One thing to remember is encryption is only as good as who holds the keys.
Also who holds the program.
Technically ProtonMail doesn't have your key. In your web browser it's reconstructed from your password. But they can change the javascript to give them the key or the data anytime they want to.
What'd you go with?
Some years back my boss went on a business trip where he refused to say where he was going. But he sent a few emails during that trip, and on a whim I clicked on "show headers" in Outlook and saw they contained the IP address he sent the emails from. From those I found out which ISP owned the IP address and where the ISP was located. When he returned I asked him "how was <country>?" and he pretended to be surprised until I told him his emails betrayed him.
Point being, assume any email you send is public and can be used to dox you.
Was it Thailand?
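The header leak described above, as an added example that is not part of the thread: a check to run on a copy of your own sent mail to see which client address a recipient can read from it. The sample message, its documentation-range addresses and the function name `exposed_client_ips` are constructed for illustration.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample message (documentation-range addresses, not real traffic).
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
	by inbound.example.org with ESMTPS; Tue, 02 Mar 2021 10:15:02 +0000
Received: from [192.168.1.23] (unknown [203.0.113.45])
	by mx.example.net with ESMTPSA; Tue, 02 Mar 2021 10:15:01 +0000
X-Originating-IP: [203.0.113.45]
From: boss@example.net
To: staff@example.org
Subject: status

On my way back.
"""

BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Addresses that say nothing about where the sender was.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

def exposed_client_ips(raw):
    """Return the non-local IPs visible in the sender-side headers."""
    msg = email.message_from_string(raw, policy=policy.default)
    received = msg.get_all("Received", [])
    # Received headers are prepended hop by hop, so the last one in the
    # message is the submission hop: the sender's device to the first server.
    candidates = received[-1:] + msg.get_all("X-Originating-IP", [])
    found = []
    for value in candidates:
        for text in BRACKETED_IPV4.findall(str(value)):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                continue  # bracketed digits that are not a valid address
            if any(ip in net for net in LOCAL_NETS):
                continue
            if str(ip) not in found:
                found.append(str(ip))
    return found
```

An empty result means the submission hop shows only a local address, which is what you get when the provider strips or replaces the client IP before relaying.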
So... how's their warrant canary?
Warrant canaries are pie-in-the-sky idealism. All a government has to do is issue a gag order and most people/companies aren't going to risk being targeted by pissed off agencies full of psychopaths with a grudge.
The way a canary works is that, if it isn't updated at its regular interval, that tells you the site is compromised.
Unless the government forces you to update it (which isn't a gag order), the canary serves its purpose.
The theory is sound: the government can prohibit you from saying you got a warrant, but not prohibit you from not saying you didn't get a warrant.
The problem is, it assumes the government plays by the rules. I can see a judge saying that removing the canary statement is tantamount to saying you got a warrant and ordering the site to leave it up.
At that point, the court is ordering you to lie, but your only recourse is to litigate it for three years, by which time it won't matter anymore anyway.
The canary doesn't have to be removed in order to be invalid, it just stops being updated with the latest date or message - and that's how you know the website is compromised.
"oh, and don't stop updating your warrant canary"
Attached to the bottom of any government demand backed by soldiers with guns. That's all it takes.
That's no longer a gag order and, aside from that, any lawyer worth their salt would fight that and win.
FWIW, I've also been on sites with canaries that have expired (most recently Voat.co), with the admin checking up once in a while, and ignoring all requests from people asking him to update the canary.
It became obvious the site was compromised. The canary worked.
What you're describing is a banana republic. America isn't quite there, yet.
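The difference argued over in this sub-thread, between a canary that is removed and one that simply stops being updated, as an added example that is not part of the thread. The canary wording, its date, the 30-day interval and the function names are all constructed assumptions.

```python
import re
from datetime import date, timedelta

# Constructed canary text; the wording, date and interval are made up.
CANARY = """\
As of 2021-03-01 we have received no warrants, subpoenas or gag orders.
This statement is updated every 30 days.
"""

DATE = re.compile(r"As of (\d{4}-\d{2}-\d{2})")
INTERVAL = re.compile(r"updated every (\d+) days")

def presence_only(text):
    """Naive check: the statement is still on the page."""
    return "received no warrants" in text

def canary_status(text, today_iso, grace_days=3):
    """Return 'missing', 'malformed', 'stale' or 'fresh' for a dated canary."""
    today = date.fromisoformat(today_iso)
    if not presence_only(text):
        return "missing"
    stated_m, interval_m = DATE.search(text), INTERVAL.search(text)
    if not stated_m or not interval_m:
        return "malformed"  # no date or no interval: nothing to measure against
    try:
        stated = date.fromisoformat(stated_m.group(1))
    except ValueError:
        return "malformed"  # e.g. 2021-02-30
    if stated > today:
        return "malformed"  # a post-dated statement proves nothing
    deadline = stated + timedelta(days=int(interval_m.group(1)) + grace_days)
    # The statement can still be on the page, word for word, and be stale.
    return "fresh" if today <= deadline else "stale"
```

A monitor that only tests `presence_only` keeps passing after the updates stop, so the alert has to come from the date.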
Ah fuck.
That sounds like Proton Mail didn't have a choice but gave info to its users about better protection levels anyway.
If that's correct I don't see what they could have done better that didn't result in them being shut down/targeted.
I've seen plenty of corporate doublespeak that amounts to "fuck you" (we are all from reddit after all), but this ain't it.
Yeah I thought the guy from Protonmail had a good point. If they don’t comply with the law, they get shut down. They can only do their best under the circumstances.
Gab has decided to ignore demands from the German government they believe conflict with US law and are unreasonably censorious and probably will get the service banned in Germany.
Protonmail is a Swiss company and isn't obligated to comply with US law. Everyone and every company makes their choice.
The FBI don't serve their demands to Protonmail directly, they make a request through the Swiss authorities who make the demand on their behalf, representing the Swiss government. It's the joy of globalism.
This is what Interpol is (being used) "for", ja?
Right, but Gab would not ignore having to comply with US law, which is what happened to Protonmail. They were complying with a request from Swiss authorities, which there is no reasonable way to ignore.
My point being that you do not ignore the laws of the country you are based in and continue operating. It just doesn't happen. The only way to avoid it is to flee to a country with less strict laws.
That's the big question.
Will they immediately comply, or will they lawyer up and fight it? Is there an actual warrant, and how does that even work for 200,000 accounts?
I got caught up in the Voltage copyright cases 10 years ago. Voltage, a copyright exploiter, went after my ISP for contact info on a bunch of IP addresses. The big duopoly in my area rolled over immediately and gave them the info.
My small ISP took things to court, pointed out that Voltage had done this before and never actually brought suit; they just send letters telling people to pay with the threat of a suit. Judge disagreed and ordered the info released. To this day they haven't filed suit against anyone.
The point is, I'm still with said ISP. You can't win them all, but you can fight them all. If Protonmail gives in right away without a fight, I'll drop them immediately.
It does bring home the larger point, which is, don't trust any online platform with your data. People need to learn how to encrypt their own files offline.
Eh, I'm gonna keep using it to get recurring one-time coupons by creating new accounts. Just sucks that a lot of providers ban their email addresses.
you got anything for discord and their faggot demanding a cellphone number? all the ones i try get blocked.
If you want to encrypt your email then you need to encrypt your message before you send the email. Do not rely upon a 3rd party service to handle the encryption for you.
Use PGP to encrypt the message and then email. Now it doesn't matter who the fuck is hosting the email service.
Isn't Protonmail in Switzerland?
They could lose the info due to an error... FBI does it all the time