
The expectation that Proton would be able to disobey the legal requests of their local authorities with impunity is unrealistic. Protonmail makes certain claims about privacy, particularly about encryption. They don't make any claims that they have the intention, or ability for that matter, to defy local authorities at their peril. Like Grugq said in one of his presentations (paraphrased): "Don't expect your VPN company to do your jail time for you". I'm neither for nor against Protonmail. I don't think they've been dishonest. I think people have an unrealistic expectation of the service they offer. They offer additional privacy, not legal indemnity.


This is exactly what baffled me about people saying "I'm cancelling my PM subscription" as if they didn't make this abundantly clear. In their transparency report, they state very clearly that they "may also be obligated to monitor the IP addresses" being used to access accounts engaged in criminal activity.

Privacy activists, for some reason, don't take the time to read transparency reports.


> This is exactly what baffled me about people saying "I'm cancelling my PM subscription" as if they didn't make this abundantly clear.

We are on a thread talking about them removing claims on their marketing material... that's abundantly clear to you?

Have we reached that level of expectation? That it's abundantly clear when marketing materials are not saying the same thing as reports?

> In addition to the items listed in our privacy policy, in extreme criminal cases, ProtonMail may also be obligated to monitor the IP addresses which are being used to access the ProtonMail accounts which are engaged in criminal activities.

This is what the Transparency Report says too. In EXTREME criminal cases. Is it abundantly clear to you this case is an EXTREME criminal case too? This was someone that manifested by squatting a building... is that extreme to you? My definition of extreme is a tiny bit higher, I would expect risk of life or at least a pretty large amount of money involved... not a bunch of kids manifesting gentrification.


> We are on a thread talking about them removing claims on their marketing material... that's abundantly clear to you?

As a Protonmail customer, thanks for saying this. There seems to be this idea that a blog post Proton made in 2014 is being "up front" about their policies.

Protonmail needs to do better.


I agree that Protonmail has been dishonest in their marketing, but marketing =/= policies.

If you're storing any kind of information you'd rather keep private on a server you do not control and not diving into the policies and blog posts of said provider to make doubly sure they're all they say they are, it's no one's fault but your own when something inevitably happens. Either do your due diligence or blindly accept the risk. People took the second option and look what happened.

And yes, I would say an order from Swiss courts that was unappealable is an extreme criminal case. Anything that could threaten Protonmail qualifies.


> And yes, I would say an order from Swiss courts that was unappealable is an extreme criminal case. Anything that could threaten Protonmail qualifies.

So before this case, if I told you is someone in France trespassing enough for ProtonMail to log and provide IP, you would say sure?

My point is that this is not what most people would expect by reading extreme criminal case. If it's not what they expect, it is thus misleading.

I also wouldn't even agree that this is an extreme criminal case. What is a non-extreme one then? This is not an exception, this is simply a criminal case. It clearly doesn't need to be extreme to allow them to get the IP.


Note that I have not even mentioned France.

Protonmail was forced by Swiss courts, period. Protonmail will not risk themselves for you. No client of Protonmail is worth fighting the Swiss courts over. Protonmail bowed down to the laws of the country they operate in, a smart move if they wish to continue legal operations.

If you still do not understand this fact, or that I am speaking strictly about the repercussions that a Swiss company could face by ignoring a court order from Swiss courts in Swiss law in Switzerland, then we have nothing else to discuss.


> If you still do not understand this fact, or that I am speaking strictly about the repercussions that a Swiss company could face by ignoring a court order from Swiss courts in Swiss law in Switzerland, then we have nothing else to discuss.

Where did I say they shouldn't have done this? I do understand that fact.

The issue isn't on what they did, it's on how they said they were protected against this but actually weren't. We are talking about their marketing materials promising anonymity that they can't legally provide.

If that was a mere misunderstanding on their part and they thought they could actually get away from providing the IP but couldn't actually, sure it was a simple mistake on their part to say that, I would agree with you, but you provided the proof that they knew, and you even said it was "abundantly clear" that it was the case.

I'll say the same as you, if you don't understand that part, we have nothing else to discuss. Even more so if you believe that it's fine to promise stuff that you can't legally provide.


What about the perception they gave that state if you were being monitored you would be notified? The part not made clear was that they could delay notifying you for months.


They did make it clear and did so before this outcry:

> Swiss law requires a user to be notified if a third party makes a request for their private data and such data is to be used in a criminal proceeding. However, in certain situations, notification can be delayed. This includes the following cases [...]

From https://web.archive.org/web/20210724054806/https://protonmai... (under "ProtonMail User Notification Policy", emphasis is mine).


I think he is talking about the CEO's blog post, where he does not make that clear and absolutely creates the impression that the French activist received a notification. It even sounds like you get a notification as soon as somebody just requests it, even if PM declines / fights it. [0]

> Under Swiss law, it is obligatory for a user to be notified if a third party makes a request for their private data and such data is to be used in a criminal proceeding.

People will read this and the majority will think there is some kind of notification as soon as that happens. I mean, users here on HN thought that. Only if you click the link, the one that you shared, then you'll know that there are multiple situations where that notification will be delayed.

I think that is actually the worst part about the whole situation so far. One can argue that they should've made the potential logging more clear right under their no logs marketing. But pretty much doing the same stunt again with the notification, does feel a bit like intent... or stupidity.

0: https://protonmail.com/blog/climate-activist-arrest/


Disclaimer: Paying Protonmail customer here

Protonmail has been dishonest in their marketing.

1. Their homepage stated "By default, we do not keep any IP logs...". Due to complaints about this being a lie, they have today removed this statement.

2. Their website also stated "No personal information required to create an account". However, for creating an account through Tor a phone number is required. This has been an issue for 4 years [1]

How could I expect Proton to disobey legal requests? That's crazy.

[1] https://www.reddit.com/r/ProtonMail/comments/638ykr/phone_nu...


There are 180 countries and not one will let you create a company that doesn't have to log IP addresses? Proton should change their description to: "We don't really care so much about your privacy and make fake marketing claims because we are just another tech company trying to make as much money as possible"


> The expectation that Proton would be able to disobey the legal requests of their local authorities with impunity is unrealistic.

Untrue.

There are many ways to resist authority without being seen as blatantly disobeying the law.

In this particular case, they could have gone with the standard: "can't technically do it, we don't have the infrastructure". Or: "the guy who manages the logs just quit, we can't recover the information". Or: "we don't have the budget to implement that, it'd bankrupt us" ... etc ... make as many lame excuses as the day is long.

Drag things into court and just bog the effing big brother machine down in technicalities long enough until they simply give up or the French activist has had ample time to skedaddle.


The ways you've listed would work only once (each). With several hundreds of requests per year PM would pretty quickly run out of plausible excuses to not start storing the requested info. Also - what is so precious about this particular request compared to 700 requests PM received last year (if we trust PM on that)? Also - the purpose of any commercial activity (which surely PM email service is) is to make money for their owners. How much money and for how long would come from PM if they constantly would be resisting authorities (or from the authorities' point of view - obstructing justice)?


> quickly run out of plausible excuses

plausibility and the legal system are two vastly different things.

regarding your second point, you're correct, except for the fact they've been blatantly lying about what their product is and does.


You might want to read at least one of the many articles about this before posting so that you don’t look dumb.


This. If you pay ProtonMail, you don't have your emails automatically scanned by some company to show you advertisements, and you have encryption at rest. That's all.


But if that is all we can realistically expect, there are objectively better providers.

That's ultimately why I cancelled my PM subscription and went elsewhere.



