $80 this year payments should be spent to cover for someone posting explosive threats to the FB. Should Uber "resist" a warrant seeking robber taping Uber services to get the loot from the crime scene?

Show thread

Alexander The 1st Mar 9

@ohir @malwaretech "There is no way to resistance in many countries. You can complain on merit."

...My point is that it seems they relied on the Swiss government to do the resistance and judge the merit. The point of a "Resistance lawsuit" is to complain on merit.

(Also, ProtonMail both makes income, and kind of makes the argument that Swiss companies *cannot* share information with foreign law enforcement under criminal penalty [ https://proton.me/blog/switzerland ]. They're doing this reveal of information as a "Loophole" to their own privacy marketing.

At the minimum, this is a bad look for P.R. purposes.)

Why is Proton based in Switzerland? An analysis of Swiss privacy laws | Proton

Switzerland has a strong reputation for privacy, dating back over 100 years, but is this reputation actually backed up by strong laws?

Proton

Show thread

Alexander The 1st Mar 9

@ohir @malwaretech Like, Uber doesn't make the claim that you can get privacy in Uber, but Proton *specifically* said this on that web site:

"Strong privacy protections: Switzerland has a constitutional right to privacy and strict data protection laws. Unlike companies in other countries, Proton cannot be compelled by foreign or Swiss authorities to engage in bulk surveillance."

That's a major reason they say "This is why we're Switzerland-based.".

And here? Here they are "Loopholing" that whole statement.

Show thread

ohir Mar 9

@AT1ST @malwaretech
Proton can not be compelled to provide bulk surveilance.

What is to be misunderstood in the "bulk" word? They stated what laws of their incorporation says.

Privacy does not mean anonymity. Encryption does not mean anonymity.
Encryption provides confidentiality, this is a vessel for privacy. Tech can provide your mail can not be read by their staff if both parties use two-key approach. As this was too hard for the masses, one can now turn this on.

The problem is so many people can not grasp the details. Then the easy and enough-secure provider is magnitude better for the masses than alternatives feeding the monster siliconiacs.

Were Proton started their message with "dear user, remember we are obliged to help law enforcement to know you" this would be as much misunderstood. And prospect non US user would be inclined to choose eg. Apple mail instead. Because "you know, Apple protects their customers".

Reiterating: Privacy is not anonymity. Encryption is not anonymity. There is no anonymity on current Internet, only are ways to up cost and time to discover. Like hand routed Tor between mail services hosted in separate mafia states.

Show thread

ohir Mar 9

@AT1ST @malwaretech
> Swiss companies *cannot* share information with foreign law enforcement under criminal penalty
True. You can not sell your customer data without a warrant from the Swiss authorities. Thats why Swiss bankers got so insanely rich. They can not be compelled to be customer watchers, then a valid warrant must have had a valid warrant subject.