Proton Mail Discloses User Data Leading to Arrest in Spain

This is not the first time ProtonMail has given data to the feds.

https://techcrunch.com/2021/09/06/protonmail-logged-ip-address-of-french-activist-after-order-by-swiss-

Archive: ProtonMail Search Led The FBI To A Suspect Threatening A 2020 Election Official

They also gave the recovery email in the election suspect case; most users set that up with their old personal email, which can be correlated back to you. Looks like ProtonMail is going to also provide recovery emails and IP logs for data requests by governments.

4 Likes

Are you required to add a phone number or recovery email address to create a Proton account? That screams bad opsec.

What else are they supposed to do? Shut down the whole company because of one guy with awful OPSEC?

11 Likes

Pretty sure if you use a VPN or Tor you will be required to. But you can always use a temporary email from something like Temp Mail (free temporary disposable email generator, one-time 'fake-like' private secure emails) and then remove it later from your ProtonMail account settings.

4 Likes

Time to practice good OPSEC: GitHub - jermanuts/bad-opsec: Collection of links on bad opsec

5 Likes

Yeah definitely see your point. Still would be nice not to have to enter any recovery email at all and use something more private for the recovery feature instead. There are a lot of options ProtonMail could choose from.

1 Like

Since this has been talked about today I have seen conflation between recovery vs. verification email addresses, and they appear to be distinctly different:

  • Recovery Email: You are not required to have a recovery email address. This is an optional step during registration or after an account is created, used to recover your account if you lose your password.
  • Verification Email: During registration you may be asked to provide a verification email address. This email is not associated with your account and is hashed for the future.
    * I say “may”, but human verification is almost always required in my experience with Proton, and email is the least invasive option in my opinion.

“Note that if you enter your email or mobile phone number, we only save a cryptographic hash of this personal data. It’s impossible to derive your phone number or email from that hash, and it’s not permanently associated with the account that you create.”

This article contains both the quote above as well as a screenshot showing the optional step of “Maybe later” when asked for a recovery email.

8 Likes

Correction to your post: not “governments” but government, which is Switzerland. If a court order comes from Swiss authorities, they have to comply. If you want to stay anonymous, then you shouldn’t add a recovery email, phone, or even payment methods which can be directly linked to you, like PayPal or a credit card.

From a Proton employee on Reddit
It seems like the Swiss authorities forced Proton to assist. This isn’t surprising, as the case is being tried for terrorism (La Audiencia Nacional investiga a Tsunami Democràtic por indicios de terrorismo).

Proton is not a service for criminal activities and hiding from the law. As a Swiss provider, Proton has to adhere to Swiss laws (terrorism isn’t legal in Switzerland). Personally, I would not want Proton to shelter such people either.

From the information in the link in r/privacy, it looks like the only data Proton had was the recovery email, which is optional. This cannot be encrypted, as otherwise recovery doesn’t work. Some commenters on the r/privacy thread are right: it is entirely possible to use a secure service in an insecure way. Linking your Apple ID to an account used for criminal activities is a bad idea, especially as Apple collects a ton of information, unlike Proton.

10 Likes

The problem is that governments like to use the terrorism card for anything and everything to force companies to submit to the law.
We recall that Proton once gave up an activist’s IP address, and France passed off the request as terrorism.

Here again, Proton fails and gives up the recovery e-mail address (even if giving the same one as his Apple account is stupid), and next time, what will it be? A flaw in Proton Sentinel or another automatic analysis tool?

Proton is definitely something to keep an eye on, especially with the proliferation of services and analysis tools now in place.

Translated with DeepL.com (free version)

3 Likes

Fearmongering™

All companies will give unencrypted data to the government if required by law. The biggest security and privacy threat is between the chair and the computer, and privacy tools and services can’t mitigate this.

12 Likes

They are not decrypting the emails, right? If requested by the Swiss authorities they can only log the IPs which are accessing the emails. And that “activist” is wanted by Europol, so he wasn’t your typical glue-loving hippie.

What could be done to prevent this? Don't use your real IP; instead use Tor or a VPN when connecting to your mail. The recovery email field is not encrypted. I am not sure about the Sentinel logs, but considering Proton needs these logs to check for anomalies, I think they are not encrypted either.

1 Like

Last time, Proton gave away the IP address of an environmental activist, because they were responding to a terrorism-related request. In France, our beloved government has invented the word ecoterrorism to blame people who demonstrate against government projects that destroy the environment.

From what I understand from the article, the Democratic Tsunami is a group that advocates independence for Catalonia, not quite the terrorist profile, but hey, I don’t know any more.

In any case, as I’ve already said, governments like to play the terrorism card for anything and everything. In France, we’ve already had several cases of journalists bugging demonstrators etc. in the name of “terrorism”.

Translated with DeepL.com (free version)

3 Likes

Web-based E2EE implementations, such as Proton Mail’s webmail or Bitwarden’s Web Vault, rely on the server dynamically serving JavaScript code to the browser to handle cryptography. A malicious server can target you and send you malicious JavaScript code to steal your encryption key (and it would be extremely hard to notice). Because the server can choose to serve different web clients to different people—even if you noticed the attack—it would be incredibly hard to prove the provider’s guilt.

Therefore, you should use native applications over web clients whenever possible.

2 Likes

They don’t have native apps for desktop, only Electron wrappers, right? But when I checked the Windows desktop app of Proton Mail it shows sandbox enabled. Does that mean it is secure, or does it have no effect on security?


Also, there are regular audits on Bitwarden and Proton. If there are some vulnerabilities, then these audits should show them. Considering I have zero coding knowledge I have to trust audits and remediations done by the devs.

From the PM vs. Spain article:

Like before, Proton Mail’s compliance with these requests is bound by Swiss law, which mandates cooperation with international legal demands that are formalized through proper channels (Swiss court system).

What else is there to say about this.

6 Likes

Most likely people are expecting Proton to ignore every law agency and every country's laws, delete all logs, refuse any cooperation with courts, support every illegal act, and act as an anonymous black-hat hacker group.

6 Likes

In this case it was truly terrorism

This feels like a nothing burger to me. You want the companies that provide you services to follow the law. I do dread this now being linked along with that French activist story for all time, anytime someone asks about Proton though :roll_eyes:

Exactly this.

Even if you had the warped mindset that Proton should be willing to risk their business and break the law for its users, it would still be pretty far-fetched to think they would do that for $9.99/month.

2 Likes

What everyone seems to miss in the last few comments: it is not up to Proton to decide whether to give it or not. It is the court and the rule of law. Proton doesn’t give your data to the government unless the court decides it is necessary. It is not the government’s, nor Proton’s call, but the court’s decision.

If you want to live in a world without court and law, well… Not sure how to reply to that. Not me.

11 Likes

Friendly reminder everyone: If your threat model involves evading FBI/INTERPOL/etc, PG’s recommendations alone will not suffice.

8 Likes