Proton deletes account of a journalist doing responsible disclosure to the South Korean Government

Anyone know how Proton determined this was a TOS violation without reading the customers’ emails? Smells like a load of fish paste.

2 Likes

Proton claims the low iteration rate for Linux is due to the relative rarity of (skilled) Linux developers. Not sure if true but Andy said it on Reddit.

As for the main topic, the critics are making so many assumptions that it smells like FUD.

2 Likes

Everyone who is not caught in the Proton subscription trap and/or has a direct interest in the service (employee, investor, etc.) can see how objectively bad this is. It leaves a bad taste in my mouth that the privacy community that is aligned with Proton would immediately peddle the words of Andy Yen and Proton as the truth when they have been known to be liars (check how they changed advertising post the climate activist case). The amount of grace they are given is incomparable when people turn on Microsoft, Google, and Apple for far less. There is no FUD or larger campaign, it's just a bad reason given by them.

They could also separately ban just email for these random requests from anyone that they comply with (when there is no clear violation of law or ToS) instead of selling a combined suite and making people lose their passwords, calendars, etc.

The orientation of the forum is clear, and commentators seem to dislike truth seeking while readers seem to like it judging from the reactions. Here is Phrack zine, an entity known to not lie like Andy Yen and Proton, presenting their side:

3 Likes

Well, Proton Mail doesn’t encrypt the emails in the recipient’s mailbox, popular misconception about that. No doubt that’s where law enforcement obtained a copy for their subpoena.

3 Likes

For historical context and completeness:

Hi everyone,

No, Proton did not knowingly block journalists’ email accounts. Our support for journalists and those working in the public interest has been demonstrated time and again through actions, not just words.

In this case, we were alerted by a CERT that certain accounts were being misused by hackers in violation of Proton’s Terms of Service. This led to a cluster of accounts being disabled.

Because of our zero-access architecture, we cannot see the content of accounts and therefore cannot always know when anti-abuse measures may inadvertently affect legitimate activism.

Our team has reviewed these cases individually to determine if any can be restored. We have now reinstated 2 accounts, but there are other accounts we cannot reinstate due to clear ToS violations.

Regarding Phrack’s claim on contacting our legal team 8 times: this is not true. We have only received two emails to our legal team inbox, last one on Sep 6 with a 48-hour deadline. This is unrealistic for a company the size of Proton, especially since the message was sent to our legal team inbox on a Saturday, rather than through the proper customer support channels.

The situation has unfortunately been blown out of proportion without giving us a fair chance to respond to the initial outreach.

Thank you for your understanding,
The Proton Team

Source:

9 Likes

Thanks for the update, genuinely!
I just forwarded the response to a similar post on another forum, that’s why I wanted to express it.

Yeah, this whole situation for me just boils down to Proton acting too quickly regarding the disabling of the accounts.

No data was turned over, and some accounts were restored. So basically a whole bunch of drama for nothing.

I hope that in the future we in the privacy community can act with a bit more compassion to one another. We are already taking on the biggest corporations in the world, this infighting is not helping our cause at all. Sure we should keep an eye and keep each other sharp, but immediately assuming malice at the first sight of smoke has got to stop.

11 Likes

Here's another response from Andy:

There’s some misinformation floating around that I think is worth a post to clarify.

Proton generally only suspends accounts if 1) forced to do so by a Swiss govt order 2) we are sure beyond a reasonable doubt the user breached Proton's Terms of Service (ToS) or 3) we detect that the user has been compromised.

Contrary to what some people think, Proton generally only suspends a single service and not all services. For example, let’s say you decide to start sending spam in violation of Proton ToS, Proton Mail may be suspended, but Proton Pass will continue to work. There are of course exceptions to this (for example, if an attacker is hitting your account or has already gotten in, we’ll lock the whole thing down until you get in touch with us).

In general, account suspensions due to (1) and (2) are extremely rare, with (3) being slightly more common. (2) typically happens with newly created accounts which are used for spamming or registering large numbers of accounts at third party services (such as Instagram, etc). The odds of an account you have been using for a while suddenly being suspended are virtually zero, and even then, we have a 24/7 team you can contact to appeal.

For ToS violations, it is irrelevant who reports the violation to us, if the violation is verified beyond a reasonable doubt, Proton will suspend the account. Proton data is encrypted, but we use OSINT techniques, our datasets of dark web chatter, information shared with us by other tech companies, and various other methods to do verification.

From time to time, there are claims that Proton is suspending accounts improperly. Our policy is not to comment publicly on specific cases, but there is usually more to the story than meets the eye, and the anonymous posters on the internet generally don’t disclose the full story. Such claims should therefore not be taken as fact, as the facts themselves are usually wrong.

To give an illustrative example, recently it was claimed that Proton was blocking the account of journalists. However, these were not “journalists” in the traditional sense, but hacktivists who were involved in a number of hacking incidents, which is a violation of Proton’s ToS, and therefore subject to suspension of all accounts. In this case, I made the decision to exceptionally restore two accounts because hacktivism cases are not always black and white. However, Proton’s policy is that if you use some accounts for illegal purposes, you will also lose access to the accounts where you have not yet conducted illegal activities.

Proton has no choice but to enforce ToS, because if activities which are illegal under Swiss law, or other activities which are technically not illegal but damaging to Proton (such as sending spam) were not forbidden, Proton would unfortunately become blocked by other email providers, hurting legitimate users.

In enforcing our ToS, we show no favor or bias. It does not matter your ideology or which “side” you are on, Proton enforces the ToS uniformly.

Proton’s ToS can be found here: Terms of Service | Proton

Proton’s abuse appeal form can be found here: Abuse appeals form | Proton

Abuse and ToS violations can be reported here (all reports are treated confidentially): Report abuse form | Proton

Thank you for your understanding.

3 Likes

This is a good, objective breakdown of the situation along w/ explanations of CERT et al:

Proton’s official account replied the following day, stating that Proton had been “alerted by a CERT that certain accounts were being misused by hackers in violation of Proton’s Terms of Service.

In layman’s terms, the users were good in Proton’s eyes, and then a governmental agency reached out to Proton and said “these accounts are violating your ToS and you should ban them”. Proton then decides to ban them.

I disagree. They took the CERTs word for it, deleted the accounts and then ignored any subsequent convo until the topic went viral.

IMO, the concern isn’t whether they are hacktivist or journalists (like Andy Yen frames) but whether they were hacking with their Proton accounts. Proton has backtracked due to lack of evidence of hacking using the proton account, no? Please call me out if I’m off-base here.

IMO, the issue isn’t that they acted quickly but that they (blindly) followed the CERT and only reinstated the accounts after the public blowback got louder.

Proton did not publicly specify which CERT had alerted them, and didn’t answer The Intercept’s request for the name of the specific CERT which had sent the alert. KrCERT also did not reply to The Intercept’s question about whether they were the CERT that had sent the alert to Proton.

Just adding this to illustrate the (lack of) transparency here as well.

5 Likes

Re: what you shared, I think the framing that Proton gives is an example of why people don’t trust them:

Regarding Phrack’s claim on contacting our legal team 8 times: this is not true. We have only received two emails to our legal team inbox, last one on Sep 6 with a 48-hour deadline. This is unrealistic for a company the size of Proton

I don’t know how many emails were sent, but at minimum two. One was sent on 8/22 (as per this article) and the last one is sent on 9/6, so they were aware of the problem for two weeks yet try to frame it as a 48h time crunch

the message was sent to our legal team inbox on a Saturday, rather than through the proper customer support channels.

  1. If all emails were sent to the legal inbox, then legal was aware of it for two weeks, not on the Saturday and so their framing is disingenuous.
  2. If all emails were not sent to legal, then the involved party sent it through the proper channels where they were ignored for two weeks before escalating to legal.

Are they not pulling corporate catch-22 here?

4 Likes

I have read the article, I even think the Intercept's title is a touch dramatic. It's technically correct, but misses a lot of nuance.

We would just have to agree to disagree I guess.

5 Likes

If Proton were too quick to ban, then reinstate after this matter got more attention, doesn’t it make Proton more prone to gov censorship or from any other entity? They can order anyone to get their account vanished and Proton will comply no questions asked? They “can’t read emails”, then how can they verify that stuff other than looking at email subjects and deducing? No insights whatsoever.

It does not feel egregious that some workflow or process suspended the account. If even only a front line employee. Once escalated internally to Andy, suspensions were reversed. I do think the appeal process could be improved as it does feel like the appeal only made it to Andy through public discourse.

The TOS says the following is a violation:

Attempting to access, probe, or connect to computing devices without proper authorization (i.e. any form of unauthorized “hacking”);

I note the TOS does not also end in the statement “except and unless you are hacking North Korea and/or China then it's fine.”

Quote from Andy:

I restored two accounts exceptionally because I am personally sympathetic towards them, and there is just enough grey zone to make this permissible, but a stricter interpretation (applied by the team originally) would be that they broke ToS. Like I said, not always black and white.

For your amusement, this reply tweet from Sam Bent:

Your “zero-access design” claim is a lie, you absolutely can see account content when emails arrive from non-Proton users, which is the majority of email traffic,

This is true of a variety of Proton services. Proton having the technical ability to read all incoming email that is not E2EE and choosing not to in spite of this is a good thing.

1 Like

Let's ignore that Bent guy, he does not really produce anything that's worth paying attention to, he just likes to create outrage for clicks like the typical influencer.

4 Likes

They did not delete the accounts. They disabled them.

Coming from someone who works in security, you don’t always have time to have all the details. And when the suspicion is high enough it can be reasonable to lock someone out and freeze the situation while gathering more intel after. Frustrating for the user but sometimes necessary to prevent worse. And yeah sometimes it turns out that this wasn’t the right response (false flag). Mistakes happen, it is all human work after all. Genuinely I do not believe there was any bad intent here.

7 Likes

The Intercept’s article is fake news (they didn’t research what actually happened) according to Andy.

1 Like

From my perspective, highlighting that an account is disabled instead of deleted implies that Proton was on a path to restoring the accounts.

Coming from someone who works in security, you don’t always have time to have all the details. And when the suspicion is high enough it can be reasonable to lock someone out and freeze the situation while gathering more intel after.

I agree with this concept 100%. This is the crux of the disagreement though. You insinuate that Proton was gathering intel when none of the evidence points to this. They literally ignored subsequent emails for two weeks and only changed their perspective and revisited the issue when it went viral.

Frustrating for the user but sometimes necessary to prevent worse. And yeah sometimes it turns out that this wasn’t the right response (false flag).

Mistakes happen, it is all human work after all.

Genuinely I do not believe there was any bad intent here.

Again, these weren’t accounts banned via an automated report. A governmental agency reached out and told them how to enforce their own ToS. The account was deleted disabled indefinitely but was reinstated when it went viral and there was no evidence of hacking using a proton account.

They literally researched the issue when they talked to the magazine and reached out to Proton directly with questions (some of which were ignored, i.e. which CERT requested the account takedown). That is how you write an article for a news site. OTOH, you have the Proton CEO who says “this is fake news” and “they aren’t (real) journalists” then provides no evidence and somehow that is convincing to people? Ask yourself what evidence has Proton shared? Some tweets and talking points but what evidence?

Additionally the main argument in the shared link makes the same argument that I already addressed:

IMO, the concern isn’t whether they are hacktivist or journalists (like Andy Yen frames) but whether they were hacking with their Proton accounts. Proton has backtracked due to lack of evidence of hacking using the proton account, no? Please call me out if I’m off-base here.

7 Likes