Author Topic: ProtonMail deletes "we don't log your IP" after French activist arrested  (Read 2167 times)

Edvard

https://www.theregis...r_ip_address_police/
Cops can read SMTP spec too, y'know...
Encrypted email service ProtonMail has become embroiled in a minor scandal after responding to a legal request to hand over to Swiss police a user's IP address and details of the devices he used to access his mailbox – resulting in the netizen's arrest.

Their website prior to this event stated: "No personal information is required to create your secure email account. By default, we do not keep any IP logs which can be linked to your anonymous email account. Your privacy comes first."  Apparently, that wasn't quite correct.  They have changed that statement to something a bit more vague.
In their defense, they were served with a bona fide legal order from Swiss (not French, though it was vis-a-vis Europol) authorities, which they are legally beholden to.

In this case, Proton received a legally binding order from the Swiss Federal Department of Justice which we are obligated to comply with. There was no possibility to appeal or fight this particular request because an act contrary to Swiss law did in fact take place (and this was also the final determination of the Federal Department of Justice which does a legal review of each case).

The sticky question as to why they were logging access via IP address when their policy explicitly stated that was not so is addressed in the comments at the article.  Apparently, they don't log IPs as a matter of course, but at the behest of a court order, they were obligated to do so.

Caveat Emptor.

Found at CodeProject News

Deozaan

Thanks for sharing this. I was unaware that this had happened.

I have to admit, I skimmed the article (because I was looking for it to state what Swiss law was broken in France) and it didn't seem like it gave much pertinent information. This article from TechCrunch seems like it does a more thorough job:

https://techcrunch.c...y-swiss-authorities/

There, ProtonMail is quoted as seeming to suggest that if the person had been using Tor or a VPN--including ProtonVPN!--their actual IP address would not have been given to the authorities.

nickodemos

It is simply proof that at no point are you ever truly anonymous on the net. If at any time a state authority wants information, they can get it.

Used to be they could just go in and demand the logs. Now they know better. They get a court order to monitor your actions and the company is forced to comply. Sure they still do not log anything for everyone else, but if you're targeted by that state agency there is little they can do to stop it.

wraith808

I think ProtonMail is caught between a rock and a hard place with this one. But they aren't prevaricating or obfuscating when asked questions. One hilarious example-



That's from https://www.reddit.c..._protonmail/hbqha63/ and some interesting comms there.

Deozaan

Personally, I don't see anything wrong with what ProtonMail did. They followed the law. An argument could be made that the law(s) should be changed. But they complied as they were legally required to do. And if the person of interest had been a little more careful about masking his IP address, ProtonMail would not have had anything useful to give to the authorities.

ProtonMail still didn't give the contents of the emails to the authorities, because they can't! And if you have read through their FAQs, etc., they were always very explicit (at least in English) in saying which info could be gleaned and which info was encrypted/protected from outsiders (which includes ProtonMail).

wraith808

Personally, I don't see anything wrong with what ProtonMail did. They followed the law. An argument could be made that the law(s) should be changed. But they complied as they were legally required to do. And if the person of interest had been a little more careful about masking his IP address, ProtonMail would not have had anything useful to give to the authorities.

ProtonMail still didn't give the contents of the emails to the authorities, because they can't! And if you have read through their FAQs, etc., they were always very explicit (at least in English) in saying which info could be gleaned and which info was encrypted/protected from outsiders (which includes ProtonMail).

Oh, I totally agree. What people are up in arms about is the fact that this isn't displayed more prevalently. IMO, if you're going to be doing something where privacy is a need rather than a convenience, you should be reading the terms and such a bit closer in any case.

c.gingerich

I use ProtonMail, it's a great service and will continue to do so. I agree that they didn't do anything wrong.

Shades

Here is a transcript of data that has to be logged in Europe: link   See item: article 5, section 1, subsection (a)

This data has and can be stored for 6 months to 2 years, depending on national law of EU members. And yes, there is GDPR, which makes sure user rights on privacy are more respected. But that was a 2016 ruling, that had to be written in law by 2018, but that doesn't mean implementation of that law is enacted upon in 2018. There might be a provision inside that companies have to comply as fast as they are able, because of a pandemic there may have been a shortage on people working on this, there are not enough people to check if companies comply and/or deliver fines, etc.

As not all members of the EU are shining examples of humanitarian progress, who knows how long metadata like IP addresses and date/time are not logged in those countries.

nickodemos

I agree that it is still a good service. I was just pointing out that if you are under the eye of a govt agency, there is little that a company can do to protect you.


dantheman

Does someone recall reading in the fine print somewhere, Proton Mail explicitly mention that unless the Swiss gov't or their security service formally asks for this info. that they would never share anything to compromise our privacy?

Shades

Re: ProtonMail deletes "we don't log your IP" after French activist arrested
« Reply #10 on: September 12, 2021, 05:54 PM »
Your IP (v4) address is not part of your personal data.

It would be if that IP address was a static one. But as there are only a limited amount of IP (v4) addresses available, your ISP will assign you a different one whenever they see a need to do so.

It is considered meta-data and can be used as evidence against you when the IP address is known and the time/date of when it was assigned to you. Without that information, it is circumstantial at best and has been used successfully in courts as a defense against accusations.

A court order has to be obeyed, by any company, anywhere. As you are allowed time to find resources to help you in your defense, the accuser is allowed resources to legally build their case. Without the defender knowing about that. Welcome to the society you have chosen to participate in.

Proton mail, by default, does not log even meta-data. But has to comply if ordered to do so. Proton mail did mention that they don't log your meta-data by default. If you the reader comprehend from that text that the government cannot touch you, you are dearly mistaken. Content of the messages sent through Proton mail have not been compromised, so nothing more than meta-data is retrievable as evidence.

A similar thing happens when you use a VPN. Their texts read as those services make you anonymous on the internet. And they don't, as that is not how the basics of the TCP/IP protocols even work. Government can ask your ISP for the same meta-data and see when and how long you are connected to your VPN provider of choice. Then the government only needs to ask your VPN provider about the meta-data you are generating on their servers and that is already enough circumstantial evidence to make things stick, without having to know the exact content of what is communicated between you and the services you connect to.

All the re-assuring texts you are fed by any service that promises anonymity on the internet are worth almost naught. In that sense, you should be happy that IPv4 still exists. With IPv6 each device will get a static IP number and then your IP address is suddenly hard evidence in court. If you are up to no good on the internet, an IPv6 address will not be your friend. Sorry, was reminded about the joke: "What is the difference between a friend and a best friend?" "A friend helps you move, a best friend helps you move....bodies!" With that in mind, an IPv6 address won't even help you move. It would be more like the card in Monopoly: "Go directly to prison, do not cross start, do not collect funds."

dantheman

« Reply #11 on: September 12, 2021, 07:32 PM »
Well, that sounds a lot like court law stuff to me.

At least now I know who to run to for help if they ever come after me for something!  :)

Never liked law semester in high school.

Come to think of it, never liked high school much either!

40hz

« Reply #12 on: September 21, 2021, 07:58 PM »
Hardly surprising. Any company can assert they have a corporate philosophy and strong policies that can override or bypass governmental authority. At least until someone shows up brandishing a subpoena, search warrant, or handcuffs.  :tellme:

There’s an old admonition in the IT world that applies here:

“Never trust any system or network you don’t hold root level access and authority over.”

Anonymity is possible. But not on a public network…like… the Internet? ;)

Edvard

« Reply #13 on: September 22, 2021, 12:12 AM »
...
Anonymity is possible. But not on a public network…like… the Internet? ;)

7proxies.png

40hz

« Reply #14 on: September 22, 2021, 07:22 AM »
^”Good luck, I’m behind 7 proxies.”

Three of which are clandestinely operated in whole or in part by various government intelligence agencies, and the rest which have been rooted by them.  ;) :P

Old Russian proverb:

“Anytime four men conspire in a hidden place to overthrow the Czar, three of them are fools, and the fourth is secret police.”

Deozaan

« Reply #15 on: September 22, 2021, 08:56 PM »
My hope for the internet as a whole is that it starts operating more similarly to IPFS + TOR and as a result all traffic would be more akin to P2P and no one would know if the data you're requesting was for yourself or just to pass on to one of your peers.

Probably a pipe dream...

wraith808

« Reply #16 on: September 22, 2021, 09:22 PM »
Probably a pipe dream...
Probably?

40hz

« Reply #17 on: September 23, 2021, 10:36 AM »
My hope for the internet

I’ve long since given up any hope I might have had for the Internet.

When it was smaller and frequented largely by the technically literate there was a brief period of time when there was a naive belief, in many quarters, that it would be a transformative technology that would magically remain somehow divorced from acquiring all the negatives virtually every previous technological advance dragged along in its wake. And while it’s good to have a dream, most times those dreams completely ignore the lessons of history. And the Internet is just one more case of an advance being coopted for the purposes of the lowest common denominator.

Robinson’s Rule is inescapable:

“Nothing truly good ever survives being ‘discovered’”