The article's format is awful and designed to waste your time.
This article also just points out the use of Livekit but doesn't deliver what that means for your security. Maybe instead of writing a hit piece you could have dug deeper, talked to Proton?
I've seen a lot of articles and posters here being negative on Proton, calling it "shady", regurgitating facts that are supposed to be gotchas but have tons of nuance if you dig, and I am beginning to think there is some coordinated effort to get people not to use it.
Most of the privacy claims (of all type of apps) are essentially garbage anyway because realistically, if a website or an app can be compelled to push an update to a specific user, then they can intercept anything they want.
It doesn't even have to be a specific binary, it can be "just turn on this A/B testing / debug flag for that user" or a piece of JavaScript.
>Most of the privacy claims (of all type of apps) are essentially garbage...
True. Everything has backdoored CPUs as its foundation. Consider, for starters: (Intel's 'Management' Engine); AMD's (PSP); Apple/Arm (black-box hardware).
You can layer as much theater as you like on top of the hardware-surveillance-layer in modern computers; it still won't grant you privacy.
They are very expensive. Cheapest Power9 system Raptor Systems has is $6,794.99 and it has only 4 cores and 8GB DDR4 RAM and 128GB SSD. Reminds me of Sun Sparc pricing.
How are they leading? If I parse this correctly, "actually" open would mean fully open data training and weights? Then, by this definition, I'm only aware of Olmo (AllenAI - Seattle), Apertus (Swiss) and to some degree (unclear what data was actually published) Nemotron (Nvda, US). What are some examples of similar Chinese models? (I'm not aware of any).
I don’t think that is a useful definition even if technically true. With that logic even Linux isn’t privacy because in theory they can push code that will only run for you.
I think the argument is that when you load a webpage, you download the code every time you want to run it, from servers owned by the company building the service. So they can choose to serve you different software (e.g. with a backdoor), just this one time and just for you, and you won't know (not that it would be impossible, but it is generally impossible in practice).
When you download a program on Linux through the distro package manager, you download it once and run this, every time. You know very well when it gets updated. You can compare the hash of your program/package with the one distributed by the distro, and the distro is not the developer of the program (so there is another layer there). You can audit that code (if open source), and at the very least you can compare with others to see if they receive the same code. And again, the program is served by the distro, not by the developer. The backdoor situation would require asking the developer to implement a backdoor, and then asking the distro to serve you a different executable, and then hoping that you never, ever check the hash of that program that you own offline. It's a lot harder.
In a way, for ProtonMail (in your browser) to be "end-to-end encrypted", you have to trust Proton. But that kind of defeats the purpose of end-to-end encryption.
Same applies to e.g. WhatsApp Web, which is an interesting example because there exists a browser extension allowing you to "validate" that you run the code Meta expects you to run. Though you still have to trust Meta: the extension only helps making sure that nobody other than Meta is abusing you. The WhatsApp mobile app doesn't have that problem, as it is distributed as an archive by a third party (Play Store).
Using what mechanism? Most Linux updates are not pushed but rather pulled at the user's request. You can use Linux totally offline. This is fundamentally different from a webapp, where code is sent with every visit.
Distros have mirrors and they don't know which one you use. The updaters don't send user IDs and downloading the package lists is separate from downloading the packages. So targeted backdoor distribution is much harder than a company's web UI with user logins targeting a specific user.
Debian requires unattended-upgrades to be installed (it's not installed by default), Mint and Fedora have the option of enabling automatic updates (disabled by default), Arch has no mechanism for automatic updates.
Signal pushing updates every other day is pretty much a security anti-pattern though. It makes it almost as vulnerable as a web app to this kind of thing, but this isn't the typical Linux software experience by any stretch.
I once did some tinkering with Proton Docs and I was able to find that the comments within Proton Docs, when I used it via curl, definitely felt like it had something like logs (I feel like I should try doing this again to have a more definitive answer).
Either way, the response was encrypted but they hold the encryption key at least within proton-docs.
I also want to say that Proton allows the ability to change password through OTP (something which I sorta appreciate[0]), but that means that their infrastructure can then have the ability to change password, and you can toggle that functionality by sending a request to Proton to allow OTP and on which number, so Proton themselves can do that too. Unless I am getting it wrong, by default, Proton still has your encryption keys and even if you change them (which 99% including me might not do), even then I definitely feel like there can be some concern.
To be honest, there is nothing like zero trust, that's what I learnt. You are still trusting Proton, aka the Swiss laws behind it, so that you know that they won't get legally forced to give more data than usual (like US companies for example), but they will still comply with the Swiss laws (recent Proton incident).
Then, secondly, you have to trust Proton themselves, but with something like this incident where Proton Meet might be omitting some things, it doesn't paint a clear picture of transparency or trust.
I don't really know why Proton might create something like Meet especially with its infrastructure relying on the CLOUD Act, and then, try to sell it within the idea of privacy. They both are contradictory.
Proton is creating lots of products. On one hand I can appreciate that, but on the other, as part of the community, I feel frustrated/sad because they don't have some core features like proper Proton Drive rsync support or even some APIs[1] surrounding it. I tried to do the experiment in the first place because I wanted to create a commenting engine for static websites which could use proton-drive as its backend. They really could gain a lot from transparency with proper API support and letting the community do things with it, but that's not really the case :/
I am still using Proton but they definitely aren't a bastion recently. I might still recommend Proton, but I sort of hope that companies self host some open source applications themselves, whether self-hosting with hardware or in a proper EU cloud like Hetzner/OVH.
But incidents like these are making me a little more hesitant to recommend Proton nowadays.
[0]: as someone who had lost one of my previous accounts after my KeePassXC database got deleted because of me accidentally wiping my Arch Linux while tinkering with it, now I use Bitwarden with OTP on Proton.
[1]: I was able to make something like an API myself by relying on something like puppeteer, even with puppeteer though, it was really hard to make something like that. I couldn't create a public endpoint of it because having puppeteer instances for a commenting engine would be very resource intensive.
You need mechanisms to avoid the possibility. The mechanisms to do such things exist by default, by both the software provider (e.g. Proton) and the software distributor (e.g. Apple for App Store, Google for Play Store, Cloudflare or AWS for web stuff), and various countries have laws that allow them to secretly compel implementing specific backdoors.
In order to block the distributor from going rogue, you need to be able to guarantee that the user device can only install/run code signed by the provider, who must never give those keys to the distributor. My impression is that Android is the only major platform that ever had this, but that Google ruined it a few years ago in the name of lighter bundles by insisting that they hold the keys. (I once had VLC from Google Play Store, but replaced it with a build from F-Droid under the same app ID; Google Play Store shows it has an update for it, but that it can’t install it.)
In order to block the provider or distributor sending specific users a different build, you need something more like Certificate Transparency logs: make it so that devices will only run packages that contains proof that they have been publicly shared. (This is necessary, but not sufficient.)
And if you’re using web tech, the mechanisms required to preclude such abuse do not at this time exist. If you’re shipping an app by some other channel, it can do a resource integrity check and mandate subresource integrity. But no one does things that way—half the reason for using web tech is specifically to bypass slow update channels and distribute new stuff immediately!
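As an added example (not code from this thread, from Proton or from LiveKit), here is a minimal RFC 6962-style Merkle inclusion check modelling the requirement described above: a device runs a build only if the build carries a valid proof that its hash is in a public log, so a build served to one user only would fail the check unless it was also published. The log entries, build names and the `client_accepts_build` policy are constructed for illustration.

```python
import hashlib
from typing import List

# Constructed sample log: one entry per published release build, here the
# SHA-256 of each build's bytes. A real log would record signed manifests.
SAMPLE_LOG = [
    hashlib.sha256(b"app-1.0.0.tar.gz").digest(),
    hashlib.sha256(b"app-1.0.1.tar.gz").digest(),
    hashlib.sha256(b"app-1.1.0.tar.gz").digest(),
    hashlib.sha256(b"app-1.1.1.tar.gz").digest(),
    hashlib.sha256(b"app-1.2.0.tar.gz").digest(),
]


def leaf_hash(entry: bytes) -> bytes:
    # RFC 6962 leaf hashing: the 0x00 prefix prevents leaf/node confusion.
    return hashlib.sha256(b"\x00" + entry).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def split_point(n: int) -> int:
    # Largest power of two strictly less than n (RFC 6962's k).
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(entries: List[bytes]) -> bytes:
    # RFC 6962 Merkle Tree Hash over the whole log; this is what the log
    # publishes (signed) and what every client compares against.
    if not entries:
        return hashlib.sha256(b"").digest()
    if len(entries) == 1:
        return leaf_hash(entries[0])
    k = split_point(len(entries))
    return node_hash(merkle_root(entries[:k]), merkle_root(entries[k:]))


def inclusion_path(entries: List[bytes], index: int) -> List[bytes]:
    # Sibling hashes from the leaf upward (RFC 6962 PATH). The log operator
    # computes this and ships it alongside the build.
    if len(entries) == 1:
        return []
    k = split_point(len(entries))
    if index < k:
        return inclusion_path(entries[:k], index) + [merkle_root(entries[k:])]
    return inclusion_path(entries[k:], index - k) + [merkle_root(entries[:k])]


def verify_inclusion(entry: bytes, index: int, tree_size: int,
                     path: List[bytes], root: bytes) -> bool:
    # Client-side verification (RFC 9162 section 2.1.3.2). The client needs
    # only the entry it received, the claimed index, the tree size, the
    # path, and the root it already trusts.
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_hash(entry)
    for p in path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            if not fn & 1:
                while fn and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


def client_accepts_build(build_bytes: bytes, index: int, tree_size: int,
                         path: List[bytes], published_root: bytes) -> bool:
    # Hypothetical device policy: run a build only if its hash is provably
    # in the public log. A build altered for one user has a different hash
    # and therefore no valid proof against the published root.
    return verify_inclusion(hashlib.sha256(build_bytes).digest(),
                            index, tree_size, path, published_root)


if __name__ == "__main__":
    root = merkle_root(SAMPLE_LOG)
    path = inclusion_path(SAMPLE_LOG, 1)
    print("public build accepted:",
          client_accepts_build(b"app-1.0.1.tar.gz", 1, len(SAMPLE_LOG), path, root))
    print("per-user build accepted:",
          client_accepts_build(b"app-1.0.1-for-user-42.tar.gz", 1, len(SAMPLE_LOG), path, root))
```

As the comment notes, this is necessary but not sufficient: the client must also have a trustworthy root (via gossip or a signed tree head), otherwise the log operator can present a private tree to one client.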
Not sure if that counts as proper evidence, but I have seen some logs[0], albeit with encryption, but from my understanding they control the encryption keys or at least certainly have the ability to change them (if they get hacked themselves, for example).
Would you like to see a proper evidence of the logging policy? I feel like I can try finding that again if you/HN community would be interested to see that.
Edit: also worth pointing out that keeping logs with time might be a form of meta-data, which depending on your threat-vector (journalism etc.) can be very sensitive info.
I'd like to see any kind of evidence that there's any substance in these accusations of services not actually being private - not just theoretical theorycrafting about mechanisms.
And how does that compare to other services we have available and people actually use?
You'll have to be more specific what kind of "privacy claims" you're talking about. Proton is definitely a lot more private than, say, Google. But, as always, you'll have to trust the party delivering the binaries you run. Also, any company operating legally has to cooperate with court orders etc., but afaik they try to push back.
Hmm, I am not completely sure what the website is trying to say (there is soooo much text and it's quite unreadable). But it feels like it says "it is hosted on US servers, so it's baaaaad".
The thing is, it seems to be end-to-end encrypted with MLS, which means that the servers cannot decrypt the conversations. Probably some metadata are leaking (which IP is in a call with which other IP), but that's a different threat model. Metadata is always a harder problem.
Now I don't know if Proton knows which users are together in a call, or if it's just leaking IPs. Maybe the article says it, but I didn't have time to decrypt it :-).
Especially questionable choice by Proton not to opt for the self-hosted option. LiveKit offers an enterprise tier that even lets you set up your own mesh, so you are not dependent on their hosted infra.
I'm sorry I had to use a feature on my browser I rarely use which is summarize. I'm pretty sure your point is valid and concerning but the way that page was designed is just too painful to read.
Yeah, this same site did an article on some minor Ubuntu bootloader drama some weeks ago and when I recognized the design I just stopped reading. If you have something to say don’t go out of your way to make it hard to parse.
After Proton has repeatedly turned over users of their email account to law enforcement, always with many excuses, their claims about no ability for any government to see what's going on on their network ran very hollow.
I know Brave has offered their Talk video conferencing service for a while, but I don't know if any serious network analysis has been performed on it.
https://talk.brave.com/
I am fundamentally against spyware that constantly monitors you and reports anything. Because of the constant and pre crime nature of it.
On the other hand I am actually not fundamentally against turning over data when independent judges sign a warrant.
This is arguably a very tight rope to walk but I think that's the most realistic compromise between my right to privacy and the right of others to get justice when something is done onto them.
Perhaps you may not remember the US government's tendency to invade privacy for suspicious reasons (that is, at the very least extra-legal and sometimes downright unconstitutional).
You mentioned a warrant. I do not believe that has been a required threshold.
I am not American so my lens may be a different one.
What I am coming from is basically an extension of the German laws that govern the mail secret (Briefgeheimnis), which actually is constitutionally enshrined in the German constitution.
But it has notable exceptions that can be made upon federal law. The burden for these is supposed to be pretty high.
I think this should not happen willy nilly. And if that's the case in the US I am obviously against it.
It is a complex multi layered subject because it has to weigh the rights of multiple people against each other.
I think this comment deserves some nuance. Every company has to comply with local laws. Unless you want to run something illegal, at which point it's not a very reliable alternative for all your mail and more.
Proton in some cases was forced to turn over whatever they knew of a few accounts, according to Swiss law. They try to obfuscate as much as possible, so they can't turn over complete e-mail conversations. But some info is in there, and they have to turn that over. But (correct me if I'm wrong) they only have to comply with Swiss law, when there's a court order.
I like to point out often the yellow vests protesters being ratted out by Proton as a good example of how misleading their marketing is.
French police contacted Swiss police to get the id of the accounts, the Swiss told Proton to hand over the data.
Problem is - under French law, their police would not be able to get that data from local providers.
Proton - HK owner, dev team in Bulgaria and marketing with mythical claims of "Swiss company privacy".
For a company that is selling essentially trust, they sure are shady as f...
I'm always confused by the conspiratorial takes that think there's some service out there _not_ bound by the legal system where it resides. Obviously Proton obeys the law and gives up data when it has to. Where are the services that don't do that? Somalia?
I think the key difference is the amount of data the service can offer when it is asked to do so by some legal entity. Signal famously claims to barely have any useful data to turn over when ordered to do so [1]. If some provider states they are privacy-focused and protect your data from governments, but can still offer loads of your private data when ordered to, that damages their privacy claim.
EDIT: "some provider like Proton" -> "some provider", never wanted to imply Proton specifically did or does this.
> If some provider like Proton states they are privacy-focused and protect your data from governments, but can still offer loads of your private data when ordered to, that damages their privacy claim.
"Loads" of private data? When has this allegedly happened or how would it technically even be possible?
Well, Proton themselves say they will provide information about who has contacted a ransomware attacker to law enforcement. https://proton.me/legal/law-enforcement
So that probably has happened. Whether they've even provided other private data I don't know, but
> how would it technically even be possible
Well, it's not possible if you trust their claims about E2EE, but that is just a claim. How's that any different from a non-encrypted email provider saying they won't provide your emails to others? It all comes down to trust in the end.
They don't claim email is E2EE. Of course they need to know email metadata to route messages. That's unavoidable if you are using email. It's not encapsulated like that.
> Account Activity: Due to limitations of the SMTP protocol, we have access to the following email metadata: sender and recipient email addresses, the IP address incoming messages originated from, attachment name, message subject, and message sent and received times.
This would be obvious to anyone who knows how email works. It would be very silly for them to claim otherwise.
Keyword is "like": a service like Proton. No idea if and what data they have offered to their government. I was merely trying to offer an explanation to the parent commenter, who was wondering how people can critique privacy-focused services offering data when required by law.
Fair enough, I agree. In Proton's case, I'm biased because I used to work there ~2019-2022 and the company was basically printing money from subscriptions alone (covid likely helped with that), while fighting (pretty successfully) every request to avoid providing even that limited metadata, because the alternative of ruining your core strength - privacy - meant the death of the business. I don't know if anything changed, but I'd bet the goals remain largely the same - providing good-enough privacy any commercial company can realistically give you. Unencrypted user data in this business is poison, and they're well aware fwiw.
But don't they have both the encrypted data and the decryption keys? I don't remember giving them my keys to use, and I can look at my stuff from multiple devices so the keys aren't stored on my device.
So they must have the ability to look at all that encrypted data anyway?
You seem to be hiding behind this "like" while writing into comments about Proton - making accusations and theories that imply it's Proton that actually does that.
I mean, is it really a conspiracy theory to want or believe that there are services (based in Europe) that don't hand over any and all user data to the USA government when asked? It's probably wrong to believe it to be the case, but just because it's wrong doesn't make it "conspiratorial".
It's quite hypocritical of Proton to claim that they protect against government surveillance when they do things like this though [0]. Their legal team has probably ensured they don't claim anything strictly false, but the implication and the reality are wildly different.
Proton's marketing definitely makes it sound like they are fully anonymous and wouldn't even have anything to hand over to law enforcement. Look at the wording they use to describe the product.
Proton has always-on end-to-end encryption and zero‑access encryption, meaning even we do not have access to your data.
[...]
Based in Europe, Proton ensures your data is protected by some of the world’s strongest privacy laws. Because Proton isn’t a US‑based company, we can’t be compelled by laws such as the US CLOUD Act to hand over your data to the US government or terminate your services. [1]
Obviously as we have seen, they 100% can and will hand over your data to the US government. Yes, it's in the privacy policy/ToS & they're complying with local laws. But that's clearly not how that reads.
[In 2021, the Switzerland-based vendor provided local police with the IP address and device details of a netizen the cops were trying to identify. That individual – a French climate activist who was already known to police – was later arrested.
Shortly after that kerfuffle, Proton removed the claim that it didn't track user IP addresses from its website. Proton has also previously been accused of offering real-time surveillance of users to authorities.] [2]
They're Swiss, so while technically in Europe, they are not in the EU. Maybe they're closer than the US, but they're still a foreign tech company in the EU.
Yeah, there's another thread showing a similar trend. In a strange way it's making Trump's incessant nonsensical big-upping of himself and the US as-a-whole make sense in a cultural context that I hadn't thought was as pervasive as maybe it is. It explains that polls still show 30% support.
There's nothing bad about SFU, particularly the version you wrote, which forms the basis of Livekit. It would be my first choice for supporting larger groups in Briefing anyway. If the traffic is E2EE, it doesn't matter if an SFU is involved. The critical part is the signalling, in my opinion. This is where the initial communication is established. In the current version of my app, whose source code is yet to be published, this can happen via an untrusted server.
Please remind me: Is there any legitimate business venture that can operate outside the laws of the country they are registered in?
If there is, why don’t these people who write blog posts and comments about how “this is all a scam!!” “It’s a psyop! “They” control it all!” If it’s all black and white, if there's no real difference between a company like Proton and Google or Microsoft, then why don’t they create a business that provides a service where there’s no way for any government to know anything at all, ever? They’ll be printing money..
But perhaps the conspiracy realm and public broadcast of ideals is more attractive than a real business.
Yes, you shouldn’t trust 100% in a person let alone a group of people that form a company. Grow up.
This is the worst form of article I've ever seen. Did the author read this? Is there even really an author or did ChatGPT just write all of it and generate the page?
Proton is the most shady company out there, especially with the fact that they try to make you put all your eggs into their basket. I stopped using their email (when they used to be an only email company) when they dropped the .ch domain. Same goes with botched security products like GrapheneOS and the likes: when the hardware is backdoored, the modem is tracking you more than your psycho ex, yet you are given this illusion of security to buy.. you are not, in fact, you are gonna get more obvious for fingerprinting than using an average iPhone like most people and blend in. Honeypot, hornet's nest, whatever the terminology, but the concept was used and is still used to lure people in and make the job easier to ID them than going after them in the wild.
Nope, you can make new emails with .ch as well, just not on the free tier. I am looking at my settings now. .ch is definitely an option when creating new emails. I believe pm.me is also only for paid plans.
What a shitty website. I got to about the third slowly-fading-in-picture-of-text block and realised that whether or not I wanted to read it, it's more effort than it's worth.
No, if a website is that obnoxious I just close the tab. It is not worth yet another mental drain on my limited attention span to read slop.
Just give me the boring single .htm page with your thoughts or a Wordpress site with minimal plugins. I'd hate to think the strain the author puts on people with accessible needs making this.
I just love people who go on their soapbox to complain about a newer alternative when the status quo is worse.
"nooo but proton mail complies to court orders!!111" wow shocking I know right? Do you think the other providers don't?
These are usually the same people who forget rubber-hose decrypting works
"But they use LiveKitCloud" yes - however we don't know half the story
Can Proton BYOK over their infra?
LiveKit's website TOS with a generic user - not ProtonMail. We don't know if there are any agreements there
> "all disputes are governed by the laws of the State of California"
Yes this is common with TOS.
> Their privacy policy explicitly acknowledges FTC jurisdiction and states the company will "access, preserve, and disclose your information"
This is the important part, not the other one above it
> showed active connections to 161.115.177.32 on port 443, a LiveKit-owned IP block (ARIN OrgId LIVEK) hosted on Oracle Cloud Infrastructure
Good test, but what/where was the originating IP? Was it using Brave's VPN (to the US) by any chance?
TBH I'm still more annoyed about the 90 day cookie - that was just rude
So again "why don't we have better privacy respecting options?" Maybe because if we try to do it some "privacy advocates" will throw a massive fit complaining about all its shortcomings (and still not pay for the service).
Proton does offer more privacy than mainstream providers, because they have less information to hand over when courts compel them.
Proton isn't perfect by any means, but the idea that there is no meaningful privacy difference between Proton and (for example) Gmail because both respond to court orders is flat-out false.
Your complaint is not at all what the article is about.
The article is showing that the proton claim that their new service is private from the US government data acquisition, including inability to access call metadata, is a lie (an intentional misrepresentation of the known truth by Proton).
Pretty funny because a few weeks ago some dude felt compelled to virtue signal about how he was moving off American-controlled services like Gmail, as some ostensible protest against Trump and the Iran War. I pointed out that Proton Mail, one of the services he moved to, is ultimately controlled by the US Gov, and my comment got flagged lol.
Proton being at the behest of Uncle Sam has been old news for a while.
"Controlled" is a bit hyperbolic, but there's a collaboration agreement between the USA government and the Swiss government, so Proton has to comply with requests from for example the FBI. Quoting a comment by Proton staff on Reddit:
> First, let's correct the headline: Proton did not provide information to the FBI. What happened is that the FBI submitted a Mutual Legal Assistance Treaty (MLAT) request, which was processed by the Swiss Federal Department of Justice and Police. Proton operates exclusively under Swiss law, and we only respond to legally binding orders from Swiss authorities, after all Swiss legal checks have been passed. This is an important distinction.
> [...]
> The only information Proton could provide was a payment identifier because the user chose to pay with a credit card. This is information the user themselves provided to us through their choice of payment method. Proton also accepts cryptocurrency and cash payments, which would not have been linkable to an identity.
So basically, don't trust Proton with information unless you want the FBI to know it.
Sorry, perhaps the takeaway is clearer when you see the full quote [0]. I omitted it for space, here's the relevant part
> Third, let's talk about what was actually disclosed. No emails were handed over. No message content. No metadata about who the user communicated with. The only information Proton could provide [...]
Yes, paying by crypto prevents Proton from disclosing your identity that way. Is there anything preventing Proton from disclosing the email content or metadata? Do they claim they won't disclose that? Clearly they do allow themselves to disclose metadata [1]
> For example, in ransomware cases, we can preserve information about which victims contacted the suspect, so that victims can be notified.
So, "just don't pay with a credit card" comes with the additional caveat of "don't email somebody you don't want the FBI to know you emailed". Whether you also need to "don't write anything you don't want the FBI to know", I haven't investigated further, but you could perhaps look that up yourself. I will just assume that to be the case based on what I've seen.
There are limits to what you can encrypt. In all of the cases of Proton being critiqued for its compliance with law I haven't seen any instance of them being able to disclose email content, where metadata is "who we're sending email to", which is, I assume, not encryptable if you want a usable service. That being said, the quote does make your pov clearer, thank you for that.
https://www.raptorcs.com/content/BK1SD1/intro.html
https://www.scmp.com/tech/big-tech/article/3347684/alibaba-d...
Weirdly, the authoritarian state is the one saving us from our own digital authoritarians.
I think that’s a sweeping generalisation.
Which ones are these "most distros"?
Either way, the response was encrypted but they hold the encryption key atleast within proton-docs.
I also want to say that Proton allows the ability to change password through OTP (something which I sorta appreciate[0]), but that means that their infrastructure can then have the ability to change the password, and you can toggle that functionality by sending a request to Proton to allow OTP and on which number, so Proton themselves can do that too. Unless I am getting it wrong, by default Proton still has your encryption keys, and even if you change them (which 99%, including me, might not do), even then I definitely feel like there can be some concern.
To be honest, there is nothing like zero trust, that's what I learnt. You are still trusting Proton, aka the Swiss laws behind it, so that you know that they won't get legally forced to give more data than usual (like US companies, for example), but they will still comply with Swiss laws (recent Proton incident).
Then, secondly, you have to trust Proton themselves, but with something like this incident, where Proton Meet might be omitting some things, it doesn't paint a clear picture of transparency or trust.
I don't really know why Proton might create something like Meet, especially with its infrastructure relying on the CLOUD Act, and then try to sell it within the idea of privacy. The two are contradictory.
Proton is creating lots of products. On one hand I can appreciate that, but on the other, as part of the community, I feel frustrated/sad because they don't have some core features like proper Proton Drive rsync support or even some APIs[1] surrounding it. I tried to do the experiment in the first place because I wanted to create a commenting engine for static websites which could use Proton Drive as its backend. They really could gain a lot from transparency with proper API support and letting the community do things with it, but that's not really the case :/
I am still using Proton but they definitely aren't a bastion recently. I might still recommend Proton, but I sort of hope that companies self host some open source applications themselves, whether self-hosting with hardware or in a proper EU cloud like Hetzner/OVH.
But Incidents like these are making me a little more hesitant to recommend Proton nowadays.
[0]: As someone who lost one of my previous accounts after my KeePassXC database got deleted because I accidentally wiped my Arch Linux while tinkering with it, I now use Bitwarden with OTP on Proton.
[1]: I was able to make something like an API myself by relying on something like Puppeteer; even with Puppeteer, though, it was really hard to make something like that. I couldn't create a public endpoint for it because having Puppeteer instances for a commenting engine would be very resource intensive.
I think that would be widely decried especially on HN if that is one day implemented.
In order to block the distributor from going rogue, you need to be able to guarantee that the user device can only install/run code signed by the provider, who must never give those keys to the distributor. My impression is that Android is the only major platform that ever had this, but that Google ruined it a few years ago in the name of lighter bundles by insisting that they hold the keys. (I once had VLC from Google Play Store, but replaced it with a build from F-Droid under the same app ID; Google Play Store shows it has an update for it, but that it can’t install it.)
In order to block the provider or distributor sending specific users a different build, you need something more like Certificate Transparency logs: make it so that devices will only run packages that contains proof that they have been publicly shared. (This is necessary, but not sufficient.)
And if you’re using web tech, the mechanisms required to preclude such abuse do not at this time exist. If you’re shipping an app by some other channel, it can do a resource integrity check and mandate subresource integrity. But no one does things that way—half the reason for using web tech is specifically to bypass slow update channels and distribute new stuff immediately!
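The two checks described in this comment and in the package-manager comment further up (compare your copy against the hash the distributor publishes; only run code that carries proof it was publicly logged, the way Certificate Transparency does for certificates) can be modelled in a few dozen lines. The block below is an added example written for this page, not code from the thread, from any distro, or from any platform vendor. The packages, hashes and log contents are constructed; the Merkle tree follows the RFC 6962 / RFC 9162 shape, and the subresource-integrity helper only shows the digest format a web page would pin.

```python
"""Refusing to run a package unless its hash is public (added example)."""
import base64
import hashlib
from dataclasses import dataclass


def leaf_hash(data: bytes) -> bytes:
    # RFC 6962 domain separation: leaves and interior nodes hash differently,
    # so a leaf can never be passed off as a node (or vice versa).
    return hashlib.sha256(b"\x00" + data).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split(n: int) -> int:
    # Largest power of two strictly less than n (RFC 6962 tree shape).
    return 1 << ((n - 1).bit_length() - 1)


@dataclass
class InclusionProof:
    index: int
    tree_size: int
    audit_path: list[bytes]  # sibling hashes, ordered leaf to root


class TransparencyLog:
    """The public log: anyone can append, nobody can remove or replace."""

    def __init__(self) -> None:
        self.leaves: list[bytes] = []

    def append(self, package: bytes) -> int:
        self.leaves.append(leaf_hash(package))
        return len(self.leaves) - 1

    def root(self) -> bytes:
        return self._root(self.leaves)

    def prove(self, index: int) -> InclusionProof:
        path: list[bytes] = []
        self._path(self.leaves, index, path)
        return InclusionProof(index, len(self.leaves), path)

    @classmethod
    def _root(cls, hashes: list[bytes]) -> bytes:
        if len(hashes) == 1:
            return hashes[0]
        k = _split(len(hashes))
        return node_hash(cls._root(hashes[:k]), cls._root(hashes[k:]))

    @classmethod
    def _path(cls, hashes: list[bytes], index: int, path: list[bytes]) -> None:
        if len(hashes) == 1:
            return
        k = _split(len(hashes))
        if index < k:
            cls._path(hashes[:k], index, path)
            path.append(cls._root(hashes[k:]))
        else:
            cls._path(hashes[k:], index - k, path)
            path.append(cls._root(hashes[:k]))


def verify_inclusion(package: bytes, proof: InclusionProof, root: bytes) -> bool:
    """Client side: rebuild the root from the package and the audit path
    (RFC 9162 section 2.1.3.2) and compare with the root everyone else sees."""
    if proof.index >= proof.tree_size:
        return False
    fn, sn = proof.index, proof.tree_size - 1
    r = leaf_hash(package)
    for p in proof.audit_path:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            if not fn & 1:
                while fn != 0 and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


def published_sha256(package: bytes) -> str:
    """What a distro prints in its SHA256SUMS file for this package."""
    return hashlib.sha256(package).hexdigest()


def sri_integrity(resource: bytes) -> str:
    """Subresource Integrity value a page would pin for a script/stylesheet."""
    return "sha384-" + base64.b64encode(hashlib.sha384(resource).digest()).decode()


def may_run(package: bytes, distro_sha256: str, proof: InclusionProof, public_root: bytes) -> bool:
    """Both checks: the distributor's published hash matches the bytes you hold,
    and those bytes are provably in the public log (so no one-off build for you)."""
    return published_sha256(package) == distro_sha256 and verify_inclusion(package, proof, public_root)


if __name__ == "__main__":
    log = TransparencyLog()
    honest = b"vlc-3.0.20.tar"          # constructed package contents
    i = log.append(honest)
    print("honest build:", may_run(honest, published_sha256(honest), log.prove(i), log.root()))
    print("per-user build:", verify_inclusion(honest + b"+backdoor", log.prove(i), log.root()))
```

The second check only helps if the device compares the root against one obtained independently (another user, a mirror, a gossip protocol), which is the "necessary, but not sufficient" part above: a log the distributor alone serves can still show you a private tree.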
The way to avoid it is by having locked and cryptographically verified software and connections.
The evidence that it's being actively used in the US is in the secret proceedings of a secret court. I kid you not; look up FISA warrant.
Would you like to see a proper evidence of the logging policy? I feel like I can try finding that again if you/HN community would be interested to see that.
Edit: also worth pointing out that keeping logs with time might be a form of meta-data, which depending on your threat-vector (journalism etc.) can be very sensitive info.
[0]: my other comment here: https://news.ycombinator.com/item?id=47624960
And how does that compare to other services we have available and people actually use.
The thing is, it seems to be end-to-end encrypted with MLS, which means that the servers cannot decrypt the conversations. Probably some metadata are leaking (which IP is in a call with which other IP), but that's a different threat model. Metadata is always a harder problem.
Now I don't know if Proton knows which users are together in a call, or if it's just leaking IPs. Maybe the article says it, but I didn't have time to decrypt it :-).
Obviously Proton should self-host everything, but I can understand why they didn't want to.
Please, people, use your own words, and don't overdo every little thing. It's tiring. When everybody does this, nobody stands out.
I know Brave has offered their talk video conferencing service for awhile, but I don't know if any serious network analysis has been performed on it. https://talk.brave.com/
For document collaboration, I'm not aware of much else that's private/encrypted (etc) however. https://www.privacyguides.org/en/document-collaboration/
I am fundamentally against spyware that constantly monitors you and reports anything. Because of the constant and pre crime nature of it.
On the other hand i am actually not fundamentally against turning over data when independent judges sign a warrant.
This is arguably a very tight rope to walk, but I think that's the most realistic compromise between my right to privacy and the right of others to get justice when something is done unto them.
You mentioned a warrant. I do not believe that has been a required threshold.
E.g., https://judiciary.house.gov/media/in-the-news/jordan-biggs-d...
But it has notable exceptions that can be made upon federal law. The burden for these is supposed to be pretty high.
I think this should not happen willy nilly. And if thats the case in the US I am obviously against it.
It is a complex multi layered subject because it has to weigh the rights of multiple people against each other.
Proton in some cases was forced to turn over whatever they knew of a few accounts, according to Swiss law. They try to obfuscate as much as possible, so they can't turn over complete e-mail conversations. But some info is in there, and they have to turn that over. But (correct me if I'm wrong) they only have to comply with Swiss law, when there's a court order.
Proton - HK owner, dev team in Bulgaria and marketing with mythical claims of "Swiss company privacy". For a company that is selling essentially trust, they sure are shady as f...
EDIT: "some provider like Proton" -> "some provider", never wanted to imply Proton specifically did or does this.
[1] https://signal.org/blog/looking-back-as-the-world-moves-forw...
"Loads" of private data? When has this allegedly happened or how would it technically even be possible?
So that probably has happened. Whether they've even provided other private data I don't know, but
> how would it technically even be possible
Well, it's not possible if you trust their claims about E2EE, but that is just a claim. How's that any different from a non-encrypted email provider saying they won't provide your emails to others? It all comes down to trust in the end.
https://proton.me/mail/privacy-policy
> Account Activity: Due to limitations of the SMTP protocol, we have access to the following email metadata: sender and recipient email addresses, the IP address incoming messages originated from, attachment name, message subject, and message sent and received times.
This would be obvious to anyone knows how email works. It would be very silly for them to claim otherwise.
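As an added illustration of the metadata list quoted above (not code from the thread or from Proton, standard library only): the block parses a message the way a receiving MX sees it and pulls out exactly the fields SMTP leaves in the clear, while the body and attachment are PGP-encrypted and stay opaque. The message, the addresses (RFC 5737 documentation range) and the ciphertext are constructed for the example.

```python
"""What a mail provider can read on an end-to-end encrypted message (added example)."""
import re
from email import message_from_bytes, policy

# Constructed message as it would sit in the provider's MX queue: headers in
# the clear, body and attachment already PGP-encrypted by the sender.
RAW_MESSAGE = b"""Received: from mail.sender.example (mail.sender.example [203.0.113.7])
 by mx.provider.example with ESMTPS id abc123
 for <bob@provider.example>; Tue, 02 Apr 2024 09:14:05 +0000
From: Alice <alice@sender.example>
To: Bob <bob@provider.example>
Subject: Q2 invoice
Date: Tue, 02 Apr 2024 09:14:01 +0000
Message-ID: <m1@sender.example>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP MESSAGE-----

hQEMA0r7ciphertextconstructedfortheexample
-----END PGP MESSAGE-----
--b1
Content-Type: application/octet-stream; name="invoice-q2.pdf.pgp"
Content-Disposition: attachment; filename="invoice-q2.pdf.pgp"
Content-Transfer-Encoding: base64

wcBMA0r7AAAAAAAAAAAA
--b1--
"""

_IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _addr_specs(msg, header: str) -> list[str]:
    out: list[str] = []
    for h in msg.get_all(header, []):
        out.extend(a.addr_spec for a in h.addresses)
    return out


def smtp_visible_metadata(raw: bytes) -> dict:
    """Everything the privacy policy lists, read straight off the envelope/headers."""
    msg = message_from_bytes(raw, policy=policy.default)
    received = msg.get_all("Received", [])
    # The topmost Received line is the one the provider's own MX wrote; it
    # records the address of the server that delivered the message.
    m = _IPV4_IN_BRACKETS.search(str(received[0])) if received else None
    return {
        "sender": _addr_specs(msg, "From"),
        "recipients": _addr_specs(msg, "To") + _addr_specs(msg, "Cc"),
        "subject": str(msg["Subject"]) if msg["Subject"] else None,
        "origin_ip": m.group(1) if m else None,
        "sent_at": msg["Date"].datetime.isoformat() if msg["Date"] else None,
        "attachment_names": [p.get_filename() for p in msg.iter_attachments() if p.get_filename()],
    }


def body_is_pgp_encrypted(raw: bytes) -> bool:
    """True when the readable body is only PGP armor: the provider stores the
    whole message but cannot read the content part of it."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    return "-----BEGIN PGP MESSAGE-----" in text and "-----END PGP MESSAGE-----" in text


if __name__ == "__main__":
    for k, v in smtp_visible_metadata(RAW_MESSAGE).items():
        print(f"{k:17} {v}")
    print("body readable?", not body_is_pgp_encrypted(RAW_MESSAGE))
```

Note that the attachment name survives even though the attachment bytes do not: it lives in a MIME header, not in the encrypted payload. Subject lines are the same story unless the sender's client moves them inside the encrypted part.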
So they must have the ability to look at all that encrypted data anyway?
It's quite hypocritical of Proton to claim that they protect against government surveillance when they do things like this though [0]. Their legal team has probably ensured they don't claim anything strictly false, but the implication and the reality are wildly different.
[0] https://freedom.press/digisec/blog/proton-mail-is-not-for-an...
Proton has always-on end-to-end encryption and zero‑access encryption, meaning even we do not have access to your data.
[...]
Based in Europe, Proton ensures your data is protected by some of the world’s strongest privacy laws. Because Proton isn’t a US‑based company, we can’t be compelled by laws such as the US CLOUD Act to hand over your data to the US government or terminate your services. [1]
[1] https://proton.me/business/blog/proton-workspace
Obviously, as we have seen, they 100% can and will hand over your data to the US government. Yes, it's in the privacy policy/ToS and they're complying with local laws. But that's clearly not how that reads.
[In 2021, the Switzerland-based vendor provided local police with the IP address and device details of a netizen the cops were trying to identify. That individual – a French climate activist who was already known to police – was later arrested.
Shortly after that kerfuffle, Proton removed the claim that it didn't track user IP addresses from its website. Proton has also previously been accused of offering real-time surveillance of users to authorities.] [2]
[2] https://www.theregister.com/2024/05/13/infosec_in_brief/
See also: ProtonMail filters this into its junk folder: New claim it goes out of its way to help cops spy https://www.theregister.com/2019/05/29/protonmail_dismisses_...
A search on your favorite search engine of 'instances where proton has turned over user info to the government' will provide further reading.
I don't think I'll ever be not surprised by this.
Otherwise if everything is trusted I love that we can have conversations without depending on others over the internet :)
I think they can know the IP from every participant in the call and some other metadata?
"We kill people based on metadata."
- Michael Hayden (former NSA and CIA director)
If there is, why don't these people who write blog posts and comments about how "this is all a scam!!", "It's a psyop!", "'They' control it all!"... If it's all black and white, if there's no real difference between a company like Proton and Google or Microsoft, then why don't they create a business that provides a service where there's no way for any government to know anything at all, ever? They'd be printing money.
But perhaps the conspiracy realm and public broadcast of ideals is more attractive than a real business.
Yes, you shouldn’t trust 100% in a person let alone a group of people that form a company. Grow up.
The animation is just some text fading in. If you want to read that text, the only way is to disable reader mode and wait.
Just give me the boring single .htm page with your thoughts or a WordPress site with minimal plugins. I'd hate to think of the strain the author puts on people with accessibility needs by making this.
"nooo but proton mail complies to court orders!!111" wow shocking I know right? Do you think the other providers don't?
These are usually the same people who forget rubber-hose decrypting works
"But they use LiveKitCloud" yes - however we don't know half the story
Can Proton BYOK over their infra?
LiveKit's website TOS with a generic user - not ProtonMail. We don't know if there are any agreements there
> "all disputes are governed by the laws of the State of California"
Yes this is common with TOS.
> Their privacy policy explicitly acknowledges FTC jurisdiction and states the company will "access, preserve, and disclose your information"
This is the important part, not the other one above it
> showed active connections to 161.115.177.32 on port 443, a LiveKit-owned IP block (ARIN OrgId LIVEK) hosted on Oracle Cloud Infrastructure
Good test, but what/where was the originating IP? Was it using Brave's VPN (to the US) by any chance?
TBH I'm still more annoyed about the 90 day cookie - that was just rude
So again, "why don't we have better privacy-respecting options?" Maybe because if we try to do it, some "privacy advocates" will throw a massive fit complaining about all its shortcomings (and still not pay for the service).
Good job on mocking others though :*
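The connection check questioned above (which process holds a socket to the provider's address space, and which local interface it left on, i.e. was a VPN tunnel in the path) is easy to script. The block below is an added example for this page, not code from the article, Proton or LiveKit; the `ss -tnp` and `ip -o addr` output is constructed, and the /24 wrapped around the address quoted above is an assumption made for the example, not a verified LiveKit allocation.

```python
"""Which process talks to a given provider's address space, and over which interface (added example)."""
import ipaddress
import re

# ASSUMPTION: a /24 around the address quoted in the thread, for demonstration only.
ASSUMED_LIVEKIT_NETS = [ipaddress.ip_network("161.115.177.0/24")]

# Constructed `ss -tnp` output (one established hit, one in TIME-WAIT, two others).
SAMPLE_SS = """State     Recv-Q Send-Q Local Address:Port  Peer Address:Port    Process
ESTAB     0      0      10.0.0.12:51234     161.115.177.32:443   users:(("brave",pid=4242,fd=88))
ESTAB     0      0      10.0.0.12:51240     198.51.100.20:443    users:(("brave",pid=4242,fd=91))
ESTAB     0      0      10.0.0.12:51251     [2001:db8::10]:443   users:(("brave",pid=4242,fd=95))
TIME-WAIT 0      0      10.0.0.12:51200     161.115.177.5:443
"""

# Constructed `ip -o addr` output: a LAN interface and a VPN tunnel.
SAMPLE_IP_ADDR = """1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0  inet 10.0.0.12/24 brd 10.0.0.255 scope global dynamic eth0\\       valid_lft 3580sec preferred_lft 3580sec
5: tun0  inet 10.8.0.6/24 scope global tun0\\       valid_lft forever preferred_lft forever
"""

_PROC_RE = re.compile(r'"([^"]+)",pid=(\d+)')
_ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet6?\s+([^/\s]+)/\d+", re.M)


def _split_hostport(s: str):
    host, port = s.rsplit(":", 1)          # handles [v6]:port as well as v4:port
    return host.strip("[]"), int(port)


def parse_ss(text: str) -> list[dict]:
    """Turn `ss -tnp` rows into dicts; rows with wildcard addresses are skipped."""
    conns = []
    for line in text.splitlines()[1:]:     # skip the header row
        f = line.split()
        if len(f) < 5:
            continue
        try:
            lhost, lport = _split_hostport(f[3])
            phost, pport = _split_hostport(f[4])
            local_ip, peer_ip = ipaddress.ip_address(lhost), ipaddress.ip_address(phost)
        except ValueError:
            continue
        m = _PROC_RE.search(f[5]) if len(f) > 5 else None
        conns.append({"state": f[0], "local_ip": local_ip, "local_port": lport,
                      "peer_ip": peer_ip, "peer_port": pport,
                      "process": m.group(1) if m else None,
                      "pid": int(m.group(2)) if m else None})
    return conns


def connections_to(text: str, nets, port: int = 443, states=("ESTAB",)) -> list[dict]:
    """Sockets whose peer falls inside one of `nets` (an IPv6 peer never matches a v4 net)."""
    return [c for c in parse_ss(text)
            if c["peer_port"] == port
            and (states is None or c["state"] in states)
            and any(c["peer_ip"] in n for n in nets)]


def interfaces(ip_o_addr: str) -> dict[str, str]:
    """Map address -> interface name from `ip -o addr` output."""
    return {ip: name for name, ip in _ADDR_RE.findall(ip_o_addr)}


def local_interface(local_ip, ip_o_addr: str):
    return interfaces(ip_o_addr).get(str(local_ip))


def is_tunnel_interface(name) -> bool:
    return bool(name) and name.startswith(("tun", "tap", "wg", "ppp", "utun"))


if __name__ == "__main__":
    for c in connections_to(SAMPLE_SS, ASSUMED_LIVEKIT_NETS):
        iface = local_interface(c["local_ip"], SAMPLE_IP_ADDR)
        via = "VPN tunnel" if is_tunnel_interface(iface) else "direct"
        print(f'{c["process"]}[{c["pid"]}] {c["local_ip"]} on {iface} ({via}) -> {c["peer_ip"]}:{c["peer_port"]}')
```

In the constructed data the socket is bound on eth0, so the peer saw the machine's real egress address; had the local address belonged to tun0 the provider would only have seen the VPN exit, which is the distinction the question about Brave's VPN is getting at. Run against real output with `ss -tnp` and `ip -o addr` in place of the samples.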
Proton isn't perfect by any means, but the idea that there is no meaningful privacy difference between Proton and (for example) Gmail because both respond to court orders is flat-out false.
The article is showing that the proton claim that their new service is private from the US government data acquisition, including inability to access call metadata, is a lie (an intentional misrepresentation of the known truth by Proton).
Proton being at the behest of Uncle Sam has been old news for a while.
Would you mind elaborating, pretty please?
> First, let's correct the headline: Proton did not provide information to the FBI. What happened is that the FBI submitted a Mutual Legal Assistance Treaty (MLAT) request, which was processed by the Swiss Federal Department of Justice and Police. Proton operates exclusively under Swiss law, and we only respond to legally binding orders from Swiss authorities, after all Swiss legal checks have been passed. This is an important distinction.
> [...]
> The only information Proton could provide was a payment identifier because the user chose to pay with a credit card. This is information the user themselves provided to us through their choice of payment method. Proton also accepts cryptocurrency and cash payments, which would not have been linkable to an identity.
So basically, don't trust Proton with information unless you want the FBI to know it.
> Third, let's talk about what was actually disclosed. No emails were handed over. No message content. No metadata about who the user communicated with. The only information Proton could provide [...]
Yes, paying by crypto prevents Proton from disclosing your identity that way. Is there anything preventing Proton from disclosing the email content or metadata? Do they claim they won't disclose that? Clearly they do allow themselves to disclose metadata [1]
> For example, in ransomware cases, we can preserve information about which victims contacted the suspect, so that victims can be notified.
So, "just don't pay with a credit card" comes with the additional caveat of "don't email somebody you don't want the FBI to know you emailed". Whether you also need to "don't write anything you don't want the FBI to know", I haven't investigated further, but you could perhaps look that up yourself. I will just assume that to be the case based on what I've seen.
[0] https://www.reddit.com/r/privacy/comments/1rltej7/comment/o8...
[1] https://proton.me/legal/law-enforcement