I wish they would go into more detail why this specific case could not be legally challenged. Their response sounds good otherwise (especially also that they recommend Tor for such cases), but this deliberate omission makes me think that the case was maybe not so clear cut after all.
I have looked a bit into it. In case anyone is curious, I believe that the authorities found the e-mail in question ([email protected]) here:
https://paris-luttes.info/occupation-d-un-local-du-petit-14575?lang=fr
And/or here:
https://radar.squat.net/fr/event/paris/local-du-h/2021-02-24/ag-publique
this sucks, but I also can't blame them too much
most people seem to have an unrealistic expectation for protonmail to function as an underground criminal organisation, providing email services to drug dealers, and wiping their asses with subpoenas, which runs contrary to their goal of providing user-friendly private email to as many people as possible, not only the ones that would go to extremes no matter what
The CEO of ProtonMail previously: https://threatpost.com/protonvpn-ceo-blasts-apple-myanmar/165022, and https://protonmail.com/blog/protesters-free-speech is pretty hypocritical now, but you can spot a pattern, that he only opposes the systems and governments the West opposes too. In that way, I consider him to be nothing more than the willing tool of propaganda, for his own enrichment.
He's a business man trying to run a business, while also following the law. The line will always be drawn at keeping the business going.
from their comment on reddit, it seems there wasn't much they could do
> In this case, Proton received a legally binding order from the Swiss Federal Department of Justice which we are obligated to comply with. There was no possibility to appeal or fight this particular request because an act contrary to Swiss law did in fact take place (and this was also the final determination of the Federal Department of Justice which does a legal review of each case).
what did you expect them to do?
Clearly state the differences between ProtonMail and ProtonVPN in the kinds of data that are being collected. The issue is not compliance, the issue is that they’d provide enough data for it to be useful, defeating the purpose of their privacy marketing.
Try a little harder at least. Just the surrounding publicity even for a lost court-case would have been a net benefit.
Their explanation sounds like "we couldn't do anything against this legal over-reach because the entity that did the legal over-reach said that it was all legal and fine", which when you think about it longer than 3 seconds is true for each and every case where the authorities request something. An internal "review" by a biased party involved in one side is not the same as a real test in court.
from my understanding it's a legally binding order that they legally literally can't appeal
Yes, that is what they claim, but in most jurisdictions there is no such thing as an unappealable order (only after it has been already once dismissed in court can the judge rule out further appeals) and there usually is some official legal recourse despite what the authorities like to claim in their own self-interest.
If there was a similar precedent case, which would have made chances in court extremely low, then they could have said so. But they basically admit by omission that they didn't even try.
Really, what is the average person supposed to do to have a private email? I heard Edward Snowden say that email is fundamentally flawed and will never be secure. I've thought about hosting my own email server, but even then I need to buy a domain name likely with my own card, buy a VPS with my own card and it traces back to me.
Just in case, perhaps one can get away with dynamic DNS sort of pseudo domain, not a full domain, so that you can access services you host at home, without having to know the IP. At any rate, whether pseudo DDNS or full DNS, the IP is fully recognizable.
The advantage of a VPS might be some protection against home blackouts and internet loss every now and then, depending where you live. However, self hosting poses several issues: isolating your network (firewalls plus kernel hardening), hardening the servers, protecting against common attacks such as denial of service, as well as infiltration of the services. All that, not to mention dealing with spam and much more.
However, I'm tending towards the idea that we have to self host nowadays. Trusting providers is not wise. Granted, email is neither secure nor private; however, the same applies to other services. FB is even looking at ways to extract information from WhatsApp without decrypting messages... Signal leaks quite some information about its users, and though they advertise themselves as not able to decrypt messages, they can and probably do share all metadata they grab.
I'd really like distributed mechanisms, to take over, and become mainstream, not just decentralized, because then there are no servers to depend upon, and the information is just shared among those whom the information was generated for, no trusting in servers, not even your own.
I like the idea of self hosting email - it just seems to be a total pain however. I’ve done it a few times but the process is so fragmented and I just don’t have the time to dedicate to maintaining it.
Email has not been designed with security in mind. Even if the content is encrypted, email still leaks a lot of metadata, including:
- To, From, Cc, Date and Subject.
Using PGP is not helping since it is a phased out - and obsolete - technology which has a lot of problems:
If you need secure communication, a good solution is E2EE, which is enabled by default in Signal and in Element. Ideally, you should use e-mail to receive newsletters, sign in to sites and nothing more.
That being said, the whole situation about ProtonMail is quite overblown. As detailed in their transparency report and privacy policy, they MUST provide account information like the IP address if a Swiss criminal investigation requires it. By default, they don't log the IP of the users.
Now, if this is a real concern for you, then you should not be using their service. Otherwise, go for it. ProtonMail is still a valid choice.
Edit: However, it's important to understand that every time you visit a website, you automatically send a set of features to it, including your IP address. It's just how the internet works. The whole "no log policy" is not something you can verify. You have to fully and blindly trust the provider whether it is located in a 5 Eyes country or in Iceland.
Edit: self hosting an email server is actually really, really difficult. It's not something that an unskilled person could do.
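The metadata point made in the comment above, shown as an added example that is not part of the thread: a PGP/MIME message is parsed with Python's standard `email` module and everything readable without a decryption key is listed. The message, addresses and IP (from the 203.0.113.0/24 documentation range) are constructed, and `exposed_metadata` is a hypothetical helper name.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: a PGP/MIME (RFC 3156) message as a mail server stores it.
RAW = """\
Received: from laptop.local ([203.0.113.45]) by mx.example.org with ESMTPSA;
 Wed, 01 Sep 2021 10:15:00 +0000
From: Alice <alice@example.org>
To: bob@example.net
Cc: carol@example.com
Date: Wed, 01 Sep 2021 10:14:58 +0000
Subject: Meeting on Friday
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(ciphertext placeholder)
-----END PGP MESSAGE-----
--b1--
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def exposed_metadata(raw):
    """Return what is readable without any decryption key."""
    msg = message_from_string(raw)
    encrypted = (msg.get_content_type() == "multipart/encrypted"
                 and msg.get_param("protocol") == "application/pgp-encrypted")
    people = {h: [addr for _, addr in getaddresses(msg.get_all(h, []))]
              for h in ("From", "To", "Cc")}
    # Each relay prepends a Received header; the earliest often holds the client IP.
    relay_ips = [ip for r in msg.get_all("Received", []) for ip in IPV4.findall(r)]
    return {"body_encrypted": encrypted, "subject": msg["Subject"],
            "date": msg["Date"], "relay_ips": relay_ips, **people}

if __name__ == "__main__":
    for field, value in exposed_metadata(RAW).items():
        print(f"{field}: {value}")
```

Only the body is ciphertext; the envelope fields and the relay chain stay in cleartext for every server that handles the message.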
"Private" and "Anonymous" are different things.
You can protect privacy with encryption, and I believe ProtonMail does work for that, but trying to protect anonymity is an entirely different beast. I'm not convinced it's possible at all in any way that's reliable (not just email but also even simple web browsing) unless there's a change in how routing works in the internet, or a new layer is developed (like I2P, but even that's not really a warranty).
One shouldn't expect otherwise. See also https://web.archive.org/web/20210719011623/https://privacy-watchdog.io/truth-about-protonmail/.
Crazy
Fuck I pay for them!
That is a big Oof. But yeah, PM is far from being perfect. I use it bc:
- Better than Gmail & etc
- Unable to selfhost email :c
But one thing, how secure will it be to selfhost your own eMail? If I selfhost one, which will be the most secure & private tweaks that I can apply?
If you selfhost the email on your own hardware, then the IP will be apparent to anyone. If you selfhost it on somebody else's hardware, they can be legally compelled to log your IP as happened here with proton. But if you aren't committing any crimes, selfhosting either way is probably more private than proton, since you are more confident in what software is running, while with proton you have to trust that the frontend being served is actually the e2e encrypted one
I personally use migadu. Don't know about how private it is but it is cheap and allows for loads of addresses and domains.
Have you considered disroot mail? It’s what I use and it’s awesome
I am assuming they were not using proton VPN?
~~Even if they were, proton company would have been legally required to trace their connection through proton VPN. Using tor would have been the better move.~~
EDIT: apparently Swiss laws exempt VPNs from these sorts of legal issues.
As always, comments get piled on while nobody understands the real issue. I expect far better quality than Reddit here.
- ProtonMail has been exposed multiple times for not being activist friendly.
- You are not supposed to use emails for high threat models without referring to this guide https://digdeeper.neocities.org/ghost/email.html
- This is not a question of ProtonMail vs Gmail.
- This is not a question of self hosting or not.
- This is not a question about legalese crap, but what ProtonMail really stands for.
- Everybody needs to understand the difference between privacy, security and anonymity and how this is achieved.
> I expect far better quality than Reddit here.
Yes, but we need people like you to provide that content. In short, don't expect other people to be that change; that change starts with you. Thanks for the resources and level-headed opinion. People in general who use any service provider for "privacy reasons" should only do so to keep the issuing company from scanning their messages and selling data about you. Email itself, regardless of how it's set up, will fail you if you're thinking it will keep you hidden.
My privacy community c/privatelife is in the sidebar of c/privacy ;)
Besides, I have provided massive amounts of content in the form of comments on Lemmy, on this year old account of mine. I am also on Reddit, where my r/privatelife exists.
> This is not a question of ProtonMail vs Gmail.
What do you mean by this?
Presumably for a lot of people that is going to be the main, perhaps only, question.
And that is the problem here. ProtonMail is not going to keep you safe. Gmail is not going to keep you safe. Who is going to keep you safe? Your OPSEC. You possessing the knowledge about how email works, and how privacy, security and anonymity work, and how you will control these elements. These are the things that should be debated, not X vs Y email brand.
Ey, thanks for the comment. Really good one. Really useful resource