Hacker News
Encrypted services Apple, Proton and Wire helped police identify activist (techcrunch.com)
41 points by PaulHoule 14 days ago | 13 comments



What is the expectation here? That the companies would refuse to comply with an (apparently legal) governmental information request? What justification would they use?

Wire and especially Proton seem to have gone to the limits of their ability to enable their users to be anonymous, and the weak link was the user's own inclusion of the recovery address.

Obviously Apple (and Google, and Meta, and Microsoft, etc) will have more information about their users, but I don't think it's a common expectation that those kinds of services are anonymous.

If we're unhappy with the outcome here, I think it's a legislative question, not a technical one.


I was just thinking about this relative to another post. I think people push companies to solve this problem because Government is slow moving, and often well-resourced interests can get traction when the average citizen cannot.

This should absolutely be solved by government. But with collective action (noisy social media, mostly) people can often have quicker effect on a company.


In my experience, a lot of people are distrustful of logical arguments about what may happen. If it has never happened, then it doesn't happen in practice - that's how they reason I suppose. This article shows that it does happen in practice.


When will people learn. You simply cannot rely on centralized services if your goal is to threaten power. "Incorporated in Switzerland" is not going to protect you from a king.


HN had a big discussion on this already last week [0]. Frankly it's a nothingburger and "encrypted services" is pretty irrelevant, beyond yet another reminder that technical privacy and security measures are tools that make opsec possible; they're not opsec all by themselves. Businesses or individuals offering encrypted services aren't breaking the law and somehow actively rebelling against the government of their jurisdiction(s), they're offering tools that others can use for their work/lives in a more privacy preserving manner within the limits of their own abilities. The services and technical measures did their job, in that they did in fact make law enforcement go through the legal path with a specific inquiry vs warrantless mass harvesting, and depend on metadata vs clear text. But the absolute most paranoid fully encrypted anonymous leeching public wifi into Tor into a VPN into Tor again scheme wouldn't somehow prevent a person from just going ahead creating an account leaking their real world information. And recoverability vs side-channel balances will always present tradeoffs.

----

0: https://news.ycombinator.com/item?id=40280689


> Proton provides privacy by default and not anonymity by default because anonymity requires certain user actions to ensure proper [operational security] such as not adding your Apple account as an optional recovery method, which it appears was done by the alleged terror suspect.

I mean, fair enough. It sounds like Proton had a legal obligation to provide the recovery address under Swiss law. I am not 100% sure whether or not they could have refused, but Apple is the company that provided names and home address.


"Once the Guardia Civil obtained the iCloud email address, the documents show that it requested information from Apple, which in turn provided a full name, two home addresses and a linked Gmail account."

Basically everything but their favorite colors, TV shows and emojis.


If Apple receives a subpoena and they have the information they are required to disclose it.

I guess "Companies respond to court order as they are required to by law" doesn't make quite as snappy a headline.


Do they require a recovery address? If so, that is a design flaw that should be rectified.


No, a recovery email is an optional recovery method, and there are other options besides email that we offer: https://proton.me/support/set-account-recovery-methods


casual reminder: privacy and opsec are personal responsibilities and not something that can be tendered to you in the marketplace. when you use FAANG there is, regardless of the company marketing, ZERO expectation of privacy.

corporations have every fealty to government first. use closed source cloud services and tooling sparingly as you're the product and not the consumer under surveillance capitalism.


The idea that a person could opt out of society with math never made sense anyway.


It does make sense; it's just that expecting a business like Apple to protect you is a side-splitting fairytale. They don't want to empower you, they want to enslave you.



