ProtonMail deletes 'we don't log your IP' boast from website after French climate activist reportedly arrested

Encrypted email service ProtonMail has become embroiled in a minor scandal after responding to a legal request to hand over to Swiss police a user's IP address and details of the devices he used to access his mailbox – resulting in the netizen's arrest. Police were executing a warrant obtained by French authorities and served …

  1. Yorick

    > though it's unclear why the company was logging user-agent strings and IP addresses of client logins

    The Protonmail statement says they can be compelled to log a user’s IP when Swiss law has been broken. That’s the most likely explanation: They got a court order and started logging IP addresses and user-agent strings for this particular user, after being presented with the order.

    1. Anonymous Coward

      What court order?

      If they weren't logging those IP addresses and connection strings, there was nothing to seize. They said they weren't. As to a court order requiring you to implement such logging when demanded... show me the law that says any such thing, that somehow cannot be challenged!

      Better still, show me the court order itself. All I could find was copyright related (Article 77i CopA). The US pushed them to backdoor their privacy right, so they added IP logging in the copyright law, but that's for copyright infringement.

      Whenever dealing with "Swiss" stuff that feels American (I class Proton Mail as this), you should recall Crypto AG, the "Swiss" encryption system, that was actually a CIA front.

      https://www.washingtonpost.com/graphics/2020/world/national-security/cia-crypto-encryption-machines-espionage/

      " The Swiss firm made millions of dollars selling equipment to more than 120 countries well into the 21st century. Its clients included Iran, military juntas in Latin America, nuclear rivals India and Pakistan, and even the Vatican."

      "But what none of its customers ever knew was that Crypto AG was secretly owned by the CIA in a highly classified partnership with West German intelligence. These spy agencies rigged the company’s devices so they could easily break the codes that countries used to send encrypted messages. "

      When you see a well funded company in encryption like this, I suggest you ask who the f**k funded that and who is the target audience. Is this company too good to be true?

      So don't be surprised when the slightest court order lands on a fake CIA operation, and they cave immediately to create case law, in Switzerland or elsewhere, because that's what they're there to do, fold. Create false case law, false consensus, undermine privacy rights.

      All that western tech, it's all shit, it's all backdoored. All secret police notices, all secret surveillance, backdoored encryption, false systems. All of it.

      1. Alpine_Hermit

        I agree with some of your points. But ProtonMail has always made it clear to anyone who reads their T&Cs that they come under Swiss laws and they are obliged to provide information to the authorities IF supported by a court order.

        The Swiss legal system is robust and the right to privacy strong. It fills me with hugely more confidence than in my old homeland which has sadly become an authoritarian tinpot nation, especially since the Johnson Junta took over.

        I use ProtonMail occasionally and never regarded it as a service that is totally hidden from the law, rather a service under stronger Swiss laws than the US and elsewhere.

        1. anothercynic Silver badge

          Did you read the English T&Cs or the French? That makes a big difference and that's what the controversy revolves around.

        2. Adam Nealis

          I've posted a couple of questions on the protonmail subreddit about what happens if they get a court order.

          There is never an official reply. Of course, I am just a non-entity, not worth replying to.

      2. Anonymous Coward

        Thanks for reminding me about Crapto AG. Maybe it's time to consider quitting ProtonVPN. Any recommendations for replacement?

        1. Blackjack Silver badge

          Every VPN spies on you, even those that say they don't. The business is in selling data, not in the VPN service itself.

          1. Lon24 Silver badge

            I'm thinking using a one-time pad, sticking a stamp on it and plopping it into any postbox is probably more secure unless the postie has an incredible memory - and some do!

            Otherwise there is nothing to track back once delivered if you use disposable gloves.

            1. John Brown (no body) Silver badge

              "Otherwise there is nothing to track back once delivered if you use disposable gloves."

              ...and remember not to lick the envelope!

              The trenchcoat with the dark glasses in the pocket. And the Fedora ----------------->

              1. Mnot Paranoid

                Philatelicks

                Stamps and envelopes have been self-adhesive for many years now. Our survey revealed that most people didn't like the licking.

                1. A.P. Veening Silver badge

                  Re: Philatelicks

                  And before that you could either use a wet sponge or a dog's tongue.

                  1. HelpfulJohn

                    Re: Philatelicks

                    Dogs have DNA, too though it is rarely registered in massive government databases.

                    Or so we are led to believe. :)

          2. idiot taxpayer here again

            @Blackjack. EVERY VPN?

            A sweeping statement indeed. Please present the proof. Just to feed your paranoia, there are at least 4 trackers on this page. (Doubleclick.net, google-analytics.com, googletagmanager.com, twitter.com)

        2. Anonymous Coward

          Outlook.com now has an encrypted mail function. Uncle Bill and Uncle Sam would never do to us what the Swiss did ⸮

        3. katrinab Silver badge

          I would actually recommend you don't use a VPN for this purpose, and use burner phones paid for with cash.

          If you want to, for example, watch American Netflix outside of the US, or BBC iPlayer outside of the UK, then VPNs might help with that; otherwise I think you are just advertising yourself as someone who is up to no good, and if anything, making it easier for them to track you.

          1. Trenjeska

            In (most) EU countries, buying any telephone with access to the network mandates personal registration with proof of identification. Burner phones are very difficult to come by.

          2. Anonymous Coward

            Only marks you as a target of interest

            Using a burner phone - makes you stick out like a sore thumb. All they do is filter out all the "known phones" (that they know who owns what), and focus on the "unknowns".

      3. heyrick Silver badge

        All that western tech, it's all shit, it's all backdoored.

        FTFY.

      4. Nate Amsden

        "If they weren't logging those IP addresses and connection strings, there was nothing to seize."

        It sounds like they have the ability to log based on user account. So perhaps while they don't log normally, if such a request comes in that they have to get the IP then they can flip a flag in their code/config to start logging for that particular user account, then assuming the user logs in again they have the information.

        If you are that paranoid about hiding your IP etc. then you shouldn't be trusting a single provider like this; you should be routing traffic over multiple different places to further obscure your information, and not wait for some news event like this to start doing it. Also of course use a dedicated browser that is not used for anything else except that service; if you're even more paranoid perhaps use a dedicated VM with that browser.

        Seeing the anonymous relay service they offer in the article reminds me of my early internet days using the (I think it was) anon.penet.fi (??) email relay; sometimes it took days for email to be processed through that. I have been hosting my own personal email (around 350 different addresses for different purposes at the moment) since about 1997 (along with web, DNS and anything else I want). Though of course doing that is not for 99.999% of people out there.

      5. HildyJ Silver badge

        Blame the French

        The court order was from French authorities and transmitted to Switzerland via Europol (an EU version of Interpol). The logging only began after the court order.

        The data was requested as part of an investigation into a group of climate activists who have occupied several commercial spaces and apartments in Paris.

      6. Trenjeska

        Any Dutch company that provides communication between 2 or more persons/entities is by default required to log that basic information by LAW. Not logging it is already punishable. So yes anonymity is fleeting.

    2. anothercynic Silver badge

      The problem is that the English statement on their site said that they would log (and retain) IP addresses for a certain period of time, and would if required by Swiss law provide them to law enforcement.

      HOWEVER - The French statement said no such thing. The French statement was simply "we don't log any IP addresses", and *that* is where the brown smelly stuff hit the big round metal whirly thing.

      There was a long thread on Twitter between the CEO of ProtonMail and some of the French folks raising the objections that the messaging was inconsistent. If you're a French person, you were under the impression you were safe (unless you read the English version too, but since there is a version français, why would you). If you were English, you knew what you were getting yourself into and understood that once Swiss law enforcement was involved, all bets were off.

      There was even a question from someone asking if ProtonMail would start deploying canaries. I don't remember whether there was a response to that.

      1. heyrick Silver badge

        The problem with canaries is that the people we most need canaries over are the same people who influence the lawmakers.

        https://www.law.cornell.edu/uscode/text/18/2709#c

    3. DevOpsTimothyC Bronze badge

      The Protonmail statement says they can be compelled to log a user’s IP when Swiss law has been broken.

      Exactly which SWISS law was broken? French ones, yes sure, but the statement says Swiss.

      They got a court order and started logging IP addresses and user-agent strings for this particular user, after being presented with the order.

      AFAIK a court order cannot force you to log that sort of thing if you never logged any of that information in the first place. That was effectively Apple's defence about getting into phones. There was no mechanism; they would have to create one.

      A defence here is "We do not produce web server logs. We have no infrastructure to retain those logs. To comply with this court order would cost ..."

      1. katrinab Silver badge

        There would be a Swiss law that is equivalent to the French one that was [allegedly] broken.

  2. A Non e-mouse Silver badge

    Absolute privacy/anonymity on the Internet is hard. Very hard.

    1. Anonymous Coward

      Nope, just use the "off" button on your device.

  3. The Man Who Fell To Earth Silver badge

    Tor

    Pretty much reinforces that if one wants to be difficult to track down, you'd probably be wise to put Tor between yourself and protonmail. (Or anything else.)

    Better yet, don't use the Internet.

    1. IGotOut Silver badge

      Re: Tor

      There are plenty of cases where TOR has been used and people still get caught.

      It makes it difficult to trace, not impossible.

      1. Anonymous Coward

        Re: Tor

        Yes, it does not make it impossible, but the key adjective is "difficult". Unless those after you are very, very, very powerful, the 'difficult' becomes 'good enough'.

        1. Graham Cobb Silver badge

          Re: Tor

          Yes, for tracking of IP connections it would probably require the 5-eyes to bother to use their resources and data - not likely for much except terrorism.

          However, Tor is not a magic privacy screen: there are plenty of possible mistakes that can still be made using Tor for privacy and anonymity. As a simple example, if you have a ProtonMail account and have ever sent a message to anyone's personal email address, they could be contacted to ask if they know who you are or anything about you, or their address can be correlated with clearnet emails to try to get some idea of who you might be. So, never forward, CC or send any message (however innocuous the message itself is) from your ProtonMail account to anyone who knows who you are (and certainly NEVER to your normal email account). Obvious in hindsight, but easy to forget.

          And there are many other mistakes it would be easy to make. Tor only protects IP addresses, not other ways of finding out who you are.

    2. Pascal Monett Silver badge

      Re: Tor

      You are aware that Tor was created by the US intelligence community ?

      If you think they don't know how to subvert it, I have a bridge to sell you.

      1. JWLong Bronze badge

        Re: Tor

        @Pascal Monett

        It was the US NAVY that developed TOR, with intelligent agency help I'm sure.

        And I loved the "buy a bridge" comment. I trust the internet about as far as I can throw a handful of feathers.

        1. Pascal Monett Silver badge

          I absolutely agree on who is responsible for Tor, but intelligence agencies were absolutely a part of it.

          The quote I refer to is this :

          "The core principle of Tor, Onion routing, was developed in the mid-1990s by United States Naval Research Laboratory employees, mathematician Paul Syverson, and computer scientists Michael G. Reed and David Goldschlag, to protect U.S. intelligence communications online. "

          The CIA and the NSA have their hands in this, make no mistake.

          As for the bridge, I'm sorry but that is traditional Internet-speak :).

          As for your feathers, are they frozen ?

          1. A.P. Veening Silver badge

            As for the bridge, I'm sorry but that is traditional Internet-speak :).

            It predates the internet by at least a couple of decades.

    3. steviebuk Silver badge

      Re: Tor

      For Tor to be effective you need to be using a VPN as well so you encrypt your Tor connection. This is because so many Tor exit nodes are compromised and can be sniffed and monitored.

      1. AVee

        Re: Tor

        I'd think that's bad advice in most cases.

        If the police get an IP address from a mail provider which turns out to be a TOR exit they can track that back to where the connection originated. If the TOR exit is compromised they can see where you are going to some extent, but if you properly use https for everything that's not telling them too much. The exit node too cannot tell where the connection originated. So if the police are trying to figure out who you are they are pretty much stuck.

        Now add the VPN. The police get an IP address which points to a VPN provider. They get a warrant and the VPN provider tells them the original IP for that connection, the account used to log in, billing address and credit card used and other IP addresses used by that account. They ignore the IP address and go straight for the credit card holder. Not really an improvement I'd think.

        On top of that the VPN provider is in the same position as the exit node. They can sniff and monitor just as much. Assuming they don't seems pretty naive to me.

        1. katrinab Silver badge

          Re: Tor

          VPN is probably worse, because they likely have everything; whereas without VPN, your traffic is likely split between your landline provider, cellphone provider, public wifi, etc.

        2. steviebuk Silver badge

          Re: Tor

          Not really as lots of VPN providers give you the option to buy their service anonymously.

    4. Bartholomew

      Re: Tor

      > Pretty much reinforces that if one wants to be difficult to track down, you'd probably be wise to put Tor between yourself and protonmail. (Or anything else.)

      Tor only works "IF" you assume that there is no way to cross-correlate the approximate timing and approximate packet sizes entering the tor network with those leaving the tor network.

      1. Graham Cobb Silver badge

        Re: Tor

        Possibly true, but that is certainly beyond the capabilities of all except really major agencies like NSA. And even for them it is likely they would need to know in advance - I am sure they don't collect per-packet traffic data on all links on the Internet everywhere.

        The main advantage/purpose of Tor is to prevent blocking of access to sites/data. Anonymity is a lesser goal but, in my view, is still likely to be quite effective except in particular, targeted cases.

        1. Bartholomew

          Re: Tor

          You do not need to harvest and store the data, only the metadata.

  4. KarMann Silver badge

    Cops can read the SMTP spec too, y'know
    [Citation needed]

    Oh, sure enough, the cops just gave me a citation!

    1. teknopaul Silver badge

      Nothing is unencrypted in modern smtp

      "unencrypted information from email headers, inherent to the SMTP email specification,"

      SMTP should not be run in plain text; it's generally tunnelled over SSL or there is an upgrade to SSL on port 25. There is minimal handshake before STARTTLS.

      All email headers should be encrypted in transit; only the IP address would be visible if the promises about not logging were true.

      In this case it's not true. I'll believe them that they took special measures for this court order.

      In the UK you have to log IPs in case the spies want it,

      And when they ask you are not allowed to tell anyone.

      The fact that we hear about this is a ringing endorsement of Swiss law and ProtonMail. You were wrong if you thought it impossible.

      But check yer spec knowledge: much like HTTP, SMTP can be run fully in plain text or fully over SSL, or can upgrade to SSL on the same socket.

      1. Graham Cobb Silver badge

        Re: Nothing is unencrypted in modern smtp

        I have my mail server set up to add a warning in the subject line of received mail if it crossed a link that did not use starttls. Very little mail now triggers the warning, but some still does.

        And, of course, the headers are completely unencrypted inside every forwarding node - and no one knows what they choose to log (they might choose to take a full copy of every email they see).
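The check Graham Cobb describes (flag mail that crossed a hop without STARTTLS), together with teknopaul's point that SMTP may run in plain text or upgrade to TLS on the same socket, can be done by reading the "with" clause of each Received header: RFC 3848 registers the protocol keywords an MTA writes there, and the ones ending in S or SA (ESMTPS, ESMTPSA, ...) mean that hop was protected by TLS. The Python below is an added example written for this thread, not code from either poster, from The Register or from ProtonMail; the message it parses is constructed, and the keyword set and the subject tag are this example's own choices.

```python
import email
import re

# RFC 3848 protocol keywords that follow "with" in a Received header and
# indicate the hop used TLS (the trailing S = secure, SA = secure + authenticated).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA", "LMTPS", "LMTPSA"}
WITH_CLAUSE = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.IGNORECASE)

# Constructed sample message, not real mail.  Received headers are read
# newest-first: index 0 is the hop into our own server (plain ESMTP, no TLS),
# index 1 is the earlier hop from the sender into mx1.example.org (ESMTPS).
SAMPLE_MESSAGE = (
    "Received: from mx1.example.org (mx1.example.org [192.0.2.10])\n"
    "\tby mail.example.net with ESMTP id abc123\n"
    "\tfor <alice@example.net>; Mon, 06 Sep 2021 10:00:00 +0000\n"
    "Received: from client.example.com (client.example.com [198.51.100.5])\n"
    "\tby mx1.example.org with ESMTPS (TLSv1.3) id def456;\n"
    "\tMon, 06 Sep 2021 09:59:58 +0000\n"
    "From: bob@example.com\n"
    "To: alice@example.net\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)


def hop_protocol(received_value):
    """Return the RFC 3848 protocol keyword of one Received header value,
    or None when the header carries no recognisable 'with' clause."""
    match = WITH_CLAUSE.search(received_value)
    return match.group(1).upper() if match else None


def hops_without_tls(raw_message):
    """List (index, protocol) for every Received hop that does not claim TLS.
    A hop with no 'with' clause is treated as unencrypted (protocol None)."""
    msg = email.message_from_string(raw_message)
    findings = []
    for index, received in enumerate(msg.get_all("Received", [])):
        protocol = hop_protocol(received)
        if protocol not in TLS_PROTOCOLS:
            findings.append((index, protocol))
    return findings


def tag_subject(raw_message, tag="[UNENCRYPTED HOP]"):
    """Prefix the Subject with a warning when any hop lacked STARTTLS;
    otherwise return the message text unchanged."""
    if not hops_without_tls(raw_message):
        return raw_message
    msg = email.message_from_string(raw_message)
    if "Subject" in msg:
        msg.replace_header("Subject", f"{tag} {msg['Subject']}")
    else:
        msg["Subject"] = tag
    return msg.as_string()


if __name__ == "__main__":
    print(hops_without_tls(SAMPLE_MESSAGE))
    tagged = email.message_from_string(tag_subject(SAMPLE_MESSAGE))
    print(tagged["Subject"])
```

Two caveats apply in practice. Only the topmost Received header (the one your own MTA added) is trustworthy; every earlier header was written by another relay and can be omitted or forged, so the check is a hint about the path, not proof of it. And the keyword is self-reported: some MTAs write the TLS state in a comment instead of the RFC 3848 keyword, and local delivery or loopback hops commonly use plain ESMTP, so a deployed filter would skip trusted internal hosts to avoid flagging every message.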

  5. Anonymous Coward

    Who'd have thunk it ?

    Just that really. If you don't own, manage and understand what's happening with your data, why would you be surprised?

  6. Mike 137 Silver badge

    "As a Swiss company, ProtonMail is obliged to obey Swiss law and comply with Swiss legal demands"

    This is of course the case in every jurisdiction on the planet, which is to some extent why the fuss over US Privacy Shield as a special case was somewhat peculiar. Even under the GDPR the forces of law and order have special access to personal data in pursuit of their duties (for rather obvious reasons).

    1. Anonymous Coward

      Not quite always...

      "This is of course the case in every jurisdiction on the planet..."

      Yes and no. There are still (thankfully!) a number of places on this planet that are nominally within the jurisdiction of an entity that lacks the physical ability to enforce its own laws (there's also Antarctica which is its own weird case). ProtonMail would be far more secure if it were located in Somalia and surrounded by mercenary riflemen, an armored division, and a few SAM batteries. While it would still nominally be obligated to obey Somali law, the so-called authorities would have no practical ability to enforce it and it's inconceivable that they would even try on behalf of France. Whether such an entity would be able to defend all of its connectivity is another matter; satellite communication could be used, but China has effective control of all orbital craft. Everything else comes with choke points and links to less friendly nations.

      We've all known for a long time that PM's marketing guff about being located in a Swiss bunker was just that. Now they've gone and proved it. Even if PM isn't being run by the CIA, it may as well be. They were simply playing on long-outdated memories of Swiss banking secrecy laws that were dismantled by the United States and their allies 50 years ago. Those laws never had any application to PM's services anyway and the simple fact is that the Swiss will happily give up anyone and anything to anyone, just like all western governments.

      If anyone is still paying for PM today I cannot fathom why; there are other services that are much cheaper and much more honest about the security they offer (i.e., none). If you want to encrypt your message content, go ahead (that's all PM gave you anyway) but as you can see, that won't help you. If you need privacy, you need to set up your own encrypted radio links or on a local basis you can use suitable dead-drops for OTP-encrypted paper notes. The former is easier for the enemy to locate; the latter is more physically dangerous for the people communicating. If you aren't sufficiently serious about your cause to take those steps, you aren't serious enough to go to prison for it, either, which means you need to limit yourself to (invariably ineffective) lawful protest. Using someone else's infrastructure means you're trusting people who will be given trivial incentives to betray you. Letting a rank and file cop sitting at his desk in Paris send you up just by sending an email is a disgrace to your own cause; if you care enough to risk ending up in prison, learn proper tradecraft and make the enemy work for it.

      1. Clausewitz 4.0

        Re: Not quite always...

        Nice Somalia idea

        1. Anonymous Coward

          Re: Not quite always...

          Because Somalia's territory is now magically immune from foreign interference, and its internet links and addresses magically protected?

          Unlike Switzerland, they'd be in a really poor position to defend themselves if, after being asked to act, they did not or could not, and then whatever more powerful government decided it was time to block its IP addresses, its DNS, or send in a drone to shut down a datacenter.

          1. Anonymous Coward

            Re: Not quite always...

            I specifically addressed the problems of defending communication links. Did you read my post, or just decide you didn't like it because it doesn't fit your personal politics?

            Let's get into more of these technical details, then, in a scenario in which an effectively sovereign service provider does not cooperate with foreign law enforcement authorities.

            "block its IP addresses"

            That's not a thing, as I'm sure you know. It's possible for a determinedly authoritarian censorship state like China to block access to address space from within its borders, usually. It's generally not possible otherwise, because there are many links to many other links and the design of the Internet is such that it's generally possible to get a route from anywhere to anywhere. In fact, in most countries this isn't even tried, even when the destination is genuinely harmful (e.g., malware distribution); it's too easy to work around by obtaining and advertising other IP blocks. Instead, the enemy tend to go after DNS.

            "[block] its DNS"

            The way this normally works is that the registrar receives and acts upon a court order valid in the jurisdiction in which it operates, and removes (or redirects) the second-level domain from its zone files. I should think it would be very challenging for France to obtain such an order against the Somali registrar. However, the simple fact is that it would almost certainly be ineffective; nothing would stop our hypothetical service provider from having thousands of DNS domains at dozens of different registrars in many different jurisdictions. There are numerous examples of this that have been reported on and discussed here, including the popular Pirate Bay and Sci-Hub. Shutting down all of them and keeping them all shut down is no simple task, but it is at least technically possible. However, there's a better way for our hypothetical service provider to operate: Run its own root servers with a couple dozen different IP addresses. Or, if the service can itself be accessed at a single IP, simply publish a list of such IPs that can be used and tell customers how to populate /etc/hosts or their own local resolvers. Anyone serious enough about the confidentiality, integrity, and availability of their communications to use what would have to be a very expensive service provider would certainly not mind setting up alternative DNS clients (or using some other protocol stack, even, as the discussion of tor indicates) to guarantee access to it. Again, it's possible for some states to filter IP blocks, but filtering dozens of them at thousands of peering points, when they can easily be changed anyway as a few are filtered, is a fool's errand.

            "send in a drone to shut down a datacenter"

            Now I'm sure you didn't read my post, because I specifically mentioned the presence of SAM batteries. And do you really think France is going to use military force over refusal to cooperate with Interpol? Somalia is a well-known quagmire like Afghanistan, Vietnam, etc., and the setup I've described should be sufficient to make victory, if possible at all, VERY expensive. A single drone with an air-to-ground missile or a few bombs wouldn't get close to a facility defended as I've described. It's likely that the Americans could take it out with a dozen cruise missiles launched by offshore naval vessels; those cost several million dollars apiece not to mention the cost of moving those vessels into position, launching, and resupplying them. Nothing is impossible if you have enough money, but considering that there are numerous countries that *already* don't cooperate with US (or French, etc.) law enforcement authorities, one would really have to wonder whether they'd bother to spend it that way.

            It would, if nothing else, be interesting to see more individual assertions of sovereignty and defiance of these oppressive powers, and this dull dreary used-up world needs more things that are interesting. If one of them also resulted in a genuine increase in privacy for Internet users who want it, that'd be great too. You probably assume I support the individual at the centre of this story, but I do not. If he is guilty of the crimes of which he has been accused, he is a thief, a vandal, and a serial trespasser; if it were up to me, he would hang for those crimes. I just think the cops should have to work for it, because I believe everyone has an absolute sovereign right to private communication. The State must yield to the individual, always.

      2. Alpine_Hermit

        Re: Not quite always...

        Have you spent too much time chewing on qat in Somalia?

  7. amanfromMars 1 Silver badge

    Something to Realise and Get Thoroughly Used To.

    Apparently, if you can believe what you can read in some news, Westminster bods prefer to use and trust Telegram to keep their communications safe and secure and secret, but it is not something to be risking your life on being effective, methinks.

    Everything is available to anyone who really wants it and knows what to do to get a hold of it.

  8. lglethal Silver badge

    Just curious...

    So what did the Climate Activist actually do?

    1. stungebag

      Re: Just curious...

      All police forces find it hard to distinguish between activists, whose policies and methods they may not as individuals support, and criminal behaviour.

      Maybe this group had overstepped the mark, but look at the UK's undercover police scandals where police infiltrated activist groups who were not criminals to the point where they formed relationships with and even fathered children on their targets.

      1. ThatOne Silver badge

        Re: Just curious...

        > and even fathered children on their targets

        That's the best part of the job!

      2. Chris Fox

        Where would PM draw the line?

        Not only did the police infiltrate non-criminal activist groups, in some cases they then sought to encourage said activists to commit criminal acts, who were then prosecuted without the police revealing their role in instigating and facilitating those criminal acts (and actions that led to the longest ever English civil trial in the McLibel case). The infiltration was so extensive that some "activists" meetings consisted almost entirely of undercover cops. Of course the UK government's answer to this scandalous state of affairs is to grant undercover ops immunity from prosecution for such criminal activity, while also labelling activists "terrorists" for engaging in *lawful* civil disobedience.

        Presumably PM would be happy to collaborate with the oppressive actions of a wannabe police-state, provided all the paperwork was in order?

    2. Anonymous Coward

      Re: Just curious...

      Quite possibly, he is ALLEGED to have committed a crime. And please, don't tell me the courts and judges are independent and fair, etc., etc., so 'there must have been a good reason'. Some are, some aren't.

      1. Diogenes

        Re: Just curious...

        quite possibly, he is ALLEGED to

        ------

        Ah you are confusing English common law and the presumption of innocence with the French Napoleonic Code.

      2. Alpine_Hermit

        Re: Just curious...

        "Some are, some aren't"

        The Swiss are.

        Not perfect, but they try much harder than others, in my experience.

    3. jnievele

      Re: Just curious...

      Well, he wasn't a "climate activist"... he was an "anti-capitalist" and "anti-gentrification" activist who broke into several buildings:

      https://techcrunch.com/2021/09/06/protonmail-logged-ip-address-of-french-activist-after-order-by-swiss-authorities/

      1. Anonymous Coward

        Re: Just curious...

        Yeah, anti-capitalist and broke into buildings... clear to shoot on sight, no court order required.

        Justification to undermine privacy is quite feeble here. If allowed to continue, it'll get worse and worse.

        1. MrDamage

          Re: Just curious...

          From the article linked in the post you replied to:

          > "For the past year, a group of people have taken over a handful of commercial premises and apartments near Place Sainte Marthe in Paris. They want to fight against gentrification, real estate speculation, Airbnb and high-end restaurants.

          Learning to read would be the first step in not looking like a fool.

          1. Anonymous Coward

            Re: Just curious...

            Learning to read the whole thread would be the first step in not looking like a fool.

            Please recalibrate your sarcasm filter too.

    4. Anonymous Coward
      Anonymous Coward

      Re: Just curious...

      I think that they activated for the climate.

    5. jgarbo
      Devil

      Re: Just curious...

      He complained loudly about the weather. Off with his head!

      1. Mnot Paranoid
        Big Brother

        Re: Just curious...

        You will own nothing, and you will "be happy"... or else!

  9. Graham 32

    By default...

    > By default, we do not keep any IP logs

    "By default" covers what happened. Watch out for the weasel words. However, they now don't even say that. Are they now compelled to log all IP addresses?

  10. Anonymous Coward
    Anonymous Coward

    Your data belongs to you

    and various other, for now undisclosed, parties.

    1. John Brown (no body) Silver badge

      Re: Your data belongs to you

      Also worth remembering that data about you is not necessarily your data.

  11. Gwaptiva

    "In this case, Proton received a legally binding order from the Swiss Federal Department of Justice which we are obligated to comply with. There was no possibility to appeal or fight this particular request because an act contrary to Swiss law did in fact take place (and this was also the final determination of the Federal Department of Justice which does a legal review of each case)."

    Hmmm, either some issue in the reporting or just utter BS: Where I'm from, and I suspect this is the same in other countries in the Council of Europe, whether or not an act contrary to national law has "in fact" taken place can only be determined by a Judge. Not by the executive branch. These orders can be (and routinely are) appealed or fought.

    1. LDS Silver badge

      can only be determined by a Judge

      And what do you believe people working for Federal Department of Justice are?

      And what does "this was also the final determination of the Federal Department of Justice which does a legal review of each case" mean?

      And this does not mean he's been found guilty - it just means there is enough evidence that a warrant can be delivered.

  12. Handy Plough

    They've been selling snake oil for years. The open source intelligentsia and Snowdenites have been espousing their virtues for as long. Anyone else that works in email, especially the security side, has been saying that Proton's claims are spurious at best. Looks like their marketing is just downright misleading.

    1. Pascal Monett Silver badge

      Well in any case, ProtonMail has now publicly and officially joined the vast coterie of "secure" mail services that are anything but.

      Their lies destroy their credibility as far as I'm concerned. If you say you don't record IP addresses and, in fact, you do, you are not worthy of my trust.

  13. jnievele

    Apparently what El Reg calls "Climate activist" was actually a squatter charged with breaking-and-entering commercial and private buildings as a protest against gentrification and "capitalism":

    https://techcrunch.com/2021/09/06/protonmail-logged-ip-address-of-french-activist-after-order-by-swiss-authorities/

    1. Imhotep Silver badge

      But he did it to get out of the weather.

    2. TVU

      That report stated that, "Proton’s marketing claims as a ‘user privacy centric’ company", whereas a more accurate description might be "Proton’s marketing claims as a ‘cave in at the first opportunity centric’ company".

      I don't use that service and I certainly won't use them now if they do not protect the privacy of their users which is their supposed raison d'etre anyway.

      1. Charles 9 Silver badge

        At this point, I don't think we can expect any provider anywhere to be able to keep to such a high standard. No provider is above the law, and no business is worth getting shut down over a signed, sealed, and delivered court order with the laws to back it up.

  14. chivo243 Silver badge
    Boffin

    speak in code, duh

    I had a friend back in college, he came from the South Side of Chicago, gang territory. I once visited him there, he took a phone call from a *friend* and the whole thing was in code... something like pig-latin with lots of St's and be and eb's. When I asked what it was about, he said the party is at so and so's house, but his parents shouldn't know he was going...

  15. Anonymous Coward
    Anonymous Coward

    There is zero security and anonymity...

    ... on the internet, your phone, your PC or your apps.

  16. Anonymous Coward
    Anonymous Coward

    I wonder what'll happen, when they get served a valid court order demanding they issue a trojaned javascript file to targets-of-interest that, after they enter their password to unlock their private key in their browser, forwards it onwards...

    1. Wellyboot Silver badge

      >>What'll happen<<?

      The obvious - They would continue to follow Swiss law after talking to their lawyers.

      1. Charles 9 Silver badge

        And if said lawyers reply, "They got you dead to rights..."?

        And you find out similar laws are everywhere?

    2. DevOpsTimothyC Bronze badge

      I wonder what'll happen, when they get served a valid court order demanding they issue a trojaned javascript file to targets-of-interest

      Is that legal under Swiss law? Wouldn't that fall under hacking laws and AFAIK most countries prohibit hacking (even for law enforcement purposes). The only times hacking is typically allowed is for national security by the intelligence services.

  17. amanfromMars 1 Silver badge

    SNAFUBAR CodeXSSXXXX

    Facebook says it doesn't read WhatsApp messages, but an investigation found it actually does ....... What's good for the goose is good for the gander.

    1. DevOpsTimothyC Bronze badge

      Re: SNAFUBAR CodeXSSXXXX

      That news article is clickbait. The title implies FB is able to read any message and that it does this routinely while the content has words to the effect of "The messages have been forwarded to our abuse team".

  18. Danny 2 Silver badge

    Even a magic bullet still needs to be shot correctly

    Protonmail encryption wasn't compromised. They don't log IP by default but can be ordered to log individuals under Swiss law. They always recommended access through an onion and even provide a free service that would almost certainly have prevented this arrest. They are going to support the activist.

    The only other option they had was to close down completely, like Lavabit did in the US, locking every user out of their data without notice.

    The takeaway here is Protonmail is fine as is for everyday use, but anyone with a state actor after them should be using an onion service to access it. And don't forget it is child's play to set up point-to-point VPNs with anyone you trust in real life.

    Me, I'm unconcerned because I can't even persuade anyone I know that encryption is good practice by default. I set up Protonmail accounts for them for ease of use, and they forget their passwords.

  19. Anonymous Coward
    Anonymous Coward

    More misdirection......

    In order to arrest this person in Switzerland, two things needed to be in place:

    1. A server between a sender and a recipient (in this case the Proton server)

    2. An account identifiable to one (or two) specific people (because the people used a debit or credit card to pay for their service)

    There are lessons here for anyone who wants to maximise their privacy:

    3. Wherever possible use end points which are not associated with your own account (e.g. internet cafes, hijacked WiFi, etc)

    4. Make sure that your end device is anonymous (throw away email addresses, disguised MAC addresses, burner phones, etc)

    5. Attempt to make sure that your messaging is going to others who also use rule #4 (so that your "social network" is not easy to build)

    6. Use peer-to-peer messaging (see Ricochet. So no servers, no "cloud")

    Note that the "security" associated with "end-to-end encryption" does not appear in items #3 through #6. These rules are intended to protect your identity.

    Of course, if you can use private encryption BEFORE any of your messages enter ANY channel.....this will make the CONTENT of your messages harder for the snoops.

    But the idea that the Proton service (or the Telegraph service) provides "limited security" is simply the latest piece of marketing misdirection.

    1. DevOpsTimothyC Bronze badge

      Re: More misdirection......

      6. Use peer-to-peer messaging (see Ricochet. So no servers, no "cloud")

      You haven't really thought that one through have you? It's a little difficult to use P2P when both ends are behind a NAT

      1. Anonymous Coward
        Anonymous Coward

        Re: More misdirection......

        @DevOpsTimothyC

        You haven't thought that through have you? How come my web browsing comes back through NAT back to 192.168.1.25 on my laptop? ....no.....no special arrangements on my NAT router!!

        1. jtaylor Bronze badge

          Re: More misdirection......

          "It's a little difficult to use P2P when both ends are behind a NAT"

          "my web browsing comes back through NAT...no special arrangements on my NAT router!"

          That's because only one end is using NAT. If this were a phone system, you're making outbound calls through a phone trunk to directory numbers and then saying you don't need a real phone number. Yes, you do, when you make those calls you are dialing out to a real phone number.
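The point jtaylor makes above (return traffic for an outbound connection is let back in, an unsolicited inbound connection to a host behind a NAT is not) can be shown with a small simulated stateful NAT. This is an added example, not code from the thread or from any product; every address and port is constructed from the RFC 5737 documentation ranges, and the laptop address 192.168.1.25 is the one quoted in the thread.

```python
"""Simulated stateful NAT (port-address translation with a connection table).

Added example, not code from the thread or from any product; all addresses
and ports are constructed (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Nat:
    """A home router doing port-address translation for one private network."""
    public_ip: str
    next_public_port: int = 40000
    # (private ip, private port) -> public port, created only by OUTBOUND traffic
    outbound_map: Dict[Tuple[str, int], int] = field(default_factory=dict)
    # public port -> (private ip, private port), used to route replies back in
    inbound_map: Dict[int, Tuple[str, int]] = field(default_factory=dict)

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite a packet leaving the private network and remember the mapping."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound_map:
            self.outbound_map[key] = self.next_public_port
            self.inbound_map[self.next_public_port] = key
            self.next_public_port += 1
        return Packet(self.public_ip, self.outbound_map[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Forward a packet arriving from the internet only if a mapping exists."""
        key = self.inbound_map.get(pkt.dst_port)
        if key is None:
            return None  # nobody inside opened this connection; the router drops it
        private_ip, private_port = key
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port)


def web_request_roundtrip() -> Optional[Packet]:
    """Laptop 192.168.1.25 fetches a page; the server's reply finds its way back."""
    nat = Nat(public_ip="203.0.113.5")
    request = Packet("192.168.1.25", 51000, "198.51.100.10", 443)
    on_the_wire = nat.translate_outbound(request)       # src is now 203.0.113.5:40000
    reply = Packet("198.51.100.10", 443, on_the_wire.src_ip, on_the_wire.src_port)
    return nat.translate_inbound(reply)                 # delivered to 192.168.1.25:51000


def p2p_connect_behind_two_nats() -> Optional[Packet]:
    """Peer A (behind NAT A) tries to connect directly to peer B (behind NAT B)."""
    nat_a = Nat(public_ip="203.0.113.5")
    nat_b = Nat(public_ip="203.0.113.9")
    syn = Packet("192.168.1.25", 51001, nat_b.public_ip, 9878)  # B's listening port
    on_the_wire = nat_a.translate_outbound(syn)   # leaves A fine; A's table now has state
    # ...but NAT B has no mapping for port 9878 because B never sent anything out
    return nat_b.translate_inbound(on_the_wire)   # None: dropped at B's router


if __name__ == "__main__":
    print("web reply delivered to:", web_request_roundtrip())
    print("direct P2P SYN delivered to:", p2p_connect_behind_two_nats())
```

The second function is the gap that any peer-to-peer design has to bridge with a rendezvous or relay of some kind when both peers sit behind such routers.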

  20. steviebuk Silver badge

    They've just killed protomail

    I'm assuming lots of people will now avoid it and move elsewhere.

  21. saxicola

    Account deleted.

  22. Teejay

    Re: Trust

    And now, let's talk about Threema...

  23. Tron Bronze badge

    NSA *cough* Google *cough*

    -Crypto AG was secretly owned by the CIA.

    If the NSA turn out to be holding the joystick at Google, I wouldn't be the slightest bit surprised.

    VPN is unreliable. We need distributed routing with inherent VPN abilities.

    On a point of order, all companies are subject to the law of the land depending upon where they are based and where they operate. Multiple jurisdictions. It's not their fault, but they should not promise what they cannot deliver.

    The internet is fairly heavily censored, search is a pale shadow of what it used to be and there is no anonymity online. Governments operate like organised crime gangs, but are more professional than the private sector versions. If your government go after you, they will get you. So be careful what you surf for.

    It's a surprise that they should highlight ProtonMail's legal vulnerabilities merely to nick a climate activist. Most governments are implementing climate change mediations indirectly via the takedown of globalisation under the aegis of Covid restrictions. Although they might dislike the activities of climate activists, they share similar goals for different reasons.

    Climate change activists want you to stop going on holiday and buy local, second hand if possible. Governments have blocked much international travel, squeezed/sanctioned supply chains, limited availability of goods, suppressed trade and ended most migrant labour. Unexpected fires at chipmakers, blocked canals etc. Both groups are on the same side, targeting global trade and the general public.

    1. fajensen Silver badge
      Pint

      Re: NSA *cough* Google *cough*

      Both groups are on the same side, targeting global trade and the general public.

      No, they are not. Government demands Growth. Its sponsors demand Growth. If we do not have Growth, especially at the leverage levels we have now, the entire global finance system will blow up. With the usual 1920's fallout, maybe even some literal fallout since abandoned nuclear facilities do not age well.

      Governments may have restricted things along the lines of what some climate activists want, but governments also compensated quite adequately for the lost demand to keep Growth going, despite the Corona restrictions.

      Climate activists are Anti-growth. The current model of infinite exponential growth and its sidekick of infinite consumption of resources based on a fixed volume planet will of course collapse in a dire way but that happens Later.

      When people are given several bad options they will usually pick the one that is less immediately bad, therefore, government naturally sees anti-growth activities, especially successful ones, as being Worse than terrorism (After all, there is Growth potential in protecting us against terrorism, meaning that terror is aligned with the Growth objective).

  24. sreynolds

    I would never trust them...

    Was looking at their wireguard implementation and how they overcame that stupid hardcoded IP address (by hardcoding a single ip address 10.2.0.2 - ie log2(1) = 0 information) but was taken aback by the line proton mail was started by some guys who met at CERN. Was this during a visit or was it doing privacy work for CERN or does it have any other relevance? I would be more trusting of the usual way these things happen - a few of us went for some beers in a pub and then this came about.

    1. Anonymous Coward
      Anonymous Coward

      Re: I would never trust them...

      Yeah, nothing useful on the internet ever came out of CERN, did it...?!

      By the very nature of CERN, it employs lots of techie IT people. It's no more unlikely that some of them working there might discuss not-quite-work things and come up with some good ideas there than it is in any other large technical organisation.

      1. Anonymous Coward
        Anonymous Coward

        Re: I would never trust them...

        Are you saying that http was better than gopher?

      2. RAMChYLD
        Trollface

        Re: I would never trust them...

        I'm pretty sure the CERN guys are evil to the core. Ever watched Steins;Gate?

        I'm also sure that they're working with another evil organization called the IEEE to bring about the end of the world to appease their mad god, it of the old one tooth, which wants Earth demolished so the alien race that hired it, the Lyrans, can build their hyperspace bypass.

        1. sreynolds

          Re: I would never trust them...

          In my opinion they are just like bitcoin; a big waste of energy.

  25. FIA Silver badge

    It’s fairly simple really.

    If you want to do something that breaks the law, don’t use a law abiding company to do it.

    1. sreynolds

      And what do you have to say about the Union Bank of Switzerland? I don't remember them throwing their clients into the fire? Apart from that thief who stole the information on a USB drive.

      1. FIA Silver badge

        You misunderstand. I’m not passing judgement. I’m pointing out the thought process you need to follow.

  26. Wzrd1

    It seems that Proton privacy & no logs is guaranteed whole

    Whole, like sliced Swiss cheese.

  27. DevOpsTimothyC Bronze badge

    Proton's public statement is still lying

    The firm's privacy policy, which was updated yesterday, now says: "If you are breaking Swiss law, ProtonMail can be legally compelled to log your IP address as part of a Swiss criminal investigation."

    So exactly which SWISS law was this user breaking? A French Europol order which is confirmed by a Swiss judge implies to me that a FRENCH law was broken, not a Swiss one.

    I see it in the same way as the Assange extradition, the US used the fact that the UK has an espionage law, aka this activity would have been illegal if it had happened in your country. I assume that's why the Swiss judge confirmed the warrant. Note there's also no details of a "Swiss criminal investigation", just that the Swiss are aiding the French.

  28. Frank Fisher

    Privacy is over

    The global state corporate superstate needs access to every word you say, in order to monitor, uncover and brainwash you. They can't keep this phony baloney hysteria going without that level of control; so no laws, no principles, no regulation, no ethic or IT best practice will keep their goons at bay.

    You are the product. You all know this. Today you are the data product. Tomorrow you will be Soylent Green. You really do all know this.

    1. Mike 137 Silver badge

      Re: Privacy is over

      "Tomorrow you will be Soylent Green"

      Only in the movie. In the original book Soylent Green was made from soya and lentils (hence the name). The milieu of the book was nasty too, but in other ways.

      1. Danny 2 Silver badge

  29. Anonymous Coward
    Anonymous Coward

    Just putting this out there from a digital transformation perspective

    Just putting this out there, following on from the "Privacy is over" post by Frank Fisher.

    Digital transformation is such that data is supposed to be equity, there are levels to this with "dark data" also being coined, with mechanisms at play to consolidate data in order to relate to the individual. This can be used for marketing, to product focus, statistical analysis, measure usage of resources, track things like infection, and much more as we move into AI.

    Now we have companies like Aon who sell this data to human resources departments to determine viability of a person before employment, meaning that it's profitable for privacy to be eroded, and the individual being sold as a product to companies.

    Could VPN companies be a way to simply consolidate data flow, so that these companies can then quietly sell data of the user? How do you prove otherwise beyond flowery words? Not saying that Proton is one of them. But the opportunity for profit here is high.

    If things continue, the idea of monetary movement (cash flow) will fail, that with capitalism, and we will head into a neo-Orwellianism.

    How? Well for the current system of trade to work, people need to earn so to spend. And currently companies want people to buy their products. But if there is the eventual loss of privacy, people will not create, be on edge and eventually act out due to loss of some form of freedom to relax. Psychosis comes to mind here.

    Look at companies like amazon, they are streamlining the low "paid" worker, who still claims benefits, as the pay is so low that they cannot afford to live and eat. And the reputation of these "workers" depend on references from the current company. Again, Aon here.

    Now Amazon have a high turnaround, which shows on paper that they "hire" a lot of people. But this is for contract, gig work, rather than long term employment. All companies want to make their portfolio look as viable as possible, so this will turn into the norm, as markets with high valued workers get more flooded. It was not long ago that I as an engineer was told to get into IT and networking. This was when pay was in the 50k range. Now the skills (not locked in to a specific system) are seen in the low range of 20k, with automation and AI being the big money for now. But even that will become cheap.

    The point I am making here, is that while technology is helpful, it can be a hindrance if focused in the wrong way. And currently I only see us heading into a dictatorship made up of:

    - Big data collection and analytics

    - Device power being made solely for data processing and collection, pushing cost of said processing and power usage on to user. Mesh networks are another form of tenancy by companies, to again use user utility for their purposes. Look at Amazon's Ring and Dot as an example.

    - Users reputation continually at risk, if they have the wrong opinion or look at the wrong things, stagnating innovation and development, while we rely on AI

    There is a lot to cover here. And I feel while I have put a lot down, it may not be suited for this audience and as a comment post. Sorry for the long post all and bad English.

  30. jollyboyspecial

    "In this case, Proton received a legally binding order from the Swiss Federal Department of Justice which we are obligated to comply with. There was no possibility to appeal or fight this particular request because an act contrary to Swiss law did in fact take place (and this was also the final determination of the Federal Department of Justice which does a legal review of each case)."

    How does this fit with their assertion that they don't keep IP logs?

    Anybody replying that they have to know the IP address an email originated from just think for a second. The emails are only traversing their servers. If they don't want to keep logs they don't have to. Once the email has winged upon its merry way then they don't need to keep anything at all.

    Now they may be required by Swiss law to keep such logs and that's fine by me. I'm not one of those people who thinks that companies should break the law just to keep their customers happy. However what I do believe is that they must be in breach of contract for stating that they don't keep IP logs when clearly they do.

    There are anonymous email servers in all sorts of countries who would wipe their collective arses on request from Europol. Just a thought.

    1. Danny 2 Silver badge

      "just think for a second...There are anonymous email servers in all sorts of countries who would wipe their collective arses on request from Europol. Just a thought."

      A thought you didn't take a second to think through. Irony bypass?

      ProtonMail don't log IP addresses by default but they can be ordered to in specific cases which is why they suggest using onion access. They've always been upfront about this, unlike the risk of trusting your safety to some unknown third world front company.

      As a former activist who has been on the bleeding edge of counter-surveillance I'd like to add two further safety measures.

      Firstly, use a different free 'burner' protonmail account for every action.

      Secondly, ProtonMail were also forced to hand over the "fingerprints" of the user so don't use the same computer setup for different actions. Those fingerprints include browser, screen resolution, OS version, etc, that seem random but hugely narrow any search.
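The point Danny 2 makes about "fingerprints" (browser, screen resolution, OS version) narrowing a search can be put in numbers: each attribute value is worth -log2(fraction of users sharing it) bits, and the combination shrinks the candidate set accordingly. This is an added example over a constructed population, not ProtonMail's data, the disclosed fingerprints, or any code from the thread; the attribute values and their proportions are made up for illustration.

```python
"""How a few client attributes that "seem random" shrink a search.

Added example over a constructed population; not ProtonMail's data or code.
Surprisal in bits is -log2(fraction of users sharing the value); the sum over
independent attributes is log2 of how many times the candidate set shrinks.
"""
import math
from typing import List, Tuple

Fingerprint = Tuple[str, str, str]  # (browser, screen resolution, OS)


def build_population(n: int = 1050) -> List[Fingerprint]:
    """Constructed users. Attributes are assigned by coprime moduli (7, 3, 5) so
    they are independent and every combination occurs a predictable number
    of times in each full cycle of 105 users (1050 = 10 cycles)."""
    population = []
    for i in range(n):
        browser = ("Chrome 93", "Chrome 93", "Chrome 93", "Chrome 93",
                   "Firefox 91", "Firefox 91", "Safari 14")[i % 7]
        screen = ("1920x1080", "1920x1080", "2560x1440")[i % 3]
        os_name = ("Windows 10", "Windows 10", "Windows 10", "macOS 11", "Linux")[i % 5]
        population.append((browser, screen, os_name))
    return population


def attribute_surprisal(population: List[Fingerprint], index: int, value: str) -> float:
    """Bits of identifying information carried by one attribute value."""
    matching = sum(1 for fp in population if fp[index] == value)
    return -math.log2(matching / len(population))


def fingerprint_bits(population: List[Fingerprint], fingerprint: Fingerprint) -> float:
    """Total bits, summing attributes (valid because they are independent here)."""
    return sum(attribute_surprisal(population, i, v) for i, v in enumerate(fingerprint))


def anonymity_set(population: List[Fingerprint], fingerprint: Fingerprint) -> int:
    """How many users in the population share this exact combination."""
    return sum(1 for fp in population if fp == fingerprint)


if __name__ == "__main__":
    pop = build_population()
    for fp in (("Chrome 93", "1920x1080", "Windows 10"),
               ("Firefox 91", "2560x1440", "Linux")):
        print(fp, f"{fingerprint_bits(pop, fp):.2f} bits,",
              f"{anonymity_set(pop, fp)} of {len(pop)} users share it")
```

The common combination still narrows 1050 users to 240; the less common one narrows them to 20, and every extra attribute (time zone, fonts, language) multiplies the effect.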

  31. low_resolution_foxxes Silver badge

    Well, perhaps the authorities really were concerned about children protesting over gentrification.

    But if I was being cynical, that sounds unlikely, considering this group's largest PR escapade. Unless I'm mistaken, these are the French protestors who physically broke into BlackRock HQ in France, smashed up the place and accused them of murder. It strikes me that cause and effect are likely rooted in that event, having likely caused a minor aneurysm among American "important people in finance".

    It is reported PM have the ability to activate IP logging when faced with a valid Swiss court order. Not a default activity.

    Perhaps this individual wished to continue the BlackRock escapade at other investment houses?

  32. bigtreeman

    protonvpn tor

    I use tor over protonvpn as suggested in the article.


Biting the hand that feeds IT © 1998–2021