It feels like Proton are being intentionally misleading in their statements. They know that most of their customers aren't familiar with how legal process actually works, so are happy to spread half-truths.

Under US law, a US law enforcement agency (LEA) typically has to apply for a subpoena or search warrant with a US court. The court is then responsible for deciding if the legal bar for such a request has been met, then either grants or denies it.

The problem is, if a company has no real US footprint (no US corporate entity, offices, servers, etc.), then a US court typically doesn't have the jurisdiction to compel the company to hand over customer data (except in some rare circumstances). Even if the court approved the warrant anyway, it wouldn't really be legally binding.

Which is why the Mutual Legal Assistance Treaty (MLAT) exists. MLAT enables law enforcement agencies in one country to send requests for information to law enforcement agencies in another. Switzerland has such a treaty with the US. This means that the FBI can request that Swiss authorities hand over a Swiss company's data on their behalf.

Any country requesting information held by a company in a foreign jurisdiction would typically do so via MLAT. Which means from Proton's perspective, the legal request would appear to originate from their local law enforcement, not the FBI. Which they clearly understand based on their Reddit post.

Saying "we don't respond to legal requests from anywhere other than Swiss authorities" seems very intentionally worded to give the impression that the company does not cooperate with foreign law enforcement. But since it'd be the Swiss authorities handling any such requests, they'd have to comply, since as they admitted, they have to comply with local laws.

There is, however, some useful (but more nuanced) information here:

Firstly, MLAT requests are handled by local law enforcement according to local law. So if there is a difference between the law of the sending and recipient country, that might mean the MLAT request is denied. That probably doesn't mean much, because if you're on the FBI's radar, the chances are you did something that is also massively illegal in Switzerland too.

Secondly, they are 100% correct in saying that no other service provider is going to do any better. They're all beholden to local laws, and the ones that think they're not tend to get their doors blown off by SWAT like CyberBunker did. The only exception is if the company resides in a country which does not cooperate with US law enforcement (which Proton does not).

But the part that's extremely disingenuous is the "we only respond to requests from the Swiss authorities" statement. That statement is likely intended to imply they don't cooperate with law enforcement in any other countries, which is simply not true. Switzerland has MLAT agreements with over 30 countries.

People really need to understand that no company is going to shield you from the FBI (or any reputable law enforcement agency). They'll use misleading statements to make it sound like they don't cooperate with law enforcement, but they do. They have to.

@malwaretech I think they should be more upfront about what they're selling. They sell security. They don't really sell anonymity. People think Proton is "I create an account and everything I do is anonymous." It isn't, Proton never said it was, but people make assumptions.

But let's not pretend that any other similar service (Tuta, etc.) wouldn't do the same thing.

@stinerman @malwaretech
Yes. This is! For masses fleeing FB "encrypted"=="anonymous". And I have a hard time explaining to such persons, usually just born as activists, that there is no anonymity on teh nets.

@ohir @stinerman @malwaretech
Indeed, I don't think most people would want to live in a world with *unbreakable* anonymity - there are some people who really do need to be tracked down and prosecuted.
For instance, I wouldn't want child pornographers to be free to continue their activity with impunity.

@ohir @stinerman @malwaretech
That said, I also don't want to live under mass surveillance (by govs _or_ corps) and think LEAs shouldn't be able to break anonymity frivolously.
But for most people living in democratic systems, I think over-reach (which will always be a danger) needs to be addressed legally and politically, rather than technologically.

There are obviously variations between countries and over time in how much freedom there is to pursue such remedies. Because of that, some people do have a greater need to protect their identity. I think it's okay for that not to be easy. I'd also suggest that most people complaining about Proton are probably not members of this category.

@GerardThornley @stinerman @malwaretech
> for most people living in democratic systems
Not many democracies left, Switzerland internally is closest to, Scandinavian countries still stand close. Romania possibly too. But within EU I see no healthy democracy now, only façade ones. But still protective enough.

In EU someone's socially unaccepted private endeavours are protected by law. You can see your French neighbor being close to their cousin and this is protected. You can not as a journalist "be outraged at", as cousin-cousin relations, while not accepted by ~80% of respondents, are not forbidden hence are private matters of people – protected by law to not be named and shamed. Problem is, the EU law agencies are bad at enforcing this protection, esp. on US-owned platforms. Le Monde journalist can not name, yet any wacko at Xusk can call fork and torch mobs on the "immoral" cousins.

Most people who seek "anonymity" belong to this huge set. They in fact seek safety from the lynch, nothing more.

The mass surveillance in EU is rampant, yet EU citizens do not feel it due to laws shielding privacy. This feeling may soon change with current push to fully identify population using internet services and mandatory screening for anti-ruling-class sentiments. The opposition to this shift needs protection ...[TBC]