Proton did it again but with the North Korean hackers.
Included with the ransom note on the locked Kansas systems was the email address ReneeAFletcher@protonmail.com, the document says. The U.S. sent a legal request to Proton Technologies in Switzerland, which runs ProtonMail, which then provided the recovery email address linked to that account: whas1985@yahoo.com.
Proton is not complying with the US, they comply with Swiss courts. Besides, there is no single company which can object to compliance. Could you name a few if you know?
It’s another bad OpSec case, the user left a traceable recovery email with proton and they complied with a legal order rather than shutdown. That’s not a Proton problem by any definition, it’s someone messing up and leaving themselves open with bad OpSec.
They gave out a recovery email and an IP address. Those are 2 of the easiest things to avoid giving to companies. Personally I count this as a win for proton and their reputation. If proton was doing anything we needed to be concerned about we wouldn’t be hearing anything about it because that would expose them.
If you don’t want Proton to know your recovery e-mail, don’t give a recovery e-mail. It’s literally as simple as that.
I really don’t understand how people perceive stories like this as surprising or negative, it seems quite irrational/naive. Proton’s response to a valid court order is (1) obvious, and (2) indirect confirmation that Proton can’t be compelled to give out more than they’ve already acknowledged they will give out when legally compelled to do so.
Again the same FUD. While there are valid concerns about Proton forcing recovery email, very clearly this isn’t a concern for most people. But again, some prefer spreading FUD so people will doubt Proton and use Gmail, Yahoo, etc. (like those NK hackers did, BTW).
It’s clear Proton minimizes data available compared to traditional email providers.
Proton still shouldn’t get a free pass either. Try signing up for a Proton or Tuta email account from a VPN or Tor, and don’t supply a recovery email account. It won’t let you create an account (Tuta blocks you; Proton flags it if you sign up for any accounts right after making the account).
There should be additional ways to have a recovery message sent to a privacy respecting service: Signal, Session, SimpleX, etc.
Note about Google:
Notably, the document says investigators determined what other Gmail accounts were associated with this one because they were “linked by cookies,” suggesting they were accessed by the same device.
I hear you, but I think people are rightly surprised at the kind of data Proton has on them, and what they are able to share if compelled by a Swiss warrant.
I think Proton should make it very clear what kind of information they retain on their users and are able to reveal if requested by the Swiss government. I have read their privacy policy and there are things that are not clear or obvious. The recovery e-mail is one of those things.
As far as I can tell, this is the second time this has happened. The first time was with a Spanish activist. I’m not necessarily saying that Proton is at fault, but this is definitely a weakness, and they should probably consider finding a way to encrypt verification e-mails.
They can’t encrypt recovery emails; otherwise they would have no way to see the email needed for a recovery.
Proton is designed to be private, not anonymous. Anonymity requires more than PG recommendations can provide, as well as caring about proper OpSec.
Realistically, unless you want every privacy provider to pull a Lavabit and shut themselves down due to a LEGAL request, there’s nothing that can be done. And if every company shuts down, then nobody is left operating to help protect privacy.
You make excellent points. Truly, you do. And in light of that, of what Proton can and can’t do, it is vitally important that they make it crystal clear what data they collect about their users.
They explain a lot in their privacy policy, and it’s in simple plain language, but as I said there is still stuff that is unclear. I don’t know if it’s been updated since, but I don’t remember it mentioning recovery emails. Either way, I personally think Proton should make a blog post about what kind of data they would be able to share about a user if they were compelled by a Swiss warrant. I suspect they won’t do that because it could scare off current and potential users, but I think they should do it. So people know exactly the extent of their privacy.
Ever since these stories came out, I took a lot of notes with comments and questions, and I intend to share them here, because I suspect there are some things that haven’t been discussed widely in the community.
I usually like to advocate for Proton since they are the best option, in my opinion, against big tech. And I agree with others that criticizing Proton because of this isn’t really fair since it’s really the result of bad opsec on the hacker’s end and since we cannot really expect Proton, or any other company, to deny warrants from legal authorities enforcing the law.
But I cannot imagine how a “hacker” of any caliber could fail so much in their opsec as to use a connected recovery email. If they could fail that much in this regard, then I can imagine most Proton customers would “fail” as well. Although to be fair, the average Proton customer’s threat model would probably not consider this as (big of) a vector of compromise to their privacy.
Tangentially related: This reminds me of a criticism that someone from the Privacy Guides team had about Proton that I agreed with (cannot remember source, tho; will edit once I do): that Proton’s UI for setting up a non-email/phone number recovery was a bit confusing. This would obviously lead more people to use the recovery email and phone number option even though they might not have wanted to, regardless of their threat model. (Although in the thread that this was mentioned, I do think that Proton claimed to have fixed it now by making it more clear that recovery phrases exist, or something.)
This isn’t to say that the hackers used a recovery email because Proton’s UI was confusing. It’s just something that popped up in my mind, not directly related.
Edit: I found the source of what I was talking about. Corrections in what I said can be found in the post and its replies.
See the other thread, not totally true, but you do need a verification email (which is encrypted) and by default they will autofill the recovery email with this verification email. It’s also true that I was forced to put a recovery email to be able to receive TOTP codes to my address.
I agree, although that would be an infrastructure nightmare.
Also, there might be spam concerns. While hashed verification emails are helpful, one issue is that you could use the same address for multiple accounts. For example, joe.smith@gmail.com and joesmith@gmail.com are different addresses, but Gmail ignores the dots.
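The collision problem raised above (two spellings of one Gmail mailbox hashing to two different values) is usually handled by canonicalizing the address before hashing it. The following is an added illustration, not code from the post above or from Proton or Tuta: it folds case, strips `+tag` sub-addressing and, for dot-insensitive providers, removes dots, then stores only a keyed hash so the service can detect reuse without keeping the plaintext address. The provider tables and the HMAC key are constructed assumptions for the example, not a complete or authoritative list.

```python
import hashlib
import hmac

# Constructed demo key. Assumption: the service holds one server-side key so
# that a leaked table of fingerprints cannot be brute-forced offline without it.
HMAC_KEY = b"constructed-demo-key-not-for-production"

# Providers known to ignore dots in the local part. Gmail does; the set is an
# assumption for this example, not an exhaustive list.
DOT_INSENSITIVE_DOMAINS = {"gmail.com"}

# Providers that support "+tag" sub-addressing, which one user can vary freely.
# Again an assumption for the example.
PLUS_TAG_DOMAINS = {"gmail.com", "proton.me", "protonmail.com", "outlook.com"}

# Domain aliases that deliver to the same mailbox (googlemail.com is Google's
# legacy alias for gmail.com).
DOMAIN_ALIASES = {"googlemail.com": "gmail.com"}


def canonicalize(address: str) -> str:
    """Return one canonical spelling for every variant of the same mailbox."""
    addr = address.strip().lower()
    if addr.count("@") != 1:
        raise ValueError(f"not a single-@ address: {address!r}")
    local, domain = addr.split("@")
    domain = DOMAIN_ALIASES.get(domain, domain)
    if domain in PLUS_TAG_DOMAINS:
        # "joe+news@..." and "joe@..." reach the same inbox.
        local = local.split("+", 1)[0]
    if domain in DOT_INSENSITIVE_DOMAINS:
        # "joe.smith@gmail.com" and "joesmith@gmail.com" reach the same inbox.
        local = local.replace(".", "")
    return f"{local}@{domain}"


def address_fingerprint(address: str) -> str:
    """Keyed hash of the canonical address; the plaintext is never stored."""
    canonical = canonicalize(address).encode("utf-8")
    return hmac.new(HMAC_KEY, canonical, hashlib.sha256).hexdigest()


def find_duplicates(addresses):
    """Group submitted addresses by fingerprint and return groups with >1 spelling."""
    groups = {}
    for a in addresses:
        groups.setdefault(address_fingerprint(a), []).append(a)
    return [g for g in groups.values() if len(g) > 1]


if __name__ == "__main__":
    # Constructed sample input illustrating the Gmail dot case from the post.
    sample = ["joe.smith@gmail.com", "joesmith@gmail.com", "jane@example.org"]
    print(find_duplicates(sample))
```

Note that the normalization is deliberately provider-specific: a Yahoo address keeps its dots, because dropping them there would merge two genuinely different mailboxes.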
Hi there, we just want to clarify that Tuta never requires a third-party recovery email address (or phone number) for exactly this type of security threat. We also allow VPN and Tor signups; you will just be prompted to solve a captcha to make sure you aren’t a bot. We’ve even created a tutorial for signing up through Tor here: https://youtu.be/oXv3llPIfvo
We do not condone the use of our services for criminal activity; these steps are taken to ensure the highest degree of user privacy.