ProtonMail provides information used to identify email owner...
Awesome...
Proton Mail Helped FBI Unmask Anonymous ‘Stop Cop City’ Protester
A court record reviewed by 404 Media shows privacy-focused email provider Proton Mail handed over payment data related to a Stop Cop City email account to the Swiss government, which handed it to the FBI.
Joseph Cox (404 Media)

The 8232 Project
in reply to J.R. Cruciani • • •
Lytia
in reply to The 8232 Project • • •
The 8232 Project
in reply to Lytia • • •
Arthur Besse
in reply to The 8232 Project • • •Why do you think Proton stores the association between accounts and payment identity?
Many privacy-oriented companies actually accept credit card payments and simply don't store that information.
::: spoiler answer:
proton is snake oil
:::
detren
in reply to Arthur Besse • • •
Rhonda Sandtits
in reply to detren • • •Another comment linked to a reddit post where Proton explained what happened.
Yeah, the credit card was on file for recurring payments.
NuXCOM_90Percent
in reply to Lytia • • •You must be new here...
On the one hand, I really like how often Proton's shortcomings are highlighted. This SHOULD be a wake up call that you should never rely on a company to protect you and should instead focus on what you can do to protect yourself. And Proton... actually are pretty good in that regard. Connect from a burner/live image computer over public wifi using tor (or something similar) and their free accounts are STILL the gold standard for journalism and whistleblowers.
But the problem is that people are stupid and lazy (and many outlets actively benefit from "Eww, proton is bad. If only they had paid for NordVPN to really protect them from the FBI! ~Note, NordVPN provides no guarantees of protection~"). So we just get stupidity.
Aldrik
in reply to The 8232 Project • • •
Dadifer
in reply to Aldrik • • •
Lytia
in reply to Dadifer • • •
Dadifer
in reply to Lytia • • •
Lytia
in reply to Dadifer • • •
mnemonicmonkeys
in reply to Dadifer • • •
TachyonTele
in reply to mnemonicmonkeys • • •Proton Mail: Sign-up
account.proton.me
mnemonicmonkeys
in reply to TachyonTele • • •I don't see any anonymous payment methods on this page.
Tuta has a 3rd party provider that you can send cash or Monero to and get a gift card to pay for your account.
Mullvad will directly take cash and Monero.
I don't see anything suggesting that Proton does anything similar
TachyonTele
in reply to mnemonicmonkeys • • •
mnemonicmonkeys
in reply to TachyonTele • • •I had looked to possible anonymous payment methods for Proton and found nothing before.
I asked because you were making a claim against what I had found. Not my fault you made a false claim without proof
TachyonTele
in reply to mnemonicmonkeys • • •
mnemonicmonkeys
in reply to TachyonTele • • •I could say the same to you. You're the one who sent a link without checking if it was relevant to the conversation.
Most people would accept that they made a faux pas and quietly leave the thread. Instead, you decided to get defensive and snarky about it. Grow up.
Lytia
in reply to mnemonicmonkeys • • •Sorry to reply to a two week old comment, this is their supported payments page: proton.me/support/payment-opti…
You can use a prepaid visa to buy account credits, or proton gift cards. They don't support monero, which is really annoying, but it's not the biggest hassle to convert from monero to bitcoin for a purchase.
Payment options | Proton
Proton
mnemonicmonkeys
in reply to Lytia • • •The link leads to an error 404.
Have you tried doing specifically that and/or do they claim you can do specifically that? I tried doing the same thing when making a Tuta account and it wouldn't accept prepaid cards, though they do have a 3rd party source you can pay cash or Monero for gift card codes, giving true anonymity
I think the issue is that Bitcoin hasn't been anonymous for a few years now (unlike Monero).
Lytia
in reply to mnemonicmonkeys • • •Remove the period at the end of my link, most clients should automatically, but in hindsight not the best place to punctuate anyways.
Personally, no I have not tested it, however it should be the same as a regular debit card, which I know through testing that they accept, and a quick internet forum search says they do accept Visa gift cards.
If you generate a brand new wallet, convert your monero to bitcoin, and then pay Proton, there's very little to trace back to you.
ScoffingLizard
in reply to Lytia • • •
scytale
in reply to ScoffingLizard • • •
AmbitiousProcess (they/them)
in reply to scytale • • •
GreenShimada
in reply to The 8232 Project • • •
halcyoncmdr
in reply to GreenShimada • • •Not at all. Proton doesn't require any personal info at all. But if you pay with a credit card... That has your personal info tied to it. It's their fuck up paying with a credit card. Proton accepts other payment methods that aren't tied to your identity.
Proton is required by law to provide information they have when the courts say so.
toynbee
in reply to halcyoncmdr • • •
AmbitiousProcess (they/them)
in reply to toynbee • • •Proton uses Chargebee for payments, which has its own data retention policy of essentially "as long as we want to", but Proton does themselves keep limited data like the billing name, and last 4 digits.
Proton's privacy policy says nothing about a pre-set time delay after which they'd delete that data. They only claim that they "reserve our right" to remove your payment information if they think it's no longer valid. So theoretically, that might mean if your card's expiry date has passed, but that's not a confirmation.
The best way to reliably make sure Proton wouldn't have any info on you is to not have ever tied any real information about yourself or your payment info to that account.
GreenShimada
in reply to halcyoncmdr • • •
Auli
in reply to halcyoncmdr • • •
halcyoncmdr
in reply to Auli • • •
Vinylraupe
in reply to The 8232 Project • • •
JustEnoughDucks
in reply to The 8232 Project • • •Yeah, I am no fan of proton and they have lied before (no log VPN logs magically finding logs for authorities and then later removing the no-log claim).
But this is literally just proton being legally compelled to hand over data the user willingly gave (not being harvested or de-encrypted). A nothing story.
Da Cap’n
in reply to J.R. Cruciani • • •I just switched from proton to mailbox. Mailbox gives you a say so over what happens when law enforcement asks for your account info.
IMG-9273.jpg
IMG 9273 — Postimages
postimg.cc
Lytia
in reply to Da Cap’n • • •
Da Cap’n
in reply to Lytia • • •
Lytia
in reply to Da Cap’n • • •
Khanzarate
in reply to Da Cap’n • • •You do realize that you don't get time, generally speaking, to delete things, when a government legally demands your info, right?
As soon as any company sees a lawful order demanding information, deleting it becomes a crime.
If this same thing happened to mailbox.org, you heard about it immediately, and hit all the delete buttons you can find, mailbox.org will still hand over your info to them, as they're legally obligated to do so. It's not a gdpr violation or anything like that.
Da Cap’n
in reply to Khanzarate • • •
Lytia
in reply to Da Cap’n • • •
Da Cap’n
in reply to Lytia • • •
Lytia
in reply to Da Cap’n • • •
Da Cap’n
in reply to Lytia • • •
Encrypt-Keeper
in reply to Da Cap’n • • •
Luminous5481 "lawless hethen" [they/them]
in reply to Da Cap’n • • •the germans share intelligence with US agencies. you're more likely to have your data given to the US government if your email provider is in germany than you are if they are most other places in europe.
they also keep trying to pass laws to force all tech companies to backdoor encryption in germany. when that happens, your data would be safer literally anywhere else, including currently the US.
Da Cap’n
in reply to Luminous5481 "lawless hethen" [they/them] • • •
AmbitiousProcess (they/them)
in reply to Da Cap’n • • •It's preemptive for when you DIE. That's why in the screenshot you sent it says "in the event of my death", not "if the government comes knocking, violate the law and delete my data first".
You can delete your data from Proton, too, but the payment information, which was how this person was identified, is stored regardless by their third-party payment provider.
Mailbox only erases your payment info 4 weeks after you've last paid, and ended your contract with them, and they use Ayden for payments, which also has no set date at which they'll delete your payment information.
nelson
in reply to Da Cap’n • • •
SleepyPie
in reply to J.R. Cruciani • • •
Voxel
in reply to SleepyPie • • •
Manalith
in reply to Voxel • • •I'm not saying Proton was right or wrong to hand over data, who knows how much of a fight they really put up, but it seems more like an OpSec thing, where they found the account because they used that email to create a user account somewhere that they then posted about being a part of this group the FBI was going after.
I'd say your best bet to avoid this would be to create a free account that doesn't have any payment info and doesn't use your premium account as a recovery method of any kind if you're going to use it as the email associated with a social media account. Or like someone else mentioned, if there's an anonymous payment method, always use that.
Again, not a great look for Proton, but doesn't really go against any of their claims as far as data encryption is concerned. Not sure if they could encrypt that payment info.
Voxel
in reply to Manalith • • •Your technical and legal understanding seems limited. I personally work in the IT space and am a hobbyist in legal matters, in particular data protection.
I'm pretty sure there was nothing they could've legally done to protect the payment information.
It's not a "bad look" for Proton; instead, it's just people being confronted with reality.
If you commit a crime, law enforcement will be after you, and if your operational security sucks, there will be no service that can counter that.
AmbitiousProcess (they/them)
in reply to SleepyPie • • •If you're worried Proton could identify you to authorities, either just make a new Proton account and pay anonymously (cryptocurrency or cash by mail), since that's the only way this person was identified, or you could use what I'd consider to be the next-best, which is Tuta.
Nowhere near as slick a UI, less overall offerings (only email and calendar), but it costs less and generally provides similar security and privacy to Proton. Though again, you'd have to pay via private means, otherwise you're gonna get identified by the same mechanism this person was if the government really decided to come after you by your account.
Tuta: Turn ON privacy for free with secure emails, calendars & contacts | Tuta
Tuta
Luminous5481 "lawless hethen" [they/them]
in reply to AmbitiousProcess (they/them) • • •this person said it once, but I'll say it again.
the same thing can happen on Tuta unless you pay with an anonymous method. these are privacy focused email providers, they are not anonymous email providers. they keep as little data on you as they need, but if you're paying with a credit card then obviously you have your real name tied to the account.
corvus
in reply to Luminous5481 "lawless hethen" [they/them] • • •
quick_snail
in reply to SleepyPie • • •Create a new account in Tor Browser. Pay with monero.
Never link your old account to your new account. Never write your name. Never email anyone off proton mail, unless you set up PGP first. Never log in to your new account in a browser other than Tor Browser.
Proton is the best option, but tech can't fix stupid.
Griffus
in reply to J.R. Cruciani • • •Proton only promises one of those.
North
in reply to J.R. Cruciani • • •Some people in the comment section are really dumb switching to other alternatives thinking that Proton isn't trustworthy because they gave the information despite the organisation not using anonymous currency. What's ironic is that some of these people are switching to those alternatives where you can't even use anonymous currency.
Also, kind of a clickbait title.
glitching
in reply to J.R. Cruciani • • •article in case you can't read it: ~~lemmy.ml/post/44086795~~ edit: better link in a reply.
proton coulda put up a fight, a loud one, for optics sake if nothing else. rolling over on any (and by implication, all) request should be the last straw in their long line of snafus; by way of "death by a thousand cuts", I would never entrust them with anything of importance.
signal demonstrated that you could decouple payment info from user data and a shop that touts the privacy part of their offerings coulda at least mimic such a thing.
edit 2: fuck any and all pay-with-crypto shills and the horse they rode in on.
Arthur Besse
in reply to glitching • • •that link only has two paragraphs of the article; there are 8 more in the full article here on archive.org
Proton Mail Helped FBI Unmask Anonymous ‘Stop Cop City’ Protester
Joseph Cox (404 Media)
Encrypt-Keeper
in reply to glitching • • •
glitching
in reply to Encrypt-Keeper • • •I imagine they got courts and lawyers and motions and hearings and stuff over there, even if the fight is doomed you need to show your teeth once in a while. and what's with the proton employee reviewing whether there were "explosives" and "guns" involved, naturally based on super-reliable evidence, what the fuck is that?!
and alla that aside, why do they have payment and user info on file, for what fucking purpose? there's either user privacy or there ain't. and them folks are in the "ain't" camp.
Encrypt-Keeper
in reply to glitching • • •That’s not how it works. They can’t just refuse to comply with a lawful order from a judge. They could be put in actual jail. This affects all email providers.
glitching
in reply to Encrypt-Keeper • • •
Encrypt-Keeper
in reply to glitching • • •
quick_snail
in reply to J.R. Cruciani • • •
quick_snail
in reply to J.R. Cruciani • • •
OccasionallyFeralya
in reply to quick_snail • • •
Ghostie
in reply to J.R. Cruciani • • •
geneva_convenience
in reply to Ghostie • • •
/home/pineapplelover
in reply to geneva_convenience • • •Not this again...
For one, it was Andy Yen, posting on his personal rather than from Proton's account.
Second, if you follow the money, Andy Yen and Proton donate a lot of money to liberal organizations. They also campaign for Democrats actually.
The downfall of this is all because he thought Gail Slater would be a good pick and the entirety of the privacy community thought he undid all of his privacy advocacy and foundation overnight.
scribe.rip/@ovenplayer/does-pr…
Doomsider
in reply to /home/pineapplelover • • •
DJ Putler
in reply to Ghostie • • •
Ghostie
in reply to DJ Putler • • •
Doomsider
in reply to Ghostie • • •
Ghostie
in reply to Doomsider • • •
Doomsider
in reply to Ghostie • • •
Ghostie
in reply to Doomsider • • •
Innerworld
in reply to J.R. Cruciani • • •
BigTuffAl
in reply to J.R. Cruciani • • •just really sad to call yourself a privacy company and then feed your customer to the gestapo
people can end up as embarrassing footnotes in history a number of different ways, but being a dishonest coward company in the privacy sphere is basically speedrunning it
hackitfast
in reply to BigTuffAl • • •I never trusted ProtonMail. Right when you sign up, you're constantly bombarded with advertisements to upgrade to pro. They're plastered everywhere with obnoxious banners.
I get that they're a business and they need money to operate, but the ads are so obnoxiously "in your face" that in my mind their priority isn't your privacy, it's your money.
Tutamail is the better service.
Scrollone
in reply to hackitfast • • •Plus, the owner of Proton said that Trump also did good things.
That was the straw that broke the camel's back.
blueberry_793
in reply to hackitfast • • •
redpulpo
in reply to hackitfast • • •They’re a paid service with a free tier — of course they promote upgrades. That’s literally how freemium products work.
But ads for a paid plan don’t suddenly mean the privacy model is fake. By that logic every privacy service with a free tier would be “untrustworthy.”
If you prefer Tuta, fine — but pretending Proton exists only to grab money is a pretty shallow take.
LiamBox
in reply to J.R. Cruciani • • •
chilly_legumes
in reply to J.R. Cruciani • • •
RheumatoidArthritis
in reply to chilly_legumes • • •
chilly_legumes
in reply to RheumatoidArthritis • • •
RheumatoidArthritis
in reply to chilly_legumes • • •The way email forwarding works is: email is being received in full (by Google in your case), they look up processing rules, and send a copy to your Proton account, then optionally delete it.
The only thing you protect yourself from this way is Google knowing your IP address every time you check email. They have seen the contents and all headers of forwarded messages.
youmaynotknow
in reply to J.R. Cruciani • • •They gave payment data to the authorities, because, guess what, they HAVE to provide whatever is subpoenaed. Did they provide emails, IP addresses? Doesn't say any of that. There's the option of paying with crypto, but the imbeciles that know they are going to be at risk of being found, paid with a credit or debit card.
404 media is more of the same sensationalism laden bullshit out there. Make a fucking storm out of a drop of water.
Doomsider
in reply to J.R. Cruciani • • •Oh boy, their man fawning over Trump is aging like fine milk.
Proton the company that prides itself protecting privacy when it is literally the law of the country they are in. It is like a cabby advertising that they have license and insurance.
redpulpo
in reply to Doomsider • • •
Doomsider
in reply to redpulpo • • •Please, using crypto alone isn't going to do shit. The barrier to entry for truly anonymous usage is not something most people will ever accomplish.
Privacy is effectively dead but yet we have a company trying to advertise about it. Proton has always been marketing garbage meant to attract people's money.
Garbage company with no ethics other than taking care of their pocket book.
redpulpo
in reply to Doomsider • • •You’re mixing up privacy and anonymity. Encryption alone doesn’t make you anonymous — that’s true — but Proton never claimed it would. Their promise is that email content is end-to-end encrypted, which is why they can’t hand over the messages themselves.
In the case reported by 404 Media, the identification came from payment information, not from breaking encryption. If you pay with a credit card, your identity is already tied to the account. That would happen with any service under a legal jurisdiction.
The real takeaway isn’t that Proton is “garbage”, it’s that most people misunderstand what encryption actually protects.
Doomsider
in reply to redpulpo • • •I was talking about both. The fact that Proton exists as a middle man to expose a customer is the reality of the situation. Do you think they score points for blaming their customer!? I really have a hard time dealing with shills for corporations.
The real takeaway is the way Proton advertised itself was a fucking lie and now they have to spend all their time backpedaling while shills like you do PR for them.
Garbage company with to leaders who say stupid shit about politics they don't understand and make idle threats to their own government saying they are going to move like the little fascist bitches they are.
redpulpo
in reply to Doomsider • • •Proton didn’t “expose” the user by breaking encryption. According to the reporting, the identification came from payment information, which any company legally has to keep and can be compelled to provide under a court order. The email content remained encrypted.
This isn’t unique to Proton — any service operating under a legal jurisdiction is a potential middleman if it stores identifiable data. That’s exactly why anonymity requires Tor, anonymous payments, and strict OPSEC, not just encrypted email.
So the real lesson isn’t that encryption is fake; it’s that privacy tools don’t automatically give anonymity, and many people expect them to.
Doomsider
in reply to redpulpo • • •
redpulpo
in reply to Doomsider • • •You’re still confusing two completely different things: privacy and anonymity. Encryption protects the content of messages, not every piece of metadata around an account. Proton has always been clear about that.
In the 404 Media case, the identification came from payment information, not from Proton breaking encryption. If someone pays with a credit card, their identity is already tied to the account. That would happen with any provider under legal jurisdiction.
Honestly, the way you’re framing this suggests you don’t really understand how encryption, metadata, and OPSEC work. Encryption ≠ anonymity. Anyone who actually works in security knows that.
Doomsider
in reply to redpulpo • • •
redpulpo
in reply to Doomsider • • •I’m not shilling for Proton. I’m pointing out a basic distinction you keep ignoring: encryption protects message content, not identity.
Calling Proton’s encryption a “lie” just shows you’re arguing emotionally rather than technically. Anyone who actually understands the space knows encrypted email was never meant to guarantee anonymity.
Doomsider
in reply to redpulpo • • •
redpulpo
in reply to Doomsider • • •I read it just fine. What you’re doing is calling it a “lie” because you expected anonymity from a tool that advertises encrypted email. Those aren’t the same thing.
Anyone who actually understands the basics of privacy tools knows that. Your argument sounds more like frustration than a technical point.
Doomsider
in reply to redpulpo • • •Please, they changed their marketing and had to make several clarifications. They were deceptive to begin with. It was always dumb considering they only ever followed the law. It was never like they went above and beyond.
Hey we are company that follows the law pick us just doesn't have the vibe that got them their business.
I criticize the company for their practices you are playing shill pretending to "inform" me about technical issues.
redpulpo
in reply to Doomsider • • •I’m not pretending anything. You’re criticizing their marketing, I’m pointing out the technical reality behind the claims. Those are two different discussions.
Proton’s core claim has always been encrypted email content, not immunity from legal orders. No company operating in a country can ignore the law.
If your argument is that their marketing created unrealistic expectations, that’s a fair criticism. But calling it a “lie” and ignoring how the technology actually works doesn’t make the argument stronger.
Doomsider
in reply to redpulpo • • •I am here saying Proton sucks for X and Y reason. The fact that all Proton can do is blame their users rather than develop more robust practices speaks to the opposite of what got people to buy into their ecosystem to begin with
So this is much more than their marketing. Like any corporation they suck just because they exist. As their ecosystem grows they will increase in price and enshitification will quickly set in. It is inevitable.
Finally their leadership has made so many statements that are frankly so out of touch with reality it isn't funny. I feel sorry for people that are getting taken advantage of. Proton is just another predatory lying corporation.
This story is yet another example of the damage this company has caused because of their carelessness. Instead of figuring out how not to store this information on their servers they choose to put their users at risk.
There is so much wrong with this company it isn't funny. I called Tesla and Musk several years ago as garbage and I fully believe Proton is in the same vein.
redpulpo
in reply to Doomsider • • •You’re free to dislike Proton, but most of what you’re describing isn’t unique to them — it’s how any service operating under a legal jurisdiction works. If a company stores payment or account data, a court can compel it. That’s true for Proton, Tuta, Gmail, or anyone else.
Expecting a hosted email provider to somehow eliminate all legal exposure for users just isn’t realistic. If someone needs real anonymity, the solution was never a normal email service in the first place.
Criticizing marketing or leadership is fair. But blaming Proton for the basic limits of hosted services sounds more like anger at the system than a technical critique of the product.
حمید پیام عباسی
in reply to J.R. Cruciani • • •