519
Proton Mail Discloses User Data Leading to Arrest in Spain (restoreprivacy.com)
submitted 4 months ago by RedditEnjoyer@lemmy.world to c/technology@lemmy.world
111 comments fedilink hide all child comments
top 50 comments
sorted by: hot top controversial new old
[-] Alk@lemmy.world 240 points 4 months ago

This is non-news, like all tech companies, they are bound by law to do this. It happens more than 6000 times per year for Proton. However, this user just had bad opsec. Proton emails are all encrypted and cannot be read unless law enforcement gets your password, which Proton does not have access to. Even if Proton hands over all data.

[-] ID411@lemmy.dbzer0.com 34 points 4 months ago

Proton doesn’t get a free ride here.

They are bound Swiss law and should not be retaining any identifying information.

If they are going to give up everything they have on you when the feds come knocking, they shouldn’t keep anything or they shouldn’t market themselves as private and secure .

[-] QuaternionsRock@lemmy.world 65 points 4 months ago

Upon receiving the recovery email from Proton Mail, Spanish authorities further requested Apple to provide additional details linked to that email, leading to the identification of the individual.

The user specifically requested that Proton retain this PII for account recovery.

Speaking of which, how do they implement recovery emails? Do they save your private keys only if account recovery is enabled?

[-] Periodicchair@lemmy.world 40 points 4 months ago

Recovery email only restores access to the account, so you can get future emails. But all data is lost, emails sent in the past (saved emails) are not recovered.

https://proton.me/support/set-account-recovery-methods

[-] asdfasdfasdf@lemmy.world 43 points 4 months ago

No, Proton does get a free ride here. The information they provided was the recovery email address, which they were required to do by law.

The only data they don't encrypt (can see) is that which they absolutely need to store unencrypted. If they encrypt your recovery email address, then... they can't send you any recovery emails to it since they can't see it.

This is 100% the fault of the user.

All any service can do is give you the best tools available to maintain your privacy, but they can't stop you from shooting yourself in the foot.

Firefox is also great for privacy, but if I use it to fill out some info on some phishing sites then that's not a them problem.

load more comments (1 replies)
[-] EncryptKeeper@lemmy.world 23 points 4 months ago

They are bound by Swiss Law, so they have to comply with lawful orders. They are very up front about this even within their marketing that pertains to protection from other government authorities. They are also very good at explaining exactly what is protected and what inherently isn’t. A recovery email isn’t. In order for a recovery email to work by its very nature, Proton has to have a record of it. But at the same time they don’t require you to set one. Proton hasn’t done anything that they’ve promised not to. There comes a point where you need to put a little effort into understanding the product you’re using.

load more comments (6 replies)
[-] RootBeerGuy@discuss.tchncs.de 20 points 4 months ago

But if you use their service for free, you do not have to provide any identifying info. As far as I am aware there is no check what you enter is legit and there is no requirement to supply a backup address. So the whole solution for a user to stay anonymous as much as they can with Protonmail is simply to not enter any identifying info.

[-] sudneo@lemm.ee 11 points 4 months ago

How do you imagine a recovery email to work, if the provider doesn't store it, and you lost access to your email by definition in the moment you need it? Recovery email is not needed, you can totally use your account without and proton doesn't ask for it. It's a feature where you obviously are disclosing that piece of information and link two accounts. It's either that or not using that feature.

load more comments (6 replies)
[-] 0x0@programming.dev 22 points 4 months ago

Proton's mails are encrypted... between proton accounts. Send an email to a hotmail account and bye-bye encryption. Proton does rely on PGP so you can use that if the recipient supports it.

[-] EncryptKeeper@lemmy.world 32 points 4 months ago* (last edited 4 months ago)

They mean encrypted at rest. As in, Proton cannot hand over a copy of all your emails to a law enforcement agency, they don’t have access.

This means law enforcement would have to capture an unencrypted email in transit, or obtains your emails from either recipient individually.

[-] Evotech@lemmy.world 20 points 4 months ago

Mail stored in proton is encrypted

[-] asdfasdfasdf@lemmy.world 12 points 4 months ago

https://proton.me/support/password-protected-emails

A Password-protected Email is an email that requires a password to open it. It’s a way you can send a secure, end-to-end encrypted email to anyone who isn’t on Proton Mail.

[-] yolo@r.nf 157 points 4 months ago

Upon receiving the recovery email from Proton Mail, Spanish authorities further requested Apple to provide additional details linked to that email, leading to the identification of the individual.

I like how no ones talking about how Apple (the one its fanboys say is most privacy centric company) was the one that helped identity the individual.

[-] azalty@jlai.lu 49 points 4 months ago

Proton leaked the recovery email. Apple has never given any guarantee about their mail service, which isn’t the case of Proton

Don’t put any recovery info on Proton

[-] EncryptKeeper@lemmy.world 22 points 4 months ago

Proton has never given any guarantee about hiding all account metadata from the Swiss government either.

load more comments (3 replies)
[-] NeatNit@discuss.tchncs.de 13 points 4 months ago

Don’t put any recovery info on Proton

About that. I'm still making the transition from gmail and currently most of my mail still goes to gmail first and gets forwarded to Proton through their easy switch process. Surely this is just as up for grabs as a recovery email, right?

FWIW I'm not likely to be investigated any time soon so I'm not worried either way.

[-] Spedwell@lemmy.world 20 points 4 months ago

That's significantly worse privacy-wise, since Google gets a copy of everything.

A recovery email in this case was used to uncover the identity of the account-holder. Unless you're using proton mail anonymously (if you're replacing your personal gmail, then probably not) then you don't need to consider the recover email as a weakness.

[-] NeatNit@discuss.tchncs.de 8 points 4 months ago

That's significantly worse privacy-wise, since Google gets a copy of everything.

Obviously, but I still haven't gone through all the things I've ever signed up to and changed my email to the proton one. When I sign up to new stuff I use Proton, this is a necessary step for transition... And one that is likely to stay in place for a very long time since I'm going to keep procrastinating it.

Unless you're using proton mail anonymously then you don't need to consider the recover email as a weakness.

Excellent point.

[-] Pohl@lemmy.world 147 points 4 months ago

“Privacy” means two different things depending on the audience. For me privacy means that my information is not being used to advance some organizations commercial interest. For others it means that my information will never be shared with a government.

Don’t advertise to me

Or

Don’t narc on me

I guess I don’t really expect a company to resist pressure from government agencies on my behalf. Especially if I have been using their service to commit crimes in my country. If you are doing things your government would prefer you didn’t, hire a good lawyer and consult with them about what should be sent via email (spoiler, it’s nothing). The mafia doesn’t send emails, or put anything in writing, if you do crimes, you shouldn’t either.

[-] efstajas@lemmy.world 50 points 4 months ago

I guess I don’t really expect a company to resist pressure from government agencies on my behalf.

Personally, I expect them to resist to the extent possible by law. The cops need to follow a lot of rules to make legally binding requests for data. I understand that if they do, there's not much a company can do other than hand out the info, but if there's a legal way to deny such a request, I expect the company to pursue it.

[-] PM_Your_Nudes_Please@lemmy.world 15 points 4 months ago

Pretty much. I’m not expecting a company to spend millions of dollars in court costs and lawyer fees on my behalf. But if it’s clear that the government is overreaching, the company should at least go “hey uhh judge, wtf?”

[-] xenoclast@lemmy.world 8 points 4 months ago* (last edited 4 months ago)

Companies selling data don't tend to be picky who they sell to. Governments and police buy data all the time.

The best part is a government can buy data and and can change the rules on what is illegal.

So, if they decide tomorrow that your innocent behavior is a threat, you're now a criminal.

load more comments (1 replies)
load more comments (1 replies)
[-] RootBeerGuy@discuss.tchncs.de 126 points 4 months ago

They provided the backup e-mail address

Upon receiving the recovery email from Proton Mail, Spanish authorities further requested Apple to provide additional details linked to that email, leading to the identification of the individual.

Just in case anyone thinks they decrypted mails and handed them over, nope. I hadn't thought about that "settings" are not encrypted. Guess if you want to stay anonymous you shouldn't add your private mail address in there as a backup.

[-] Alk@lemmy.world 52 points 4 months ago

Yeah. Even if they couldn't hand over recovery emails, having a personal email as a backup to a "private and sensitive" email account is bad practice.

load more comments (13 replies)
[-] BertramDitore@lemmy.world 58 points 4 months ago

I don’t know much about the case beyond some very lazy peripheral searching, but it strikes me that Proton’s compliance isn’t an issue, but the requests themselves are totally unjustifiable and based on malicious prosecutions to nab some separatists on ridiculous terrorism charges for their nonviolent action and protests.

This individual is suspected of being a member of the Mossos d’Esquadra (Catalonia’s police force) and of using their internal knowledge to assist the Democratic Tsunami movement.

The requests were made under the guise of anti-terrorism laws, despite the primary activities of the Democratic Tsunami involving protests and roadblocks, which raises questions about the proportionality and justification of such measures.

[-] sudneo@lemm.ee 8 points 4 months ago

The same thing which happened in the past. Antiterrorism laws used for -if I remember correctly - and environmental activist.

load more comments (2 replies)
[-] TheTimeKnife@lemmy.world 52 points 4 months ago

Doesn't look like Proton did anything wrong, they can't fight these requests and he was caught by identifying information he linked to his account.

load more comments (4 replies)
[-] flop_leash_973@lemmy.world 50 points 4 months ago* (last edited 4 months ago)

As much as some of us may dislike it when a company does these kinds of things. You can't really blame them for following the laws of the country that they are headquartered in.

You can blame them for operating there to begin with in cases like Apple in China, but you could hardly blame them for following the laws of the US where they are headquartered for example.

If the law of the land where the headquarters is requires them to give up the data they do have to partner nations then they don't really have much choice in the long run if they want to continue to exist.

[-] baseless_discourse@mander.xyz 25 points 4 months ago* (last edited 4 months ago)

Plus there isn't many jurisdictions with stronger privacy law than the swiss. It is unlike they made a bad choice for choosing a headquarters.

I guess they can operate on the public sea or the arctic, but I imagine the commute will be terrible.

[-] ikidd@lemmy.world 17 points 4 months ago

"Nobody's going to jail for you" is pretty much the way to think about any cloud privacy service. They may not keep logs unless they're required to, but in the end, they will comply to stay in business.

[-] Alpha71@lemmy.world 36 points 4 months ago

If you use ANYTHING other than face to face meetings when discussing something illegal, you get what you deserve.

[-] MadBob@feddit.nl 36 points 4 months ago

Although I like the idea of a drug smuggler typing "as per my previous email..."

load more comments (2 replies)
[-] Im_old@lemmy.world 30 points 4 months ago* (last edited 4 months ago)

Proton a few years ago disclosed the IP address of the user of a certain mailbox upon request by LEA. That was enough to get the person found and arrested (I don't remember what the case was about). They HAVE to comply with these requests, ~~but they DON'T need to log/retain those info~~ ETA: and I was wrong, thanks @Cheradenine@sh.itjust.works to set me straight. But I think the point still stands. I don't want to be ALWAYS be tied to a VPN, there are some scenarios where I can't use a VPN.

That was the moment I decided to selfhost my email server.

[-] Cheradenine@sh.itjust.works 28 points 4 months ago

In that particular case they did need to log the ip because they were compelled to do so by a Swiss court.

That was an opsec failure on the user, if they used a VPN or Tor they would not have been caught.

[-] 0x0@programming.dev 7 points 4 months ago

A VPN would've only shifted the "blame" unless it was a decent one like IVPN.

Tor would've been much better, especially considering Proton has an .onion address.

[-] Cheradenine@sh.itjust.works 13 points 4 months ago

Yes, by VPN I meant something decent. Not whatever spyware is top on the Play Store for circumventing geoblocks.

They were already using Proton Mail, they just were probably thinking that was enough. It would have been if the French had not been able to convince a Swiss court that their request was valid.

load more comments (3 replies)
[-] barsoap@lemm.ee 16 points 4 months ago

Posteo doesn't have to retain IPs and doesn't, it also doesn't retain payment info (though if you transfer by wire there's still a window where a payment can be traced AFAIU).

They will also absolutely forward any and all traffic for a particular account to law enforcement when given a court order. What's it with criminals thinking that they can outsource opsec to legitimate businesses. Defending against a state-level actor actively hunting you down, watching closely and pouncing on any and every mistake, is a vastly different beast than making sure google doesn't know about the butt plug you just bought.

load more comments (2 replies)
load more comments (2 replies)
[-] asdfasdfasdf@lemmy.world 21 points 4 months ago

What I am find curious about this is if a recovery email would have any weight in court. I can add whatever recovery email I want to an account. It doesn't have to be mine.

[-] friend_of_satan@lemmy.world 19 points 4 months ago

If your recovery email address is not yet verified, click the Verify now link and then the Send verification email button. You’ll be sent a link to confirm that the email address belongs to you.

https://proton.me/support/set-account-recovery-methods#how-to-add-or-change-a-recovery-email-address

load more comments (1 replies)
[-] gencha@lemm.ee 9 points 4 months ago

I still find it fascinating that you can go to jail because there's an IP address in a log file somewhere or because of a screenshot of a messenger communication.

load more comments (5 replies)
load more comments (2 replies)
load more comments
view more: next ›
this post was submitted on 07 May 2024
519 points (94.4% liked)

Technology

58302 readers
4331 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s@lemmy.world
enu@lemm.ee
fry@fry.gs
L3s@fry.gs
enu@lemmy.world
L4s@fry.gs
L4s@lemmy.world