XPost: alt.privacy.anon-server   
   From: Use-Author-Supplied-Address-Header@[127.1]   
      
   On Date: Fri,  5 Jul 2024 00:33:15 +0200 (CEST), Nomen Nescio    
   said in Message-ID: <51806c4b1812fd6170511532a8950e63@dizum.com>:   
      
   > Encrypted mail service Proton hands suspect's personal info to local   
   > cops   
   >   
   > Infosec in brief Encrypted email service Proton Mail is in hot water   
   > again from some quarters, and for the same thing that earned it flak   
   > before: Handing user data over to law enforcement.   
      
   Nothing new here -- in fact, the incident you're referring to is several   
   years old.   
      
   > Proton, which offers several services it touts as being secure and   
   > safe, includes an end-to-end encrypted email product. Ostensibly   
   > designed for the privacy conscious, Proton say it is unable to read   
   > the content of email and attachments, be free of trackers and ads,   
   > and have the "highest standards of privacy."   
      
   The phrase, "famous last words" comes to mind here. If Proton had just a   
   copy of your PGP public key, they would be correct -- there would be no way   
   for them to decrypt your email traffic. However, they have both halves of   
   the PGP key-pair, so it is entirely within the realm of possibility that   
   they could be compelled to decrypt a user's email -- it just hasn't happened   
   yet.   
      
   The case of Hushmail some 17 years ago proves this -- Hushmail made similar   
   claims, and the DEA compelled Hush to decrypt the emails for a list of   
   accounts. A DEA spokesman boasted of having received in excess of 100,000   
   decrypted email messages.   
      
   > Be as that may, there is still user info Proton has access to and can   
   > be pressured to divulge. In 2021, the Switzerland-based vendor   
   > provided local police with the IP address and device details of a   
   > netizen the cops were trying to identify. That individual a French climate   
   > activist who was already known to police was later arrested.   
   >   
   > Shortly after that kerfuffle, Proton removed the claim that it didn't   
   > track user IP addresses from its website. Proton has also previously   
   > been accused of offering real-time surveillance of users to   
   > authorities.   
      
   No surprise here, frankly.   
      
   > In this latest instance, Proton handed over an account's recovery   
   > email address information to Swiss police concerning a suspect   
   > believed to be supporting Catalonian separatists. Spanish cops handed   
   > the recovery address to Apple, which was reportedly able to identify   
   > the individual associated with the account.   
   >   
   > Proton told advocacy outfit Restore Privacy it was well aware of the   
   > case, but its hands were tied under Swiss laws against terrorism.   
      
   That is true of most providers, frankly -- Proton is hardly alone in this   
   regard. The suspect was insane to use an Apple email as a recovery address.   
      
   > "Proton has minimal user information, as illustrated by the fact that   
   > in this case data obtained from Apple was used to identify the   
   > terrorism suspect," a Proton spokesperson protested. "Proton provides   
   > privacy by default and not anonymity by default because anonymity   
   > requires certain user actions to ensure proper OpSec, such as not   
   > adding your Apple account as an optional recovery method."   
      
   They're right -- this was unbelievably stupid on the part of the suspect.   
      
   > When we reached out to Proton it directed us to a Twitter thread from   
   > its CEO Andy Yen, in which he says much the same.   
      
   Again, no surprise there.   
      
   Stainless Steel Rat   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)