• SecurityPro@lemmy.ml
    link
    fedilink
    arrow-up
    92
    arrow-down
    1
    ·
    8 months ago

    “helped” is very misleading. Companies can’t refuse to provide information they have when served a search warrant / court order. These companies DID NOT choose to provide the info on their own.

    • Otter@lemmy.ca
      link
      fedilink
      English
      arrow-up
      22
      ·
      edit-2
      8 months ago

      Yep, which I think is why it’s more important to see what data is being collected and stored, rather than giving up data based on how trustworthy an entity seems

      If the tool doesn’t collect or log the data to begin with, then there’s nothing that can be stolen/taken/demanded

      The solution in this case might be for Proton (and the other companies) to list out risks and data collection information along the way.

      We need X in order to do Y. Read more on how Y works. Now here are some risks, and how to avoid them:

    • lemmyreader@lemmy.mlOP
      link
      fedilink
      English
      arrow-up
      9
      arrow-down
      27
      ·
      8 months ago

      “helped” is very misleading. Companies can’t refuse to provide information they have when served a search warrant / court order. These companies DID NOT choose to provide the info on their own.

      You are suggesting all these companies are completely helpless against legal requests. That is not correct. A company should first make clear that the legal request is actually completely legitimate and correct. After that they can look at whether they should provide the information or not.

      See the data here :

      • SecurityPro@lemmy.ml
        link
        fedilink
        arrow-up
        44
        arrow-down
        2
        ·
        8 months ago

        As someone who has worked fraud and online investigations, and both written and served search warrants; it is not an option. A probable cause affidavit is presented to a judge and if the judge agrees there is sufficient probable cause, a search warrant is issued. This is an order by the judge and not optional. The judge can hold the company in contempt if they refuse to obey his/her order.

        • Deckweiss@lemmy.world
          link
          fedilink
          arrow-up
          3
          arrow-down
          1
          ·
          edit-2
          8 months ago

          Read the blog by the guy behind cock.li , he refused multiple illegitimate warrants so far.

          What matters is the jurisdiction of the service, not the one of the warrant author, otherwise china would have already warranted all data of all other world citizens lol

          • Railcar8095@lemm.ee
            link
            fedilink
            arrow-up
            2
            ·
            8 months ago

            Proton complies with Swiss law, and has to be channeled through Swiss official channels who rely the request.

            So there’s jurisdiction.

            • Deckweiss@lemmy.world
              link
              fedilink
              arrow-up
              2
              arrow-down
              1
              ·
              edit-2
              8 months ago

              That is true. But I wasn’t debating about this specific case, but rather the generalized statement.

              The comment I replied to implies “If there is a warrant, it is always legitimate and you have to follow it, because a lawyer said so”. That is not true and if it were the world would quickly go to shit, which I pointed out.

              • Railcar8095@lemm.ee
                link
                fedilink
                arrow-up
                3
                ·
                8 months ago

                I would say your interpretation was a bit extreme. Nobody implied a warrant from anywhere in the world.

                • Deckweiss@lemmy.world
                  link
                  fedilink
                  arrow-up
                  2
                  ·
                  edit-2
                  8 months ago

                  Again, it doesn’t matter where the warrant fomes from. What matters is where it goes to.

                  And that detail is pretty important, while being completely left out. They say:

                  it is not an option.

                  But yes it is, depending on the jurisdiction.

      • refalo@programming.dev
        link
        fedilink
        arrow-up
        13
        ·
        edit-2
        8 months ago

        Are you suggesting they didn’t do those things? Good info either way.

        Also there IS another alternative, the lavabit way… just go out of business /s

      • brunchyvirus@fedia.io
        link
        fedilink
        arrow-up
        12
        ·
        8 months ago

        There is a great talk from the Lavabit CEO who discusses what happened to him and his company when they found out Snowden had an email at his company. I won’t link it since it’s YouTube but it’s an hour long but he talks about his experience with the FBI and the courts. You can search for M3AAWG 2014 Keynote, I highly recommend it.

  • Lettuce eat lettuce@lemmy.ml
    link
    fedilink
    arrow-up
    43
    ·
    8 months ago

    Obligatory reminder:

    Email is not a secure medium! If you need truly secure and/or anonymous communications, DON’T USE EMAIL!

    Use a platform/protocol designed from the ground up for those things!

    • N0x0n@lemmy.ml
      link
      fedilink
      arrow-up
      6
      ·
      8 months ago

      Imagine talking about opsec and iCloud in the same sentence 🫣🤭

    • EngineerGaming@feddit.nl
      link
      fedilink
      arrow-up
      7
      arrow-down
      4
      ·
      8 months ago

      I do not blame Proton for complying with a request - it is a completely expected action from a company. However, I would blame them for advertising that makes them seem safer than they are for people who don’t know better.

        • JasSmith
          link
          fedilink
          arrow-up
          1
          ·
          8 months ago

          This is near the top on their landing page:

          With Proton, your data belongs to you, not tech companies, governments, or hackers.

          In the EU, one’s IP address can be considered private data as it can be used for identification. So far Proton has been caught handing over alternative email addresses and IP addresses, meaning their primary USP isn’t really accurate. At least not insofar as governments are concerned. I understand this occurred via Swiss court order, but they should not be headquartered in Switzerland. Panama has a history of rejecting foreign interference. All unencrypted data should be stored in Panama.

            • JasSmith
              link
              fedilink
              arrow-up
              1
              ·
              8 months ago

              Proton is as private as it can possibly (and legally) be

              That’s clearly inaccurate, since they could be headquartered in Panama, and store their data there. That would make them immune to Swiss court orders. There are already hosts which provide server space in Panama for exactly this reason.

                • JasSmith
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  8 months ago

                  LOL you can’t be serious. They would just be subject to Panamanian court orders.

                  Yes, and since Panama has a long history of telling foreign nations to fuck off, data is much safer there than in Switzerland. At least as a non-Panamanian. You claim Switzerland is the “most privacy-respecting country on the planet,” but I’d like to see the evidence. Since they comply with every court order, then I would argue one’s data is no safer in Switzerland than most other European countries. Which is to say, completely unsafe from most Western governments.

  • Schwim Dandy@lemm.ee
    link
    fedilink
    arrow-up
    18
    arrow-down
    8
    ·
    8 months ago

    “Proton does not require a recovery address, but in this case the terror suspect added one on their own. We cannot encrypt this data as we need to be able to send an email to that address if the terror suspect wishes to initiate the recovery process,…"

    I love that proton kept referring to the user as the “terror suspect” repeatedly so we would know they’re really the good guy here.

    • lemmyreader@lemmy.mlOP
      link
      fedilink
      English
      arrow-up
      5
      ·
      8 months ago

      Exactly. What makes this a bit complicated and maybe interesting from a historical point of view is that this is about Spain. A country which has been very slow with removing some of the “relics” from the fascist Franco era (Franco died in 1975) and at the same time having regions that long for independence like Basque country and Catalunya (and the post topic is related to that, Catalunya aiming for independence). Since the Twin Towers attacks in 2001 the words “terror suspect” and “terrorists” have been used much more often (also by ordinary “normies” people that I knew) and maybe not always rightly so.

  • Scolding0513
    link
    fedilink
    arrow-up
    7
    ·
    8 months ago

    Why has proton written somewhere exactly what data can be handed over to police? if there is, they need to be promoting this information more

  • Optional@lemmy.world
    link
    fedilink
    arrow-up
    6
    ·
    8 months ago

    If you sign up for a service using real information that can be traced to you (as in this case: home address, personal email) and then do illegal* things with the account, don’t.

    The * here is that what the alleged protester allegedly did or said is irrelevant. And the article is pretty clickbaity, unless the author was unaware of how online accounts work.

  • AnAnonymous@lemm.ee
    link
    fedilink
    arrow-up
    3
    ·
    8 months ago

    OpSec fail, never ever use any personal info when you are dealing with something you don’t want to be indentified for, it include obviously recovery emails, usernames and passwords.

    • Simon Müller@sopuli.xyz
      link
      fedilink
      arrow-up
      25
      ·
      8 months ago

      Proton and Wire didn’t share any decrypted ciphertexts, Wire shared a ProtonMail address and Proton an iCloud Address that they had set as a recovery method.

      Personal info like where they live came from Apple.

    • Squeak@lemmy.world
      link
      fedilink
      arrow-up
      15
      ·
      8 months ago

      Yes. They never gave away content of emails, because they couldn’t even if they wanted to. It’s encrypted.

      They gave the recovery email for the account to the authorities, which was an iCloud account tied to the user’s real name.

      • Vendetta9076
        link
        fedilink
        arrow-up
        1
        ·
        8 months ago

        I know you’re correct about proton. Didn’t realize they were all like that.