
The company that "officially" operates ProtonVPN is ProtonVPN AG, a Switzerland-based company[1]. However, the business is in reality operated by PROTONVPN LT, UAB, a Lithuania-based company, which has the same office address as Tesonet, UAB. Both company offices are located at: J. Jasinskio g. 16C, Vilnius 03163, Lithuania[2][3]. PROTONVPN LT, UAB is a separate company that ProtonMail outsources the protection of its users' information to - ultimately run by Tesonet out of Lithuania[4]. Furthermore, Tesonet is operating a data mining operation out of Lithuania[5]. Tesonet also operates NordVPN[6], which claims to be based in Panama, not Lithuania[7]. This is specifically the type of situation that ProtonMail themselves say not to trust[8]. It's appalling. In short, NordVPN and ProtonVPN are operated by the same people/team/company. It's likely a joint venture between ProtonMail and Tesonet.

[1] https://protonvpn.com/about
[2] https://rekvizitai.vz.lt/imone/protonvpn_lt/
[3] https://tesonet.com/contact-us/
[4] http://apkforandroid.org/com.protonvpn.android/34784450-prot...
[5] http://oxylabs.io.cutestat.com/
[6] https://translate.google.com/translate?hl=en&sl=de&u=https:/...
[7] https://trademarks.justia.com/871/90/nordvpn-87190896.html
[8] https://protonmail.com/blog/trusted-vpn/




You aren't doing much in terms of brand ambassadorship for PIA by muckraking and bickering with a competitor. It's quite petty. The comment about PIA wasn't put forth by ProtonVPN. They clarified the discrepancy you raised and did so in a civil manner.

I wasn't that familiar with your company before today but I can tell you that I won't be a customer at any time in the future based on your comments.


We've unfortunately had to deal with a lot of this recently. The issue is that we have turned the VPN industry upside down by providing a free service, and that is likely hurting profit margins across the entire sector so everybody is trying to hit ProtonVPN now. We just aren't very profit driven, and that's the type of competition that brings down prices (and profit margins).


We used Tesonet as a local partner before we had an official Lithuanian subsidiary, and rented office space from them. We don't share employees, infrastructure, etc. We have had similar temporary arrangements with local companies when we opened offices in other jurisdictions where we didn't have an official presence yet.


Your Android APK has a certificate signed by Tesonet[1]. So do they control your Android VPN application or do you?

[1] http://apkforandroid.org/com.protonvpn.android/34007825-prot...


We do. That was an error made during the time Tesonet was doing our HR which we are attempting to correct.


Your most recent update (yesterday) was still like this. Was this something decided today?


This is an unfortunate mistake made by Algirdas, our first (and amazing) Vilnius team member. Back when he first joined us several years ago, we outsourced HR to a third party as it didn't make sense to incorporate a new company for just a single employee.

As Algirdas was formally employed through Tesonet, he put Tesonet into the cert, and nobody noticed it until recently. Unfortunately Google does not permit the cert to EVER be changed, so we are stuck with this cert forever: https://stackoverflow.com/questions/18357909/anyway-to-chang...

Google says it is a "feature", but most likely it is a "bug" especially when considering how many 1024-bit certs are still out there...


Why was something so critical (managing your code signing key) outsourced to someone you specifically called a competitor [1]? Basically, what I'm asking is are you incompetent or are you the same developer team?

[1] https://news.ycombinator.com/reply?id=17259627&goto=item%3Fi...


> This is actually explained above. In the early days of Proton, none of our employees outside of Switzerland were directly employed by us. This includes some key employees, including a co-founder. Third party IT companies were used to handle payroll and HR in these cases, and in Vilnius, it was done by Tesonet.

So you, a privacy company, outsourced your IT to countless third parties in all sorts of countries? "Sounds secure," said nobody ever.

> I'll take this opportunity to dispute Bart's contention that we compete with Tesonet. I prefer to say that instead of buying IT infrastructure from them, we built our own :)

I want to take this time to let everyone know that the facts I am providing contradict protonmail's statement[1].

[1] https://bgpview.io/prefix/185.159.157.0/24#whois


Now that last part IS a super interesting find. You guys really did a lot of digging. Proton NOC did some digging also and 185.159.157.0/24 is the IP block we use for our Zurich servers, which is now announced by AS59898 by AllSafe Sarl (Switzerland).

Turns out there was a plan to use Tesonet infra in Switzerland for this before we built our own infra in the Zurich area. What's interesting is that they weren't removed in RIPE when we decided to use our own infra instead, and this definitely needs to be corrected.

> So you, a privacy company, outsourced your IT to countless third parties in all sorts of countries?

You might have misread: "Third party IT companies were used to handle payroll and HR." This is not an uncommon practice for small companies and we still do this in countries where we have just 1 or 2 employees. It's a way to ensure employees get full benefits instead of being contractors with no benefits: https://en.wikipedia.org/wiki/Professional_employer_organiza...


This is actually explained above. In the early days of Proton, none of our employees outside of Switzerland were directly employed by us. This includes some key employees, including a co-founder. Third party IT companies were used to handle payroll and HR in these cases, and in Vilnius, it was done by Tesonet.

I'll take this opportunity to dispute Bart's contention that we compete with Tesonet. I prefer to say that instead of buying IT infrastructure from them, we built our own :)


I feel like the PIA guy is providing a lot of sources for his position. I feel like the counter arguments aren't providing anything, but words.


I checked out the provided links. It is weird. Even if it were a wrong conclusion, it seems fishy.


What the PIA co-founder proved in this thread so far:

- ProtonVPN UAB lists Tesonet's CEO as a director

- ProtonVPN UAB is operated from Tesonet HQ in Vilnius, Lithuania

- ProtonVPN UAB uses previous Tesonet's technical employees

- ProtonVPN uses IP address blocks that belong to Tesonet

- ProtonVPN mobile app is signed by Tesonet

It seems that ProtonVPN is a free VPN service by a data mining company from Lithuania.


That is what I mean. It looks like these things are facts and combined it doesn't look good.


I wasn't aware that ProtonVPN was not run by ProtonMail, even though I happen to be from Vilnius, Lithuania myself and even have a close friend working at Tesonet. If this is true, that makes me question how much anything branded Proton* can be trusted in general.


ProtonMail team here. The above is not correct. ProtonVPN is developed and operated by ProtonMail. However, it exists as a separate legal entity for security reasons. This is to avoid ProtonMail getting banned in jurisdictions where VPNs are illegal. An example is China where ProtonVPN is banned, but ProtonMail is permitted. Had they been the same company, both would have been banned together. So from the legal standpoint, we put as much separation as possible between ProtonMail and ProtonVPN.

Like ProtonMail, the ProtonVPN team is distributed, split between Geneva, Skopje, Vilnius, and San Francisco. Tesonet (one of the biggest IT firms in Vilnius) was previously used as outsourced HR before we incorporated our own entity in Vilnius. We have similar arrangements for our staff in San Francisco, Prague, and Skopje. The above poster's intentions are a bit suspect, given that he's the co-founder of PIA...


> Tesonet was previously used as outsourced HR before we incorporated our own entity in Vilnius

But your entity's business address in Lithuania is still Tesonet's HQ. And Tesonet runs the entire technical infrastructure needed for a VPN service. So, are you partners or competitors?


If it helps, Tesonet lists itself as a business that helps "collect business intelligence data" and has "machine learning solutions" [1]. They also say they do "cybersecurity."[1]

[1] https://tesonet.com/about/


The address probably hasn't been changed since the time of incorporation. We plan to update everything all at once later this summer when all of Proton consolidates under the ProtonLabs name. We save a bit of money this way by not using the lawyers multiple times.

Tesonet is actually a massive network and connectivity provider with a LOT of IP addresses, and we did in fact consider renting some servers from them. Like most VPN services, most of our servers are rented. In fact, we only completely own the VPN servers within our Secure Core network (we do this for security reasons as part of the rationale behind Secure Core, but that's another topic).

In the end though, Tesonet wasn't selected to provide servers and IPs. Our biggest server and IP provider is actually Leaseweb, which is also a popular choice among many VPN providers. However, we have some concerns about Leaseweb so we are reducing the number of servers we rent from them. Generally speaking, our VPN threat model does not trust ANY servers outside of our own Secure Core network.


We still lease office space from Tesonet at the moment, though that is changing soon. We don't have a business relationship with their VPN unit--we are competitors there.


[flagged]


Actually, Proton and Tesonet still have ties to this day; some company administration services like accounting are still outsourced to Tesonet. That is simply not a role we have taken in house yet (it's actually still outsourced in all countries that we operate in).

It's a bit of a stretch to go from that to Proton == Tesonet. It's not like the group of us that left CERN to create ProtonMail were also able to go to Macedonia, Lithuania, Czechia, and the US and just employ people. HR is not exactly our expertise, so we had assistance from local partners in each country.


[flagged]


> We don't share personal information with third parties. Furthermore, all user data (payment details, etc) resides on servers in Switzerland, controlled by our Swiss entities, under Swiss legal protection. This is why in our opinion, ProtonVPN is safer than PIA which is under US jurisdiction.

I would like to take this moment to show that, once again, you are trying to sell privacy under false pretenses and have no idea what you are doing in terms of either jurisdictional privacy or technological privacy.

Switzerland is a BAD place for e-mail.[1] Any actual cypherpunk knows that [2]. I'm not sure they teach privacy and activism at "CERN," [3] so I'm not sure why that's ever relevant yet you keep talking about it.[4] It's like that Fresh Prince episode where the guy kept saying "I'm from Harvard."

[1] https://arstechnica.com/tech-policy/2013/12/switzerland-wont-save-you-either-why-e-mail-might-still-be-safer-in-us/
[2] https://en.wikipedia.org/wiki/Data_retention#Email
[3] https://home.cern/search/node/privacy%20language%3Aen (lol)
[4] https://news.ycombinator.com/reply?id=17260425&goto=item%3Fi...


We don't share personal information with third parties. Furthermore, all user data (payment details, etc) resides on servers in Switzerland, controlled by our Swiss entities, under Swiss legal protection. This is why in our opinion, ProtonVPN is safer than PIA which is under US jurisdiction.


Yet the fact is that the entire ProtonVPN mobile traffic passes through an app signed by a data mining company from Lithuania.


What does me being the co-founder of PIA have to do with anything other than I'm trying to protect the people from shady f*s? Facts are facts.


They may be separate "legal" entities, but they share the same exact office. Both ProtonVPN and ProtonMail's Swiss entities are purportedly located here[1][2]:

Chemin du Pré-Fleuri, 3 CH-1228 Plan-les-Ouates, Genève, Switzerland

Furthermore, ProtonVPN UAB was created by Tesonet, and has Tesonet's CEO Darius Bereika listed as director.[3]

[1] https://protonmail.com/imprint
[2] https://protonvpn.com/support/
[3] https://www.visalietuva.lt/imone/protonvpn-lt-uab


This is correct, both Swiss companies are colocated in the same office building, which is home actually to 60 other companies as part of FONGIT (fongit.ch).

Because we are a small startup, we don't have our own dedicated office space in most of the countries we operate in, and instead have offices in shared spaces.

Vilnius is no different, and the incorporation of ProtonVPN LT was outsourced to Tesonet due to their experience in handling these types of matters. Of course, now that our Vilnius office (and Proton as a whole) has grown, most things are now done internally.



