This is non-news; like all tech companies, they are bound by law to do this. It happens more than 6000 times per year for Proton. However, this user just had bad opsec. Proton emails are all encrypted and cannot be read unless law enforcement gets your password, which Proton does not have access to, even if Proton hands over all data.
Upon receiving the recovery email from Proton Mail, Spanish authorities further requested Apple to provide additional details linked to that email, leading to the identification of the individual.
I like how no one's talking about how Apple (the one its fanboys say is the most privacy-centric company) was the one that helped identify the individual.
“Privacy” means two different things depending on the audience. For me privacy means that my information is not being used to advance some organization's commercial interest. For others it means that my information will never be shared with a government.
Don’t advertise to me
Or
Don’t narc on me
I guess I don’t really expect a company to resist pressure from government agencies on my behalf. Especially if I have been using their service to commit crimes in my country. If you are doing things your government would prefer you didn’t, hire a good lawyer and consult with them about what should be sent via email (spoiler, it’s nothing). The mafia doesn’t send emails or put anything in writing; if you do crimes, you shouldn’t either.
Upon receiving the recovery email from Proton Mail, Spanish authorities further requested Apple to provide additional details linked to that email, leading to the identification of the individual.
Just in case anyone thinks they decrypted mails and handed them over, nope. I hadn't thought about the fact that "settings" are not encrypted. Guess if you want to stay anonymous you shouldn't add your private mail address in there as a backup.
I don’t know much about the case beyond some very lazy peripheral searching, but it strikes me that Proton’s compliance isn’t an issue, but the requests themselves are totally unjustifiable and based on malicious prosecutions to nab some separatists on ridiculous terrorism charges for their nonviolent action and protests.
This individual is suspected of being a member of the Mossos d’Esquadra (Catalonia’s police force) and of using their internal knowledge to assist the Democratic Tsunami movement.
The requests were made under the guise of anti-terrorism laws, despite the primary activities of the Democratic Tsunami involving protests and roadblocks, which raises questions about the proportionality and justification of such measures.
As much as some of us may dislike it when a company does these kinds of things, you can't really blame them for following the laws of the country that they are headquartered in.
You can blame them for operating there to begin with in cases like Apple in China, but you could hardly blame them for following the laws of the US where they are headquartered for example.
If the law of the land where the headquarters is requires them to give up the data they do have to partner nations then they don't really have much choice in the long run if they want to continue to exist.
Proton a few years ago disclosed the IP address of the user of a certain mailbox upon request by LEA. That was enough to get the person found and arrested (I don't remember what the case was about). They HAVE to comply with these requests, but they DON'T need to log/retain that info. ETA: and I was wrong, thanks @Cheradenine@sh.itjust.works for setting me straight. But I think the point still stands. I don't want to ALWAYS be tied to a VPN; there are some scenarios where I can't use a VPN.
That was the moment I decided to selfhost my email server.
What I find curious about this is whether a recovery email would have any weight in court. I can add whatever recovery email I want to an account. It doesn't have to be mine.
Yes, it's a good thing the result is what it is, but you watch, they'll try to use it as justification. And as a small(ish) FYI, try running a tracert on whatever site you're looking at. Unless you are directly connected to that site, there are likely multiple hops (domains) that your connection passes through to get from your machine to the target. Each one of those has the potential to read what you're doing and report on it.
This is why you sign and encrypt the contents of email. If the recipient doesn't have the public key, they can't read the content.
Allowing a service provider to "handle your keys" is tantamount to letting the fox watch the henhouse.
Proton doesn't provide IMAP/SMTP access for free accounts, so you won't be able to encrypt emails locally.
This ultimately is the tech version of "trust me bro". This means you are as secure on Proton as you are on Gmail, depending upon how you use the service.