ProtonMail revises its policy after handing over an activist's data


This weekend, news broke that the anonymous email service ProtonMail handed over the IP address and browser fingerprint of a French climate activist to the Swiss authorities. This move seems to contradict the company’s own privacy-centric policy, which as of last week stated, “By default, we will not keep any IP logs that can be linked to your anonymous email account.”

After providing the activist’s metadata to the Swiss authorities, ProtonMail deleted the part that promised no IP logs and replaced it with “ProtonMail is an email that respects privacy and puts people (not advertisers) first.”

No logging “by default”

As usual, the devil is in the details: ProtonMail’s original policy simply said that the service does not keep IP logs “by default”. However, as a Swiss company, ProtonMail was obliged to comply with a Swiss court’s demand that it start recording the IP address and browser fingerprint information of a specific ProtonMail account.

The account was operated by the Paris chapter of Climate Youth, which Wikipedia describes as a Greta Thunberg-inspired movement focused on students who skip class on Fridays to take part in protests.

According to a further statement ProtonMail released on Monday, it was unable to appeal the Swiss demand for IP logging on the account. The service could not appeal both because Swiss law had actually been violated and because “serious criminal legal tools” were used. ProtonMail believes these tools were not appropriate for the case at hand, but the law required it to comply with them.

Break out your Tor browser

In addition to removing the misleading, if technically correct, reference to its “default” logging policy, ProtonMail also pledged to encourage activists to use the Tor network. The new “Your Data, Your Rules” section on the ProtonMail homepage links directly to a landing page that aggregates information about using Tor to access ProtonMail.

Using Tor to access ProtonMail may accomplish something that ProtonMail itself legally cannot: obfuscating the IP addresses of its users. Since the Tor network hides the user’s network origin before the packets reach ProtonMail, even a valid subpoena cannot obtain this information from ProtonMail, because the service never received it in the first place.

It’s worth noting that the anonymity provided by Tor relies on technical means, not policy, which may be a double-edged sword. If government agencies or other threats are able to compromise the Tor nodes through which the traffic passes in a way that lets them trace its origin, there is no policy preventing the government from doing so, or from using that data for law enforcement purposes.

ProtonMail also operates a VPN service called ProtonVPN, and points out that Swiss law prohibits the country’s courts from compelling a VPN service to log IP addresses. In theory, if the Youth Climate Group had used ProtonVPN to access ProtonMail, the Swiss court could not have forced the service to disclose its “real” IP address. However, the company seems to be more inclined to recommend Tor for this specific purpose.

Only so much of an email service can be encrypted

ProtonMail is also careful to point out that although its user’s IP address and browser fingerprint were collected by Swiss authorities on behalf of Interpol, the company’s guarantees of email content privacy were not breached.

The service uses end-to-end encryption and deliberately does not possess the key needed to decrypt a user’s email body or attachments. Unlike the source IP address and browser fingerprint, that data cannot be collected simply by changing the configuration on the company’s own servers as required by a court order.

Although ProtonMail can and does encrypt the email body itself with a key that is not available to the servers that handle it, the SMTP protocol requires that the email sender, email recipient, and message timestamp be accessible to the server. Accessing the service through Tor or a VPN may help hide IP addresses and browser fingerprints, but the service can still be legally compelled to provide any of these fields to Swiss law enforcement.

In addition, the email subject line could also be encrypted without breaking the SMTP protocol, but in fact ProtonMail’s service does not do so, which means that the relevant courts may also compel the service to provide that data.

This story originally appeared in Ars Technica.
