
> On one hand, there's anonymous websites, competing VPN companies, and hundreds of Twitter bots pushing a story that is demonstratively false (just check public records).

I agree, the VPN industry is rife with shady business practices. But the story being pushed isn't 'demonstratively false'.

* TesoNet offers data mining services

* You did contract TesoNet employees

* Due to an error and unyielding policies by Google, TesoNet holds your Android app signing keys in name

* There is a lot of intermingling between TesoNet and NordVPN and to a lesser extent TesoNet and ProtonVPN.

Like I already stated, it's very unlikely you are compromised. But unlike, say, a billing company that handles my energy or water provider (where I care much less if they have tenuous links to data mining) my standard is extremely high for a VPN. Internet traffic is supremely personal and for me to trust a company handling that there cannot even be the slightest sheen of misconduct.

For me to trust you, you would have to completely cut out your Lithuanian subsidiary and any employees, board members, etc. that were or are related to TesoNet, as well as any reliance on their infrastructure. Obviously businesses don't operate with such 'scorched earth' policies and I don't expect you to gut your company based on a HN comment, but it is what it would take for me and many other privacy-conscious individuals to regain our trust.




Definitely appreciate your concern here, but there's still a lot which is being confused.

Proton does not today, and has never, used contracted (outsourced) employees. As is common with startups, in the past we did not always do all our HR in house (it's all in house today), but employees were always working on Proton and for Proton.

There are no board members, directors, shareholders, or employees, related to Tesonet beyond the fact that a couple employees might have been employed there previously. This in itself is not strange, we also have some employees who previously worked at Google, the ultimate data mining company, but clearly decided they preferred to work for the other side. People can and do change jobs.

Proton has also always run our own infrastructure, and for ProtonVPN, this is publicly verifiable.

So, we don't have to "gut our company" to remove any "intermingling" because there was little to none to begin with, and certainly nothing today.

Indeed trust is super important, but it seems odd to trust anonymous internet accusers or those with a clearly vested interest in harming Proton, as opposed to reputable third parties like the EU or Mozilla who don't have a vested interest here and are independent.

Proton is still to this day, the only VPN company that has an address clearly published on our website, where you can show up, and find company management and board members, and that means something.


Slightly off-topic but I am delighted by the generally non-abrasive way this thread is going. Dialogue is good!

I realized another way that would work for you guys (but is out of your hands) is fighting a court case about this. You'd be legally compelled to tell the truth and very screwed if you deny but then it comes out there is logging or mining going on. It's not ironclad but it is how most VPNs end up being considered 'solid'.


We have indeed retained lawyers to look into our options to fight the online defamation, but it's hard to take anonymous accusers to court. However, as we have discussed here (https://protonvpn.com/blog/is-protonvpn-trustworthy/) there is already a lot of ironclad legal evidence.

First, were we to lie in our privacy policy, we would be subject to GDPR fines of up to 20 million Euros, since we have both European customers, and a presence in the EU.

Second, there has already been a court case. We were ordered by a Swiss court to hand over logs, and we stated truthfully (under penalty of perjury) that we did not have the logs requested. This case was previously disclosed here: https://protonvpn.com/blog/transparency-report/


'January 2019 – A data request from a foreign country was approved by the Swiss court system. However, as we do not have any customer IP information, we could not provide the requested information and this was explained to the requesting party.'

I'm not terribly well-versed in the international (or Swiss) legal system but are portions of that request public record, or would it be possible to put portions of it online, verbatim?

It would really strengthen the case to your customers because whilst claiming you had a request when you didn't isn't illegal, falsifying court documents definitely is.


No public indictment was issued because in this case the accused could not be charged since they couldn't be identified. Generally there are only documents if police decide to move forward with a prosecution, which is unlikely since we do not have logs that can identify users.



