This follows right after their recent shenanigans with the climate activists, and overt overtures to place themselves as Google for EU sovereign technology enthusiasts and governments.
Ideally, people should not depend on these services for privacy, anonymity, or any of the CIA triad. Evaluate if you actually want email for personal communication instead of thinking of which encrypted email provider to use. Evaluate if you need cloud storage instead of which cloud provider to use. The default behavior being sold is to trap you in subscriptions and take potential donation money away from local first, offline first projects based on devices you control.
These services sell you on the premise of “buy this for peace of mind”, and sell that peace and not actual security. Reevaluate what your threat model is periodically, and cut dependencies. Remember the fear of inconvenience is higher than the inconvenience, and the more you donate to the right projects, the more of a chance they have to make the experience more accessible.
This is a warning bugle; hopefully it is heard across the privacy and security community.
Good post @darwinism. It’s great to see Phrack Magazine call out that Proton’s primary concern is making money… they have no moral compass. They put their bottom line above everything, which is why they tout privacy but give up the goods to everyone that comes a-knocking. That’s why they celebrate/advertise/market their product as open-sourced but refuse to make the code public for most of their latest releases. That’s why they celebrate Trump’s election yet tell European audiences that they need to distance themselves from the authoritarian US administration. They have no moral compass and will do anything to make money.
To say the privacy community is compromised in their relationship with Proton is an understatement. In fact, I posted earlier in this thread @'ing @Proton_Team to call them to task and a moderator hid my comments from view, ‘restored’ them and then deleted them altogether so that there’s no trace of them ever occurring. All that’s left is some notifications on my profile:
Your comment was removed because it was off topic. You cannot expect that companies will reply to you here. And you were mentioning a question that wasn’t even addressed at Proton. Please refrain from dragging this off topic. Thank you.
I do wonder about Proton’s motives here. I understand that they cannot just go full Lavabit and shut down the company every time they get a request. But disabling it outright with any fight or publicity is suspicious.
Had to make a new comment, but here’s where it gets into the greyish area for me. From what Proton says in its privacy policy:
We will only disclose the limited user data we possess if we are legally obligated to do so by a binding request coming from the competent Swiss authorities. We may comply with electronically delivered notices only when they are delivered in full compliance with the requirements of Swiss law. Proton’s general policy is to challenge requests whenever possible and where there are doubts as to the validity of the request or if there is a public interest in doing so. In such situations, we will not comply with the request until all legal or other remedies have been exhausted. Under Swiss law, subjects of judicial procedures have to be notified of such procedures, although such notification has to come from the authorities and not from the Company. Under no circumstances can Proton decrypt end-to-end encrypted content and disclose decrypted copies. Aggregate statistics about data requests from the competent Swiss authorities can be found in the transparency reports listed in our products-specific policies.
Yes, there is a Proton email address; however, it was tied to a spear-phishing operation, a campaign that impersonated people from the South Korean government. HOWEVER, this was not related to the whistleblower’s account.
If the whistleblower was distributing the logins as proof, that would technically fall under Proton’s rule of no sharing hacked or stolen data. Who’s to say that the gov didn’t have Proton disable the account too? This is just my “anything happened” look at it.
People using Proton and once again conflating privacy with anonymity. If you want to be completely anonymous using Proton: use a VPN, don’t include a recovery email at all since it is not encrypted (by the way, the climate activist violated these two rules), don’t disseminate emails with your Proton address if it’s going to have personal information, and pay for it with Monero.
If these folks were serious about anonymity they would have done all of this and made it impossible for Proton to be able to locate their email address, but they highly likely did not because of said conflation.
From the way I read it, it seemed they used a dedicated Proton address for this disclosure and it was allegedly suspended. The allegation sounds as if they did this on request of the South Korean government.
It remains hard to argue for or against Proton without more details. So far it seems a very one-sided story with little to no details. While it is understandable that they don’t want to share the contents of what actually was communicated, it is hard to say something about it.
Proton Mail’s terms of service are quite clear. An account can be disabled/deactivated for numerous valid reasons. Lacking any concrete details, it’s nothing more than speculation at this point.
There was no legal request with due process; the timeline makes it clear it was a voluntary action. Proton’s response also shows the same, since they would actually inform the users when they receive a proper legal complaint against them (it is Swiss law to inform users of any legal requests on accounts).
No, it would not. Fair use and reporting is not = sharing anywhere, including Switzerland, EU, and US. Laws are very clear on it, otherwise all journalist and security researcher accounts can be shut down.
No one did that. Parroting the same line in every thread across the internet is misleading. Read the text instead of imposing your idea of what happened. The issue here is the “primary” email of the person, which is NOT anonymous, being suspended. Also, Proton deleted their promise of anonymity on their website after the climate activist case, so they have always been scummy.
You do not understand the situation at all, and everyone who reacted in support is similarly a headline skimmer. How can a coordinated disclosure happen without direct communication? You literally need to work with the vendor for a solution and eventual disclosure.
There is no valid reason. The journalist was a real person, who was doing a responsible disclosure coordinated with the internet security services of SK. There was no ToS or legal violation. Proton “can” delete accounts at will, but doing it without reasons makes them scummy, and violates the image they keep selling across the internet. When will the straw that breaks the camel’s back come, so that people hold them accountable to their words instead of the smug dismissals of “oh, they can do what they want, it’s in the policy”?
I am much amused to see the abusive relationship all software suites develop with their users. Users buy into their promises, they violate them, users defend their actions to feel good about their choice and spending (since why would they, “smart users”, choose a bad service, it MUST be the incident is painted badly), and the cycle continues. Apple hostages do it, proton hostages do it, and soon other hostages will do the same. Sunk cost fallacies keep these idiocracies afloat.
This is Phrack zine, not some college dorm room hacker. I know not everyone must know them, but they are actually an authoritative voice in hacker spaces. Proton doing this to them just adds to the overall enshittification of their services.
Finally, online forums would be better served if their audiences actually read stuff, instead of reacting to the headline, picking the easiest bad-faith interpretation they can dismiss, and generally being unsuspecting smug parrots. That behavior is better confined to spaces that monetize idiotic actions and uninformed opinions, like Twitter.
Get what you’re saying, and fair use and journalism is generally protected. But Proton’s TOS isn’t the same as Swiss or EU law. Like I mentioned before, Proton prohibits hacked or stolen credentials sent or distributed through their services. Yes, even if it was in good faith, that was probably a TOS violation.
Fair use protects journalists from government and legal retaliation for publishing leaked material. Even if what the journalist was doing was legal under government law, Proton or any other provider can enforce their own rules.
Proton isn’t going to delete someone’s account for journalism, but if hacked data was shared or distributed then yeah, it’s Proton’s call. I’m not ruling out gov pressure either. If you look at Proton’s transparency report, Swiss authorities even serve orders to Proton.
And to address “Well, how would that work?”: Switzerland and South Korea have an MLAT (Mutual Legal Assistance Treaty), so the SK gov can contact the Swiss Federal Office of Justice, which would review everything and then make a Swiss order. They could have ordered the account suspended, but again, this is speculation.
Why is that an unreasonable expectation? Some companies have an official presence on PG, hence it’s natural to expect that some interaction with them is possible here, even if the chances are low. Notesnook responded to a post I made here. And the creator of Alias Vault has responded to many comments about his app.
If I was trying to publicly reach a company with the hope that they would respond, I would try every communication channel that I can think of, PG being one of them.
Could you come across as less hostile? I have run this community long enough to know that some apparent scandals end up being nothing more than a nothingburger.
I am not saying that’s the case here, but I am waiting for more information before writing off the entire company. If we keep burning companies at the first sight of smoke, then there will be no alternatives left.
Can you point out where I am hostile? I am happy to correct the language. But harsh =/= hostile; I do not owe Proton any more flowery language than I do any other participant in any forum, as long as I follow community guidelines.
I am also not burning any companies. Proton is a for profit corporation that deserves the same level of scrutiny as Apple, Google, and Microsoft. They are not owed a soft spot just because they say they are on “the same side”.
I have also seen enough scandals to know most of the time nothing happens to the companies, and they keep their crowd, which censors and pushes down any discussion and criticism on that issue. Then the story is modified in public memory, and it turns into “get better OpSec” rather than holding a company accountable to the words they actively advertised and grabbed users with.
Exactly. Proton team has an account here, and hence they are a participant. If it is against the rules to tag anyone, then maybe it is correct to censor, otherwise I do not understand why asking a question is forbidden, especially on a public platform they voluntarily joined (and then abandoned considering their replies).