Proton Mail is in the title because it's where they went first, but the actual identification (real name, phone number etc.) seems to come from Apple on request for info related to the address.
In this case the email address was the lead, but I wonder what other info would be enough to get the phone provider to spill the beans. For instance, would an IP address used at a specific time be uniquely identifying if it was VPNed by Apple at that moment?
Or a Google Ad cookie that could get correlated to other devices showing similar behavior (the same way Google tracks households or related accounts)?
While an IP address is not an identity, it can still zero in on a location. I suspect governments and ISPs all keep historical logs of who was assigned what address.
An IP address in itself is not an identity, but it can be easily resolved to one. This is why IP addresses are considered PII, and are handled as such by any competent security organization.
Do you have any source to back that up? Last I heard a random person or company won't have a way to find out the real identity given just an IP in general.
Per multiple opinions I got from people whose job was to advise me on the matter, a 2016 ECJ ruling[0] suggests that it doesn't matter if a provider can find a person from their IP address or any other detail, but that there exists a scenario where it is possible.
I am not sure how the CCPA treats IP addresses, but unless you're at Google or Facebook, it doesn't matter. Few can afford to build separately for the EU and the rest of the world, and hence err on the side of adopting the strictest interpretation.
But the threat actor in this case is a state, which does have that ability. (And data brokers of varying degrees of shadiness can and do provide this info to anyone for a price.)
You may need a bit more than that, especially for shared IPs or when using CGNAT, as you need to know which IP and port range were used and during what time range.
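Added illustration of the CGNAT point in the comment above (not part of the thread, and not any ISP's real tooling): a lookup over a constructed port-block allocation log, showing that a public IP plus a time leaves several candidate subscribers, while adding the source port and an exact timestamp narrows it to one. The log format, subscriber labels and documentation-range addresses are assumptions made up for the example.

```python
from datetime import datetime, timezone

# Constructed CGNAT port-block allocation log (not real data):
# subscriber, public IP, first port, last port, lease start, lease end (UTC)
CGNAT_LOG = """\
sub-A,203.0.113.7,1024,5119,2024-05-01T10:00:00,2024-05-01T12:00:00
sub-B,203.0.113.7,5120,9215,2024-05-01T10:30:00,2024-05-01T13:00:00
sub-C,203.0.113.7,1024,5119,2024-05-01T12:00:00,2024-05-01T14:00:00
sub-D,203.0.113.8,1024,5119,2024-05-01T10:00:00,2024-05-01T14:00:00
"""

def _ts(s):
    # Treat every timestamp as UTC so comparisons are unambiguous.
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

def parse(log):
    rows = []
    for line in log.strip().splitlines():
        sub, ip, lo, hi, start, end = line.split(",")
        rows.append((sub, ip, int(lo), int(hi), _ts(start), _ts(end)))
    return rows

def candidates(rows, ip, when, port=None):
    """Subscribers that could have used `ip` at `when` (and `port`, if known).

    Leases are half-open [start, end): a port block handed to the next
    subscriber at 12:00:00 belongs to the new holder from that second on.
    """
    t = _ts(when)
    return sorted(
        sub for sub, rip, lo, hi, start, end in rows
        if rip == ip and start <= t < end and (port is None or lo <= port <= hi)
    )

ROWS = parse(CGNAT_LOG)

if __name__ == "__main__":
    # IP and time only: two subscribers share the address.
    print(candidates(ROWS, "203.0.113.7", "2024-05-01T11:00:00"))
    # IP, time and source port: one subscriber.
    print(candidates(ROWS, "203.0.113.7", "2024-05-01T11:00:00", port=6000))
    # Same IP and port, one second apart across a lease boundary.
    print(candidates(ROWS, "203.0.113.7", "2024-05-01T11:59:59", port=2000))
    print(candidates(ROWS, "203.0.113.7", "2024-05-01T12:00:00", port=2000))
```

A service whose access logs record only the client IP, or timestamps with coarse precision or an unstated time zone, cannot supply the fields this lookup depends on.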
It can be used to identify a location, but not an individual.
I assume it could be easily challenged in court (network was compromised, “I give out my WiFi to anyone who visits my home”) without other supporting evidence.
Not in Germany, where you are responsible for the WiFi access; see the hundreds of copyright fines each year...
Anyway, it puts the persons living in that location on the radar of the police, and other evidence can be collected (for example, by getting a warrant and taking all electronics out of the "location").
Apparently in Germany you can do public wifi now, but you have to register as a telecommunications provider, and comply with all law enforcement requests to wiretap your wifi.
In a previous case some years ago, a French activist’s IP address was provided by Proton on court order. Proton does store IP addresses and does provide them when legally demanded to.
They were legally compelled to add IP logging for that specific user. After this incident, they went on to obtain a court ruling in Switzerland, where they operate, so that this specific attack cannot happen again. In their blog post about it [1], they instruct concerned users to access their account over Tor.
Of course when Proton say they don't log, we just have to take their word for it. People who don't want that element of trust can use Tor. Personally I believe their story in this case.
It works sometimes. Usually, it requires phone number or email verification. This is important for protonmail to maintain a revenue stream as they don't allow multiple free accounts for the same person.
Note that even in those cases when additional verification is requested, the email addresses are not tied to your account - we only save a cryptographic hash of your email. Due to the hash functions being one-way, we cannot derive it back from the hash: https://proton.me/support/human-verification
> 2.5 IP logging: By default, we do not keep permanent IP logs in relation with your Account. However, IP logs may be kept temporarily to combat abuse and fraud, and your IP address may be retained permanently if you are engaged in activities that breach our terms and conditions (e.g. spamming, DDoS attacks against our infrastructure, brute force attacks). The legal basis of this processing is our legitimate interest to protect our service against nefarious activities. If you enable authentication logging for your Account or voluntarily participate in Proton's advanced security program, the record of your login IP addresses is kept for as long as the feature is enabled. This feature is off by default, and all the records are deleted upon deactivation of the feature. The legal basis of this processing is consent, and you are free to opt in or opt out of that processing at any time in the security panel of your Account. The authentication logs feature records login attempts to your Account and does not track product-specific activity, such as VPN activity.
> Proton Mail is in the title because it's where they went first, but the actual identification (real name, phone number etc.) seems to come from Apple on request for info related to the address.
Irrelevant to the point. Proton Mail provided authorities with user data.
> The core of the controversy stems from Proton Mail providing the Spanish police with the recovery email address associated with the Proton Mail account of an individual using the pseudonym ‘Xuxo Rondinaire.’