If you pay Proton Mail for a service, they may hand over the payment data in response to a court order: https://www.404media.co/proton-mail-helped-fbi-unmask-anonymous-stop-cop-city-protestor/
Link preview: Proton Mail Helped FBI Unmask Anonymous ‘Stop Cop City’ Protester (404 Media). A court record reviewed by 404 Media shows privacy-focused email provider Proton Mail handed over payment data related to a Stop Cop City email account to the Swiss government, which handed it to the FBI.
@evacide I've been following the articles on this, and was curious -- you would know this better than I -- does it sound like they were in a position where they had a legal alternative?
@cliffle I had this same question when I read the article... Would the only defense here be to pay cash (mail them an envelope full of Euros?) or sufficiently obfuscate payment card ownership (Bahamas holding company maze)? @evacide
Link preview: Payment options | Proton. Find out which payment methods and currencies you can use for your paid Proton subscription. How to pay with card, PayPal, Google Pay, Bitcoin, cash, bank transfer.
@wcbdata @cliffle @evacide You could use a free account. If they don't have your payment data they can't hand it to anyone.
@cliffle This is exactly what they have already said they would do, but it is very common for me to encounter people who use Proton Mail who do not expect this.
@evacide @cliffle I will admit to being surprised that they are required to log certain information by way of court order that they don't log by default.
@evacide @cliffle @stinerman There is a thin line on logging stuff for user debug (being an ISP/supplier for friends, I have some clue, not pretending it's expertise), therefore where is that line? Also, I might understand that Proton needs to comply with Swiss law (which isn't up to date vs data retention and digital data, because totally f*ing legacy). My short Swiss citizen view: we're in deep shit with this and local politics don't care. (I'm Geneva's former Pirate Party founder and lost.)

@evacide @cliffle

And with owners in the US, there's even more legal jeopardy potential. Where the servers are located is less relevant than who owns them.

Contrast that with Tuta: sure, it's EU owned, but you have to go through more layers to get to account details, and it's not as easily strong-armed.

Though the French MS email saga from a while back makes it all muddier. French authorities will comply with requests made through the proper channels; a US judge said she didn't have to and demanded compliance, putting MS-France in non-compliance with either the US court order or French law.

@maya_b @evacide @cliffle

All email providers that operate legally - including Tuta - must provide this info if they have it upon court request. If your threat model includes this risk, then having owners in a different country does not protect you at all.
To be clear, I like Tuta, but I haven't seen any evidence yet that they wouldn't be forced to do the same if they operate there.

@schroedingerspossum

Agreed. However, the reach of US courts is limited by entities that have no US ties. Tuta is still bound, and I expect that a properly processed request through German officials would result in a disclosure, but that requires a bit more rigour than I'd expect from an entity with US ties.

@evacide @cliffle

@schroedingerspossum @maya_b @cliffle This is exactly it. It's bad opsec to leave data your provider can hand over. Any company must and will comply with local law. It's your responsibility to not leave a paper trail. Proton, like a few other service providers like Mullvad, offers cash payments via mail. If you don't use that or stick to a free plan, that's on you.
@maya_b @evacide @cliffle Didn't Tuta get named by Canadian police in a lawsuit as a honeypot?

@cliffle @evacide All companies have to comply with the jurisdiction in which they are registered. In this case they complied with Swiss law, not the FBI directly, so the headline seems a bit misleading.

The takeaway is: If you pay for any service in a traceable way, you are not anonymous. If you want to be anonymous, consider cash or Monero.

@cliffle @evacide
They had no alternative because mail uses classical-style federation, in which the provider always has metadata in order to perform the service.
In contrast, there is a web-style federation, in which the vendor isn't given communication metadata.
From HOPE16 conference: at 37:10 https://www.youtube.com/watch?v=JRP0dW_zy_c&t=2230s
#hope16 #PrivacySafe
Link preview: HOPE_16 - TRACK 3 - TOBIN 201/202 - DAY 1 (YouTube)
@evacide Mail cash, I guess? Not really into crypto.
@eldersea @evacide If you want to remain as anonymous as possible, you'd use the free tier and not populate a recovery email. They had to give that to French police by way of court order, which helped the police identify the suspect.
@evacide It's even worse if you pay for Proton Mail and live in CH like I do (also citizen). It means they'll just turn my sh*t over to Bern. I wonder if they'd even inform me.
@rashunda @evacide *Any* Swiss company will comply with a court order (as will other companies in other countries).
@evacide This happens when people don't understand the difference between privacy and anonymity.

@evacide

The only winning move is not to pay.

Not quite as privacy focused as they claim, really.

@simonzerafa @evacide I think you mean "anonymity" rather than "privacy". No corporation is immune to legal compulsion. If you link a credit card to an account of any type, it will show up in all kinds of metadata via credit card companies and data brokers, and the banking records will forever deanonymize the account.

So yes, pay for a ProtonMail account with CC if you want, but use a free one if you want *anonymity* in addition to privacy.

@evacide When will people stop using this honeypot?

@evacide This is far from new? What happened to "the internet never forgets"? Proton regularly complies with police/government/legal requests etc.

2021

https://www.malwarebytes.com/blog/news/2021/09/protonmail-hands-users-ip-address-and-device-info-to-police-showing-the-limits-of-private-email

Link preview: ProtonMail hands user's IP address and device info to police, showing the limits of private email (Malwarebytes). What can we expect from privacy-focused email if law enforcement come knocking?
@Tekchip Is there something in my post that says this is a novel development?
@evacide no, left more so for the other folks replying to your post as if this is unexpected.
@Tekchip Feel free to reply to them while leaving me out of it.
@evacide More polite rebuttal than I could have managed.

@evacide

You can actually pay Posteo in cash by mail: send banknotes in an envelope with a code to Posteo.

@Tutanota as an alternative does not offer direct cash payment, but you can buy Tuta gift cards for cash the same way via the reseller Proxystore.

@protonprivacy also accepts cash payments according to their support, by sending physical money via post. You get the details by contacting Proton support…

But if you pay with a credit card, you have a US provider on board.

@doodee thanks for the tips 🙌
@hlrx Also worth adding: for the IP address side of things, Mullvad VPN is a great match — you can even pay cash by mail, no account needed. Keeps the whole setup nicely anonymous if you have to.

@doodee IMHO Mullvad immediately feels more anonymous because of how the whole account system works.

@hlrx

May I assume @Tutanota would be bound to do the same thing?
@ohmu @Tutanota Yes. No corporation is immune to legal compulsion.
@evacide Wouldn’t that be a given in most jurisdictions?
@lasombra_br @evacide you'd think so, but a surprising amount of people don't realize a credit card immediately deanonymizes whatever they pay for with a card.

@evacide
Never pay for Proton Mail.

Problem solved.

@evacide Payment data is d0x data. Always has been.
@evacide Paying with Crypto or Cash is still an alternative
@evacide so the only real solution is to run your own mail server, because corporations will always do this if pressured?

@caitp @evacide I would think it would be even easier to track someone with their own server. If you run it in the cloud, they can pressure the cloud provider. If it's under your desk, they can presumably track your DNS registration.

The only real solution is probably to use something like Signal.

@flipper @evacide Doesn't Signal have the same stuff, paid accounts associated with handles or phone numbers they could find on an arrested person's phone?
@caitp @evacide no paid accounts, possibly could track you with phone number. I don't know if they store that.

@caitp @evacide I run my own mail server and spammers have made deliverability impossible for lil guys like me.

I run my own server out of Germany, but I also have to text all of my friends to check their spam folders whenever I email them 🥲🥲🥲

@waffles

It is possible to make it work even to google and hotmail but it takes dedication and constant upkeep sadly. And it does not anonymize you at all, rather the opposite.

@caitp @evacide it is not a solution because you have to pay someone to deploy your own server, such as the internet provider, or the VPS provider. The solution could be to pay corporations without a tracked method, if available.
@caitp I guess in theory you could find a service that will shut down before complying (à la 2013 Lavabit), but I can't imagine there are many of them at any given time because, well, they'll shut down (by design) on a frequent basis. Not sure if that's better or worse than the headache of running it yourself. @evacide
@evacide Definitely don't use an email provider based in the US if you can avoid it, especially with the Nazis in power currently.

@evacide Yeah, Proton has done this before and has made statements about it that Proton is a privacy tool, not an anonymity tool. Hate to see it still, though.

It's definitely good to make people more aware of this, though. Thanks.

@evacide Glad that I paid them nothing while I was still using Proton Mail.
@Orca @evacide This is actually how you avoid this issue… your credit card is tied to you, full stop. Either pay with an alternative method or not at all.
@wonkothesane @evacide
I mean both.
Paying for something is definitely the fastest way for the cops to trace the payment back to me.
But also I don't want to give Proton money because they did this (multiple times), for ideological reasons.
@Orca That’s fine. But it’s also really disingenuous to claim Tuta, Fastmail, or any other hosting provider wouldn’t do this
@wonkothesane
They can become unable to do this if the mail provider just accepts the payment, enables premium on that account, and does not save the payment information. (I don't know if that meets the requirements of the law, though.)
But I guess recurring payment does exist because that would be bad for business otherwise. Or they just save the payment methods indefinitely.

@Orca With Proton you have the option of paying in crypto (this isn’t as untraceable as people pretend) and cash. But nothing is more tied to your identity than a credit card, and as you’re saying all companies are going to give you the option of renewing your sub via saved payment

Proton does not save your card info if you delete it

As much as I hate to blame users this really strikes me as an opsec issue on their part.

It’s a horrible situation but it sucks to see it sensationalized

@evacide I support the idea that you should pay for your email service, if you value your privacy.
Using ANY commercial email service exposes you to surveillance and your identity being exposed. Especially if you use your iOS or Google device as a computer.
I continue to hold that Proton is better than a "free" gmail or microsoft account.
For example, I currently support my mastodon instance via Patreon. Patreon could and would expose my identity. They have my email. Still I persist.
@evacide My reading and understanding of this, is that the Swiss govt order came from an MLAT request from the FBI, and not a US court warrant. Thus, the issue, to me, is how US law enforcement essentially uses MLAT to bypass what in the US could be withheld without an appropriate judicial review. Maybe I’m projecting a misunderstanding, but when I had to respond to such requests, in the ISP I ran, we would, generally, only comply with a legal warrant or order authorized by a court.
@steff A lot of people use Proton Mail because they think its location in Switzerland gives their data greater legal protections than it might have in the US or the EU. In some cases, this may be true, but as you can see in this example, these protections are not absolute.
@evacide Exactly. There’s an odd assumption that simply offshoring services increases privacy or anonymity when the reality is that it may leave one more exposed to the global panopticon. Certainly, I think there are other questions here about how Proton’s operational policies are not optimized to protect anonymity; yet, I feel it’s important to understand that maintaining security and privacy goes far beyond simply choosing a ‘secure provider’, but requires ongoing diligence to mitigate your operational and legal risks.