Once again, in light of the ProtonMail revelations, it's not private unless you run it yourself.


techcrunch.com/2021/09/06/prot

ProtonMail’s founder and CEO Andy Yen reacted to the police report on Twitter without mentioning the specific circumstances of that case in particular. “Proton must comply with Swiss law. As soon as a crime is committed, privacy protections can be suspended and we’re required by Swiss law to answer requests from Swiss authorities,” he wrote.

@thegibson UUUuugh. I rarely use my ProtonMail, but now I definitely won't be using it for conspiracy^W protests^W crime. And I pay for a ProtonVPN, and Yen saying it's safe for now is still insufficiently certain.

@mdhughes Almost every VPN provider out there may not log your access, but they do use Zeek on the backend to monitor traffic for botnets... which means they are actually logging, just not where one expects.

@thegibson I'm fine with them kicking me off if I become a hegemonizing swarm. I just don't want them giving, say, the RIAA my address.

@mdhughes @thegibson Yeah, I trust VPN providers, but only so far as I don't expect them to tell Cartoon Network that I torrented those old episodes of Dexter's Lab.

@thegibson

I researched ProtonMail a bit when it was founded post-Lavabit.

I had problems with their US ties. At least some of its dev or ops people were based in the US, in Massachusetts, and key execs were US citizens. Both made it possible to end-run around their privacy by applying direct leverage to those resources.

They had also been very clear about their adherence to Swiss law from the beginning. This led me to read the Swiss laws regarding electronic privacy. Cont'd...

@thegibson

Swiss law around electronic privacy allows for inter-agency requests such as the one discussed. I didn't think that offered much protection against governmental interference by the EU, though it may offer somewhat more protection against US interference. Not much really, as the EU has Five Eyes member nations.

So it is easy for the US to end-run around dealing directly with the Swiss by proxying its request through Germany or another compliant Five Eyes ally.

Cont'd

@thegibson

Something to consider when using ANY privacy service based in Switzerland. There are several mail and hosting services that purport to offer privacy like ProtonMail, but once you understand the limits of electronic privacy under Swiss law, it becomes clear that those protections aren't much better than in the US. Only more transparent to you, the user.

Self hosting a mail server for privacy reasons in the US has its own specific limitations.

Cont'd

@thegibson

1- You must read your ISP's TOS very carefully.

1a- Most ISPs don't allow ANY hosting, unless you have a business account which is usually double the cost. Even with that, many don't allow mail hosting.

1b- Some TOS allow entry without a warrant if you have the ISP equipment in or on your property. Literally, the ISP can open your front door and allow the police to walk in, or act on their behalf.

2- This does not stop the government from playing man-in-the-middle at your ISP's office.

@thegibson

So, a way around the equipment issue is to have your own equipment on the property only (Xfinity/Comcast). This usually means you provide your own modem and handle your own installation of wiring.

Xfinity will often provision a modem that you have to turn back in. Even if they have a record of that, they are notorious for "losing" records and charging at the end of service for "missing" gear. This also means they can claim ignorance when complying with a premises request.

@thegibson

So, for me, when I consider self-hosting mail, I have to understand that only if I own my own premises, have a clear relationship with my ISP regarding their right of entry, and own the transmission media on my property interfacing with the ISP can I feel somewhat secure in hosting my mail server.

But that doesn't stop collection of metadata at all. That can be done at my ISP's central office.

@bill Plenty of ways around your ISP having access to that traffic though.

@thegibson

Absolutely. But that is the subject of another long thread, and my fingers are tired after climbing :)

@bill I very much understand.... I have a brisket to attend to.

@Tay0 In theory, yes...

Although that is also able to be monitored if you try hard enough.

Metadata will kill you.
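Two points in this thread, the one that a provider running Zeek "is actually logging, just not where one expects" and the one that "metadata will kill you", are easiest to see with Zeek's own output in front of you. The following Python is an added example, not code from the thread, from Zeek, or from any VPN provider: it parses a small constructed Zeek conn.log excerpt (addresses, timestamps and the `VPN_SESSIONS` address-to-account table are all invented for the example) and answers the question a copyright-holder request actually asks, which client and which account was talking to a given host and port in a given window. No payload is stored anywhere in conn.log; the byte counts and endpoints are enough.

```python
"""Added example, not code from the thread or from any VPN provider.

A VPN or ISP that keeps "no logs" of account activity but runs Zeek on its
backend still produces conn.log: one record per connection with timestamps,
both endpoints, ports, byte counts and a protocol guess, but no payload.
"""
from dataclasses import dataclass

# Constructed Zeek conn.log excerpt (tab-separated, with Zeek's #fields header).
# Addresses and timestamps are invented: 10.8.0.0/24 plays the VPN client pool,
# 203.0.113.0/24 and 198.51.100.0/24 are documentation-only ranges.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\n"
    "1630886400.120\tCHk3Aa\t10.8.0.12\t51234\t203.0.113.7\t6881\ttcp\t-"
    "\t842.5\t2101933\t5312\tSF\n"
    "1630886412.004\tCHk3Ab\t10.8.0.12\t51235\t203.0.113.9\t443\ttcp\tssl"
    "\t3.2\t1200\t48200\tSF\n"
    "1630886500.500\tCHk3Ac\t10.8.0.31\t40022\t203.0.113.7\t6881\ttcp\t-"
    "\t12.0\t900\t1800\tSF\n"
    "1630887000.000\tCHk3Ad\t10.8.0.44\t55000\t198.51.100.5\t25\ttcp\t-"
    "\t-\t-\t-\tS0\n"
    "#close\t2021-09-06-00-10-00\n"
)

# Hypothetical session table (assumed, not from the thread): the provider's
# auth server or address-pool assignment already maps client address to account.
VPN_SESSIONS = {"10.8.0.12": "acct-4471", "10.8.0.31": "acct-9020",
                "10.8.0.44": "acct-0153"}


@dataclass(frozen=True)
class Conn:
    ts: float          # epoch seconds, as Zeek writes it
    uid: str
    orig_h: str        # originator (client) address
    orig_p: int
    resp_h: str        # responder address
    resp_p: int
    proto: str
    service: str       # Zeek's protocol guess, "-" when it has none
    duration: float
    orig_bytes: int    # payload bytes the client sent
    resp_bytes: int
    conn_state: str    # e.g. SF = normal completion, S0 = attempt, no reply


def _num(value, cast):
    """Zeek writes '-' for unset fields (e.g. an unanswered SYN); treat as zero."""
    return cast(value) if value != "-" else cast(0)


def parse_conn_log(text):
    """Parse Zeek's ASCII conn.log, taking column names from the #fields header."""
    fields, conns = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("conn.log record before #fields header")
            rec = dict(zip(fields, line.split("\t")))
            conns.append(Conn(
                ts=float(rec["ts"]), uid=rec["uid"],
                orig_h=rec["id.orig_h"], orig_p=int(rec["id.orig_p"]),
                resp_h=rec["id.resp_h"], resp_p=int(rec["id.resp_p"]),
                proto=rec["proto"], service=rec["service"],
                duration=_num(rec["duration"], float),
                orig_bytes=_num(rec["orig_bytes"], int),
                resp_bytes=_num(rec["resp_bytes"], int),
                conn_state=rec["conn_state"]))
    return conns


def clients_that_talked_to(conns, resp_h, resp_p, start_ts, end_ts):
    """Client addresses that connected to resp_h:resp_p within [start_ts, end_ts]."""
    return sorted({c.orig_h for c in conns
                   if c.resp_h == resp_h and c.resp_p == resp_p
                   and start_ts <= c.ts <= end_ts})


def accounts_that_talked_to(conns, sessions, resp_h, resp_p, start_ts, end_ts):
    """The same question answered the way a request wants it: account identifiers."""
    clients = clients_that_talked_to(conns, resp_h, resp_p, start_ts, end_ts)
    return sorted({sessions[c] for c in clients if c in sessions})


def upload_bytes_by_client(conns):
    """Total bytes sent per client; a seeder stands out with no payload inspected."""
    totals = {}
    for c in conns:
        totals[c.orig_h] = totals.get(c.orig_h, 0) + c.orig_bytes
    return totals


if __name__ == "__main__":
    conns = parse_conn_log(SAMPLE_CONN_LOG)
    # "Who was talking to peer 203.0.113.7:6881 between 00:00 and 00:10 UTC on 2021-09-06?"
    window = (1630886400.0, 1630887000.0)
    print(accounts_that_talked_to(conns, VPN_SESSIONS, "203.0.113.7", 6881, *window))
    print(upload_bytes_by_client(conns))
```

The only content-derived column is `service`, which is Zeek's protocol detection, not stored traffic; everything else is pure metadata, and it is exactly the join (timestamp, endpoints, address-to-account table) that an outside party needs. Note also the unanswered-connection record: Zeek writes `-` for fields it never observed, and a parser that calls `int()` on those without the `_num` guard will crash on the first real log.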

@Tay0 I think the question comes down to ProtonMail's marketing... A lot of people right now feel like they were lied to.

@Tay0 I personally don't use them... for what we see here.

sooo...

@Tay0 @thegibson Also, re Matrix: is it any more secure than XMPP with encryption? At least XMPP is not typically implemented as consistent storage across servers.

@thegibson @Tay0 I'm not sure why people are so upset. ProtonMail didn't lie; those users lied to themselves. They always said if you're doing Edward Snowden stuff, look elsewhere or run your own.

@Tay0 @thegibson If I'm not mistaken, it can be found in the agreements and help sections. After reading the article, it seems like governments are taking advantage of the loophole.

@thegibson @akeno when it comes down to it, services like ProtonMail are honeypots. Even if the founders are sincere in their intentions, they’ll all roll over when legally compelled to do so. No sane person will make a meaningful sacrifice for your privacy, except, potentially, you yourself.

hackers.town