@malwaretech Maybe the users of one of those three platforms are slightly more tech savvy and simply don't agree with your feelings?

I've been a paying Proton user (Visionary) since nine years and I've never felt they're misleading me.

Maybe you shouldn't react to that by considering those than don't agree with you as being fanboys, but rather knowledgeable.

@troed @malwaretech so your take is that #proton doesn't have to follow Swiss law? Or that the cooperating doesn't happen? Or that FBI wouldn't lie to Swiss authorities to get them to request the data?

There's only one way for companies to protect your data - if they don't have it in the first place. If they have to collect the data to provide the service, you need to assume they might hand it over and act accordingly.

@drizzy

Even though I am on Mastodon I guess I would be one of those domain experts Marcus is talking about. I used to sit on the board of and be a politician for the Swedish Pirate Party - where knowing exactly what the current legal system affords when it comes to privacy was pretty much a requirement.

There are two takes on this story: 1) Do Proton misrepresent their offering and 2) How did the FBI end up with the name behind the account.

For 1 it's simply no. Proton are correct in that the Swiss judicial system doesn't lay flat when a request comes in from an international partner so their marketing is honest. Providers in some other jurisdiction would be much more eager to hand out account owner data.

For 2 it's unfortunately bad OPSEC on the account owner's part. If you rely on being anonymous you can't hand out your credit card details - regardless of where you sign up. Proton offers both cash and crypto as payment options - which is the best anyone can do.

... but facts spread much more slowly compared to hot takes.

@malwaretech

@troed @malwaretech But see - this is not about experts (legal, technical or otherwise) being able to understand what Proton *actually* means when they say "We do not respond to legal requests from anywhere other than Swiss authorities".

I'll write their asterisk for them:
Except if the other side convinces Swiss authorities (even by lying) a serious crime has occurred in which case we might be compelled to give them whatever we have so use TOR/VPN and pay with cash/crypto.

@drizzy

Where has Proton not been honest with that?

https://proton.me/blog/protonmail-threat-model

The claim is that Proton somehow should have done something different. I have yet to see what that something is. They clearly state all over the place that privacy != anonymity and that if you're going up against government adversaries maybe Proton isn't what you need.

@malwaretech

@troed @malwaretech Let me clarify a bit. Proton's great. I'd have no issue recommending it.

But it *is* hard to communicate threat models to ordinary folks. The threat model blog post is great - do they link to it when people sign up? I don't think so. How would people even know? To be clear I know that communicating this clearly is hard.

The distinction between using "MLAT" and "Helping FBI directly" is of course there but in the end - the result is the same for the affected individuals.

@drizzy

This page is linked from their front page, as the reason why their whole "Swiss privacy laws" matters:

https://proton.me/blog/switzerland

I'm not sure those who bring up MLATs realize that there's a huge difference in what other countries do when those come in and what the Swiss judicial system does - see under the "Legal differences between Switzerland and other countries" heading.

I still don't know what Proton should do differently.

@malwaretech