It feels like Proton are being intentionally misleading in their statements. They know that most of their customers aren't familiar with how legal process actually works, so are happy to spread half-truths.

Under US law, a US law enforcement agency (LEA) typically has to apply for a subpoena or search warrant with a US court. The court is then responsible for deciding if the legal bar for such a request has been met, then either grants or denies it.

The problem is, if a company has no real US footprint (no US corporate entity, offices, servers, etc.), then a US court typically doesn't have the jurisdiction to compel the company to hand over customer data (except in some rare circumstances). Even if the court approved the warrant anyway, it wouldn't really be legally binding.

Which is why the Mutual Legal Assistance Treaty (MLAT) exists. MLAT enables law enforcement agencies in one country to send requests for information to law enforcement agencies in another. Switzerland has such a treaty with the US. This means that the FBI can request that Swiss authorities hand over a Swiss company's data on their behalf.

Any country requesting information held by a company in a foreign jurisdiction would typically do so via MLAT. Which means from Proton's perspective, the legal request would appear to originate from their local law enforcement, not the FBI. Which they clearly understand based on their Reddit post.

Saying "we don't respond to legal requests from anywhere other than Swiss authorities" seems very intentionally worded to give the impression that the company does not cooperate with foreign law enforcement. But since it'd be the Swiss authorities handling any such requests, they'd have to comply, since as they admitted, they have to comply with local laws.

There is, however, some useful (but more nuanced) information here:

Firstly, MLAT requests are handled by local law enforcement according to local law. So if there is a difference between the law of the sending and recipient country, that might mean the MLAT request is denied. That probably doesn't mean much, because if you're on the FBI's radar, the chances are you did something that is also massively illegal in Switzerland too.

Secondly, they are 100% correct in saying that no other service provider is going to do any better. They're all beholden to local laws, and the ones that think they're not tend to get their doors blown off by SWAT like CyberBunker did. The only exception is if the company resides in a country which does not cooperate with US law enforcement (which Proton does not).

But the part that's extremely disingenuous is the "we only respond to requests from the Swiss authorities". That statement is likely intended to imply they don't cooperate with law enforcement in any other countries, which is simply not true. Switzerland has MLAT agreements with over 30 countries.

People really need to understand that no company is going to shield you from the FBI (or any reputable law enforcement agency). They'll use misleading statements to make it sound like they don't cooperate with law enforcement, but they do. They have to.

@malwaretech well you convinced me, time to give all my data to an Indonesian bulletproof hoster
@silhouette @malwaretech
I wonder if ocean floor datacenters could take advantage of laws on international waters
@kallisti @silhouette @malwaretech depends how much cement they're encased in, i'd wager

Their power generation will probably not be in international waters.

@dave_cochran @kallisti @silhouette @malwaretech

@kallisti @silhouette @malwaretech I mean you could just use an ol' boring ship if you want to have a lot of computers in international waters. The hardest part would be to transfer energy and data, but cooling would be easy af.
@jnk Wouldn't it still need to fly the flag of some country, and be under that country's legal jurisdiction?
If I recall correctly ships which don't fly the flag of any jurisdiction, or fly the flag of a country they aren't registered in, exist in legally ambiguous territory where some of the normal protections afforded to vessels might not apply.
@jnk @kallisti @silhouette @malwaretech I think power is the easier of the two, considering how much power is used on ships. 😃

@jnk @kallisti @silhouette @malwaretech

All of this talk about safe havens in international waters reminds me of Pirate Bay's attempt to buy Sealand then HavenCo's shenanigans there.
https://en.wikipedia.org/wiki/Principality_of_Sealand

@rayotron they tried to have a PIRATE ISLAND? Like literally a pirate bay? This is beautiful, I need to live on that timeline

@kallisti @silhouette @malwaretech

LOL. Datacenters on the ocean floor seems wildly impractical, but still far more realistic than datacenters in space.

As far as legalities go, unless the datacenter's owners are also on the ocean floor, they'll have to comply with their country's law enforcement regardless of where the data resides.

@bruce @silhouette @malwaretech

If she is to be believed, Maxie Reynolds makes a case that it is not, in fact, impractical.

https://darknetdiaries.com/episode/166/

@kallisti @silhouette @malwaretech

Neat. I'll give it a listen. Thanks 😊

@bruce @kallisti @silhouette @malwaretech Microsoft did a prototype, to a reasonable degree of success: https://en.wikipedia.org/wiki/Project_Natick

Neatest result: The failure rate of a data center entombed below several tons of water is actually lower than that of a regular data center, because there aren't any humans in there that could pull out the wrong drive by accident.

@henryk @bruce @kallisti @silhouette @malwaretech Not a bad point, but it’s still subject to the data cable crossing a shoreline. These things are vulnerable enough to thieves looking for copper without running afoul of local governments with guns and armies and backhoes. (why did predictive text give me Zendaya as a correction for “backhoez?” Did it think I was spelling it backwards? I suspect treachery. Or LLM.)
@su_liam @henryk @bruce @silhouette @malwaretech how do you think intercontinental Internet currently works?
@kallisti @henryk @bruce @silhouette @malwaretech The difference between a cable carrying one offending data center’s content vs. a cable carrying, say Europe.
The Great Firewall of China is a far more complicated thing than ripping some wires out of the ground.
@kallisti @silhouette @malwaretech
Hmm.. If my data is adrift (not clearly in transit) do I have to pay salvage to whoever recovers it (before the pirates, state sponsored or not, get it)?
The right of free passage is one thing. The right to just bob about in the ocean as though it's some sort of "the floor is lava" defence is not so well established. In fact it's established that a vessel is subject to the laws of the country whose flag it flies. Hence flags of convenience and all that but it's not "stateless".
@silhouette @malwaretech I hear there's a good one in the island of Kinakuta

@malwaretech The thing that gets me is - is the company being requested by the MLAT allowed to challenge their local government on the legality of the request?

Like how Apple famously refused to make a program to automatically decrypt their iPhones to federal, state, or municipal authorities to be able to decrypt a terrorist's phone, and as I recall, that actually went to court on that?

Could Proton not do the same with the request made of them?

@AT1ST @malwaretech does Proton have Apple money?
@can @malwaretech Do they *need* Apple money to challenge the Swedish legal system? Justice should not just be for the rich; the Swedish government should have a vested interest in their own companies being able to challenge an MLAT request so it is not just a "Did they cross their 'i's and dot their 't's?" system of justice.
@AT1ST Swiss. Not Swedish. Cuckoo clocks, not IKEA. *facepalm @can @malwaretech

@stefan_hessbrueggen @can @malwaretech Okay, that's a fair point.

My answer then goes to both the Swiss *and* the Swedish governments.

On the other hand, that makes the monetary issue seem less of a concern - aren't they infamous for having a *lot* of money?

@AT1ST No, Apple just outright refused and has enough money to tie most of the federal government lawyers up in court for the rest of their careers

@malwaretech So they're skirting the government request *entirely* on money and lack of compliance?

I am not saying that ProtonMail has to *win* their case, but it does feel like ProtonMail is just folding right out of the gate.

Like how it has been pointed out that a Filibuster where you have to keep debating an issue in the House or the Senate to block it became suddenly a "If you threaten to filibuster it, then I guess we don't bother testing that you *can* filibuster this law - it's just dead.".

@AT1ST

No, it's a different situation from a technical perspective.

One is a request for data (mail) a company already has stored on its own servers, and that that company can already access at will.

The other is a request for a company to develop and provide a tool to the government, so the government may unlock devices belonging to 3rd parties, and independently access the data therein.

To build a flimsy analogy here, one case is the government coming to your house and saying "give me all the files from the safe in your office".
The other is the government going to the safe company and saying "give me a skeleton key to unlock every safe you've ever made"

@lackthereof The technical difference is only partially why that stance was taken.

As I understand it, they didn't even give away mail, they gave away the credit card processing token (Or the information outright), so that the credit card processing company could reveal more information. That is, Proton Mail made a point that they still cannot actually retrieve mail from their servers without doing the skeleton thing, and they aren't doing that.

But they did hand over information similar to a journalist not giving away their source, but instead giving away where they met their source and who knew their source, on account of a warrant.

@AT1ST

Absolutely.
Also, no such things as gag orders are known (yet…) on this continent.

@malwaretech

@AT1ST @malwaretech
> Like how Apple famously refused ...
Apple refused protecting their bottom line. Then this iPhone was soon "decrypted by a group of hackers" IIRC. Good PR and not a penny wasted for the 3mo coverage all over the nets.
> Could Proton not do the same with the request made of them?
1. There is no crime-story on the warrant
2. Check prices of legal representation in Switzerland first. For "ultimate plan"/yr sum you can buy a few microseconds of lawyer time.
@ohir @malwaretech I mean, the first link I found indicated that it is negotiable [ https://www.getyourlawyer.ch/en/lawyer/fees/ ], but I find it surprising that ProtonMail isn't paying for lawyers just as a cost of business. Maybe they don't have trial lawyers that are more expensive, but they couldn't as a Non-Profit find a lawyer to do it pro bono? This would be an amazing case for them, whether they won or not.

@AT1ST @malwaretech
They advertise confidentiality of the communication and that _only_ between INTERNAL (Proton) accounts. Nothing more, nothing less. That's what they sell: c-o-n-f-i-d-e-n-t-i-a-l-i-t-y. For people who do not know how to read gnupg manual. All gui, easy to click.

Then using money earned on their email product they provide more services that used properly _allow_ people to stay safe from being targeted way longer than any other service provider – and these they provide free. They explain the possibilities and explain threats. Problem is that many many many way so many people now just do not want to read before they click or tap.
You can stay a bit, for a longer while, anonymous using Proton: you sign up for a free account using their free #vpn built into #vivaldi and never ever log in to this account not using vpn. Very simple.

Not that you can use such account for a malicious public posting. When "imminent threat" is detected, esp. to some #EElite member, anyone on your packet way to the service will act to uncover you. Read the silk road story as a primer.

@ohir @malwaretech "Anyone on your packet way to the service will act to uncover you."

The big detail is that it was the person *closest* to the endpoint that did the uncovering that bothers people; had it been ProtonMail's ISP, it would be a different question.

But the issue that people take issue with is that ProtonMail appears to have folded without *any* resistance, over something they claim they would not normally fold over. Hence the "It's not the same as them giving data directly to the FBI if they give it to the Swiss government who then gives it to the FBI." distinction they appear to be trying to make.

@AT1ST @malwaretech
There is no way to *resistance* in many countries. You can complain on merit. Or go to jail for *resistance*. Such resistance to a valid warrant is called "Obstruction of Justice" and penalties vary by country from 3 to 8 years.

Then yet again now in simple words: why do you feel entitled to the costly legal representation from the service provider who never advertised "anonymity services"? On what basis? Why should mine and over ten thousand other people's $80 payments this year be spent to cover for someone posting explosive threats to the FB? Should Uber "resist" a warrant seeking a robber tapping Uber services to get the loot from the crime scene?

@ohir @malwaretech "There is no way to resistance in many countries. You can complain on merit."

...My point is that it seems they relied on the Swiss government to do the resistance and judge the merit. The point of a "Resistance lawsuit" is to complain on merit.

(Also, ProtonMail both makes income, and kind of makes the argument that Swiss companies *cannot* share information with foreign law enforcement under criminal penalty [ https://proton.me/blog/switzerland ]. They're doing this reveal of information as a "Loophole" to their own privacy marketing.

At the minimum, this is a bad look for P.R. purposes.)

@ohir @malwaretech Like, Uber doesn't make the claim that you can get privacy in Uber, but Proton *specifically* said this on that web site:

"Strong privacy protections: Switzerland has a constitutional right to privacy and strict data protection laws. Unlike companies in other countries, Proton cannot be compelled by foreign or Swiss authorities to engage in bulk surveillance."

That's a major reason they say "This is why we're Switzerland-based.".

And here? Here they are "Loopholing" that whole statement.

@AT1ST @malwaretech
Proton can not be compelled to provide bulk surveillance.

What is to be misunderstood in the "bulk" word? They stated what the laws of their incorporation say.

Privacy does not mean anonymity. Encryption does not mean anonymity.
Encryption provides confidentiality, this is a vessel for privacy. Tech can provide your mail can not be read by their staff if both parties use two-key approach. As this was too hard for the masses, one can now turn this on.

The problem is so many people can not grasp the details. Then the easy and enough-secure provider is magnitude better for the masses than alternatives feeding the monster siliconiacs.

Had Proton started their message with "dear user, remember we are obliged to help law enforcement to know you" this would be as much misunderstood. And a prospective non-US user would be inclined to choose e.g. Apple mail instead. Because "you know, Apple protects their customers".

Reiterating: Privacy is not anonymity. Encryption is not anonymity. There is no anonymity on the current Internet, there are only ways to up cost and time to discover. Like hand routed Tor between mail services hosted in separate mafia states.

@AT1ST @malwaretech
> Swiss companies *cannot* share information with foreign law enforcement under criminal penalty
True. You can not sell your customer data without a warrant from the Swiss authorities. That's why Swiss bankers got so insanely rich. They can not be compelled to be customer watchers, then a valid warrant must have had a valid warrant subject.

@AT1ST Depends what remedies exist under both the MLAT and Swiss law. I'm not sure if they could challenge in US court, Swiss court, or both.
In US court, companies can move to quash a subpoena, but if a magistrate judge found probable cause, that would probably be a difficult battle. Not to mention the grounds for quashing a subpoena in the first place are very limited, and I don't think that any remedy is even available here but am not an expert (https://www.law.cornell.edu/rules/frcp/rule_45).

Once the case gets to court - and it doesn't seem it ever did here - there could be motions to suppress the evidence on the grounds it was illegally obtained. That seems unlikely to prevail here, especially given that analysis would probably be under US law, not Swiss law.

There could also be other challenges to the case, i.e. first amendment challenges, but without knowing the facts it's hard to know how successful those challenges would be. All of that is so far down the road that it wouldn't be in Proton's calculus.

I am not a lawyer, take everything I said with a lot of skepticism.

@iampytest1 Ah, so the caveat to the "Swiss privacy law is the strictest" part for Proton is that, if the Swiss judicial system thinks the MLAT request is above board, companies or related persons *can't* challenge it because the judge already ruled "Probable cause" on it, and they don't want to re-litigate it?

@AT1ST That I don't have an answer to.
If this was a subpoena to a US company subpoenaed under US law, they could challenge it in US court but it will be an uphill battle.

I have no idea how Proton could challenge the subpoena under Swiss law, and my guess is they wouldn't be able to challenge it under US law, but I am not a lawyer and I really don't know.

@malwaretech The MLAT request may originate from a country other than Switzerland, but it is still brought to Proton from the Swiss authorities in accordance with Swiss law, which makes it a legal request from Swiss authorities. Proton is not misleading in this.

@RandamuMaki @malwaretech I have similar thoughts. I don’t see how this is misleading.

Now if we found out the request was flawed and that Proton could/should have contested it but didn’t then by all means they should get big heapings of criticisms. But so far at least that doesn’t seem to be the case here.

@derekheld they should contest all requests, didn’t they even say so on the package?
Transparency report | Proton

Proton's transparency report with aggregate statistics of legal orders from the Swiss authorities, covering Proton Mail, Proton Drive, and Proton Calendar.

@RandamuMaki

Someone can be absolutely correct and still be misleading. That’s sort of the difference between “misleading” and “lying”

@amd Or people could just admit they fail at reading comprehension. Proton is not the bad guy in this scenario. They have to acquiesce to lawfully made requests like this.

@RandamuMaki not sure who would need to admit that.

Malwaretech acknowledged they have to follow a legal request… that’s basically the whole point of his post.

Maybe you didn’t read his post??

@malwaretech the trick is to not have that data accessible in the first place. Like Mullvad back when they were forced to give out data.
@can @malwaretech Thus the need for "private by design" systems: people don't need to trust on "we are not logging your data" or "we will not give governments your data" if we first make sure they don't have this data.

@malwaretech

Not sure that Proton’s 100% true statement - that they only respond to requests from the Swiss authorities - is “intentionally misleading”. As you have outlined, it is literally the truth.

We’re all aware that international treaties exist. But, as you also outline, they are subject to domestic law. And that isn’t a given - breaking US tax law is unlikely to have any impact on Swiss authorities, who would likely deny requests for assistance before it ever reaches Proton.

I don’t like Proton much as a company - they do too many things, for one. I don’t use them (any more). But I don’t think your attempt to deliberately stir up FUD about them is warranted here.

@malwaretech As for keeping your privacy…

Mullvad sells (tamper-proof) paper vouchers on Amazon.

I buy one with my credit card. Amazon ships it to me. They know I bought a Mullvad subscription, and my address and credit card. But they don’t know which Mullvad account it relates to.

Mullvad knows they shipped a bunch of paper vouchers to Amazon. They know this voucher came from there. But they don’t know who I am - they have none of my details other than the voucher information.

This seems a simple method of firewalling the purchase information from the service to which it relates. Given Proton’s size, and its professed security credentials, it’s curious why they don’t do similar.

@james @malwaretech Obliquely, they do accept cash which I guess would be anonymous.

https://proton.me/support/payment-options#cash

@malwaretech I think they should be more upfront about what they're selling. They sell security. They don't really sell anonymity. People think Proton is "I create an account and everything I do is anonymous." It isn't, Proton never said it was, but people make assumptions.

But let's not pretend that any other similar service (Tuta, etc.) wouldn't do the same thing.

@stinerman @malwaretech
Yes. This is! For masses fleeing FB "encrypted"=="anonymous". And I have a hard time to explain to such persons, usually just born as activists, that there is no anonymity on teh nets.
@ohir @stinerman @malwaretech
Indeed, I don't think most people would want to live in a world with *unbreakable* anonymity - there are some people who really do need to be tracked down and prosecuted.
For instance, I wouldn't want child pornographers to be free to continue their activity with impunity.

@ohir @stinerman @malwaretech
That said, I also don't want to live under mass surveillance (by govs _or_ corps) and think LEAs shouldn't be able to break anonymity frivolously.
But for most people living in democratic systems, I think over-reach (which will always be a danger) needs to be addressed legally and politically, rather than technologically.

There are obviously variations between countries and over time in how much freedom there is to pursue such remedies. Because of that, some people do have a greater need to protect their identity. I think it's okay for that not to be easy. I'd also suggest that most people complaining about proton are probably not members of this category.