IMHO, THE HEADLINE IS ACCURATE
I disagree. Words have meaning. How you use them matters, and this headline strikes me as accurate. Proton helped the FBI. They helped an FBI investigation. The fact that they didn’t directly hand over the user’s info to the FBI is irrelevant. The original request was made by the FBI, and they got the information they asked for from the Swiss government, who compelled Proton to do so.
Yes, Proton followed the law. Nobody is saying they should have disobeyed the law. But the truth is this: most Proton users are unaware of all the types of information Proton holds that are not E2EE and that can be shared with authorities. And in my opinion, that is partly Proton’s fault because Proton is not completely upfront about it.
By that I mean that Proton doesn’t share ALL that information in their marketing or make it easily available on their website. It’s not front and center. They are open about the fact that some of the metadata around your emails is not E2EE, but that doesn’t cover everything. There are a lot of things they have NOT communicated in their marketing or on their website that you have to ask about to get the answer.
I am sure that a lot of people here had no idea that your recovery email address could identify you until the controversy about that Spanish activist who was identified through their Apple ID that they used as recovery.
Some companies keep records of the information you delete, and we don’t know the full details of that. For example, 1Password keeps a record of all the email addresses you used with your account even after you change it. I had to ask Proton to find out if they keep records of deleted recovery email addresses. It was not in their marketing or on their website. I don’t believe that has changed.
PROTON BEARS SOME RESPONSIBILITY AND CAN DO BETTER
Who said the activist expected to be anonymous? We don’t know that.
In my opinion, as with many companies, there is a significant gap between Proton’s marketing messaging and what they actually deliver in terms of protection. Ideally that gap should be tiny, but many people, understandably, only retain what is in the marketing.
If Proton were forthright about what they don’t protect in their marketing and communication on social media and websites, we would be less upset about these cases.
I understand that Proton is rightly obeying the law. But the reason these controversies look bad is because there is a lack of transparency and lack of effort to protect users’ privacy. I suspect that Proton doesn’t want to be so transparent that it hurts their marketing efforts, but I still believe that more transparency and better efforts to protect user privacy would go a long way.
I disagree that there isn’t much Proton can do. There is actually a lot.
- Be transparent about ALL the things that can be shared about users in full detail.
- Be transparent about ALL the information that you retain and for how long.
- Make that information clear, explicit, comprehensive, and easy to find.
Put it in your marketing. Let people see it when they sign up and easily find this information when they visit your website. Include it in the welcome email.
- Make your credit card payments anonymous like Posteo.
Posteo is a private email provider based in Germany, and they have found a way to NOT connect the data that they receive during credit card payments with your email account with them.
They have been doing this since 2009! Why can’t Proton follow this model?
- Accept anonymous payments.
Contrary to popular belief, Proton does not accept anonymous payments.
And that is a big problem.