Proton wins appeal in Swiss court over surveillance laws (swissinfo.ch)
420 points by dane-pgp 34 days ago | hide | past | favorite | 69 comments

> The court confirmed that email services can’t be considered telecommunications providers in Switzerland, and therefore are not subject to data retention requirements.

That's a great development. I think I read previously that their VPN service was also not covered by the data retention requirement, which meant that they were in the odd position of hiding your IP address from themselves. Bootstrapping the sign-up process for that using Tor and cryptocurrency might have been a bit difficult though.

It's good to see that even if they're not willing to take risks for their users, they're still dedicating some resources to fighting unjust laws (in court, not in real life, but that's still something).

> email services can’t be considered telecommunications providers

It's nice that they won the case, but now I wonder if this ruling may deprive them of other rights; that seems like a broad category that may be used in other laws.

ProtonMail needs to come up with technologies such that it's not in possession of users' data in the first place.

Instead of being in possession of users' data, sometimes providing it to governments and sometimes appealing.

As an example, can you implement a VPN service such that you don't hold IP or DNS records at all (i.e., not both simultaneously)?

> ProtonMail needs to come up with technologies such that it's not in possession of users' data in the first place.

I believe it has them already? There's no reason they can't put an inline transparent Tor bridge in front of their mail infra to anonymise all inbound traffic, i.e. TCP/IP -> Tor node -> Tor node -> ProtonMail, so it could only ever capture IPs coming from its own Tor node if compelled to do so. However, it would still have the ability to log on the TCP/IP transparent endpoint. This risk could be mitigated by using their onion address [2] and using someone else's Tor nodes.

The data-at-rest already is zero-access [1]. There is encryption of data-in-transit but no zero-knowledge network layer... maybe they could work on this since they have support for Tor [2]?

[1] https://protonmail.com/blog/zero-access-encryption/

[2] https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7...

[3] https://protonmail.com/tor

This is exactly what I alluded to. See Apple’s private relay feature.

But PM needs to lead the tech world in privacy technologies instead of spending efforts in justifying why it should be trusted.

Another thing: data at rest is not quite end-to-end encrypted. If an email comes from a non-PM account to a PM account, it's received in plaintext and then encrypted. Thus PM has that data.

My point was that I think they already have the ability to do this (cited sources), but they don't.

Apple's private relay feature is good but they also suffer from recent trust issues.

Regarding the last point, yes, if you send PM to non-PM there will be plaintext email sitting in the non-PM's inbox/sent items. But you do have the ability to send non-PM recipients password-protected email where they have to read the email over at PM in their browser. Only a link to it is sent by email, and they need to know the password to access it.

Obviously it depends on your threat model, but if you're doing anything that sensitive you should probably not be using email as there's no way of truly making it secure to use.

Some people will be using protonmail just because they don't want their provider scanning their emails or targeting them with ads. PM do offer a free tier so they're not a bad choice for that use case.

Just to be clear, if you send an email from a non-PM to PM account, the email is plaintext in BOTH accounts!

That's because PM servers receive plaintext data. Then they encrypt it. But there is no proof that the plaintext is not logged.

It's the same as with a VPN: trust us, we don't log your data. No, invest in zero-knowledge technologies please.

I can point out many other possibilities for improvement in their email and VPN services. But they should lead us, not the other way around.

> That's because PM servers receive plaintext data. Then they encrypt it. But there is no proof that the plaintext is not logged.

Ah yes, this is a good point. The only way to be sure is to client-side end-to-end encrypt your data before you send it to any upstream mail service, e.g. using S/MIME or PGP. At this point you can then use any free mail service, as you now "only" need to worry about leaked mail header metadata.
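The check the comment above points at, written out as an added example that is not part of the thread and not Proton's code: it wraps data that was already encrypted on the client in the PGP/MIME envelope (RFC 3156) and then lists what a mail provider sitting in the path can still read. The ciphertext is a constructed placeholder standing in for real OpenPGP output; the addresses, subject, timestamp and Message-ID are made up.

```python
# Added example (not Proton's code, not from any commenter): builds a client-side
# encrypted PGP/MIME message per RFC 3156 and shows what an upstream mail
# provider can still read from it. The "ciphertext" is a constructed placeholder
# standing in for real OpenPGP output produced on the client.
from email import encoders, policy
from email.message import EmailMessage
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.parser import BytesParser
from email.utils import formatdate

# Headers every relay and mailbox provider reads to route and store the message;
# encrypting the body does nothing to protect them.
TRANSPORT_VISIBLE_HEADERS = ("From", "To", "Cc", "Date", "Subject", "Message-ID")

# Constructed stand-in for the armored output of a client-side encryption tool.
CIPHERTEXT_PLACEHOLDER = (
    "-----BEGIN PGP MESSAGE-----\n\n"
    "PLACEHOLDER-NOT-REAL-OPENPGP-DATA\n"
    "-----END PGP MESSAGE-----\n"
)

# Fixed timestamp and Message-ID so the output is reproducible (constructed values).
_FIXED_DATE = formatdate(1_630_000_000, usegmt=True)
_FIXED_MSGID = "<constructed-example@example.invalid>"


def _stamp(msg, sender, recipient, subject):
    """Add the routing headers a sending client must supply."""
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg["Date"] = _FIXED_DATE
    msg["Message-ID"] = _FIXED_MSGID


def build_plaintext(sender, recipient, subject, body):
    """Ordinary text/plain message: the provider receives and can read the body."""
    msg = EmailMessage(policy=policy.default)
    _stamp(msg, sender, recipient, subject)
    msg.set_content(body)
    return msg.as_bytes()


def build_pgp_mime(sender, recipient, subject, armored_ciphertext):
    """Wrap already-encrypted data in the RFC 3156 multipart/encrypted envelope.

    Encryption must already have happened on the client; this only builds the
    container. The subject line stays in the clear because PGP/MIME does not
    protect header fields.
    """
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    _stamp(outer, sender, recipient, subject)
    # Part 1: the control part, fixed content required by RFC 3156.
    control = MIMEApplication("Version: 1\n", "pgp-encrypted",
                              _encoder=encoders.encode_7or8bit)
    # Part 2: the opaque encrypted payload (ASCII-armored, so 7bit is fine).
    payload = MIMEApplication(armored_ciphertext, "octet-stream",
                              _encoder=encoders.encode_7or8bit)
    outer.attach(control)
    outer.attach(payload)
    return outer.as_bytes()


def provider_view(raw):
    """What a mail provider sitting in the delivery path can observe."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    view = {
        "headers": {h: str(msg[h]) for h in TRANSPORT_VISIBLE_HEADERS
                    if msg[h] is not None},
        "content_type": msg.get_content_type(),
        "size_bytes": len(raw),
        "body": None,  # stays None when the body is opaque ciphertext
    }
    if (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted"):
        return view
    text_part = msg.get_body(preferencelist=("plain",))
    if text_part is not None:
        view["body"] = text_part.get_content()
    return view


if __name__ == "__main__":
    args = ("alice@example.invalid", "bob@example.invalid", "Quarterly numbers")
    for label, raw in (("plaintext", build_plaintext(*args, "Revenue is down 12%.\n")),
                       ("pgp/mime", build_pgp_mime(*args, CIPHERTEXT_PLACEHOLDER))):
        v = provider_view(raw)
        print(f"{label}: headers={sorted(v['headers'])} body={v['body']!r}")
```

Running it shows the trade-off the comment describes: with the PGP/MIME message the provider's view has `body` set to `None`, but From, To, Date, Message-ID and, notably, the Subject are identical to the plaintext case. Keeping the subject line neutral is the one piece of that metadata the sender controls.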

We must be fair. Citing that plain text is readable before Proton Mail encryption is... unfair.

A bad actor could place a proxy upstream; the problem has nothing to do with Proton Mail.

What protonmail tries to solve is your mail being encrypted at rest. It succeeds there.

Statements about "but they can read it" or "they can capture everything before..." are a separate issue, one of trust and different methods of state interference.

> Citing that plain text is readable before Proton Mail encryption is... unfair.

Firstly, it wasn't me that made that observation, but...

I don't think fairness comes into it. If you're concerned with that risk, use something else. All security comes with a set of trade-offs, and knowing which risks you're protected from and which you are not helps you make that choice.

ProtonMail are also very good at publishing their threat model, architecture and technical implementation as well as large parts being open-source.

> What protonmail tries to solve is your mail being encrypted at rest.

Actually, it does better than that. It uses message-level encryption with PGP keys to provide that encryption at rest, which in theory gives them zero access. Lots of services which tout encryption at rest are actually encrypting the block storage, which mitigates fewer and less likely threats.

That will just hide the IP, but not the user's authentication and data. There are simpler ways to proxy if you assume that the proxy front end is secure.

The law can mandate that ProtonMail is forbidden to use such technologies. If the court ruling had gone the other way and asserted that the data retention requirements apply, then it would be illegal for ProtonMail to offer their service without explicitly collecting and holding the records, even if they technically could do without them.

You can't (as a single company/entity) find a workaround for something like this. Proton had a court order from the country they operate from. You can fight court orders, but you can't usually disclose them (gag orders and all).

The only reasonable way (I can think of) to make it a bit harder for this to happen would be to have a second (and maybe a third) unrelated entity/company in an adversarial country that you can use as a relay. In this case, use it as a VPN service to access the e-mail on Proton servers.

Anonymity is inconvenient these days... and next to impossible if any govt agency is out to get you. The only way you can make it hard(er) is to spread over multiple jurisdictions and rotate accounts/discard them after a few uses. A system similar to one-time pads of sorts, combined with PGP.

> can't usually disclose them (gag orders and all).

Switzerland has no "gag orders"; that's an exclusive US-open-democracy thing ;-)

:) I didn't know that. I thought most/all countries in the West have an equivalent.

In the UK we have something like that (can't remember the name of it though). The courts can forbid all parties involved from having any public discussions. They can ban topics from reaching the public through normal mass media means. To make it even worse, they can prevent individuals from doing this sort of thing too. Prison time and/or fines if you don't comply. Democracy at its finest.

> I thought most/all countries in the West have an equivalent.

Well, there is no direct gag thing (because it would undermine free speech), BUT it could be interpreted, sometimes and in "theory", as "obstruction of a police investigation", so it's a case-by-case thing and not a direct law.

Aaah.. I see what you mean. Tbh that sounds reasonable as long as it's applied without political pressure and such.

> In the UK we have something like that (can't remember the name of it though).

Super-injunction: https://en.wikipedia.org/wiki/Super-injunctions_in_English_l...

> ProtonVPN does not log DNS queries, and by Swiss law cannot be forced to start logging them. We also do not log the IP addresses of our users.


Big PR win for Proton in the aftermath of https://www.swissinfo.ch/eng/protonmail-scandal-tarnishes-sw...

To save you a click:

> Encrypted email service ProtonMail has been at the centre of a social media storm ever since a police report revealed that the company shared the IP address of one of its users as part of a French investigation that led to the arrest of climate activists.

Hardly. The company still has not owned up to their major fuck-up in my book. They are willing to save themselves at the expense of their customers. Dead company in the world of security, but might drag on in the scam world.

Swiss courts are not something to be taken lightly... since ProtonMail and its founders are based in Switzerland, the employees themselves could have faced criminal charges for non-compliance.

A different argument could be made that they could be using more privacy-preserving tech that would make compliance not possible... but even then a court order + gag order could compel them to start logging.

Why this ruling is so important is that it sets a legal precedent that ProtonMail is in the right to not turn over user data to the government. The Swiss legal system tends to be pretty firm about things, and this will likely make it next to impossible for a repeat of their past fiasco to happen.

Again, for the millionth time, the issue is not that they had to comply with the law. Stop pretending to misunderstand, all this bullshit is quite obvious.

Proton Mail lied, and then pretended like they didn't. They decided it makes sense to sacrifice a customer because of their own fuck-up and false promise.

Proton mail is a shit company, and more and more I’m convinced they’ve bought shills to go out and divert attention.

In the world of security, Proton Mail is less than a zero. Their main clientele will be in the same scam business they are.

What should have been their policy, according to you?

Which service or solution (if any) has your favour?

What Lavabit did should be followed as an example imho.

> The court documents stated that on July 13 Levison sent an open letter to the assistant US attorney, offering to give email metadata (without email content, usernames or passwords) to the FBI if it paid him $2,000 "to cover the cost of the development time and equipment necessary to implement my solution" and $1,500 to give data "intermittently during the collection period".

So what Protonmail did wrong was to not ask for payment while handing out the metadata?

Source: https://en.m.wikipedia.org/wiki/Lavabit

Lavabit gave the feds the decryption key, and contents to every email for every user on their server.

I disagree with your position that this is what protonmail should have done.

From wikipedia:

> The court records show that the FBI sought Lavabit's Transport Layer Security (TLS/SSL) private key. Levison objected, saying that the key would allow the government to access communications by all 400,000 customers of Lavabit. He also offered to add code to his servers that would provide the information required just for the target of the order. The court rejected this offer because it would require the government to trust Levison and stated that just because the government could access all customers' communication did not mean they would be legally permitted to do so. Lavabit was ordered to provide the SSL key in machine readable format by noon, August 5 or face a fine of $5000 per day.[28] Levison closed down Lavabit 3 days later.

From wikipedia:

> Before the Snowden incident, Lavabit had complied with previous search warrants. For example, in June 2013 a search warrant was executed against a Lavabit account for suspected possession of child pornography.

From the register:

> After much wrangling, Levison eventually handed over Lavabit's cryptographic key in digital form, after earlier trying to satisfy a court order by printing out and handing over a copy of the key in 4-point type, a move that irked the judge handling the case.

From vice / the US Attorneys Office / Eastern District of Virginia:

> At approximately 1:30pm CDT on August 2, 2013, Mr. Levison gave the FBI a printout of what he represented to be the encryption keys needed to operate the pen register," a motion for sanctions signed by James L. Trump from the US Attorney's Office reads. According to the case docket, the documents were unsealed on March 4.

That doesn't answer the question of what currently available service is an acceptable alternative if Protonmail isn't palatable.

No email provider seems palatable.

> ProtonMail, in fact, had to comply with a Swiss court order, which came after the French police had requested Swiss cooperation through Europol, making use of international judicial assistance.

What exactly did / do you expect Proton to do here? They were given a legal mandate to comply and they complied. Did you have a fantasy that they would fight the Swiss and French governments (and apparently Europol) when given a valid court order and risk their entire existence?

Stop intentionally missing the point. It's not about them complying with the law or not, it's about them promising something that they did not deliver on, regardless of whether they couldn't because they didn't know or they lied; it doesn't matter. Customer confidence won't be partially restored without them owning up to it. First by fighting it in court, not pretending like it's all been out of their hands, then by having their system implemented in a way where they could even start secretly logging their users (even to comply legally). Hiding behind fine print and ambiguous wording (like "oh, we said only by default").

ProtonMail fucked up. Badly and majorly. So far the only thing they've proved is that their main tagline "Secure Email. Based in Switzerland" is basically meaningless bullshit. It's not secure, and they'll backstab their customers without even putting up a fight. There's no sugar-coating it, there's no way to take it back, and there's no way to distract the community from it.

Their reputation is as good as dead. I feel bad for people who still use it as a "secure" email.

They could and should have communicated more honestly about it. https://news.ycombinator.com/item?id=28427996

You're really making the Nuremberg defense?


By complying they also risked their entire existence.

Their brand seems destroyed already.

Since we're tossing around wikipedia links,


Lol, dude, you're missing the entire point. I understand it hurts to learn that a company you've been paying turned out not to be what it claims to be, but no one is "tossing around" wikipedia links other than you. And you're doing it sort of badly, the link you tossed is equivalent to just throwing: https://en.wikipedia.org/wiki/Security in an argument.

For someone who wasn't really buying into the whole secure email thing and wasn't that surprised they caved in initially, this was a net positive for me now that it has been tested in court. Not massively so, but still.

Calling that "caving in" is problematic, even defamation. They had a legal order from the court to log the IP the next time that user logged in. If they hadn't complied, who knows what the Swiss government would've done to Proton. Proton is a company after all and has to adhere to its legal boundaries; if it doesn't, it soon won't have legal boundaries, because the government uses its tools to make sure there is no Proton anymore.

Proton should design their software and services to "fail closed" and utilize technology and policies to prevent ever being exposed to user IPs, to prevent holding this data in the first place. They could daisy-chain Tor nodes, perhaps. I'm open to ideas on that front.

tl;dr: Proton failed their customer by designing their service in such a way that this PII disclosure was possible. That they folded under legal pressure instead of calling any government’s bluff shows that they are willing to compromise their own systems at their users’ expense, and get paid for the privilege. Their customers deserve better.

Your wording "calling any government's bluff" implies that this was a bluff; however, that's not the case. If the cards come to the table, it's obvious that "their cards" are weaker and the government can actually force them to compromise their systems. It's not a bluff, it's not a winnable contest.

In this case, after receiving a valid order, implementing any technology or policies to thwart it would be a felony, you're required to cooperate. If you appeal the ruling, you're still required to comply with the ruling and collect data during the appeal process.

Also, technical solutions don't fix social problems. They could daisy-chain Tor nodes to avoid collecting information by default; however, a valid warrant for a specific user (as in that previous case you seem to allude to) can easily require them to bypass all those technical solutions, add extra information collection and intentionally circumvent these Tor nodes for this one particular user to break their privacy, whether they're willing or not.

If they're not willing to compromise their own systems, then the only solution is to not run those systems at all and shut down the service e.g. as Lavabit did, because you can be (both legally and practically) forced to compromise your systems.

Yes, it is a government bluff. What will they do? When was the last time you heard of a sysadmin who went to jail for not keeping logs? The worst they risk is having a few machines seized and a fine. Unless of course they actively promote their services to the mafia or terrorist groups, which is definitely not the case.

Also related, it's very important to not respect unjust laws. Laws are designed by lawmakers to oppress the people, and it takes popular organizing/revolt to make them slightly fairer. Without civil disobedience and popular self-defense, USA folks would still have legal slavery and apartheid.

In the tech world, standing up to unjust laws is not uncommon. Mail providers such as Riseup are famous for standing up for their users (unless they're cryptoscammers, which is not covered by the ToS). Lavabit also notoriously committed seppuku rather than rat on users. In Germany, the Freifunk ISP defied all data retention laws and went all the way up to the supreme court to uphold privacy rights and not keep logs on their users. That's what I expect from a privacy-oriented service provider.

In France, where data retention laws have been deemed illegal by the European Court of Justice, the government still insists ISPs and other service providers must spy on users. In that case, are you supposed to respect the laws of your local corrupt government, or abide by the constitution and declaration of human rights in accordance with the highest legal courts?

If you're a small provider who doesn't intend to get into legal trouble, don't pretend you can protect users' privacy against unjust abuses of power. If you're a big corp like Proton, you definitely have enough resources to stand up to an obvious case of political repression. I understand and to some extent respect their decision, but it should not be framed as if they didn't have a choice!

Lavabit is really the key reference here; no reason to point to revolutions, that goes a bit far. But instead of providing the government with user data, Proton had the option to stop operating the compromised email service, or if necessary to fold the company. That is what was necessary in this situation. Instead they caved to the (now clearly illegal!) government request and ratted out their user. That's unacceptable for this kind of service.

Also, iirc, the problem with Proton is that they did not only hand over the data, they collected the data in advance to later possibly hand them over. That would be a systemic failure.

> no reason to point to revolutions

I did not exactly mention revolution, but that's an important topic. The government needs to keep tabs on everyone because they're unjust and therefore fear the mob. The only way to deal with this problem entirely is not via legal/technical means but via a global revolution that does away with "government" entirely.

> they collected the data in advance to later possibly hand them over.

My understanding (from previous reads) is that they had to enable IP logging precisely for this user that was targeted. If they had just done nothing, there would have been no data to give away or seize.

> Proton should design their software and services to “fail closed”

They do have this design for their VPN if you enable their killswitch feature.

That is client side. I meant server side, as well.

No, it's not; "caved in" is the exact perfect word that should be used, specifically considering the language they used in their promotional material. It is exactly because they're a company and must know that they will have to comply with the laws that apply to them that they should've either not used that wording in their promos or not caved in to legal requirements.

Saying they caved in is putting it mildly. You can even say they purposely misled their customers, and as of now, have not exactly owned up to it yet.

Edit: I’m also sick of the usage of the word problematic. Using problematic is problematic itself.

What action would you have not considered "caving in"?

Stick by their supposed principles, or at least spend money to defend the dude they exposed. Basically they fucked up majorly regarding this specific person and they should spend however much to fight the chaos they have caused.

“We’ll see you in court.”

Call me anything you want but I feel this is little more than a feel good ruling.

We know for a fact that the CIA operated Crypto AG for more than 30 years. No way the Swiss government wasn't in on it from the very start. And we know every government with the ability to spy on its subjects has been doing it for as long as it's been possible/affordable.

Now, I am not saying this ruling is meaningless. It's not. But if "they" really want your data, they will get it, legally or not.

In other words, I think they are simply trying to attract some new business.

If your threat actor is the CIA, or any three-letter agency for that matter, you ought to be bright enough not to trust a company. Companies are inherently focused on profit and growth; nothing bad about that, that's what companies do. However, companies also still operate within political and legal environments, which means they have to adhere to the laws of the jurisdiction they reside in. A company won't risk going bankrupt or being shut down to save a customer's privacy and anonymity, which it would if it just denied the government its legal processes.

If your threat actor is a nation-state intelligence community you might want to consider using higher level security systems like PGP.

For every other threat actor, this ruling is a great win for privacy. As long as your threat actor is your ISP, (anti-)social media as I've begun to call it, or your employer, ProtonMail (or Proton services) are really at the forefront of digital privacy.

Again, if you're up against the government, use PGP to communicate securely.

Whilst you're completely right (don't trust companies, pgp if you need to), I feel obliged to point out Lavabit [1] and Silent Circle [2].

Of course, you should still not trust companies, but exceptions to the rule have existed.

[1]: https://en.wikipedia.org/wiki/Lavabit

[2]: https://en.wikipedia.org/wiki/Silent_Circle_(software)

While what you say is correct, it’s not the main point here.

I’m sick of seeing blind Proton defenders on HN, has the company bought some shills to defend them by diluting and misdirecting the community’s attention? I wonder!

The issue is that Proton lied. Plain and simple. Their marketing and promos were targeting everyone, specifically non tech savvy people, aka those who don’t know or can’t use pgp.

It's not the end of the world, and mistakes happen, but Proton purposefully misled their customers, and they should own up to it to even recover a tiny bit of their reputation. Otherwise the company is dead in my book and I would never ever recommend them.

Fair point.

I am not a shill...

They advertised themselves with a 'no-log policy'. This policy however used the phrase "by default, [...]" and said that they don't store IP data. This is true; that statement was never breached as far as we know. The court requested Proton to start logging data for this single account in question for the investigation, because the account owners had broken Swiss national law.

"[Proton] could not appeal because a Swiss law had actually been broken and because "legal tools for serious crimes" were used. ProtonMail does not believe the tools were appropriate for the case at hand, but the company was legally responsible to comply with their use nonetheless." [0]

What would you want Proton to do in this case? Close down shop and not give out PII, or rather comply and keep operating? You can't just discard an entire operation of this size because of one account.

We are on the same side here; we both want Proton to do better and to have an email service that is actually secure. As long as any company or organization operating an email service is inside any jurisdiction, it will face these issues. But the jurisdiction is also what enables companies or organizations like this. I don't think we are ever going to get the perfectly secure mail service that protects our privacy, resists governments and threat actors to an absolute degree, and operates servers and services at the same time like Proton does. If anything, FOSS self-hosted options are probably the closest to the above we are going to get.

edit: If Proton designed their services to not collect data from the start, like a lot of commenters here are proposing, that could be a real opportunity. This strategy however only works in very stable democratic systems, as unstable ones are always at the mercy of their governments and as such are vulnerable to privacy intrusions.

[0] https://arstechnica.com/information-technology/2021/09/priva...

The Swiss government and police, with unchecked, limitless powers, can use the new anti-terrorism laws to target Proton employees without charge or trial (even 12-year-olds):


For anyone wanting to read the actual court decision (in French): http://links.weblaw.ch/BVGer-A-5373/2020

The judgments are customarily anonymized, but everything points to this being the correct one. Note that this decision is not final; an appeal to the Swiss Federal Tribunal may still be filed.

Can anyone provide any additional info on what exactly these "climate activists" were responsible for doing?

From what I remember, the suspect is believed to be the leader of an anarchist group responsible for squatting places, to struggle against the move of wealthy people to North-Eastern Paris.

They have made the news for squatting one place in particular: the restaurant "Le Petit Cambodge", as it is one of the restaurants targeted by terrorists on November 13, 2015.

Here is an article in French about them: https://www.lefigaro.fr/societes/a-paris-un-local-du-restaur...

Watch HN turn this into a negative because the hard-core ProtonMail haters are going to hate.

This gets turned into a negative because HN is chock full of leftist authoritarians that don't like privacy from government prying eyes.

Oooo, edgy straw man... delicious.

What do you mean by "leftist authoritarian" exactly?

Can you give some examples of notable American "leftist authoritarians?"

I am arguably a leftist, but probably not an authoritarian. I am all for privacy. In fact, one could argue that Proton could have gone further in basic system architecture to provide that than they seem to have.

But the flip side of that is that the more complicated you make your tech stack, the longer it takes to get it running, and to fix it when it inevitably breaks.

On the other hand, they seem to have recommended using a VPN to access them, if you were concerned about IP metadata being disclosed.

On the gripping hand, they were also served with a subpoena, and depending on exactly how it was formulated, there may well have been no scope to fight the subpoena in court; and as I think that "follow the law" is generally a good thing, I think that on balance Proton may be culpable of negligence, but not actual malice here.

Yeah you can't even go one thread on HN without some Maoist telling you to let your employees unionize /s

It will lead to people blindly trusting the Swiss honeypot to store all information.

Here I was, thinking that the Large Hadron Collider violated the plaintiff’s GDPR rights
