this post was submitted on 18 Aug 2023
50 points (69.8% liked)

Privacy

31876 readers
511 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
all 29 comments
sorted by: hot top controversial new old
[–] Achird@sh.itjust.works 195 points 1 year ago (5 children)

Proton are very transparent about what data is and isn’t stored, how data is protected and what (very limited) data may be available in the event of a legal warrant - going through all the proper channels.

Complying with legal warrants doesnt make the service insecure or not private. It makes it a legal and legitimate company.

It shouldn’t really be a surprise to any of it’s users.

[–] nbailey@lemmy.ca 56 points 1 year ago (1 children)

Some people have the idea that a private business is going to break the law or defy their governments requests for them. That’s completely deluded, nobody would ever open willingly expose themself to that kind of risk. No organization is going to let themselves go on trial for $15/month. It seems we have a binary idea of privacy, when the reality is much more complex.

[–] Black_Gulaman@lemmy.dbzer0.com 18 points 1 year ago

It's the "if you're not with us, then you're against us" mentality.

Huh, I guess these people haven't been roaming the real world for a long time, they get their ideas from television shows and movies.

[–] randomguy2323@lemmy.kevitprojects.com 21 points 1 year ago (1 children)

I agree with you these people think that Proton will fight and protect you for $11 a month. Lol we really have to keep in mind that companies will comply to a government request its on you to keep your data secure and communications encrypted.

[–] authed@lemmy.ml 7 points 1 year ago (1 children)

Even if your messages are encrypted, you still leak a lot of data (aka metadata)

Yes you are right. But as Michael Bazell said just expect that everything you said its going to be leak.

[–] AnonymousLlama@kbin.social 10 points 1 year ago

The best take on here. The reasonable one that still highlights how much better it is compared to other mainstream services

[–] RickyRigatoni@lemmy.ml 6 points 1 year ago

Remember that time I think it was Signal got a warrant for all data they had on a user and literally all the data they had was account name, creation date, and last login date? That was funny.

[–] Treczoks@kbin.social 4 points 1 year ago

Well, in the US, FISA warrants are technically legal, too.

[–] jet@hackertalks.com 43 points 1 year ago* (last edited 1 year ago) (1 children)

What they can share, IP, Recovery Email, Payment information, for every email: From, To, Subject, Time, Size..

Basically all of your metadata. If you're concerned about people knowing your metadata, especially who you're talking to and when you're talking to them, don't use proton. Better not to use email at all.

[–] jhulten@infosec.pub 9 points 1 year ago

That second part. The 'e' in email stands for evidence.

[–] randomguy2323@lemmy.kevitprojects.com 30 points 1 year ago (1 children)

Please tell me of a email service that is government proof. There is none that doesn't and will never exist. Of course Proton is private and secure as the user is. All of this boils down to the user security hygiene.

[–] worfamerryman@beehaw.org 6 points 1 year ago (2 children)

They talk about for the number of requests has grown as the number of users has. Previously they advised users to use their onion address.

Additionally they said the emails and other stuff is encrypted so it’s really just some meta data that is being handed over.

[–] jet@hackertalks.com 3 points 1 year ago* (last edited 1 year ago) (1 children)

just some metadata...

We kill people based on metadata https://www.wired.com/2015/03/data-and-goliath-nsa-metadata-spying-your-secrets/

And don't for a second think you're safe just because you're not doing anything wrong. The people you're in communication with could be a target, and you could be the plus one collateral, or just the plus one cleaning the network up. You don't want to be a target. Metadata can make you an inadvertent target. Even if you're doing everything right yourself

[–] worfamerryman@beehaw.org 3 points 1 year ago (1 children)

Then what do you suggest for an email client? My point is, you do the best you can and not make a big deal on couple thousand requests being handed over when there are 100m accounts.

[–] jet@hackertalks.com 2 points 1 year ago

Tutanota is the only email provider that I know that stores all data encrypted, AT REST.

Due to the nature of email, messages in transit are not encrypted (at least the metadata).

Depending on your risk tolerance, this might be fine.

I would recommend end to end encrypted communication for sensitive information (signal, etc).

Consult privacy guides for the tradeoffs of email and messengers.

[–] randomguy2323@lemmy.kevitprojects.com 2 points 1 year ago (1 children)

Yes as I said before its not like yes I will use Proton mail for nefarious stuff and expect that Proton will defend you against a government. The user is responsible for their data safety.

[–] worfamerryman@beehaw.org 1 points 1 year ago

I completely agree. It’s hard for a lot if people to look at the big picture and realize that the data handed over was likely for some pretty serious illegal stuff.

Additional, most people just are trying to hide their data from advertisers.

[–] mtchristo@lemm.ee 15 points 1 year ago (1 children)

Never forget every email that leaves Protonmail to other email providors are not anymore secure or encrypted as using gmail or others.

Second no one can certify that incoming emails and meta-data can't be read and recorded to a ghost mailbox before getting encrypted. you have no control on what happens on their servers

privacy shouldn't rely on trust

[–] TheHobbyist@lemmy.zip 3 points 1 year ago (1 children)

It's really difficult if not impossible to be private with services you can't trust... suppose you were to not trust Tor. How can you prove it to be private if you can't trust anything they say or share? I think it's almost impossible, isn't it?

You're going to have to put trust somewhere if you want to be private, whether it's your device's hardware, software, ISP or other...

[–] mtchristo@lemm.ee 4 points 1 year ago (1 children)

I don't think that Tor relies entirely on trust. it rather relies on the probability that there needs to be at least half of entry and exit nodes compromised for a attacker to be able to deanonymize users trying to access the clearnet. the hidden network is even harder to deanonymize as there are more than 6 hops in the path. and all nodes participating in the network are visible.

proton on the other hand can do what ever they please on their servers and can never get caught with it.

[–] TheHobbyist@lemmy.zip 3 points 1 year ago

I don't disagree with you. But if you start with the assumption that a service cannot be trusted, it's really difficult, maybe even impossible that despite it, privacy is safe. That's a different claim. Especially as this claim would have to hold across the whole end to end. I can't see how one can imagine having any privacy in such a scenario.

[–] authed@lemmy.ml 6 points 1 year ago

Only private if you use gpg... But you still leak metadata

[–] chris@lemm.ee 3 points 1 year ago

In other news, water is wet.

[–] TraditionalMuslim@reddthat.com -5 points 1 year ago (1 children)

Protonmail is basically a honey pot. I lost all trust the moment they gave the French government a protestor's location. Why the hell is it complying to foreign government requests?

[–] jet@hackertalks.com 2 points 1 year ago* (last edited 1 year ago)

They have to, because they had the data they have to obey lawful requests.

But the fault is still theirs. They architected a system where they have access to data that will endanger people. They deliberately disincentivize signing up via the onion network. They require two-factor verification of identity for most signups. They're deliberately making sure they have the data to expose people.

If they truly cared they would have architectured a system that was as close to zero knowledge as possible. Were they insured they never had access to personal data. I.e. Tor sign ups possible, let people pay with Monero, never require identity verification.