Hacker News new | past | comments | ask | show | jobs | submit login

ProtonMail team here.

These allegations are false. Hidden at the bottom of the article, is this: "Public prosecutor Walder of the Competence Center Cybercrime contacted me, saying he had been misquoted". In other words, the alleged source (a public prosecutor) has also supported our denial of these false allegations.

ProtonMail does not voluntarily offer assistance. We only do so when ordered by a Swiss court or prosecutor, as we are obligated to follow the law in criminal cases.

Furthermore, end-to-end encryption means we cannot be forced by a court to provide message contents.




You 'forgot' to copy the full addendum. It reads as follows:

'Public prosecutor Walder of the Competence Center Cybercrime contacted me, saying he had been misquoted. He claims that had not divulged at the above-mentioned event that ProtonMail voluntarily releases real-time data. He had merely described ProtonMail as a potential provider of derived communication services (PDCS).

I was live-tweeting the event, including the interesting presentation by public prosecutor Walder. The remark that ProtonMail was a (potential) PDCS would have been too trivial to be live-tweeted. The insight on the other hand that ProtonMail voluntarily offers assistance for real-time surveillance, was spectacular and I therefore live-tweeted the statement. In its transparency report, ProtonMail – as mentioned above – itself refers to at least one case of real-time surveillance.'

https://steigerlegal.ch/2019/05/23/protonmail-real-time-surv...

Important: The English text is just an unofficial translation.


The evidence that was presented by the author can be summarized as:

"I live-tweeted it, so they said it. If they didn't, I wouldn't have live-tweeted it.".

I'm sorry, but that's a pretty weak argument, even when it's a he-said-she-said type conversation.


Quote from the post:

> ProtonMail even mentions a current case of real-time surveillance:

„In April 2019, at the request of the Swiss judiciary in a case of clear criminal conduct, we enabled IP logging against a specific user account which is engaged in illegal activities which contravene Swiss law. Pursuant to Swiss law, the user in question will also be notified and afforded the opportunity to defend against this in court before the data can be used in criminal proceedings.“

By writing of a „case of clear criminal conduct“ and of „illegal activities which contravene Swiss law“, ProtonMail violates the presumption of innocence against the monitored suspects. Such suspects are of course not informed by ProtonMail about ongoing real-time surveillance measures.


I'm not denying that they complied with the order to enable IP logging.

What I'm saying is that the author claims they voluntarily offer real-time logging without the need for judical intervention - per the prosecutor.

The author of the article at hand later added an addendum saying the prosecutor was mis-quoted in their article [[ and that Protonmail does not voluntarily offer real-time logging.]] (Note: The part inbetween [[]] is misleading - the prosectuor does not say that. I wrote it out rather than quoted it directly, and made an error. I am leaving it in for posterity)

The authors defense regarding the misquote is saying "I live tweeted it, so it happened".

Whether they do or not - I'm just pointing out the weakness of the argument that "I tweeted it, so it happened"


>The author of the article at hand later added an addendum saying the prosecutor was mis-quoted in their article and that Protonmail does not voluntarily offer real-time logging.

That is completely false. The author said that the prosecutor claimed to have been misquoted, not that he was misquoted. The author clearly stands by his quote, and it is therefore untrue that he says that Protonmail does not voluntarily offer real-time logging.


You are correct, my rewording ended up being misleading. My apologies.

I don't think it detracts from the substance of my argument, however. This is a he-said-she-said battle where one says "I tweeted it so it happened" and the other says "no, it doesnt".

Neither side is particularily convincing.


> Neither side is particularily convincing.

That's true of all he said she said arguments. The next step is gathering proof, not begging for more of the same he said, she said.


> I'm not denying that they complied with the order to enable IP logging.

What 'order'? All their report says is 'request'. If they had meant order, they would have said court order: in all the other cases in the transparency report, they specify if there was a court order.


Okay - fair.

How does that change the fact that saying "I tweeted it so it's true" is not a strong argument in a he-said-she-said debate?


I think it's a strong argument. It's not 'someone much later with fuzzy memories decided to interpret what they thought they heard', it's 'someone right there and then was so struck by what the revelation they just heard that they broadcast it to the world (and you can check that they did by looking at the Twitter timestamp)'.

Which do you trust more, a witness statement taken a minute after the crime, or made a year later?

That someone said something very revealing and immediately backtracked with an excuse "I didn't say what I said" is, on the other hand, deeply unconvincing.


I think we should not think of "request" in the same way as a court order. This seems the essential difference to me.

By the way: The author of the post is an attorney at law and member of the Chaos Computer Club (CCC), which makes me believe that he wouldn't falsely accuse ProtonMail.


As an attorney, I would expect a better substantiation than "I tweeted it, so it's true".

But, fair enough regarding request vs. order. I am not familiar with Swiss law terminology.

And he might be right! But to claim he is right because "I tweeted it during the conference" is, as I said, not swaying me either way.


The addendum does not categorically say that ProtonMail does not voluntarily offer real-time logging. The prosecutor correction says he didn’t disclose that at that event. He could have disclosed it anywhere else, he might know it happens but hasn’t disclosed yet. The quoted correction is worded in a way the prosecutor could have certain knowledge they do do that and is not refuting it.

// EDIT (moved word categorically) per comment below.


Fair reading of the addendum, I put my own words to it and it was misleading.

I don't think it detracts from "I tweeted it, so he said it" per:

>The remark that ProtonMail was a (potential) PDCS would have been too trivial to be live-tweeted. The insight on the other hand that ProtonMail voluntarily offers assistance for real-time surveillance, was spectacular and I therefore live-tweeted the statement.


> The addendum does not categorically say that ProtonMail does not voluntarily offer real-time logging.

Took me a second to calculate your meaning, this may help others.


From what I am seeing in the linked material, the author saw something that made his mind generate the sensational 'news'. Without bothering to check whether it's true or false he posted the generated conjecture as a fact and now is trying to defend the indefensible by attacking ProtonMail instead of posting the clarifications and apologizing.

In other words, pretty much the definition of fake news.


From above, there is a Swiss public prosecutor, who is on the public record as saying that he "had not divulged at the above-mentioned event that ProtonMail voluntarily releases real-time data."

That is a pretty conclusive statement that the reporting here is false.


Please answer one simple question: Do you perform real-time surveillance of users? Yes or no?


They answered that above, did they not?

> ProtonMail does not voluntarily offer assistance. We only do so when ordered by a Swiss court or prosecutor, as we are obligated to follow the law in criminal cases.

Yes, if ordered by a court - but not voluntarily, which is the claim of the article, italicized, with exclamation points, repeated several times, etc.


What does real-time surveillance mean to you?

You're asking a loaded question. Of course they have access to some real-time data re users.


My own definition does not matter. Swiss law matters:

'The order may require real-time surveillance to be carried out and the handover of the retained secondary data of telecommunications from past communications (retroactive surveillance).'

https://www.admin.ch/opc/en/classified-compilation/20122728/...

The question is not whether ProtonMail has access to user data. (They have, you are absolutely right.) They question is if they perform real-time surveillance, i.e., lawful surveillance (whether voluntarily or not).


So you're asking if they'll comply with legal court orders? They've already said they will.


This.

No matter what they actually do, they'd be idiots to reply to this, which is why we won't see a reply from them. Doesn't really say anything meaningful.


The answer appears to be yes though involuntarily.


We can see that by ourselves from their transparency report.

https://web.archive.org/web/*/https://protonmail.com/blog/tr...

- 2019/04/20 https://web.archive.org/web/20190420195556/https://protonmai...

- 2019/04/25 https://web.archive.org/web/20190425155330/https://protonmai...

The diff is simple and clear: ...

+In April 2019, at the request of the Swiss judiciary in a case of clear criminal conduct, we enabled IP logging against a specific user account which is engaged in illegal activities which contravene Swiss law. Pursuant to Swiss law, the user in question will also be notified and afforded the opportunity to defend against this in court before the data can be used in criminal proceedings.

Diff from 2019/04/25 to today: ...

-Updated on 13.03.2019 +Updated on 24.04.2019

-ProtonMail is not required to store communications metadata or IP information, as we are exempted from the Swiss Federal Act on the Surveillance of Post and Telecommunications (BÜPF) and its accompanying ordinance. Therefore, ProtonMail can apply a policy of collecting as little user information as possible to protect user privacy. To know exactly what kind of metadata your use of ProtoMail creates, please refer to our Privacy Policy. Upon receiving a judicial order, ProtonMail is obliged to provide any user information readily available that would help identify a user that is subject to a criminal investigation that has been validated by Swiss authorities.

+ProtonMail is not required to store communications metadata or IP information, as we are exempted from the Swiss Federal Act on the Surveillance of Post and Telecommunications (BÜPF) and its accompanying ordinance. Therefore, ProtonMail can apply a policy of collecting as little user information as possible to protect user privacy. To know exactly what kind of metadata your use of ProtoMail creates, please refer to our Privacy Policy. Upon receiving a judicial order, ProtonMail is obliged to provide any user information readily available that would help identify a user that is subject to a criminal investigation that has been validated by Swiss authorities. In addition to the items listed in our privacy policy, in extreme criminal cases, ProtonMail may also be obligated to monitor the IP addresses which are being used to access the ProtonMail accounts which are engaged in criminal activities. Under no circumstances will ProtonMail be able to provide the contents of end-to-end encrypted messages sent on ProtonMail.


In a nutshell: No data retention (yet) but real-time surveillance of metadata.


The answer to this is yes.


> Do you perform real-time surveillance of users? Yes or no?

Hey ProtonMail, I'd like to see a very clear, no bullshit, Yes or No to that question.

Your creditibility is being lit on fire in real-time. It'd be a good idea to clarify whether any real-time surveillence ever occurs.


If the following conditions obtain:

1. a law permits compelling a company to produce real-time data (or anything else),

2. a company has that technical capability, and

3. the company in #2 is in a jurisdiction with a law like #1,

you should assume real-time surveillance data will be provided in cases where it is so ordered. You don't need to wait for them to tell you that it is. It can go without saying.

How could it be otherwise? If the guys with the guns show up to demand that data, what else are they gonna do? The Lavabits of the world are incredibly rare, for the exact same reason that Lavabit doesn't exist any more.


They answered your question, please read more carefully:

> ProtonMail does not voluntarily offer assistance. We only do so when ordered by a Swiss court or prosecutor, as we are obligated to follow the law in criminal cases.


The full addendum you posted doesn't offer anything more than the Protonmail person posted - really don't see how it changes anything.


These types of allegations keep on appearing. I know we all generally trust CERN scientists (after all, they must be smart people who care), but to keep everyone’s trust I suspect nothing less than full transparency will do.

Where is ProtonMail’s data stored? Where are its web servers? Who has physical access? Who has login keys/credentials to storage and server machines? Who does security audits, how are they done, when we’re they done last, what were the results, and what steps are you taking to improve your system’s security? And most importantly, what exactly does ProtonMail do when dealing with authorities and other entities that want access to user data?

Security is a process, not a destination - that’s a mantra everyone in the security world learns early on. But trust is also a process, not a destination. As an example of a company that treats both as a process, consider AgileBits, the developer of 1Password. Their white papers are case studies in transparency.


Ideally, what you say makes sense, but at some point you're just going to have to place your trust in someone, or something. Realistically, a vendor won't be able to satisfy every single curiosity. Someone else might ask how do we know the data is actually stored where they claim its stored. How do we know if such and such employee even works there. How do we know the OS that their developers use isn't updated and/or compromised, What if they get a new employee who is incompetent and doesn't follow the established protocols, etc, etc. You can only go down one level of abstraction here. Otherwise you'll probably be writing a treatise on belief, knowledge and justified true-beliefs.


This is well articulated and reflects my current feelings as a customer.


We have a transparency report, a privacy policy, terms and conditions, and a threat model document, which clearly covers many of these points.

Much of our code is also open source, and has been audited by third parties, with published audit reports available online.

Some items, like precisely who has access to what, we obviously cannot publish for security reasons, as individual employees may be targeted if this is disclosed too clearly.


I see a lot of "much of" and "many of", etc.

Sorry, I'm a user, and I largely trust you all, but this doesn't exactly lay to rest the issue you were given. Security and trust are a chain, and if you don't know every link in that chain than the whole thing is largely useless.

As another pointed out, at some point you just have to trust something and I agree with this. But I wanted to point out that your answer is not sufficient for what you were trying to answer.


After having met numerous scientists, I haven't observed any increase in trustworthiness compared to the general population.

If anything, they are more apt to plagiarize and steal other people's ideas.

When they leave science to do something else, they frequently morph into ruthless businessmen.


Problem ist once these allegations are out there is literally no way to dispelled them. Keep up the good works. My assumption is that you could be compelled by Swiss law to give access (a la Lavabit), but that the same would be true for literally any non-shady email provider. You get either someone trustworthy or someone who can avoid the rules, but there's no middle ground. Any of the providers sitting in Dutch bunkers or island tax havens can really be geld accountable or their trustability be verified. And any proper honest provider like posted or mailbox or Lavabit will necessarily have to comply with local laws. Swiss laws or German laws will certainly offer better legal security than American or Australian legal contexts - but everything has a limit.

So please don't be disheartened by the undeserved hate here.



This "article" is absolutely ridiculous. There is clear repudiation by the "source" and instead of modifying or deleting the article, the author put it in an addendum at the bottom. Lowest of the low behaviours, aiming to cause shock, alarm and attract gullible internet readers.


The end to end encryption you provide only works for 2 parties within your service, no?

Doesn't that mean the courts could compel you to just alter the JS payload to capture keystrokes for these folks? If not, how do you prove that to us?


"Doesn't that mean the courts could compel you to just alter the JS payload to capture keystrokes for these folks? If not, how do you prove that to us?"

Swiss law is very clear in stating that this is not permissible, and this can be verified by checking the law itself.


This ignores half the problem and it's telling you tried to slide past it. You certainly can and probably will deliver message content sent from a protonmail account to a non-protonmail account.

I'm not an expert in Swiss law, so I have no idea. I'll wait for a 3rd party I trust to vet your claim.


What's the allegation here? The mail stored on proton's servers is encrypted. If you send that mail elsewhere, it's subject to the security of the receiving server and any intermediary servers.

That's not secret, or hidden by them.


ProtonMail will almost certainly send mail you receive from a non-protonmail sources to law enforcement if they're required to.

They're pointedly not denying they do so in every otherwise detailed response they've given on the subject so far.


They are not denying that, they clearly stated it:

> ProtonMail does not voluntarily offer assistance. We only do so when ordered by a Swiss court or prosecutor, as we are obligated to follow the law in criminal cases.


"ProtonMail will almost certainly send mail you receive from a non-protonmail sources to law enforcement if they're required to."

That wouldn't be ProtonMail'fault. Which email provider could refuse to comply with their own government orders and get away with it?


Apple and Google have made good shows of it. But also, ProtonMail could refuse to do non-encrypted email and then we wouldn't have this problem.


Source in Swiss law?


I too am interested in the source. Mostly out of curiosity, here in the US our laws definitely don't exclude things like building in backdoors, adding js payloads, etc (Although a few political lines have been drawn, such as Apple refusing to unlock iPhones, but these aren't written in law, they've been decided in courts and are very wishy-washy).


Any time you run someone else's code you either have to trust them or trust their auditors.

Solving this problem is the reason I built this:

https://github.com/Spark-Innovations/SC4


> or trust their auditors

if it's open source and you can build it yourself, sure


No, that's the whole point of having an auditor, so that you can have some grounds for placing trust in a system without having to trust the provider or having to audit the product yourself.


I think I'm thinking of security audit, while you're thinking about regulation/fiscal audit. Not sure what GP was talking about.


No, I was referring to a security audit.


Then no it doesn't work like that. (I do security audits for a living btw and happen to have audited many e2e encrypted messaging apps.)


There is more than one kind of security audit. The kind you do looks at the code and determines if it contains bugs. The kind I'm talking about looks at what is being served by a server and determines if it conforms to published invariants. (I hire security auditors for a living ;-)

[UPDATE] Now that I think about it some more, I guess that kind of auditor is analogous to a financial auditor, as you said. I didn't really make that connection before because the nature of the work is very different, but it's a fair analogy.

[UPDATE2] Looking back at your previous comment I see that the word "regulation" is in there. I'm not sure if you edited your comment or if I just missed it before, but my recollection of reading that comment is that it said "financial audit". Either way, I apologize for the misunderstanding and subsequent confusion.


You also have to trace the actual live code, to see if its actually running the code you think it should run. And not just with N=1, maybe with N=100 or a sufficiently high number.


> These allegations are false. Hidden at the bottom of the article, is this: "Public prosecutor Walder of the Competence Center Cybercrime contacted me, saying he had been misquoted". In other words, the alleged source (a public prosecutor) has also supported our denial of these false allegations.

Ah, what a brave new world of clickbait and amateur "journalism" we live in... The "source" was probably asked for a quote five minutes before the article went live and the "publisher" has no incentive to correct it because all they care about is that people visit the site and load the ads so they get a few cents per 1000 views.

Good luck ProtonMail or any other entity caught in these "reporters" and "journalists" antics.


From the addendum:

> I was live-tweeting the event, including the interesting presentation by public prosecutor Walder. The remark that ProtonMail was a (potential) PDCS would have been too trivial to be live-tweeted. The insight on the other hand that ProtonMail voluntarily offers assistance for real-time surveillance, was spectacular and I therefore live-tweeted the statement. In its transparency report, ProtonMail – as mentioned above – itself refers to at least one case of real-time surveillance.


The prosecutor in question has come on the record and said he was misrepresented. ProtonMail is also on the record as saying the "voluntary assistance" claim is false and untrue.

Unless there is some massive conspiracy/cover-up involving a Swiss public prosecutor, the most likely explanation (the article is wrong) is probably the correct one.


Isn't it more likely that the state prosecutor spilled the beans?

The statement even matches your own transparency report where you describe a case of IP logging, a typical real-time surveillance measure:

'In April 2019, at the request of the Swiss judiciary in a case of clear criminal conduct, we enabled IP logging against a specific user account which is engaged in illegal activities which contravene Swiss law. Pursuant to Swiss law, the user in question will also be notified and afforded the opportunity to defend against this in court before the data can be used in criminal proceedings.'

https://protonmail.com/blog/transparency-report/

(You mention April 2019, the statement by the state prosecutor was made at the beginning of May, i.e., he was probably really happy about your cooperation.)


So you’re saying that it’s more likely that there is a secret conspiracy, and a prosecutor in a public televised event for which they almost certainly had pre prepared their remarks, accidentally spilled the beans, than someone who is live tweeting an event mishearing, misinterpreting, or misunderstanding those remarks?


There is no need for a conspiracy. The Swiss surveillance state is a fact. It is also a fact that the relevant laws were recently updated with a focus on services like ProtonMail.

We are not talking about a public televised event. We are talking about a statement during a presentation. It happens all time time: People talk, sometimes they talk too much.


>Isn't it more likely that the state prosecutor spilled the beans?

No, why would it be? As you point out, they've disclosed turning on logging in response to a legal request. Why then deny the event?


Okay now explain why I can't make a protonmail account without:

- disabling javascript

- verifying with a phone number that is pretty picky

- getting stuck in captcha hell if I'm on TOR

and if I want to pay with Bitcoin, it already needs to be an existing account


> Okay now explain why I can't make a protonmail account without:

> - disabling javascript

ProtonMail encrypts/decrypts messages in the JavaScript client, which is how messages are encrypted without the server ever having access to the plaintext. If you must disable JavaScript, then ProtonMail isn't the mail service for you(unless you use their mobile app).


> - disabling javascript

Another commenter put it aptly when he said something to this effect: "It is [2019]. If you lobotomize your browser, you might find that a lot of the web doesn't work for you."


All of those sound like reasonable anti-spam/anti-fraud measures to me.

If you know a JS-free captcha approach that is of similar quality to Recaptcha, I'm sure the Protonmail folks would love to hear about it.


> - disabling javascript

How do you want to decrypt your data client-side without running a software to do just that?


> disabling javascript

Unsurprisingly, HTML cannot encrypt your data.

> verifying with a phone number

I never had to do that.

> getting stuck in captcha hell if I'm on TOR

Applies to pretty much all websites that use captcha. The purpose of captcha is to stop spammers; just suck it up or switch browsers.

> and if I want to pay with Bitcoin

Why would you want to do that?


Where does proton mail advertise or promise to offer a service that fulfills those obligations?




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: