
The ProtonMail guys always said that unless they were 20 miles from the littoral, in the sea side, they had to abide by national laws. So it was bound to happen.

What makes me sad is how flimsy their entire premise (not necessarily "promise") turned out to be: all it took was some minor rascal in France to hug the wrong tree (so to speak), and ProtonMail is in the open saying they can't even protect the IP address of their customers. From there, all it takes is for somebody to change a law in Switzerland and end-to-end encryption of the messages themselves will only be "by default."

I think there is a market for datacenters in open seas.



The premise of "we'll never log your IPs" is something that no company can hold.

- Local law enforcement can force them to do so.

- Local laws can change.

- Guys with guns might barge in and demand it.

Mostly, you can understand that they don't _intend_ to log IPs, and aren't in the business of collecting and redistributing data. But that doesn't mean you can count on absolute and unconditional secrecy.


Indymedia UK didn't log the IPs of website visitors. They used an Apache module that stripped IPs from Apache log messages. I know this, because I had root on the server.

Indymedia was widely infiltrated, I think; certainly there were some infiltrators, and they often trolled that Indymedia logged IP addresses.

There was a tool we could use to capture addresses; they were captured to memory only, and the tool could only be switched on for a limited time; it usually got switched on for less than an hour - long enough to find and block the addresses of particularly egregious spammers and trolls.

An SMTP server could be run without address logging; but a commercial SMTP server would be damned hard to administer without IP addresses in the logs.

[Edit] Indymedia had two servers seized in the UK; one was the property of Bristol Indymedia, and didn't run Apache. The other was run by Indy UK, and didn't log addresses. There was therefore no fallout from the seizure, except that the cops hung onto it for about 5 years. When we finally got it back, we retired it - we couldn't trust it, and it was by then obsolete kit anyway.


> Indymedia UK didn't log the IPs of website visitors. They used an Apache module that stripped IPs from Apache log messages. I know this, because I had root on the server.

I believe you're confusing "is not actively logging" with "will not log, even when law enforcement takes over the server" (which a court order essentially comes down to, if you don't comply). The former is what ProtonMail also does. The latter is what no company can offer.


Our server was seized by the police. Nobody was arrested (well, they didn't really know who we were). We weren't even asked to make the server start up for them; we certainly weren't asked to circumvent the logging suppression; and had we been asked, we would have declined.

But then we weren't a corporation. Between us, we had little to lose. We didn't have to help the cops. Protonmail is a business, so I suppose they are much more likely to roll over. Still, I'm pretty disappointed; their whole schtick is security, and they pitch to the likes of whistleblowers. It looks pretty bad to me.

The IndyUK server was seized from Rackspace, under the directions of the FBI (this was in Manchester, UK; I guess Rackspace US were leaned on by the feds, and HQ leaned on the Manchester datacenter). I think the feds kept the disks, which were encrypted.


I don't know, it looks fine to me. Switzerland isn't a super push-over state and has a reputation for valuing privacy (which is worth much more money than doing small favors for the US, RU or CN), so I don't expect them to go for "yeah sure that person leaked evidence of war crimes, we'll get right on getting you their IP". At the same time, to do business, you need to comply with the absolute minimum of laws.

If Rackspace just flat out refused to follow court orders, they wouldn't be able to run a data center. A DC that will comply with a court order is better than no DC imho.

Perfect is the enemy of good, and PM is definitely good at doing email with a high degree of privacy. Should you use it from your home dial-up while leaking the definite proof that reptilians are running the show? Probably not, but that doesn't make them unusable. For a lot of other threat models, they're perfectly fine, at least until proven otherwise.

Virtually no one (besides a few trained super spies) will resist and not comply once the first finger nail is coming off. Court orders are just the friendly foreplay, and they'll escalate from there depending on how important it is for them to get them to comply. If you're betting your safety on anyone withstanding that and not giving up their password, you're setting yourself up for disappointment (and pain!).


Not sure this would be a solution. In this case it seems like Protonmail wasn't logging IP but then was compelled to by law. So my assumption here is even if they stripped IPs, law enforcement could compel them to unstrip them going forward for an account. And that's what happened in this case.

That said, if there was a third entity that removed IPs for Protonmail, maybe that could get away with it. Kind of like how Tor is functioning.


> law enforcement could compel them to unstrip

We don't know what jurisdiction this happened in - Belarus, Switzerland, or the USA. I doubt that Switzerland or the USA empower the police to force a private company to put up a bogus service on the internet - especially on behalf of China.

We also don't know whether the activist was taking advantage of Protonmail-to-Protonmail security, or whether one end of the connection was non-Protonmail.

My guess: they were logging IP addresses, at least for SMTP, and the activist was using SMTP.


>"we'll never log your IPs" is something that no company can hold.

Four words: The Intercept, Secure Drop. A one-way mail (content submission) system that runs exclusively on Tor, and thus can't be subpoenaed for users' IP addresses.

While I get your premise due to concerns of law, I think it is entirely feasible - and hinges on execution, marketing ability. We already have IP-hiding technology, whether Tor or Freenet or other such. The concern is "are we good enough yet to make it a sustainable business?"

For sake of example: if a hypothetical competitor to ProtonMail was to offer sign-up and email access only over Tor protocol, it would effectively be safe from police's demands to start logging IPs - thanks to technical measures. The actual difficulty is in the business side: getting enough paying customers to install & enable relevant browser or browser plugin.

Granted, the police could try to force the hypothetical competitor to install malicious JavaScript that would try to gather & leak users' IP address or other identifying information through other means, but that's solvable in the longer run just as well.


I also have to wonder what the market size for truly anonymous email really is. Who would go out of their way to pay for more expensive email that was untraceable? How many reporters? How many "freedom fighters"? How many large-scale criminal organizations? And does the very fact of using it bring unwanted attention?


Excellent contention, and I don't have a ready-made answer yet.

Curiously enough, we've seen anonymous services succeed for results unrelated to privacy-from-government: places like Omegle & ChatRoulette use anonymity for fun; places like 4chan use anonymity both for fun and also to avoid certain problems common to name-posting. Anonymity has long been a viable alternative put to good use in literature, arts, and entertainment. Perhaps the proper marketing would be along those lines?


At this point, creating an entirely new protocol would be easier. Something like Bitmessage.


Add to your list:

- engineer troubleshooting might do so temporarily.


Including accidentally - `log(locals())` or `log(user)` or similar.
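The two mechanisms touched on in this thread, stripping client addresses before they reach the log (the Apache-module approach described in the Indymedia comment above) and the accidental `log(locals())` leak in this comment, can be demonstrated with a logging filter. The following is an added example written for this page, not code from any commenter, ProtonMail or Indymedia; the names `scrub_ips`, `IPRedactingFilter` and `demo_accidental_logging` are my own, and the request data is constructed. The filter renders each record before the formatter sees it, so addresses buried inside a `locals()` dump are redacted along with ones passed explicitly, while lookalikes such as a timestamp `12:30:45` are left alone because every candidate is validated with the `ipaddress` module.

```python
# Added example: redact IP addresses at the logging layer so that neither
# deliberate "%s" arguments nor an accidental log(locals()) write client
# addresses to disk. All names and sample data here are constructed.
import io
import ipaddress
import logging
import re

REDACTED = "[redacted]"

# Dotted quads not embedded in a longer dotted number (so "203.0.113.7."
# at the end of a sentence still matches, "1.2.3.4.5" does not).
_IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\d|\.\d)")
# Loose IPv6 candidates: any run of hex digits and colons containing at
# least one colon, not glued to other word characters. Candidates are
# checked with ipaddress below, which rejects timestamps and port suffixes.
_IPV6_RE = re.compile(r"(?<![\w:])[0-9a-fA-F:]*:[0-9a-fA-F:]*(?![\w:])")


def _redact_if_address(match: re.Match) -> str:
    """Replace the matched token only if it parses as a real IP address."""
    token = match.group(0)
    try:
        ipaddress.ip_address(token)
    except ValueError:
        return token  # e.g. "12:30:45", ":443", "300.1.1.1": not an address
    return REDACTED


def scrub_ips(text: str) -> str:
    """Return text with every IPv4/IPv6 address replaced by REDACTED."""
    text = _IPV4_RE.sub(_redact_if_address, text)
    return _IPV6_RE.sub(_redact_if_address, text)


class IPRedactingFilter(logging.Filter):
    """Handler-level filter that scrubs addresses from the rendered message."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render first so addresses hidden inside args (a locals() dict,
        # a request object, ...) are scrubbed too, then clear the args so
        # the formatter does not interpolate them a second time.
        record.msg = scrub_ips(record.getMessage())
        record.args = ()
        return True


def _handle_request(logger: logging.Logger, client_addr: str, user: dict) -> None:
    """Constructed request handler that logs carelessly, as in the thread."""
    request_id = 42  # only here so locals() has something harmless in it
    # The accidental case: dumping locals() for debugging drags the
    # client address along with it.
    logger.warning("unexpected state, locals: %s", locals())
    logger.info("session for %s from %s", user["name"], client_addr)


def demo_accidental_logging() -> str:
    """Run the handler with constructed data and return what reached the log."""
    buf = io.StringIO()
    logger = logging.getLogger("example.webapp")
    logger.handlers.clear()  # keep repeated calls hermetic
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(IPRedactingFilter())  # scrubbing happens before formatting
    logger.addHandler(handler)

    logger.info("login ok for %s", "alice")  # nothing to redact
    _handle_request(
        logger,
        "203.0.113.7",  # constructed client address (documentation range)
        {"name": "alice", "remote_addr": "2001:db8::1"},  # constructed user record
    )
    return buf.getvalue()


if __name__ == "__main__":
    print(demo_accidental_logging(), end="")
```

Attaching the filter to the handler rather than the logger means every record that reaches that file is scrubbed, including records from third-party libraries that propagate up to it. It does not help against the other failure mode in the thread, a separate in-memory capture tool or a kernel-level packet log, which is why the Indymedia comment stresses that such a tool was switched on only briefly.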


Not just no company: no person can make such a promise. There is no one who is outside the reach of government power, should a government develop sufficient interest in that person's doings. The only way to really avoid this is to remain completely anonymous throughout the development process, and that's a tall order.


What's the corollary with brick-and-mortar:

Assume you're an all cash business - can governments require that you take and log every customer's ID?


Of course they can, at least in the US, however if someone asks for my ID while paying cash I will say "fuck that" and turn around and leave their brick building.


Whilst security cameras and mobile trackers note your presence (or that of your less-opsec-obsessed companions).

Good tradecraft is hard.


Eh it was more about the affront than security. I know there are eyes in the sky just about everywhere :) . Especially with things like cops tapping into porch cameras.


Same for end to end encryption, no? Law enforcement can force them to serve backdoored JS client payload.


Well, yes and no. Currently, Swiss law doesn't support this and providing the IP is based on specific requirements for telecommunication providers as far as I know. But yes, the law could be changed. However, keep in mind that Switzerland is a direct democracy and people here frequently actually vote on such issues directly (if one can gather enough support from the public).


I think Signal's approach is the best. You can't be forced to turn in something you don't have.


You can be forced to collect the data.


Bingo. And if the stakes were high enough many jurisdictions have laws that allow for it to happen under wraps. i.e. being forced to lie about collecting data.


I'm not sure it applies here?

Signal uses an OTR variant (I believe OTR masks the identity of the sender/receiver) -- not sure how thorough their implementation and protocol are[1]. Although if authorities already have the IP of one user they might gather a list of contacts.

[1] https://en.wikipedia.org/wiki/Signal_Protocol


But what makes you think they don't log IPs? They could too, if whatever country they are based in asks them to.


It doesn't matter; what matters is what's inside the message.


Metadata has been used to kill people.


The only way to avoid having your IP logged is for there not to be an organization that can be forced to log it.

So long as a company exists in a world controlled by US/European finance or is in their borders, they can be compelled to log what they are told to.



That's good though, no? They're collecting the information from you. I know it's a joke, but it's the difference between watching my home insides without me knowing - and showing up to my home with a warrant.


The joke is made at the expense of people who are naively saying that you can't be forced to turn over something you don't have, as if that's a defense that will work. They can mandate that you collect the thing they want you to turn over, then put you in prison and seize your assets if you don't comply.


>I think there is a market for datacenters in open seas.

The idea of having an isolated sovereign floating platform in the ocean doesn't really solve the problem of escaping the rules of national governments, because it still needs network connections into those countries.

Whether it's undersea fiber optic cables or bouncing signals off of satellites, the datacenter will be rendered useless if nations' citizens get a "This site can’t be reached. [...] ERR_CONNECTION_TIMED_OUT"

In addition to the physical network topology challenges, the IP address space allocation is controlled by IANA ... which is a government entity.


> Whether it's undersea fiber optic cables or bouncing signals off of satellites, the datacenter will be rendered useless if nations' citizens get a "This site can’t be reached. [...] ERR_CONNECTION_TIMED_OUT"

Not if Elon succeeds with Starlink:

>>@thesheetztweetz: How does transmitting into a country without a local downlink work on the regulatory side?

>@elonmusk: They can shake their fist at the sky [0]

For context, certain countries like India have quite strict regulation of satellite comms, requiring special permission[1] even to use plain consumer tech like Iridium. I presume EU would also try to tightly regulate consumer satellite comms, just like it requires real (government issued) ID to use cell phones - specifically to register locally purchased SIM cards, again for national security reasons.

[0] https://twitter.com/elonmusk/status/1433123220643717120

[1] https://www.osac.gov/Content/Report/9db45731-1eec-477a-a7af-... >There are multiple instances of authorities confiscating undeclared satellite phones from foreign travelers upon arrival in India. The official notice states: "All foreigners travelling to India are hereby informed that it is illegal to use/carry Thuraya or other such satellite phones in India. Custom authorities in India may seize such phones and legal action may be taken against the passenger concerned."


Elon is a citizen(subject) of the US, as well as his enterprise.


You can't expect Elon Musk to solve your woes regarding your being under the jurisdiction of your government. Elon and his companies, satellites, etc. are subject to regulation, despite his marketing.


Exactly. Sealand/HavenCo could play their micronation thing right up until the UK cut their supply and comms links.

Does it raise the bar for bothering to do that? Sure. But it’s certainly not absolute protection.


> right up until the UK cut their supply and comms links.

So if a referendum in Switzerland passed tomorrow which changed the law so that the Swiss government had to refuse to process any foreign warrants requesting IP addresses of email users, would France cut their trade and comms links to Switzerland?


The trick is to grow big enough that by the time anyone thinks cutting your links you are big enough that you can't fail.

I have no idea how to pull that off.


> I have no idea how to pull that off.

You start with a military force that is enough to prevent another sovereign nation from doing something bad like cutting off your comm link, or forcing or freezing your bank account...


A small and geographically distributed nuclear arsenal would also be a good starting point if you wanted to avoid having the large standing army needed for conventional deterrence.

Still doesn’t solve the banking issues, but one problem at a time I suppose.


Sure, but I have no idea how to pull that off. I have lots of other ideas that should work, but I don't know how to pull any of them off in practice.


Which means starting with a globally distributed computer that operates on the level above any military’s capacity to control a territory/populace…


Which is basically impossible. No old military platform in the ocean would be able to do that.


I would think being bigger makes you more of a target not less.


Indeed. A better idea might be to use custom in-house tech and avoid all public protocols and service providers. (Except TCP/IP. Maybe.)

The premise that you can buy secure comms from a commercial third party is... unconvincing.


There is a limit to that. North Korea does a lot of things that no government likes, but so far they are okay. There are a lot of bigger countries that have even more immunity to targeting.


> I think there is a market for datacenters in open seas.

Sealand's HavenCo tried it back in the 2000s. As it turned out, it didn't work well.

https://en.wikipedia.org/wiki/HavenCo

See: Death of a data haven: cypherpunks, WikiLeaks, and the world’s smallest nation https://arstechnica.com/tech-policy/2012/03/sealand-and-have...


I find Sealand fascinating. Imagine founding an off-grid location as a data haven, and it got popular. What would happen? I can see covert operations from foreign governments happening for example, driven by copyright lobbyists. Would they then need to hire security forces or train their own armed forces? Would it eventually join global political organizations to influence and protect its position? It gets really interesting to think about.

There's no doubt in my mind there would be huge demand for such a thing. People hate that the government can spy on anything you do. The chilling effect is exhausting.


I think the Republic of Rose Island is more interesting in that respect. Sealand is in British waters, and not recognised by HMG or any other state.

https://en.wikipedia.org/wiki/Republic_of_Rose_Island

https://en.wikipedia.org/wiki/Principality_of_Sealand


According to that article, Rose Island was also in Italian territorial waters, and was invaded and destroyed by the Italian navy.


It was just outside, that was the point, but yes destroyed and the size of internationally recognised territorial waters was expanded to prevent it happening again - so yes, it was inside today's Italian territorial waters. (Note the info box thing says 'preceded by: international waters', not Italian.)


Another major challenge is communication. Even when you have a data haven, how do you plug into the Internet backbone? How do you get Tbps bandwidth to serve the world? The Cypherpunks did some related research in the 90s: nearly all communication lines are controlled by the major ISPs or the state, and they are extremely expensive to build.

> The dot-com crash not only cut the bottom out from colocation pricing, but also took out HavenCo's fiber-optic link when the company providing it went bankrupt. That left the entire operation with a pokey 128 Kbps satellite link, which staggered badly under denial-of-service attacks.

In Neal Stephenson's novel Cryptonomicon, the data haven is a main theme in its plot.


Let us suppose for a moment that you could put a ship out in the sea, using solar panels and wind power, and satellites, you could provide a service. It might not be a service that’s always available, or all that fast, but it is technically feasible.


A ship is way too easily intercepted by any country with a navy. And your flag bearing country probably won't care, if you even have one. You need to go to space!


But it is technically feasible! I hear your point, but even in space, you are not safe.

https://en.m.wikipedia.org/wiki/2007_Chinese_anti-satellite_...


The US would threaten to attack unless they comply, unless there's another nation backing them. In which case they'd be beholden to them.


One company in the cloud sector failed 20 years ago, before people were even using the word cloud in this context.


> I think there is a market for datacenters in open seas.

That's what the Sealand [1] dudes thought.

Until a bunch of boats showed up loaded with men carrying rifles who simply took over the country.

And when that happens, who/where do you turn to to whine that someone took your thing?

That's what sovereignty means: you're on your effing own. For real this time.

One thing most people tend to forget about governments: they have the monopoly on physical violence.

That's the first, most important and probably only useful thing you pay taxes to your government for: physical security.

If you want to run a DC in open seas:

    - buy a bunch of gunboats
    - hire a small army to provide physical security
    - try and not piss off any of the real countries lest they be the one showing up with many more gunboats than you may muster and take over the "open sea DC".
    - your services won't be cheap: gunboats must be maintained, armies paid and fed.
[1] https://en.wikipedia.org/wiki/Principality_of_Sealand


The problem is that someone always controls that service. So they can always go after that person (irrespective of where the service is) and force them to modify it.

I was thinking you could have some sort of satellite service with data stored on the satellite. Allow multiple authorised ground stations to connect and store/retrieve emails for users. But again, the person that controls the software and operation would be a target.


One would need to operate the service as a Tor Location Hidden service and have no presence on the Clear Net. They would also need very good operational security and careful configuration in order to stay hidden.


> can't even protect the IP address of their customers.

Why, even the IP address is both technically and law-wise one of the hardest things to protect. The only way to get anywhere close to it is by using a VPN, Tor or similar in addition to whatever protection the service provides, and surprise, they do have an onion site (I think).


Their Tor site has issues as I understand it, e.g. redirecting to clearnet and an old version and requiring a phone number. But they say a VPN would have solved it…

To quote

“There's an important distinction here. Under Swiss law, email providers fall into a category which requires us to comply with certain legal requests. Swiss law does not have a provision which could force a VPN provider to log.”

“With VPN the legal principle is different. Thousands of users might be using the same server, logging them all would be assuming everybody is guilty until proven innocent. This is considered to be disproportionate. In the email case, it is possible to request information on a specific user, and that is considered to be proportionate.”

https://www.reddit.com/r/ProtonMail/comments/pil6xi/climate_...


> So it was bound to happen.

And this was quite obvious for someone who actually looked into staying anonymous (or gave the Protonmail threat model page a deeper read).

> What makes me sad is how flimsy their entire premise (not necessarily "promise") turned out to be: all it took was some minor rascal in France to hug the wrong tree (so to speak), and ProtonMail is in the open saying they can't even protect the IP address of their customers.

That's a big simplification. It took quite a few authorities to wave through a very draconian request for (what appears to be) a minor crime. As Protonmail themselves pointed out, they never promised to protect the IPs and they could explicitly not promise that. In fact, they even stated very clearly that they could not. Expecting them to print that on the frontpage is quite unreasonable when their marketing has to compete with shady VPNs that promise the sky.

> From there, all it takes is for somebody to change a law in Switzerland and end-to-end encryption of the messages themselves will only be "by default."

While this is a reasonable threat, it's not like one could do this in an afternoon.


Or you protect your own IP, I wonder if ProtonVPN could have done that? Would have been a nice test of those claims as well.

All in all, I still trust ProtonMail, they are handling this quite well and transparently. Their original messaging was probably a compromise between getting the message out there and leaving some room for things like this. Arguably that was a mistake, or maybe with the whole truth in bold on the front page, people would have flocked less to ProtonMail? I still don't agree with that original messaging though, as they don't themselves anymore.

Still pretty great free service if you ask me. If a family plan was cheaper I'd have migrated everyone there a long time ago.


I agree that they are a great email provider, the lesser evil, and I myself use a paid plan. But I believe that, as a society, we are rolling down a slippery slope where digital privacy becomes more difficult everyday.

A couple of weeks ago, it was Apple announcing that they will spy by default in all of their customers via the iPhones because of child pornography. Apple has spent galleons of gold marketing itself as a privacy-first company and they are not a pushover; for them to do that, whatever is going on behind the curtains must be grim.

I thought it would be a few years before somebody wanted to use something like that technology for something less serious. Then yesterday the news broke that courts had forced ProtonMail to break their business just so the French police could find a climate activist.

In my view, we are heading to a world where our electronic devices and services will be used to prosecute petty crimes, like drinking alcohol in Arab countries or even parking over the line anywhere else.


Their intentions are good, the law is vague and easy to abuse and we slide down that slippery slope. Don't blame PM for having to adhere to the law. In their latest announcements they advise you to use TOR, then you won't have this problem and your emails will be encrypted beyond anyone's reach. Well... [0]

[0]: https://xkcd.com/538/


Why would anyone trust ProtonMail? If you're not doing anything shady you don't need E2E. If you're doing something that attracts police attention - and relative triviality is clearly not a factor - what they're offering won't protect you.

Saying "Well, you could also use our VPN as well" is more marketing. Of course they'll have to comply with legal requests for that too.

This is a political issue. What's missing is the legal oversight which prevents overreach. Demanding logs to catch a mass murderer is one thing. Demanding logs to catch someone who is being financially and politically irritating is on a completely different level and much harder to justify.


ProtonVPN or a similar service would have helped that.

They are only required to provide the IP addresses from ProtonMail, but ProtonVPN gets different treatment legally speaking, where they cannot (currently) force logging [0][1].

[0] https://protonvpn.com/support/no-logs-vpn/

[1] checked with Andy Yen (CEO/Founder)


I would assume you'd also need to have some sort of armed forces too, otherwise whichever country wants your data can sail over with their Navy and take it.


If you have a navy capable of causing a halt to the EU, CN, US, AU, etc. you should go ahead and claim an entire island. Maybe collect some taxes, try to get UN recognition…

Operating outside of national protection requires either extremely small scale and high risk or it requires becoming a quasi-nation.


> all it took was some minor rascal in France to hug the wrong tree (so to speak), and ProtonMail is in the open

We must be living on alternate time lines - try reading their transparency report. This is not even the first time this week, let alone the first time ever.

https://protonmail.com/blog/transparency-report/


>I think there is a market for datacenters in open seas.

This will never happen. There are too many clandestine ways for this to suddenly no longer be there in ways that would be totally deniable for anyone doing the deed. Whether it's just "cut a cable" supplying the data streams or physical destruction of the vessel housing the data center.


Some men with guns can easily change the case of Sealand.

Technology itself has to be law-prone && gun-prone.


> I think there is a market for datacenters in open seas

You might escape the laws constraining you, but you will also escape the laws protecting you.

So if there is a datacenter in the open seas either:

- It's operated by some government, potentially indirectly through some straw men.

- It's undermined by some government using it as a honeypot or similar.

- It's so small that no-one cares about it.

- It's gone.

So IMHO, realistically speaking there is no such market; if you want to escape the law it's probably easier to do so inside of a country instead of escaping onto the sea and then trying to somehow connect to the internet.


If quantum communication becomes a possibility you could imagine an invisible network that provides a type of ultimate privacy.



