
Clarifying ProtonMail and Huawei - gavingmiller
https://protonmail.com/blog/clarifying-protonmail-and-huawei/
======
dewey
Looks like Bloomberg is doing the same as with the "implant" rumors and
Supermicro a few months ago.

Gruber has a very nice disclaimer at the bottom of posts mentioning Bloomberg
now:

"Bloomberg, of course, is the publication that published “The Big Hack” last
October — a sensational story alleging that data centers of Apple, Amazon, and
dozens of other companies were compromised by China’s intelligence services.
The story presented no confirmable evidence at all, was vehemently denied by
all companies involved, has not been confirmed by a single other publication
(despite much effort to do so), and has been largely discredited by one of
Bloomberg’s own sources. By all appearances “The Big Hack” was complete
bullshit. Yet Bloomberg has issued no correction or retraction, and seemingly
hopes we’ll all just forget about it. I say we do not just forget about it.
Bloomberg’s institutional credibility is severely damaged, and everything they
publish should be treated with skepticism until they retract the story or
provide evidence that it was true."

[https://daringfireball.net/linked/2019/09/05/gurman-touch-id](https://daringfireball.net/linked/2019/09/05/gurman-touch-id)

~~~
Barrin92
I'm still completely astonished by how little attention this got and that
Bloomberg has never been forced through public pressure to offer a correction.
It's bizarre given how large the story was when it first broke.

~~~
bgorman
Bloomberg is based in a country with secret courts and secret gag orders for
electronic surveillance (USA). Is it really that surprising that they have
been unable to provide evidence regarding major electronic surveillance
efforts?

~~~
ethbro
The irony would be if they were under a gag order not to issue a retraction.

But that's diving down the paranoia rabbit hole.

------
uallo
I wonder why ProtonMail is getting so much negative press. They are releasing
articles like that to clarify "the truth" on a regular basis. Even here on
HackerNews, there are so many negative voices repeating the same things over
and over again. Even and especially those that (seem to) have been rectified
by ProtonMail. Usually, the people here seem to be neutral and fact-based, but
as soon as ProtonMail is involved many are getting wild.

While I have an inactive account at PM, I'm not involved with them in any way.
This is just an observation that I have made over the recent years.

~~~
rshnotsecure
That article does not clarify anything. I want to provide a link. It is
nothing but thousands of words saying they aren’t partnering by putting an app
in Huawei App Store.

For years companies used to provide all sorts of incentives to put apps in
their store. It benefits them highly.

This is ridiculous: [https://protonmail.com/blog/clarifying-protonmail-and-huawei...](https://protonmail.com/blog/clarifying-protonmail-and-huawei/)

~~~
uallo
> For years companies used to provide all sorts of incentives to put apps in
> their store. It benefits them highly.

Are you implying that Huawei is paying ProtonMail so that they put their app
in the Huawei AppGallery? Can you provide any proof?

------
ztjio
As if I needed more evidence that Bloomberg is below 0 on the credibility
scale. They are officially a tabloid to me now.

~~~
icu
I still find it useful to read mainstream media, even 'free' publications like
Metro and the Evening Standard in London. What I do is not read them for news
per se, but a sort of high level scan of what the publication's bias is. What
narratives are being pushed? How has the publication ordered, or prominently
displayed articles? What news is completely omitted?

For example, no mainstream media outlet in the UK covers Al Quds day in London
(absolutely nothing about this on the BBC or print media). Facts on the ground
at the most recent (and previous) marches are that there are a lot of Hezbollah
flags flown.

Another example is the BBC’s treatment of Brexit on three flagship panel
shows, Question Time, Politics Live and Any Questions where Remain
commentators outnumber Brexit commentators 3 to 1.

In this instance, Bloomberg seems to be wanting to push the 'Huawei is spying
on you' narrative as well as 'Proton Mail isn't secure' narrative.

Make what you will of the points above, maybe they mean something, maybe they
don't. I just keep an open mind, try to think for myself, see things from
different perspectives, and do my best not to fall for my own cognitive
biases.

I still use Proton Mail, and I trust their service more than GMail (I migrated
from GMail to Proton Mail), but it's a nice reminder not to trust any
corporation too much or get complacent with security. I really don't feel like
rolling my own encrypted email solution so the question is, "Who am I willing
to trust the solution to?" Ultimately I'm accountable to myself.

As for media bias, sometimes it is blatant, most times however I find it
subtle. Either way it is pervasive. Unless you are scanning for it, I imagine
it is incredibly easy not to think for yourself.

~~~
Angostura
> Al Quds day in London

From what I can tell, the March on this day tends to attract less than 500
people. So lack of coverage is not an indication of BBC bias.

Regarding Brexit, Question Time seems to have Nigel Farage on _all_ the time,
despite his lack of electoral success.

Still, I decided to take a look at last week's panel for you. And here is what
I found:

Kwasi Kwarteng - Pro Brexit

Emily Thornberry - Remain

Layla Moran - Remain

Ian Blackford - Remain

Iain Dale - Pro Brexit

Richard Tice - Pro Brexit

No huge anti-Brexit bias in evidence.

~~~
icu
Well Al Quds day might be perceived as newsworthy due to Hezbollah being
officially considered a terrorist organisation by the United Kingdom along
with the United States, the European Union, the Arab League, the Gulf
Cooperation Council, Israel, Canada, the Netherlands, Australia to name a few.

Considering London has suffered from multiple ideologically possessed terror
attacks it might be worth reconsidering how newsworthy open support of a
terrorist organisation is.

Additionally, the Jewish community in London are particularly sensitive to the
march as Al Quds day brings about hate speech towards them.

I'm not saying Al Quds day should be banned in London, but I think a public
dialogue and debate should be had. In my estimation the lack of it is due to
the 'multiculturalism is our strength' narrative bias held at the BBC.

Now I'm not saying 'multiculturalism is bad', I'm the product of it, and I
definitely think it has benefits. But there are problems with it, which need
to be confronted and worked through for a better society. Without a doubt
these are sensitive, and ugly issues, but pretending they don't exist because
you are captured by bias, will not solve the issues.

As for your Brexit comment, I believe you are suffering from recency bias.

In a report published in January 2018 called ‘Brussels Broadcasting
Corporation?’, think-tank Civitas in conjunction with the group News-watch,
monitored thousands of hours of radio and TV shows dating back to 1999
including the BBC flagship Radio 4 programme Today.

Of 4,275 guests on Today between 2005 and 2015 who talked about the EU, only
132 were Brexiteers.

Put another way, just 3.2% of Today interviewees were anti-EU, despite
consistent public support for EU withdrawal throughout this time.

There are also a plethora of articles about this on Google, so in a way you
are kind of proving my point because the data is out there but you didn't want
to, or think to, look for it.

However I'm far less concerned about being 'right' and far more concerned
about dealing with reality... and I believe the more people that deal with
reality there are the better the world will be.

------
stakhanov
At the risk of making myself a punching-bag for downvoting, here.

Bloomberg is a source that investors and traders trust with getting them some
level of access to the rumour mill (in the spirit of the saying that exists
among traders that goes "buy the rumour, sell the news"). The problem here is
that, fact or fiction, rumours affect the financial markets, and not knowing
about them puts a market participant at a disadvantage.

The article starts by saying in indicative mood "ProtonMail is in talks with
Huawei Technologies Co. about including its encrypted email service in future
mobile devices [...]" ...I don't really see a problem with that part of the
statement since they were indeed in talks of some kind, and there's a certain
bandwidth of what "including" could mean. It could just mean "making available
through Huawei AppGallery", so there is nothing wrong with using indicative
mood here.

In the second paragraph, the article switches the modality and says "The Swiss
company’s service COULD come preloaded ..." Now, it could of course be the
case, as people are alleging, that they just completely made that shit up and
MANUFACTURED a rumour. But it could also be the case that they were reflecting
a rumour that was already out there and sufficiently widespread that they
thought that investors and traders should know about it. They used subjunctive
mood using the auxiliary verb COULD to signal that there was something going
on here about the modality of the statement.

ProtonMail speculated that a misunderstanding of their earlier announcement
must have been the basis of Bloomberg's article. But I guess we'll never find
out if that was indeed so.

ProtonMail clarified their earlier announcement and took issue with the word
"partnership" being used to describe their relationship with Huawei, but,
interestingly, they did not come flat out to respond to these assertions. For
example, they did not say that preloading was not a topic that was discussed.

Now, it stands to reason that preloading would amount to Huawei handing a huge
chunk of marketshare to ProtonMail, and then it's up to users to make up their
minds about the likelihood of Huawei asking for quid-pro-quo and ProtonMail's
response.

Rather than there being no basis at all for the Bloomberg article, another
scenario could be that ProtonMail saw that making-up-of-minds play out on
social media in response to the Bloomberg article and decided to do a one-
eighty on that as a result.

...I guess we'll never know.

~~~
SpicyLemonZest
It's inconceivable that a manufacturer would preload an app without some kind
of discussion of the app's content, and I think it's reasonable to be afraid
of even a non-explicit quid pro quo from Huawei. If ProtonMail-on-Huawei is
using so much as a new logging library because Huawei said the old one is
insecure, I want to know about that.

------
sessy
It's a recurring theme: Media outlets publish whatever they 'want' to believe
with little due diligence and the product makers have to scramble to put up
clarifiers.

~~~
ttraub
Media outlets certainly do that, but can't product makers sue them for
damages, when they publish false information that can tank a stock or kill a
company's sales?

~~~
scoobyyabbadoo
Usually not. To prove libel you have to prove: 1. the information is false, 2.
The speaker knew it was false, 3. The speaker spread the false information
_with the intent to harm_ the plaintiff. Without all three it isn't libel in
the US.

------
zenlot
I'd be more interested in their clarification on NordVPN, ProtonMail/VPN and
the data gathering agency Tesonet.

~~~
dewey
Do you have a link?

~~~
safeplanet-fesa
The best way to learn about the incident is to read the discussions first-hand
from the Hacker News, for example, by searching "inurl:ycombinator protonvpn
tesonet". There is no point in reading any journalistic articles if you can
read Proton's responses here, except one article [0] - a compilation of
changing Proton's responses and them successively admitting more and more
things not in their favor. The compilation starts at the part called "Online
accusations fly".

[0] [https://restoreprivacy.com/lawsuit-names-nordvpn-tesonet/](https://restoreprivacy.com/lawsuit-names-nordvpn-tesonet/)

~~~
ColanR
If protonmail keeps changing their story like that, it seems pretty damning
for their credibility.

~~~
protonmail
This particular "story" was also another hit piece from anonymous "sources".
We previously responded here:
[https://www.reddit.com/r/ProtonVPN/comments/8ww4h2/protonvpn...](https://www.reddit.com/r/ProtonVPN/comments/8ww4h2/protonvpn_and_tesonet/)

But you don't have to just take our word on it. ProtonVPN in particular has
been heavily scrutinized, by both Mozilla (who we partnered with) and also the
European Commission (which is providing funding):
[https://protonvpn.com/blog/is-protonvpn-trustworthy/](https://protonvpn.com/blog/is-protonvpn-trustworthy/)

In other words, there are plenty of non-anonymous, legitimate third party
sources, who have checked things out and confirmed the story is bogus.

One main allegation was that Proton shares an address with another company,
but it fails to mention that our office in Vilnius is in a 30 story office
building with hundreds of other companies:
[https://www.instagram.com/p/BxMz62oHb6K/](https://www.instagram.com/p/BxMz62oHb6K/)

------
t0astbread
Does an F-Droid release mean Proton will finally remove their GSF
dependencies?

~~~
protonmail
That is indeed the plan, although there may be issues with battery life that
we need to resolve first.

------
turc1656
I'd like to point out one thing. The people at ProtonMail are clearly under
the belief that they are only subject to Swiss law because they are located in
Switzerland. That's not my understanding of the law at all. Granted, it seems
like an obvious conclusion but legally the truth seems to be different.

For instance, at my employer we had training on the GDPR rules and how they
relate to us. We are a US based company with many global clients. However, we
do have a physical presence in some EU countries so that does differ with the
ProtonMail situation. However, in our training we were told that our business
presence in the EU is irrelevant to the actual law because we would still be
bound by it as it relates to our global clients. The layman's explanation we
were given was that if you are using the internet to conduct digital business
across country borders then you are pretty much subject to the laws of _both_
nations between the client and the service provider.

That generally translates to defaulting to whichever law is more restrictive.
For companies like Facebook and Google, they've rolled out GDPR style
protections for everyone globally because it's much easier to do so than to
only have it apply to a portion of their users, but that's a separate story.

I think everyone intuitively understands and knows this to be true. We can all
think of cases where hackers have committed crimes that may only violate, for
example, US laws and have been tried and convicted of such crimes even though
they were committed overseas but the aggrieved party is the US or its
citizens.

I think what ProtonMail is really saying is that because Switzerland doesn't
have laws similar to China in this regard, China won't be able to convince
Switzerland to extradite them to China for prosecution.

That's also why Russia threatened to ban them - because they know there is
zero chance they will be willingly handed over to Russian authorities for
this.

~~~
pkilgore
> The people at ProtonMail are clearly under the belief that they are only
> subject to Swiss law because they are located in Switzerland.

What led you to believe this is so clear?

~~~
turc1656
These excerpts taken together:

1) _"As a Swiss company, when it comes to the data of Proton users, we will
only comply with the laws of Switzerland, the jurisdiction of our headquarters
and where all of our servers are located. As we have always consistently
stated in our terms and conditions and privacy policy, any requests which fall
outside of Swiss law will be politely refused"_

2) _"Proton does not have offices, employees, subsidiaries, or any permanent
establishments in China or Russia, and as such, we do not fall under the scope
of these laws, nor can these laws be enforced against us. However, this does
not mean authorities in these countries would not try to enforce the laws
anyways."_

~~~
protonmail
It's actually a bit more nuanced. Any government in any country can at any
time decide that their laws apply to you (because hey, it's a government, they
can do whatever they want). However, unless you are operating in that country,
there is very little they can do in terms of enforcing that upon you.

~~~
turc1656
Yes, that's the point I was trying to make - your country would have to be
willing to participate. That's risky, albeit to varying degrees, depending on
the country a person/business resides in because governments can change their
opinion at any moment or enter into new agreements to combat whatever they may
deem as "global crime".

------
Mbaqanga
Well that's kind of dramatically different than how the press is portraying
it.

------
humble_engineer
I was a gmail user a few months ago and I switched my entire life over to
protonmail because I didn't want to contribute to Google. I would have to say
the most frustrating part of the switch is the somewhat perplexed look I get
from people when they ask why I don't have gmail, they have to learn to spell
proton, fascinating. I would imagine we will see quite a few hit pieces
against protonmail in the coming years, and likely other email providers as
more and more people make the switch to a service that markets privacy.

~~~
Scarbutt
You can give myemail@pm.me instead of myemail@protonmail.com

~~~
fauigerzigerk
Yes, but first you have to activate it in the protonmail settings.

------
scoobyyabbadoo
I don't understand why people ever believed Protonmail's privacy claims to
begin with? Not that I have reason to doubt them either, but their security
seems nothing more than an unverified promise? I'm skeptical of my privacy
protection coming from small companies that could easily be bought outright by
governmental or political groups.

------
xgapp
By posting this you're practically caving to the mass media. In the long term,
it's best for everybody that you ignore them. Never pay the ransom or they
will become more powerful.

~~~
bovermyer
What are you talking about? Did you even read the article?

------
paulcarroty
This article sounds like a suspicious excuse, really. I don't want to touch any
device/service affiliated with Huawei/Chinese intelligence.

Is there any good&reputable replacement for ProtonMail?

~~~
scoobyyabbadoo
Why was protonmail ever considered good or reputable?

------
rshnotsecure
ProtonMail does not support Yubikeys. I would like to ask all of HN to think
seriously about this and what this means. ProtonMail does many things exactly
right. This 1 oversight suggests something very very scary going on at the
organization.

HN does not allow you to delete comments. I would ask that if you think that
not having Yubikeys does not require a significant and immediate answer from
the ProtonMail team, to sign your name (I will) at the bottom of your
response. If you can’t do that, perhaps provide a burner email address.

Dan Ehrlich

dan@ehrlichserver.com

CISSP, CCSP, CISM

EDIT: spacing between my signature, change of comment to commentS

~~~
uallo
Can you elaborate why not supporting Yubikeys (yet) "suggests something very
very scary going on at the organization"?

~~~
rshnotsecure
Yubikeys are one of the few forms of 2FA that are highly resilient to being
phished. Google has not only an option to restrict SMS 2FA, but an additional
one below to restrict “all 2FA options except security keys” in GSuite.

It has been known for some time that TOTP 6 digit codes are easy to intercept.
SMS codes can also be intercepted, or gained via SS7 vulns/ SIM jacking. This
made things like Google Authenticator or Authy more resilient but certainly
still quite vulnerable.

To intercept and exploit MFA in ProtonMail would be _absolutely trivial_ for a
skilled single person to do. DNS poisoning + this github library would be all
you needed:
[https://github.com/kgretzky/evilginx2](https://github.com/kgretzky/evilginx2)

EDIT: replaced quotemark with asterisk
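
As an added illustration (not part of any comment here), a small Python model of the property this sub-thread is about: a six-digit TOTP code is the same string wherever it is typed, so a relaying proxy page passes the server's check, while a security-key assertion is signed together with the origin the browser is really on, so the same relay is rejected. The origins, secrets and the HMAC stand-in for the key's real ECDSA signature are all constructed assumptions.

```python
import hashlib
import hmac
import json
import secrets
import struct
import time

# Constructed origins for the model: the genuine site and a look-alike proxy page.
REAL_ORIGIN = "https://mail.example"
LOOKALIKE_ORIGIN = "https://mail-login.example"


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), the scheme behind six-digit authenticator codes."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def totp_server_accepts(secret: bytes, submitted: str, now: int) -> bool:
    # The server only learns six digits; it cannot tell which page the user typed them into.
    return hmac.compare_digest(submitted, totp(secret, now))


def key_sign(key_secret: bytes, challenge: str, origin_seen_by_browser: str) -> dict:
    """Model of a security-key assertion: the browser hands the authenticator the origin it
    is actually on, and that origin is covered by the signature (HMAC stands in for ECDSA)."""
    client_data = json.dumps({"challenge": challenge, "origin": origin_seen_by_browser},
                             sort_keys=True)
    sig = hmac.new(key_secret, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": sig}


def key_server_accepts(key_secret: bytes, expected_challenge: str,
                       expected_origin: str, assertion: dict) -> bool:
    data = json.loads(assertion["client_data"])
    # Origin binding: an assertion produced on another origin is rejected before the
    # signature is even checked, so relaying it from a proxy page gains nothing.
    if data["challenge"] != expected_challenge or data["origin"] != expected_origin:
        return False
    expected_sig = hmac.new(key_secret, assertion["client_data"].encode(),
                            hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected_sig, assertion["signature"])


def simulate_login(user_on_proxy_page: bool) -> dict:
    """Run one second factor of each kind. When user_on_proxy_page is True the user is
    interacting with the look-alike origin, which forwards everything to the real server."""
    totp_secret = b"12345678901234567890"             # constructed (RFC 6238 test secret)
    key_secret = b"constructed-authenticator-secret"  # constructed
    now = int(time.time())

    # TOTP: the code is identical no matter where it is typed, so forwarding it succeeds.
    typed_code = totp(totp_secret, now)
    totp_ok = totp_server_accepts(totp_secret, typed_code, now)

    # Security key: the real server's challenge is forwarded unchanged, but the signed
    # origin is whatever the browser is really on.
    challenge = secrets.token_hex(16)
    origin_seen = LOOKALIKE_ORIGIN if user_on_proxy_page else REAL_ORIGIN
    assertion = key_sign(key_secret, challenge, origin_seen)
    key_ok = key_server_accepts(key_secret, challenge, REAL_ORIGIN, assertion)

    return {"totp_accepted": totp_ok, "key_accepted": key_ok}


if __name__ == "__main__":
    print("direct login:", simulate_login(False))   # both factors accepted
    print("via proxy page:", simulate_login(True))  # TOTP accepted, key assertion rejected
```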

~~~
uallo
That does not really answer my question. Why does missing support for Yubikeys
"suggest [that] something very very scary going on at the organization"?
Supporting Yubikeys is probably already in their list of planned features. But
ProtonMail is a relatively small company and the user base requesting that
feature might be relatively small. Yes, security is one of their top-most
priorities but so is earning money. The latter requires a large paying
audience where other features might be more important.

~~~
rshnotsecure
It’s such an oversight that to quote someone from early 20th century ... “is
this stupidity or is this treason”.

Not doing this was a deliberate choice. The benefits of implementing it
outweigh at maybe a dozen orders of magnitude not implementing it.

The very scary thing btw is simple. They were bribed the same way the
WordPress Core Contributors have been for years. Let me discuss this quickly,
and I’m happy to name names in a separate posting (Gary Pendergast out of
Australia is going to jail though along with another American dev). That being
said please review this discussion where several core contributors admit to
not even reading an extremely important patch from arguably one of the best PHP
developers in the world (certainly in terms of security):
[https://core.trac.wordpress.org/ticket/39309](https://core.trac.wordpress.org/ticket/39309)

------
rossmohax
I'd prefer to see them spending time on polishing their mobile app, which
lacks in UX in important areas. For instance offline access to received, but
yet unopened emails simply doesn't work. There is a (mis)feature where email
bodies are downloaded only on notification, but in my case emails remain
unavailable offline and Protonmail support was unhelpful.

But even if email-via-notification worked, it is still pretty much unusable.
My use case is to get to wifi, download emails and get offline, but with Proton
mail I'd have to be super careful not to have my app open when enabling
connection to wifi, otherwise it instantly downloads all headers and shows no
notification, because the app is in the foreground, after that there is simply no
way to download message bodies other than opening them one by one in all
folders. Surprisingly support saw no problem with this UX either.

~~~
doesnt_know
This comment comes across as particularly callous. They are saying a part of
why they may support the Huawei app store is to continue to provide access to
the app to those in developing countries, and your response is to say you'd
prefer them spend time on your personal UX pet peeve...

~~~
stedaniels
I don't use ProtonMail but this seems like a fairly fundamental issue rather
than a personal pet peeve. In my naivety, it also seems like the kind of issue
that would cause considerable pain in developing countries who might likely
have spotty internet connections, which would lead them straight into said
issue.

So whilst it might have been meant callously, from my third party glance it
seems quite important.

