this post was submitted on 13 May 2024
218 points (98.7% liked)

Privacy Guides

17037 readers
20 users here now

In the digital age, protecting your personal information might seem like an impossible task. We’re here to help.

This is a community for sharing news about privacy, posting information about cool privacy tools and services, and getting advice about your privacy journey.


You can subscribe to this community from any Kbin or Lemmy instance:

Learn more...


Check out our website at privacyguides.org before asking your questions here. We've tried answering the common questions and recommendations there!

Want to get involved? The website is open-source on GitHub, and your help would be appreciated!


This community is the "official" Privacy Guides community on Lemmy, which can be verified here. Other "Privacy Guides" communities on other Lemmy servers are not moderated by this team or associated with the website.


Moderation Rules:

  1. We prefer posting about open-source software whenever possible.
  2. This is not the place for self-promotion if you are not listed on privacyguides.org. If you want to be listed, make a suggestion on our forum first.
  3. No soliciting engagement: Don't ask for upvotes, follows, etc.
  4. Surveys, Fundraising, and Petitions must be pre-approved by the mod team.
  5. Be civil, no violence, hate speech. Assume people here are posting in good faith.
  6. Don't repost topics which have already been covered here.
  7. News posts must be related to privacy and security, and your post title must match the article headline exactly. Do not editorialize titles, you can post your opinions in the post body or a comment.
  8. Memes/images/video posts that could be summarized as text explanations should not be posted. Infographics and conference talks from reputable sources are acceptable.
  9. No help vampires: This is not a tech support subreddit, don't abuse our community's willingness to help. Questions related to privacy, security or privacy/security related software and their configurations are acceptable.
  10. No misinformation: Extraordinary claims must be matched with evidence.
  11. Do not post about VPNs or cryptocurrencies which are not listed on privacyguides.org. See Rule 2 for info on adding new recommendations to the website.
  12. General guides or software lists are not permitted. Original sources and research about specific topics are allowed as long as they are high quality and factual. We are not providing a platform for poorly-vetted, out-of-date or conflicting recommendations.

Additional Resources:

founded 2 years ago
MODERATORS
top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 71 points 7 months ago* (last edited 7 months ago) (3 children)

Sounds like an avoidable problem, that Proton didn't have a whole lot to fight it with. Obviously they could/should have fought it in court, but this could have been avoided if the individual simply didn't link a recovery email and/or didn't share the same email across Apple products + protesting. Although, the article does point out that if you sign up over Tor or a VPN it requires a verification email, which sucks- ~~though you could just use a temporary email address to get around it.~~ As CaptObvious pointed out (literally @[email protected] lmfao) the reporter pointed out Proton rejects temporary emails.

Key information:

The core of the controversy stems from Proton Mail providing the Spanish police with the recovery email address associated with the Proton Mail account of an individual

individual is suspected of being a member of the Mossos d’Esquadra (Catalonia’s police force) and of using their internal knowledge to assist the Democratic Tsunami movement.

Upon receiving the recovery email from Proton Mail, Spanish authorities further requested Apple to provide additional details linked to that email, leading to the identification of the individual.

This case is particularly noteworthy because [...] complex interplay between technology firms, user privacy, and law enforcement.

requests were made under the guise of anti-terrorism laws

primary activities of the Democratic Tsunami involving protests and roadblocks

Proton Mail’s compliance with these requests is bound by Swiss law

Comment from Proton:

We are aware of the Spanish terrorism case involving alleged threats to the King of Spain, but as a general rule we do not comment on specific cases. Proton has minimal user information, as illustrated by the fact that in this case data obtained from Apple was used to identify the terrorism suspect. Proton provides privacy by default and not anonymity by default because anonymity requires certain user actions to ensure proper OpSec, such as not adding your Apple account as an optional recovery method. Note, Proton does not require adding a recovery address as this information can in theory be turned over under Swiss court order, as terrorism is against the law in Switzerland.

[–] [email protected] 36 points 7 months ago (2 children)

The reporter noted that disposable verification addresses are rejected by Proton.

[–] [email protected] 14 points 7 months ago (1 children)

You can simply use either: a different protonmail address or a similar service like tutanota.

[–] [email protected] 12 points 7 months ago (1 children)

And how do you get either of those using a throwaway verification account?

[–] [email protected] 9 points 7 months ago (1 children)

I mean, suit yourself if you insist that you can or only want to do it with a throwaway. I'm saying you can do it with similar services like tutanota as the failover address, eliminating the need for a throwaway.

[–] [email protected] 5 points 7 months ago

My bad. I thought Tuta also required a verification email when I created an account several years ago. Just tried it, and they don't appear to these days. Good to know. Thanks.

[–] [email protected] 4 points 7 months ago (1 children)

Ah, my bad, I'll edit my comment.

[–] [email protected] 4 points 7 months ago

It feels a little like we're playing Whack-a-Mole with threading multiple email providers here. :)

The handle is a hobby nickname, by the way. My wife started calling me that as a trail name several years ago, and it stuck.

[–] [email protected] 16 points 7 months ago (1 children)

I don't know if what I do is the right way around this but, as stated Proton will reject disposable verification emails and you cannot use another proton account to verify a new one.

My workaround for this is to verify proton with a Tutanota account which is also created with as little to no identifiable information as possible.

TLDR: Proton accepts Tuta emails for verification and Tuta emails can be created anonymously.

[–] [email protected] 11 points 7 months ago (6 children)

Which leads to the next logical question: Why not just use Tuta in the first place?

[–] [email protected] 9 points 7 months ago (1 children)

Valid point. I do prefer the UI with Proton, I find it nicer to click through. Also, Tuta usually makes you wait 2-3 days before you can use it - not a big deal really, unless you're trying to sign up for something new.

load more comments (1 replies)
load more comments (5 replies)
[–] [email protected] 4 points 7 months ago

Sounds pretty messed up.

[–] [email protected] 58 points 7 months ago (3 children)

nothing I read about this group on Wikipedia points to terrorism, it repeatedly says they advocate nonviolence
I guess these days though it's become some kind of magic password to get whatever the hell you want

[–] [email protected] 40 points 7 months ago (1 children)

It always has been in Spain. I adore the people and culture, but they’ve always overreacted to Basque and now Catalan independence movements.

load more comments (1 replies)
load more comments (1 replies)
[–] [email protected] 19 points 7 months ago

The requests were made under the guise of anti-terrorism laws

Remember this the next time someone in government says "We need tough anti-terrorism laws". They also get to define what counts as terrorism, so anyone inconvenient can be destroyed and the public told "We're just keeping you safe from terrorism."

[–] [email protected] 18 points 7 months ago (5 children)

Nothing they can do about that.

[–] [email protected] 8 points 7 months ago (1 children)

They could avoid storing the recovery email in plaintext. A hash would be sufficient if they require the user to enter their recovery email for confirmation when they really need to recover the account.

For an ostensibly privacy-oriented service, Proton makes some weird architectural choices.

[–] [email protected] 12 points 7 months ago (1 children)

I've had to use the recovery, they need plaintext because they send you a recovery code or a support ticket (depends) nobody knows all their emails.

[–] [email protected] 4 points 7 months ago (23 children)

they need plaintext because they send you a recovery code or a support ticket

Sure, but we're talking about architectural choices. It is Proton's choice to use that system; it is not required for the goal of account recovery.

load more comments (23 replies)
load more comments (4 replies)
[–] [email protected] 14 points 7 months ago (8 children)

I do not understand why people continue to trust Proton. They seem no better than Gmail from where I sit.

[–] [email protected] 67 points 7 months ago (1 children)

Proton upheld their claim of privacy, no Emails were disclosed. But they never promised anonymity cause that's something they simply can't do under the Swiss law. If you willingly give them your other mail addresses or contact details, they have to comply. Sure they could have denied the Spanish authorities, but it takes less than a week to get a court order for things like this.

[–] [email protected] 22 points 7 months ago (3 children)

And if they didn’t require that secondary email address or would allow a temporary, they would have had nothing to give in the first place.

Proton aren’t the victim here.

[–] [email protected] 42 points 7 months ago (1 children)

They don't require a secondary email address.

[–] [email protected] 4 points 7 months ago

They do in certain cases. If you sign up through a VPN or Tor, they require you to provide a recovery email. They don't accept temporary email addresses, and even if you don't sign up work a VPN, they'll still collect and be obligated to hand over your IP

[–] [email protected] 36 points 7 months ago

Proton doesn't require a recovery email.

Proton isn't the victim, but they aren't at fault either.

[–] [email protected] 20 points 7 months ago (1 children)

Oh yes because you HAVE to give them your real.name@gmail address. Very cool and privacy focused.

Suspect knew what info he had put where. Poor OPSEC.

[–] [email protected] 6 points 7 months ago (1 children)

Yes, as the reporter demonstrated, you have to give them a second email address. Or did I miss your point?

[–] [email protected] 29 points 7 months ago (1 children)

I think you missed their point. You don't have to give them anything related to or connected to your real name or identity.

load more comments (1 replies)
[–] [email protected] 24 points 7 months ago (4 children)

Depends in what field. Proton, at least, doesn’t scan your email contents and metadata to sell it on to advertisers.

load more comments (4 replies)
[–] [email protected] 20 points 7 months ago (2 children)

I don't think that Proton sells my data to advertisers or trains AI using my emails and documents. As of laws, unfortunately any service in any reputable country has to obey them. You can always buy a server in some banana republic and set up an email service there, but even then there are some risks.

load more comments (2 replies)
[–] [email protected] 18 points 7 months ago (1 children)

Way way better than gmail IMO. One simple reason is if you have something wrong with your account you can get in contact with a real human. And still better data protection than anything in the US. I'm not a journalist or freedom fighter so for my use case it's ideal.

load more comments (1 replies)
[–] [email protected] 6 points 7 months ago

Because we can see through the clickbait to what actually happened.

[–] [email protected] 3 points 7 months ago* (last edited 7 months ago)

Obviously they have user data that be shared. I can't even remove my card details (burner) when everything is paid for.

But I wonder They got the recovery email and requested a new password for proton.. another reminder to set 2FA

load more comments
view more: next ›