Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Privacy Technology

ProtonMail Logged IP Address of French Activist After Order By Swiss Authorities (techcrunch.com) 153

ProtonMail, a hosted email service with a focus on end-to-end encrypted communications, has been facing criticism after a police report showed that French authorities managed to obtain the IP address of a French activist who was using the online service. From a report: The company has communicated widely about the incident, stating that it doesn't log IP addresses by default and it only complies with local regulation -- in that case Swiss law. While ProtonMail didn't cooperate with French authorities, French police sent a request to Swiss police via Europol to force the company to obtain the IP address of one of its users. For the past year, a group of people have taken over a handful of commercial premises and apartments near Place Sainte Marthe in Paris. They want to fight against gentrification, real estate speculation, Airbnb and high-end restaurants. While it started as a local conflict, it quickly became a symbolic campaign. They attracted newspaper headlines when they started occupying premises rented by Le Petit Cambodge -- a restaurant that was targeted by the November 13th, 2015 terrorist attacks in Paris.

On September 1st, the group published an article on Paris-luttes.info, an anticapitalist news website, summing up different police investigations and legal cases against some members of the group. According to their story, French police sent an Europol request to ProtonMail in order to uncover the identity of the person who created a ProtonMail account -- the group was using this email address to communicate. The address has also been shared on various anarchist websites. The next day, @MuArF on Twitter shared an abstract of a police report detailing ProtonMail's reply. According to @MuArF, the police report is related to the ongoing investigation against the group who occupied various premises around Place Sainte-Marthe. It says that French police received a message on Europol.

This discussion has been archived. No new comments can be posted.

ProtonMail Logged IP Address of French Activist After Order By Swiss Authorities

Comments Filter:
  • and at the end of the day, no company is going to stand up against a government. Hopefully some lessons have been learned.

    • by tinkerton ( 199273 ) on Monday September 06, 2021 @12:46PM (#61769335)

      Wikileaks have an approach where they cannot know who contacts them unless the source chooses to make himself or herself known to them.
      Protonmail is different. I don't know how motivated they are about standing up to western governments.

      • I would turn in a bunch of private addresses and say oops, we use proxy firewalls and those are their IP addresses.
        • I would turn in a bunch of private addresses and say oops, we use proxy firewalls and those are their IP addresses.

          They would ask you from the logs from those firewalls. The first time you'd be able to tell them you didn't turn them on. The second, perhaps, that you messed up and got the wrong addresses. After that if you didn't shape up they could arrest you for interfering with an investigation or contempt of court. The only reasonable way around this is onion routing, like tor, or private connections and even there you have to be really careful.

          • These activists want the government to take over private restaurants, stores, apartments, etc. They object to private companies running businesses.

            If they had their way, the ISP and the email service would be run by the government.

            They got bit when the email service cooperated with an order from the government. If they had their way, there wouldn't have even been any news for the order, since the email service would be run by the government. Poetic.

            • These activists want the government to take over private restaurants, stores,
              You are just silly.

              apartments, etc.
              Perhaps.

              They object to private companies running businesses.
              Most certainly: nope.

              They got bit when the email service cooperated with an order from the government.
              You got it a little bit strange. There is no order from the government.
              There is no government in the EU that could make such an order.

              It is a court order. HUGHE DIFFERENCE.

          • Consequently:

            This is not a ProtonMail security problem.
            This is not an email security problem.
            This is not an in internet security problem.
            This is not an in internet problem.
            This is not a government nosiness problem..
            This is not a government problem..
            This is a human being problem
            This is poblem with how much nosiness human beings will put up with from their governments.
      • I don't know how motivated they are about standing up to western governments.

        Why western...

        • Because that is where you prove your independence: by standing up to your own side, not the adversaries. And in this case they rolled over pretty easily.
          An extra reason is that it's our side who has the regime change enthusiasts and protonmail may want to contribute to that. Their role in the Belarus airplane case was questionable.

    • Re: (Score:3, Insightful)

      by JRZO ( 6971596 )
      So much for "By remaining outside of US and EU jurisdiction, we provide a safe and neutral location to protect your confidential data."

      Source: https://protonmail.com/pricing [protonmail.com]
      • I think proton mail/vpn and what not just shot them self in the fot and made their services totally useless. I forsee a mass exodus of pretty much anyone that used it for the reason of feeling a tiny bit of security.
        • I foresee a mass exodus

          To where?

          • Facebook or Gmail!

            I tried to type that with a straight face...

            • Well, if it isn't a magical government-free fantasyland with a giant statue of that terrorist named John Galt out front, then why bother with the hassle and ending up in spam folders? Might as well just go back to regular mail. So going back to gmail actually makes sense.

                • He is the son of Mr and Mrs Galt, who named him John at his birth.

                • Who is John Galt?

                  https://en.wikipedia.org/wiki/... [wikipedia.org] jumps to mind as he is considered the first "political novelist" for his commentary on the Industrial Revolution and Galt in Ontario was named after him I think.

                  but Aighearach probably means the Ayn Rand character in "Atlas Shrugged".

                • I think he was the "hero thug" of a terrible book by Ayn Rand. Very popular with the foaming-at-the-mouth side of economics theory, I read part of it on an oil rig in a Siberian forest when there very literally was not a single other Latin script book in the eating hall's bookshelf. It is a terrible, unmemorable read - I couldn't remember my place from one meal break to the next. "Atlas Haemorrhoid", or something like that.
                • He's the hero in the novel Atlas Shrugged. He's presumed to be a protagonist. The author is careful to insist he's not a terrorist, because he only commits monetary violence, he doesn't directly kill anybody. He just tries to starve them by throwing the output of their work into the ocean.

                  He's presumed to be very libertarian and pro-individual, because he had determined the victims of his terrorism were part of a group he despised, and blamed for society's woes.

                  In the end, his group of "we hate altruism" fr

                  • Oh, yes, and I left out the important part that he, or his idiot followers, tagged "Who Is John Galt?" all over freeway overpasses and things. So when a person says, "Who is John Galt?" it means they're one of the terrorists. Wow, I can't believe I almost left that out!

                    • So was xenog (above) making a deliberate reference to indicate he knew exactly who John Galt was, or was he simply asking the question?

                      Mind. Blown. Norman, correlate.

        • by alexgieg ( 948359 ) <alexgieg@gmail.com> on Monday September 06, 2021 @04:31PM (#61769929) Homepage

          made their services totally useless.

          Their e-mail boxes continue fully encrypted, unless the arrested activist provides his password to the police. Besides, the activist should have used ProtonMails .onion address if they thought their IP address was information that needed protecting.

          • I note that the IP address provided (TFS mentions no arrests) was the IP address from which the account was set up, not necessarily the one (or even one of the many) from which it was used to send a particular message.

            I'm almost tempted to find Proton Mail's website, set up a couple of accounts, then send the user name and passwords for them to Joe Random Activist in my personal address book for onward distribution (from a third-party disposable email account, of course ; also "address book" in the sense o

        • by Anonymous Coward

          I saw the same exact negative sentiment with Hushmail when they were "asked" by Interpol to help decode a suspected drug dealer's mailbox.

          Asked in given a choice between doing so, or facing having the entire business shut down and the top people in the company arrested as co-conspirators or even accessories, with obstruction of justice charges tossed in for shits and giggles.

          Same thing with Protonmail. Email isn't like thepiratebay or wikileaks and easily decentralized. It had to have some geographical pl

        • by Bengie ( 1121981 )
          They've been doing this since forever. This is why they have their transparency report. Ignoring a court order makes you a criminal. Hard for a criminal to run a legitimate business where the operation of the business is the crime.
      • by Aighearach ( 97333 ) on Monday September 06, 2021 @04:13PM (#61769879)

        If "secure" means, "you can break the law and the gubermint can't investigate you" then yes, you won't have security.

        For most people, secure email means something different than that.

      • by alexgieg ( 948359 ) <alexgieg@gmail.com> on Monday September 06, 2021 @04:27PM (#61769915) Homepage

        to protect your confidential data

        IP addresses aren't protected confidential data, they're public, and ProtonMail explains in their FAQ that if the Swiss government requests them to log IP addresses, and their challenges to the request are denied (they say they always challenge those requests as much as allowed by the law), they're obliged to log and provide it to the police, which is why they provide a .onion Tor version of their webmail for use by those who need, in addition to encrypted communication, also their IP addresses protected, adding most other e-mail providers don't provide .onion access at all.

        If activists use a security service in an insecure manner, not following the service provider's own instructions on how to achieve the maximum protection available, is that really a fault of the service provider?

        • In Europe at least, IP address is considered personal data (don't know what you mean by confidential), in most cases:

          > In a ruling rendered on 17 December 2014, the BGH referred the following questions to the ECJ:

          > Whether, under Article 2a of the EU Data Protection Directive 95/46/EC, an IP address is personal data when the IP address is stored by a website provider and > a third party (e.g., an internet access provider) possesses sufficient additional data to identify the user.

          • Almost. In Europe IP addresses *can* be considered to be personal data. The ruling you refer to specifically has the condition on when it can and can't be considered, and you even quoted that in your last sentence.

            In countries with strong data protection laws or weak civil laws a legal means of identifying the owner of an address isn't present and in cases where the IP address doesn't link to a specific person it is not personal, e.g. VPN.

            Conclusion: This is a massive legal grey area in Europe very much ope

            • > has the condition on when it can and can't be considered, and you even quoted that in your last sentence.

              Yep, which is why my addendum "in most cases". Which I realise now is probably wishful thinking...

      • by praxis ( 19962 )

        So much for "By remaining outside of US and EU jurisdiction, we provide a safe and neutral location to protect your confidential data."

        Source: https://protonmail.com/pricing [protonmail.com]

        Technically, they are correct (about being outside the US and EU. Switzerland is not a member of the EU or US.

    • Ironic that it happened in the country famous for its resistance, then.
    • Sure there is. It's called a one-time address.
  • by RightwingNutjob ( 1302813 ) on Monday September 06, 2021 @12:34PM (#61769309)

    The moment two people have to interact to get something done, anonymity is compromised just a little bit by the little bit of information exchanged to make it happen.

    Perfect security (in the Shannon sense) can only exist with perfect trust, that is to say the antonym and opposite or anonymity.

    There are theoretical and practical means to get you a little security and a little anonymity, but the two are fundamentally at odds with one another.

    • by AmiMoJo ( 196126 ) on Monday September 06, 2021 @01:51PM (#61769509) Homepage Journal

      In this case though using a cheap VPN service in a different jurisdiction would have protected the target.

      • Against a nation state actor or a well-funded adversary? A VPN provides the thinnest patina of protection.
        • by AmiMoJo ( 196126 )

          TFA says it was the police.

          Unlikely they would deploy the resources necessary against this activist, let alone be prepared to reveal that they have them in court.

          • It would not require any sophisticated technique. Evidently, sending a warrant to europol or Interpol had the desired effect against proton mail. I would be willing to bet it would work against a VPN provider.
            • by AmiMoJo ( 196126 )

              How would sending a request to the Swiss police via Europol subvert a VPN?

              Are you suggesting that the Swiss police routinely hack foreign servers or tap major international interconnects, and then have a huge data centre processing it all to try to correlate VPN users, and that they would be willing to admit that and provide technical details to a court in order to secure the prosecution of this activist?

              • > How would sending a request to the police via Europol subvert a VPN?

                > Are you suggesting that the Swiss police routinely hack foreign servers or tap major international interconnects

                You're making this far more complicated than it is.
                It works the exact same way it worked with Protonmail.

                You send the request to the government who has jurisdiction over the VPN provider, they provide the IP address(es).

                • by AmiMoJo ( 196126 )

                  The IP addresses of what? Everyone who accessed their VPN server at roughly the time someone accessed Proton Mail? Great, now you have a list of thousands of IP addresses and no way to figure out which one relates to the account you are interested in.

                  Not that VPN providers can be forced to provide such information anyway, if they are in the right jurisdiction.

                • You send the request to the government who has jurisdiction over the VPN provider, they provide the IP address(es).
                  Nope.
                  You sent it to a court and provide evidence why you think it is wise to figure out the IP address.

              • You send the warrant to the country where the VPN service provider is located. Countries cooperate with Europol/Interpol quite regularly because it scores diplomatic points. Chuckleheads like these protestors are not worth expending diplomatic or political capital to protect.
                • by AmiMoJo ( 196126 ) on Tuesday September 07, 2021 @03:03AM (#61770867) Homepage Journal

                  You can send the warrant where the VPN provider is located but any decent one still won't be able to help you determine who accessed that website, and in many jurisdictions there is no obligation to add additional logging to find out.

                  In Norway, for example, VPNs are not ISPs (legally speaking) so have no obligation to help by logging. Even if they did log, it would need some heavy deep packet inspection to produce any meaningful results, which is not cheap.

          • TFA says it was the police.

            There's a distinction in competence between using the word police generically (a bunch of thugs beating down drunks and handing out speeding fines) and specific police forces. In the Netherlands for example the police force have in their jurisdiction dedicated cyber crimes units which are much more equivalent to (and often work with) the likes of the FBI. It was the "police" which undertook a multi year long intelligence operation to breach the Encrochat platform.

            Just saying "the police" doesn't really help

            • by AmiMoJo ( 196126 )

              Even so, I doubt they have the technical capability to unmask a properly configured VPN. If they did it would be big news.

              NSA/GCHQ level, sure, but nothing public. Remember that anything they do will have to be entered as evidence in open court.

    • by taustin ( 171655 ) on Monday September 06, 2021 @04:01PM (#61769831) Homepage Journal

      The moment two people have to interact to get something done,

      The moment that you do something on the internet, there's more than two people involved in the interaction. The internet is a public place. I'll get modded down for pointing it out, but that doesn't make it any less true.

      Don't do anything on the internet you wouldn't do on the street in front of your house.

  • by bubblyceiling ( 7940768 ) on Monday September 06, 2021 @01:22PM (#61769419)
    This just goes to show that there really is no such thing as a secure provider and the real solution is to have your own server
    • by mortonda ( 5175 ) on Monday September 06, 2021 @01:32PM (#61769457)

      This just goes to show that there really is no such thing as a secure provider and the real solution is to have your own server

      ... and that's not really going to work out well either. https://xkcd.com/538/ [xkcd.com]

      • Sometimes attacking the suspect with a wrench messes up the investigation, though.

        And in the case of real security, to protect yourself against criminals, somebody is a web cafe somewhere can't reach me with a wrench, but they can definitely call up some (outsourced) phone number and social-engineer my account into their hands.

        Or maybe even exploit a bug and crack my service provider, or my server, as the case may be. So the security differences require a more complicated analysis than the situation present

        • Sometimes attacking the suspect with a wrench messes up the investigation, though.

          Which is only really relevant if the investigator is interested in presenting his (or her) case in something resembling public. If they are ... "results focussed" then they are probably a bit scarier and have the arc welder and salt-water soaked sponges on hand when they drag you into the room with the hose-washable floor.

          • "results focussed"

            You've been watching too many crime movies.

            And stop typing all that <blockquote> shit. You just type <quote>foo</quote> and it works. Like this:

            foo

      • Comment removed based on user account deletion
    • by chill ( 34294 )

      Oh, yeah. THAT would have REALLY hidden your IP address.

    • Does having your own server really solve the problem? I have a virtual server with digital ocean. I am sure digital ocean would provide IP's given a court order or whatever. I guess you could have our own server at your home. But in that case, the server IP itself would be your IP. You can't hide the IP of a mail server. Could you go into detail about the setup you have or are envisioning?

    • I don't think the primary attraction of using ProtonMail is "hide from the government".

      The primary attraction is: It's not Google.

      Google gives you free email in hopes of making money off of you. They used to outright scan your emails and use that to fuel adverts, though their current policy is not to bother since they get plenty of marketing data on you from all their other services you use. BUT Google is also notoriously bad at customer service, and is infamous for straight-up cancelling people for TOS v

    • That server doesn't do you any good if it's not connected to the internet - via an ISP.

    • Comment removed based on user account deletion
  • by nospam007 ( 722110 ) * on Monday September 06, 2021 @01:44PM (#61769485)

    Use a VPN inside Starbucks, so that we are spared such articles forever.

    • Here here!
      • "Hear! Hear"

        They are homophones which make more sense when you see the correct version. Another pet peeve is "homed in (on)" and "honed in (on)".

    • by taustin ( 171655 )

      Starbucks, like most retailers, have security cams.

    • Comment removed based on user account deletion
      • "Why would I go to Starbucks? They sell expensive water."

        Free WIFI, you could also use another chain.

    • Use a VPN inside Starbucks, so that we are spared such articles forever.

      NO! Don't use a VPN. Just go into Starbucks. Then we can be spared their "coffee" as well.

  • Good. (Score:5, Interesting)

    by JaredOfEuropa ( 526365 ) on Monday September 06, 2021 @02:33PM (#61769615) Journal
    I'm all for privacy and against mass surveillance, but I'm fine with this sort of wiretap when it involves the police investigating a specific person or group, following due process and getting a court order (or however that works in Switzerland). As long as we are not expected to all give up our privacy so the police have an easier job of it.

    Also, I'm always happy to see squatters being taken care of.
    • Is this really necessary, when we know exactly where the squatters are? Surveillance laws typically don't stop at requiring providers to cooperate in individual cases. To prevent leaks, telecommunications providers must usually install hardware which enables law enforcement access without giving any information about the targets to the providers. [wikipedia.org] This leaves judges as the only oversight, especially when parallel construction [wikipedia.org] is used to obscure the methods of investigation, and it is well known that some har

    • Re:Good. (Score:5, Insightful)

      by schweini ( 607711 ) on Monday September 06, 2021 @05:00PM (#61769987)
      Exactly!
      Most people I know were fine with the old phone-wiretap procedure:
      Police suspect something very fishy, go to a judge, get a time-limited warrant if the judge think it's justified, and can then eavesdrop a bit.
      I fail to understand why this system should be that much different in the digital age (although it's a it useless thanks to encryption, but that is another matter). If the system is abused,the victim can legally procede against it.

      There is a wider and deeper problem of power abuse (like the famous National Security Letters) that has to urgently be fixed. But that's also another matter.
      • although it's a it useless thanks to encryption, but that is another matter

        Even utterly perfect encryption with no leaking of decryption keys can leave a useful information trail : who was talking to whom, and when. And that is fairly hard to hide, since you need the "From" and "To" data to be able to converse, and the "when" data to keep the messages in order (unless you actually have a delivery process which guarantees sequential delivery of entities sent in sequence, which IP does not and never did). It'

  • ProtonMail requires another email to register with. That seems a bigger risk. At least I can obscure my IP with VPN, but if ProtonMail is 'the most' secure email address then I must use a 'less' secure email to register with.
  • Anyone thinking they're safe while using Protonmail the Swiss safe haven... Should read the history of Crypto AG.

    https://en.wikipedia.org/wiki/Crypto_AG

  • For people who don't understand security or have read too many cyberpunk novels and believe it's real.
    • and Switzerland is a safe haven for your money and privacy if you've read too many spy or crime novels.

    • by HiThere ( 15173 )

      Well, if they'll allow you to send encrypted emails it probably is. Of course, there's the problem of originally transmitting the one time pad. The classic solution is to base it off some popular (in some sense) published work. For this purpose I think Finnegan's Wake would be nearly ideal, though everyone need to be using the same edition. So you initialize your random number by feeding a key starting at a particular character in a particular line on a particular page, and everyone needs to use the sam

  • by dogsbreath ( 730413 ) on Monday September 06, 2021 @04:21PM (#61769901)

    ... if the details are important to you.

    ProtonMail makes no claims about anonymous access. I've had an account with them from early on and in their policy docs they very directly pointed out they are in Switzerland and subject to Swiss laws. When I signed up I noted that they do not claim to have a no logging policy.

    They updated their website today with an explicit statement about following legal orders from Swiss authorities. I thought that was very clear from the beginning and it should be obvious that things like access IPs and logs would be available to Swiss law enforcement upon demand.

    Email is not an anonymizing service. Use an appropriate proxy or VPN service if obfuscated trace back is required. Use an anonymized payment method if necessary.

    Choose wisely.

    • ProtonMail makes no claims about anonymous access.

      Well they do, but you need to use their service properly, i.e they provide an onion address for expressly this purpose: https://protonmail.com/blog/to... [protonmail.com]

      Simply signing up to a VPN also does nothing if I don't run my VPN client.

  • Comment removed based on user account deletion
  • by PPH ( 736903 ) on Monday September 06, 2021 @08:20PM (#61770325)

    ... an empty building in Paris presently occupied by a bunch of squatters. Great police work, guys.

  • This was used against someone I don't like, so I don't see the problem.

  • Long story short: no online secure email provider is safe. The only way to use encrypted email securely is with a desktop client.

    I thought this would be obvious, but it seems that some clueless individuals actually believe the misinformation being spread by these providers.

Established technology tends to persist in the face of new technology. -- G. Blaauw, one of the designers of System 360

Working...