   alt.privacy      Discussing privacy, laws, tinfoil hats      112,125 messages   


   Message 110,310 of 112,125   
   The Running Man to Use-Author-Supplied-Address-Header@   
   Re: Proton Encrypted and Private E-Mail    
   07 Jul 24 12:18:25   
   
   From: runningman@writeable.com   
      
   On 07/07/2024 13:18 Stainless Steel Rat  wrote:   
   > On Date: Fri,  5 Jul 2024 00:33:15 +0200 (CEST), Nomen Nescio <nobody@dizum.com>
   > said in Message-ID: <51806c4b1812fd6170511532a8950e63@dizum.com>:   
   >   
   >> Encrypted mail service Proton hands suspect's personal info to local   
   >> cops   
   >>   
   >> Infosec in brief Encrypted email service Proton Mail is in hot water   
   >> again from some quarters, and for the same thing that earned it flak   
   >> before: Handing user data over to law enforcement.   
   >   
   > Nothing new here -- in fact, the incident you're referring to is several   
   > years old.   
   >   
   >> Proton, which offers several services it touts as being secure and   
   >> safe, includes an end-to-end encrypted email product. Ostensibly   
   >> designed for the privacy conscious, Proton says it is unable to read   
   >> the content of email and attachments, be free of trackers and ads,   
   >> and have the "highest standards of privacy."   
   >   
   > The phrase, "famous last words" comes to mind here. If Proton had just a   
   > copy of your PGP public key, they would be correct -- there would be no way   
   > for them to decrypt your email traffic. However, they have both halves of   
   > the PGP key-pair, so it is entirely within the realm of possibility that   
   > they could be compelled to decrypt a user's email -- it just hasn't happened   
   > yet.   
   >   
   > The case of Hushmail some 17 years ago proves this -- Hushmail made similar   
   > claims, and the DEA compelled Hush to decrypt the emails for a list of   
   > accounts. A DEA spokesman boasted of having received in excess of 100,000   
   > decrypted email messages.   
   >   
   >> Be that as it may, there is still user info Proton has access to and can   
   >> be pressured to divulge. In 2021, the Switzerland-based vendor   
   >> provided local police with the IP address and device details of a   
   >> netizen the cops were trying to identify. That individual, a French climate   
   >> activist who was already known to police, was later arrested.   
   >>   
   >> Shortly after that kerfuffle, Proton removed the claim that it didn't   
   >> track user IP addresses from its website. Proton has also previously   
   >> been accused of offering real-time surveillance of users to   
   >> authorities.   
   >   
   > No surprise here, frankly.   
   >   
   >> In this latest instance, Proton handed over an account's recovery   
   >> email address information to Swiss police concerning a suspect   
   >> believed to be supporting Catalonian separatists. Spanish cops handed   
   >> the recovery address to Apple, which was reportedly able to identify   
   >> the individual associated with the account.   
   >>   
   >> Proton told advocacy outfit Restore Privacy it was well aware of the   
   >> case, but its hands were tied under Swiss laws against terrorism.   
   >   
   > That is true of most providers, frankly -- Proton is hardly alone in this   
   > regard. The suspect was insane to use an Apple email as a recovery address.   
   >   
   >> "Proton has minimal user information, as illustrated by the fact that   
   >> in this case data obtained from Apple was used to identify the   
   >> terrorism suspect," a Proton spokesperson protested. "Proton provides   
   >> privacy by default and not anonymity by default because anonymity   
   >> requires certain user actions to ensure proper OpSec, such as not   
   >> adding your Apple account as an optional recovery method."   
   >   
   > They're right -- this was unbelievably stupid on the part of the suspect.   
   >   
   >> When we reached out to Proton it directed us to a Twitter thread from   
   >> its CEO Andy Yen, in which he says much the same.   
   >   
      
   Anyone who believes in the security of online encrypted email services   
   is a dunce.   
      
   If you want confidentiality use PGP mail from your own computer.   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
