ProtonMail Logged IP Address of French Activist After Order By Swiss Authorities (techcrunch.com) 153
ProtonMail, a hosted email service with a focus on end-to-end encrypted communications, has been facing criticism after a police report showed that French authorities managed to obtain the IP address of a French activist who was using the online service. From a report: The company has communicated widely about the incident, stating that it doesn't log IP addresses by default and it only complies with local regulation -- in that case Swiss law. While ProtonMail didn't cooperate with French authorities, French police sent a request to Swiss police via Europol to force the company to obtain the IP address of one of its users. For the past year, a group of people have taken over a handful of commercial premises and apartments near Place Sainte Marthe in Paris. They want to fight against gentrification, real estate speculation, Airbnb and high-end restaurants. While it started as a local conflict, it quickly became a symbolic campaign. They attracted newspaper headlines when they started occupying premises rented by Le Petit Cambodge -- a restaurant that was targeted by the November 13th, 2015 terrorist attacks in Paris.
On September 1st, the group published an article on Paris-luttes.info, an anticapitalist news website, summing up different police investigations and legal cases against some members of the group. According to their story, French police sent an Europol request to ProtonMail in order to uncover the identity of the person who created a ProtonMail account -- the group was using this email address to communicate. The address has also been shared on various anarchist websites. The next day, @MuArF on Twitter shared an abstract of a police report detailing ProtonMail's reply. According to @MuArF, the police report is related to the ongoing investigation against the group who occupied various premises around Place Sainte-Marthe. It says that French police received a message on Europol.
On September 1st, the group published an article on Paris-luttes.info, an anticapitalist news website, summing up different police investigations and legal cases against some members of the group. According to their story, French police sent an Europol request to ProtonMail in order to uncover the identity of the person who created a ProtonMail account -- the group was using this email address to communicate. The address has also been shared on various anarchist websites. The next day, @MuArF on Twitter shared an abstract of a police report detailing ProtonMail's reply. According to @MuArF, the police report is related to the ongoing investigation against the group who occupied various premises around Place Sainte-Marthe. It says that French police received a message on Europol.
There's no such thing as secure emails (Score:2)
and at the end of the day, no company is going to stand up against a government. Hopefully some lessons have been learned.
Re:There's no such thing as secure emails (Score:5, Interesting)
Wikileaks have an approach where they cannot know who contacts them unless the source chooses to make himself or herself known to them.
Protonmail is different. I don't know how motivated they are about standing up to western governments.
Re: There's no such thing as secure emails (Score:2)
Re: (Score:3)
I would turn in a bunch of private addresses and say oops, we use proxy firewalls and those are their IP addresses.
They would ask you from the logs from those firewalls. The first time you'd be able to tell them you didn't turn them on. The second, perhaps, that you messed up and got the wrong addresses. After that if you didn't shape up they could arrest you for interfering with an investigation or contempt of court. The only reasonable way around this is onion routing, like tor, or private connections and even there you have to be really careful.
The activists for what they asked for (Score:3, Interesting)
These activists want the government to take over private restaurants, stores, apartments, etc. They object to private companies running businesses.
If they had their way, the ISP and the email service would be run by the government.
They got bit when the email service cooperated with an order from the government. If they had their way, there wouldn't have even been any news for the order, since the email service would be run by the government. Poetic.
Re: (Score:3)
These activists want the government to take over private restaurants, stores,
You are just silly.
apartments, etc.
Perhaps.
They object to private companies running businesses.
Most certainly: nope.
They got bit when the email service cooperated with an order from the government.
You got it a little bit strange. There is no order from the government.
There is no government in the EU that could make such an order.
It is a court order. HUGHE DIFFERENCE.
Re: (Score:3)
This is not a ProtonMail security problem.
This is not an email security problem.
This is not an in internet security problem.
This is not an in internet problem.
This is not a government nosiness problem..
This is not a government problem..
This is a human being problem
This is poblem with how much nosiness human beings will put up with from their governments.
Re: There's no such thing as secure emails (Score:2)
I don't know how motivated they are about standing up to western governments.
Why western...
Re: (Score:2)
Because that is where you prove your independence: by standing up to your own side, not the adversaries. And in this case they rolled over pretty easily.
An extra reason is that it's our side who has the regime change enthusiasts and protonmail may want to contribute to that. Their role in the Belarus airplane case was questionable.
Re: (Score:3, Insightful)
Source: https://protonmail.com/pricing [protonmail.com]
Re: There's no such thing as secure emails (Score:3)
Re: (Score:2)
I foresee a mass exodus
To where?
Re: There's no such thing as secure emails (Score:2)
I tried to type that with a straight face...
Re: (Score:3)
Well, if it isn't a magical government-free fantasyland with a giant statue of that terrorist named John Galt out front, then why bother with the hassle and ending up in spam folders? Might as well just go back to regular mail. So going back to gmail actually makes sense.
Re: There's no such thing as secure emails (Score:2)
Re: (Score:2)
He is the son of Mr and Mrs Galt, who named him John at his birth.
Re: (Score:3)
Who is John Galt?
https://en.wikipedia.org/wiki/... [wikipedia.org] jumps to mind as he is considered the first "political novelist" for his commentary on the Industrial Revolution and Galt in Ontario was named after him I think.
but Aighearach probably means the Ayn Rand character in "Atlas Shrugged".
Re: (Score:3)
Re: (Score:2)
... a terrible book by Ayn Rand.
That doesn't narrow it down very much.
Re: (Score:3)
He's the hero in the novel Atlas Shrugged. He's presumed to be a protagonist. The author is careful to insist he's not a terrorist, because he only commits monetary violence, he doesn't directly kill anybody. He just tries to starve them by throwing the output of their work into the ocean.
He's presumed to be very libertarian and pro-individual, because he had determined the victims of his terrorism were part of a group he despised, and blamed for society's woes.
In the end, his group of "we hate altruism" fr
Re: (Score:3)
Oh, yes, and I left out the important part that he, or his idiot followers, tagged "Who Is John Galt?" all over freeway overpasses and things. So when a person says, "Who is John Galt?" it means they're one of the terrorists. Wow, I can't believe I almost left that out!
Re: (Score:2)
So was xenog (above) making a deliberate reference to indicate he knew exactly who John Galt was, or was he simply asking the question?
Mind. Blown. Norman, correlate.
Re: There's no such thing as secure emails (Score:5, Informative)
made their services totally useless.
Their e-mail boxes continue fully encrypted, unless the arrested activist provides his password to the police. Besides, the activist should have used ProtonMails .onion address if they thought their IP address was information that needed protecting.
Re: (Score:2)
I'm almost tempted to find Proton Mail's website, set up a couple of accounts, then send the user name and passwords for them to Joe Random Activist in my personal address book for onward distribution (from a third-party disposable email account, of course ; also "address book" in the sense o
Not many choices when government closes in... (Score:2, Insightful)
I saw the same exact negative sentiment with Hushmail when they were "asked" by Interpol to help decode a suspected drug dealer's mailbox.
Asked in given a choice between doing so, or facing having the entire business shut down and the top people in the company arrested as co-conspirators or even accessories, with obstruction of justice charges tossed in for shits and giggles.
Same thing with Protonmail. Email isn't like thepiratebay or wikileaks and easily decentralized. It had to have some geographical pl
Re: (Score:3)
tldr; Provable anonymous systems with bi-directional communication is still an active area of research
Re: (Score:2)
Re:There's no such thing as secure emails (Score:5, Insightful)
If "secure" means, "you can break the law and the gubermint can't investigate you" then yes, you won't have security.
For most people, secure email means something different than that.
Re:There's no such thing as secure emails (Score:5, Informative)
to protect your confidential data
IP addresses aren't protected confidential data, they're public, and ProtonMail explains in their FAQ that if the Swiss government requests them to log IP addresses, and their challenges to the request are denied (they say they always challenge those requests as much as allowed by the law), they're obliged to log and provide it to the police, which is why they provide a .onion Tor version of their webmail for use by those who need, in addition to encrypted communication, also their IP addresses protected, adding most other e-mail providers don't provide .onion access at all.
If activists use a security service in an insecure manner, not following the service provider's own instructions on how to achieve the maximum protection available, is that really a fault of the service provider?
Re: (Score:3)
In Europe at least, IP address is considered personal data (don't know what you mean by confidential), in most cases:
> In a ruling rendered on 17 December 2014, the BGH referred the following questions to the ECJ:
> Whether, under Article 2a of the EU Data Protection Directive 95/46/EC, an IP address is personal data when the IP address is stored by a website provider and > a third party (e.g., an internet access provider) possesses sufficient additional data to identify the user.
Re: (Score:3)
Almost. In Europe IP addresses *can* be considered to be personal data. The ruling you refer to specifically has the condition on when it can and can't be considered, and you even quoted that in your last sentence.
In countries with strong data protection laws or weak civil laws a legal means of identifying the owner of an address isn't present and in cases where the IP address doesn't link to a specific person it is not personal, e.g. VPN.
Conclusion: This is a massive legal grey area in Europe very much ope
Re: (Score:2)
> has the condition on when it can and can't be considered, and you even quoted that in your last sentence.
Yep, which is why my addendum "in most cases". Which I realise now is probably wishful thinking...
Re: (Score:2)
So much for "By remaining outside of US and EU jurisdiction, we provide a safe and neutral location to protect your confidential data."
Source: https://protonmail.com/pricing [protonmail.com]
Technically, they are correct (about being outside the US and EU. Switzerland is not a member of the EU or US.
Re: (Score:2)
Re: (Score:2)
Ain't no such thing as anonymity (Score:4, Interesting)
The moment two people have to interact to get something done, anonymity is compromised just a little bit by the little bit of information exchanged to make it happen.
Perfect security (in the Shannon sense) can only exist with perfect trust, that is to say the antonym and opposite or anonymity.
There are theoretical and practical means to get you a little security and a little anonymity, but the two are fundamentally at odds with one another.
Re:Ain't no such thing as anonymity (Score:5, Insightful)
In this case though using a cheap VPN service in a different jurisdiction would have protected the target.
Re: Ain't no such thing as anonymity (Score:3)
Re: (Score:2)
TFA says it was the police.
Unlikely they would deploy the resources necessary against this activist, let alone be prepared to reveal that they have them in court.
Re: Ain't no such thing as anonymity (Score:2)
Re: (Score:2)
How would sending a request to the Swiss police via Europol subvert a VPN?
Are you suggesting that the Swiss police routinely hack foreign servers or tap major international interconnects, and then have a huge data centre processing it all to try to correlate VPN users, and that they would be willing to admit that and provide technical details to a court in order to secure the prosecution of this activist?
Re: (Score:2)
> How would sending a request to the police via Europol subvert a VPN?
> Are you suggesting that the Swiss police routinely hack foreign servers or tap major international interconnects
You're making this far more complicated than it is.
It works the exact same way it worked with Protonmail.
You send the request to the government who has jurisdiction over the VPN provider, they provide the IP address(es).
Re: (Score:2)
The IP addresses of what? Everyone who accessed their VPN server at roughly the time someone accessed Proton Mail? Great, now you have a list of thousands of IP addresses and no way to figure out which one relates to the account you are interested in.
Not that VPN providers can be forced to provide such information anyway, if they are in the right jurisdiction.
Re: (Score:2)
You send the request to the government who has jurisdiction over the VPN provider, they provide the IP address(es).
Nope.
You sent it to a court and provide evidence why you think it is wise to figure out the IP address.
Re: (Score:2)
Re: Ain't no such thing as anonymity (Score:5, Interesting)
You can send the warrant where the VPN provider is located but any decent one still won't be able to help you determine who accessed that website, and in many jurisdictions there is no obligation to add additional logging to find out.
In Norway, for example, VPNs are not ISPs (legally speaking) so have no obligation to help by logging. Even if they did log, it would need some heavy deep packet inspection to produce any meaningful results, which is not cheap.
Re: (Score:2)
TFA says it was the police.
There's a distinction in competence between using the word police generically (a bunch of thugs beating down drunks and handing out speeding fines) and specific police forces. In the Netherlands for example the police force have in their jurisdiction dedicated cyber crimes units which are much more equivalent to (and often work with) the likes of the FBI. It was the "police" which undertook a multi year long intelligence operation to breach the Encrochat platform.
Just saying "the police" doesn't really help
Re: (Score:2)
Even so, I doubt they have the technical capability to unmask a properly configured VPN. If they did it would be big news.
NSA/GCHQ level, sure, but nothing public. Remember that anything they do will have to be entered as evidence in open court.
Re:Ain't no such thing as anonymity (Score:5, Insightful)
The moment two people have to interact to get something done,
The moment that you do something on the internet, there's more than two people involved in the interaction. The internet is a public place. I'll get modded down for pointing it out, but that doesn't make it any less true.
Don't do anything on the internet you wouldn't do on the street in front of your house.
Time to roll your own mail & other servers (Score:5, Insightful)
Re:Time to roll your own mail & other servers (Score:5, Insightful)
This just goes to show that there really is no such thing as a secure provider and the real solution is to have your own server
... and that's not really going to work out well either. https://xkcd.com/538/ [xkcd.com]
Re: (Score:2)
Sometimes attacking the suspect with a wrench messes up the investigation, though.
And in the case of real security, to protect yourself against criminals, somebody is a web cafe somewhere can't reach me with a wrench, but they can definitely call up some (outsourced) phone number and social-engineer my account into their hands.
Or maybe even exploit a bug and crack my service provider, or my server, as the case may be. So the security differences require a more complicated analysis than the situation present
Re: (Score:3)
Which is only really relevant if the investigator is interested in presenting his (or her) case in something resembling public. If they are ... "results focussed" then they are probably a bit scarier and have the arc welder and salt-water soaked sponges on hand when they drag you into the room with the hose-washable floor.
Re: (Score:2)
"results focussed"
You've been watching too many crime movies.
And stop typing all that <blockquote> shit. You just type <quote>foo</quote> and it works. Like this:
foo
Re: (Score:2)
Re: (Score:2)
Oh, yeah. THAT would have REALLY hidden your IP address.
Re: (Score:2)
Comment removed (Score:5, Informative)
Re: (Score:2)
Does having your own server really solve the problem? I have a virtual server with digital ocean. I am sure digital ocean would provide IP's given a court order or whatever. I guess you could have our own server at your home. But in that case, the server IP itself would be your IP. You can't hide the IP of a mail server. Could you go into detail about the setup you have or are envisioning?
Re: (Score:3)
I don't think the primary attraction of using ProtonMail is "hide from the government".
The primary attraction is: It's not Google.
Google gives you free email in hopes of making money off of you. They used to outright scan your emails and use that to fuel adverts, though their current policy is not to bother since they get plenty of marketing data on you from all their other services you use. BUT Google is also notoriously bad at customer service, and is infamous for straight-up cancelling people for TOS v
Gotta connect that server to the internet (Score:2)
That server doesn't do you any good if it's not connected to the internet - via an ISP.
Re: (Score:2)
Dear activists (Score:3)
Use a VPN inside Starbucks, so that we are spared such articles forever.
Re: (Score:2)
Re: (Score:2)
They are homophones which make more sense when you see the correct version. Another pet peeve is "homed in (on)" and "honed in (on)".
Re: (Score:2)
Maybe he was typing his response while sitting in a Starbucks using a VPN.
Re: (Score:2)
Starbucks, like most retailers, have security cams.
Re: (Score:2)
I'll see your security cam and raise you a mask.
Re: (Score:2)
Re: (Score:2)
"Why would I go to Starbucks? They sell expensive water."
Free WIFI, you could also use another chain.
Re: (Score:2)
Use a VPN inside Starbucks, so that we are spared such articles forever.
NO! Don't use a VPN. Just go into Starbucks. Then we can be spared their "coffee" as well.
Re: (Score:2)
I never bothered trying Kopi Luwak but maybe I just should for once. Considering the cost outside of Indonesia I doubt if you really drink it a lot :) If at all.
Haitian coffee used to be a favorite of mine, but couldn't get hold of it after the earthquake and everything went american NGO.
Good. (Score:5, Interesting)
Also, I'm always happy to see squatters being taken care of.
Re: (Score:2)
Is this really necessary, when we know exactly where the squatters are? Surveillance laws typically don't stop at requiring providers to cooperate in individual cases. To prevent leaks, telecommunications providers must usually install hardware which enables law enforcement access without giving any information about the targets to the providers. [wikipedia.org] This leaves judges as the only oversight, especially when parallel construction [wikipedia.org] is used to obscure the methods of investigation, and it is well known that some har
Re:Good. (Score:5, Insightful)
Most people I know were fine with the old phone-wiretap procedure:
Police suspect something very fishy, go to a judge, get a time-limited warrant if the judge think it's justified, and can then eavesdrop a bit.
I fail to understand why this system should be that much different in the digital age (although it's a it useless thanks to encryption, but that is another matter). If the system is abused,the victim can legally procede against it.
There is a wider and deeper problem of power abuse (like the famous National Security Letters) that has to urgently be fixed. But that's also another matter.
Re: (Score:3)
Even utterly perfect encryption with no leaking of decryption keys can leave a useful information trail : who was talking to whom, and when. And that is fairly hard to hide, since you need the "From" and "To" data to be able to converse, and the "when" data to keep the messages in order (unless you actually have a delivery process which guarantees sequential delivery of entities sent in sequence, which IP does not and never did). It'
registration email (Score:2)
Re: (Score:2)
It's been in place for a long time. They are also savvy enough to reject "mailinator" and similar domains.
Re: (Score:2)
unsafe (Score:2)
Anyone thinking they're safe while using Protonmail the Swiss safe haven... Should read the history of Crypto AG.
https://en.wikipedia.org/wiki/Crypto_AG
Re: (Score:2)
"because they were also swiss" is a bit thin as argument.
ProtonMail is a secure email service (Score:2)
Re: (Score:2)
and Switzerland is a safe haven for your money and privacy if you've read too many spy or crime novels.
Re: (Score:3)
Well, if they'll allow you to send encrypted emails it probably is. Of course, there's the problem of originally transmitting the one time pad. The classic solution is to base it off some popular (in some sense) published work. For this purpose I think Finnegan's Wake would be nearly ideal, though everyone need to be using the same edition. So you initialize your random number by feeding a key starting at a particular character in a particular line on a particular page, and everyone needs to use the sam
Pays to read the policy docs ... (Score:5, Informative)
... if the details are important to you.
ProtonMail makes no claims about anonymous access. I've had an account with them from early on and in their policy docs they very directly pointed out they are in Switzerland and subject to Swiss laws. When I signed up I noted that they do not claim to have a no logging policy.
They updated their website today with an explicit statement about following legal orders from Swiss authorities. I thought that was very clear from the beginning and it should be obvious that things like access IPs and logs would be available to Swiss law enforcement upon demand.
Email is not an anonymizing service. Use an appropriate proxy or VPN service if obfuscated trace back is required. Use an anonymized payment method if necessary.
Choose wisely.
Re: (Score:2)
ProtonMail makes no claims about anonymous access.
Well they do, but you need to use their service properly, i.e they provide an onion address for expressly this purpose: https://protonmail.com/blog/to... [protonmail.com]
Simply signing up to a VPN also does nothing if I don't run my VPN client.
Re: (Score:2)
That IP traces back to .... (Score:4, Funny)
Nothing to see here, move along. (Score:2)
This was used against someone I don't like, so I don't see the problem.
Think! (Score:2)
I thought this would be obvious, but it seems that some clueless individuals actually believe the misinformation being spread by these providers.
Re: Only fools (Score:3, Insightful)
Re: Only fools (Score:5, Interesting)
Re: (Score:2)
Well they're going after squatters. So they ask protonmail and protonmail says 'we can only give you the info if Switzerland tells us to but we'll tell you what you have to do: ask interpol, they will ask the Swiss who will gladly abide and then we will have to give it , ain't that cute?'
Re: Legally renting is somehow illegal? (Score:2)
To be fair protonmail was compelled to do so. But the real question is about sanity. I understand how these things work, trust me.
But launching such an attack seems very overreaching.
Can they not evict squatters and return property without making it an international study.
The police would be within their right to do so without using such a poor strategy that will probably enable the activists.
To be fair, there may be something that is pertinent to such a move, but I doubt it, if so they would have kept th
Re: (Score:2)
Protonmail explained the loophole and how to make use of it. Were they compelled to do so? Then in the twitter discussion Protonmail CEO denied the loophole :
.
Re: (Score:2)
If there's people conspiring to commit the crime who do not personally contribute, the conspiracy is still a crime. And the only way to (maybe) prevent it is to track down the planners and prosecute them, as well.
Otherwise, there's an old quote from P. T. Barnum about suckers that applies.
Re: (Score:2)
Were I running the forum, I would intentionally prevent you from registering. Your repeated screeds have caused me to sympathize with the forums rather than with you.
Re: (Score:2)
I feel like copy-pasting the standard "lorem ipsum" screed now.
Re: Why exactly can't we have nice things? (Score:2)
Re: (Score:2)
I don't actually care whether it's one person or a gang, or a bunch of unconnected individuals. They are a drag on any forum they post that garbage in.
The original poster can be forgiven the first time. It *is* a creative endeavor, and he is (probably) honestly expressing himself. The follow on copies should be grounds for banning. Unfortunately, this is difficult to manage.
Actually, if we had an AI reading the posts that could just say "That's already been posted twice, don't display it" or "Something