Proton welcomes Sir Tim Berners-Lee to its advisory board – as ProtonMail suffers a privacy backlash

Privacy-centric communications specialist Proton, best known for its ProtonMail encrypted email platform, has announced the appointment of web daddy Sir Tim Berners-Lee to its advisory board. Founded in Geneva in 2013, ProtonMail - the core product of Proton Technologies AG, which branched out into virtual private networking …

  1. YetAnotherJoeBlow
    WTF?

    Logging...

    Perhaps Proton Mail will change "log authentications" to off in their settings for ALL new accounts. PM has logging enabled as default, per user; check your settings!

    1. GuildenNL

      Re: Logging...

      Yep, turned it off first thing.

  2. Potemkine! Silver badge

    Whitewashing

    Nice PR move Proton.

    1. Pascal Monett Silver badge

      Re: Whitewashing

      Indeed.

      But what a shame to have a person of such quality end up in such a dump.

      On the other hand, it might be just what the doctor ordered to sort out this mess.

  3. Anonymous Coward

    SUS!

    It's webmail FFS, if they can decode it to deliver the HTML webpage, they can decode it to deliver the plain text to whoever demands it. If their software can decode it, render it as HTML and send it to you, they can decode it. The core claim here of end to end encryption is bollocks. When it's rendered as HTML, it's decrypted, even if the TLS connection between them and you is secure, and the file on their servers is encrypted, the session must be decryptable, to be renderable.

    https://eprint.iacr.org/2018/1121.pdf

    So, immediately this is a sus! The core claim is false. And clearly the Swiss authorities are in on it, because nobody is pointing out the bogus nature of a WEBMAIL system being end to end, and nobody is challenging that in court to obtain emails. So there will be a backstory we are unaware of.

    After another CIA Swiss front company, Crypto AG, was discovered, the question immediately to ask is:

    Is this employee roll chosen by HR for the needs of the company, or chosen by CIA Marketing for a projected image of this company? Does this company look and smell like a Swiss company or an American CIA front company?

    My perception may be different than yours because I've worked in Switzerland, and dealt with Swiss companies often, even in Vaudoise, even near that new office block they're in now. To me this is a no-brainer. Overfunded, chock full of CERN people to leverage CERN's reputation, nothing like a Swiss company I would expect. Marketing something that by its nature is a false claim. Sus.

    But that's just my own judgement.

    Does adding Sir Tim Berners-Lee to that company make it more like a Swiss company? Does it fix the core problem, an insecure webmail system pretending to be secure?

    1. Anonymous Coward

      Re: SUS!

      To the downvoter.

      Read this (French police statement extract quoted by MuArF):

      https://twitter.com/MuArF/status/1433459776189607938/photo/1

      It says Protonmail asked them to send their request via Europol or Interpol. [What Swiss court order? Protonmail said they ignored the request from France, here the police say Protonmail told them to resend it via Europol or Interpol. What Swiss law, what Swiss court order that could not be challenged??? Protonmail told them to simply send it via a different channel!].

      "It appears that the company PROTONMAIL informs us that the email address has been created (blanked). The IP address linked to the account is as follows (blanked). The medium used is a device (blank) identifies the number (blank)."

      The info they sent was more than the IP address, it was also the account creation date, and data about the connecting device. THE STORY FROM PROTONMAIL DOES NOT MATCH THE EVIDENCE HERE.

      "the response obtained on the twenty-sixth of January two thousand and twenty-one, asking us to use the INTERPOL or EUROPOL channel to forward our requisitions,"

      26th January 2021, a long time ago, they are required by Swiss law to promptly inform people of requests for their records. When was that done?

      From this (post from the squatters using that email address):

      https://paris-luttes.info/recit-policier-de-sainte-marthe-15258?lang%3Dfr

      This was a minor squatting case, they took over a Siemp property, that had been vacant for 6 years, and protested Siemp (a large commercial developer) buying up the area, leaving properties empty for years, driving down prices and driving out residents, and buying up the area. That's the essence of their protest.

      None of this is a major thing that would involve Europol or Interpol FFS. So now tell me Protonmail is not a sock puppet operation, because the more I dig the more it smells like an old sock to me.

      1. Anonymous Coward

        Re: SUS!

        Protonmail's tweet:

        "ProtonMail only complies to Swiss court orders that we cannot contest. It would be illegal for us to comply to requests from non-Swiss authorities. However, the Swiss authorities can agree to assist foreign services such as Europol."

        Europol agreement:

        https://www.europol.europa.eu/sites/default/files/documents/agreement_between_the_swiss_confederation_and_the_european_police_office.pdf

        Applies to:

        "drug trafficking/ trafficking radioactive substances/ illegal immigrant smuggling; / trade in human beings;/ motor vehicle crime/ terrorism / forgery / money laundering"

        Which was it? It fits none of these.

        The Europol agreement says it must be consistent with Swiss law. I can't find any right to demand data without legal challenge in Swiss law. Again I ask for solid detail, WHAT SWISS LAW, WHAT SWISS COURT ORDER that could not be contested?

        This appears to have been a simple request that was voluntarily complied with. With Protonmail actively guiding the French, and presumably Europol helping launder the request under one of their limited remit terms*.

        "Article 7, Section 5. Individuals shall have the right to have access to data related to them transmitted under this agreement, or to have such data checked, in accordance with the applicable provisions of the Europol Convention or the Swiss legislation."

        Terrific, so there will be more information coming in future no doubt? Assuming it was routed through Europol and they comply with their own rules. That'll be fun Tim, do you fancy fronting that?

        The information I got from searching the email address, was available to Protonmail by searching, it was a public mention of the email address the police were investigating. So any such claim along the lines of "we couldn't possibly know what this email was used for" when a simple search would have revealed that, is false.

        I wonder: if they are so helpful providing low tier information, and given that they control their website, any claim of "it's end to end encrypted, we cannot read your emails" is essentially trivial to bypass, since it's their website running and delivering their code with their choices. If they chose to read the emails, their code would read the emails.

        But hey, CERN! Switzerland! Tim Berners-Lee! Smell the sock Tim? stinky stinky sock? Is that smell really Gruyère Tim? Or American cheese like product?

        * I bet most of you Europeans wouldn't dare even question it, given the surveillance powers of these creeps.

        1. jtaylor

          Re: SUS!

          tl;dr: When discussing law, details matter. Context matters.

          "'drug trafficking/ trafficking radioactive substances/ illegal immigrant smuggling; / trade in human beings;/ motor vehicle crime/ terrorism / forgery / money laundering' It fits none of these."

          What, specifically, "fits none of these?" The Interpol order? If you have the information and background to understand the situation, please share.

          " Again I ask for solid detail, WHAT SWISS LAW, WHAT SWISS COURT ORDER that could not be contested?...This appears to have been a simple request that was voluntarily complied with."

          Legitimate question. We don't know what Swiss law. Heck, I don't know Swiss legal theory to even know what questions to ask. Even heavily statutory systems like in Germany rely on a large foundation in order to be interpreted and applied. Still, the intent of your question is important. Don't discard it in your rush to claim that Proton are extrajudicial frauds.

          1. Anonymous Coward

            Re: SUS!

            "What, specifically, "fits none of these?" The Interpol order? If you have the information and background to understand the situation, please share."

            +++ What? You can literally google using the Protonmail address, and simply read the posts they made using that address, 'it': the cause of the order that the police searched for. Feigning ignorance is no excuse here. Also Interpol? or Europol?

            +++We got to see an extract from the French side on Protonmail's part of this; it includes information like creation date, which necessarily is logged BEFORE any court order, and the device ID, which also would be logged BEFORE the court order, to do otherwise would require the client side software change to obtain that device ID, no?

            "It appears that the company PROTONMAIL informs us that the email address has been created (blanked). The IP address linked to the account is as follows (blanked). The medium used is a device (blank) identifies the number (blank)."

            Feel free to correct me if I'm wrong or mistranslated it.

            A device ID is a huge problem here, if that's an Android ID it identifies the user. Are you telling me an email provider sends out a user's ID proxy on uncontestable secret* orders?

            *If they're not secret, then let's see them!

            +++The core thing, their promises are implemented by their code. If they wanted to do something else their code would do that something else. Inherently their core product is flawed and you're simply trusting them not to look. They say decryption is done in the browser, but that's a choice in their code that's under their control. Trust is all you have.

            You said this:

            "Don't discard it in your rush to claim that Proton are extrajudicial frauds." I said, "does not pass the sniff test".

            Sniff it, does it pass the sniff test? No? Then avoid it.

    2. IGotOut Silver badge

      Re: SUS!

      "Does this company look and smell like a Swiss company or an American CIA front company?"

      If you spent 5 seconds looking at the founders and why, you'd know.

      Still, I guess the moon landings never happened either.

    3. NonSSL-Login
      Big Brother

      Re: SUS!

      All the decoding is done locally on the browser if you use Protonmail web mail.

      Depending on when your account was created, there is a separate mailbox unlock password to decode the encrypted blob sent to your browser after you use your login password. From what I understand they made it a single password more recently for new users, so assume the login password gets re-used to unlock the content too. Old users like myself still have 2 different passwords, one to login and one to decode the mailbox.

      It will be interesting to hear if that change enabled more surveillance or not. Maybe Tim can look into that for us!

      The gist I got from the articles is they started logging for that account when asked to by the court order, rather than giving out previously logged information. But it's hard to trust the media's accuracy when reporting precise details of things these days, so I guess we will get clarification eventually but remain not sure for now.

      1. Anonymous Coward

        Re: SUS!

        None of that encryption passes muster. THEY deliver the code that implements THAT 'local' claim. If they wanted access to any emails, they would simply deliver different code.

        Given it's webmail that would be done PER USER PER ACCESS even.

        So the core product claim is bollocks and you simply rely on trusting them not to look.

        They don't pass the sniff test even remotely. Switzerland might have a "strong-privacy-law" image but that's just image, it has all the usual surveillance agreements, and in reality it has hosted CIA front companies secretly before, Crypto AG being one of the best known ones.

        They smell like "American Cheese Like Product" in a Swiss sock, not Gruyere.

        Crypto AG backdoored encryption that undermined Swiss security too for the benefit of the US. With bad-actors in Switzerland knowingly involved in that without the consent of the Swiss public. Of course those people have decided to align Switzerland with USA forever. Trump might have seized power and they could not protect Switzerland from Putin-friendly surveillance, having dismantled their own encryption.

        Numpties in hi-viz jackets compromising their own countries' security for some sort of loyalty to a foreign power. UK & Australia know that feeling well I think.

        I would suggest Protonmail relocate just across the border to France, bring themselves under GDPR, if there is anything in the EU that prevents privacy protection, then the fix is to join me in hammering home the message that "democracy requires privacy" and fixing the laws, and bringing the hi-viz numpties back under sovereign loyalty.

        1. NonSSL-Login
          Big Brother

          Re: SUS!

          Yes they could potentially change the code they serve up but it only takes one whistleblower to say that happened for the whole company to be destroyed.

          Mega had the right idea with a browser extension with the code in so if used, you would not be vulnerable to a server side code change. ProtonMail should offer something similar.

          Any company could be taken over and covertly run like the Germans and US did with Crypto AG. I'm not sure what your point is. With pretty much any external service you are putting your trust in the company not to do bad stuff with your data. If you use Gmail or Hotmail it's guaranteed your emails are passed along and accessible to the 5 or 14 eyes.

  4. Anonymous Coward

    Proton welcomes Sir Tim Berners-Lee

    for sir-tim-berners-lee-washing, aka damage limitation

  5. hayzoos

    WWW and privacy, LOL

    I know Sir Tim Berners-Lee does support privacy in his more recent statements.

    But does anybody else see the irony in his appointment to a privacy based email service?

    The man most famous for giving us the WWW using hypertext to allow us easier access to all the world's information on the Internet. He is now to advise on how to keep information private using the Internet.

    1. Anonymous Coward

      Re: WWW and privacy, LOL

      Email != WWW
