Post Ahf2NtMcCWcNtZhbBA by doomy@mastodon.social
(DIR) Post #AhepbMoei7hbbHufSa by protonprivacy@mastodon.social
2024-05-07T19:29:45Z
1 likes, 2 repeats
The name/address of the terrorism suspect was actually given to police by Apple, not Proton. The terror suspect added their real-life Apple email as an optional recovery address in Proton Mail. Proton can't decrypt data, but in terror cases Swiss courts can obtain recovery email.
(DIR) Post #Aheq26PToeicXKsyPI by lx@swiss.social
2024-05-07T19:34:32Z
0 likes, 0 repeats
@protonprivacy Do you also store IP addresses? Can’t they be linked to real identities as well?
(DIR) Post #Aheqh1vnNB0cWEW6V6 by protonprivacy@mastodon.social
2024-05-07T19:41:57Z
0 likes, 0 repeats
@lx We provide an official Proton Mail onion site for use with the Tor network for those seeking anonymity. It’s also important to differentiate that VPN is not classified as a communication tool in Switzerland — Proton VPN does not log IPs and there are no existing Swiss laws that can compel us to do so.
(DIR) Post #Aher1DvkTAt7We7kFU by JSharp1436@mstdn.social
2024-05-07T19:45:34Z
0 likes, 0 repeats
@protonprivacy Sensible.
(DIR) Post #AherLdbeiV3CwwSZhA by martijn@ieji.de
2024-05-07T19:49:18Z
0 likes, 0 repeats
@protonprivacy seems like you're getting all the heat. So thanks for providing your services, still a happy customer 🩷
(DIR) Post #AherWNlbwojv0gEvg0 by lx@swiss.social
2024-05-07T19:51:13Z
0 likes, 0 repeats
@protonprivacy I thought I read somewhere in Proton’s docs that the last seen IP address is logged? Does that only apply to Proton Mail but not VPN?
(DIR) Post #Ahes6kPFFjjLeK7PO4 by alihan_banan@mastodon.world
2024-05-07T19:57:48Z
0 likes, 0 repeats
@protonprivacy i love you guys
(DIR) Post #AhesPe70sVWpdAbOgS by leberschnitzel@existiert.ch
2024-05-07T20:01:08Z
0 likes, 0 repeats
@protonprivacy maybe instead of a list of what you can't give out you should publish a list of what you have to hand out if requested by court
(DIR) Post #AheueKajwA5XLCdXii by chrisdoestech@fosstodon.org
2024-05-07T20:26:11Z
1 likes, 0 repeats
@protonprivacy to be fair, it's not like you guys handed over message content. Just account recovery address. It's that person's opsec failure to link the proton account to a real world identity. Like anyone should trust Apple, Google etc. I'm not up to anything dodgy but I use an always on VPN & my proton account uses recovery keys not email address. Encrypted email is just one tool in your threat model not your entire threat model but I can't say I'm sad if it was a terrorist being caught
(DIR) Post #AhexeW3ZbsnilHu3jU by protonprivacy@mastodon.social
2024-05-07T20:59:52Z
0 likes, 0 repeats
@lx Under no circumstances can our encryption be bypassed, meaning emails, attachments, calendars, files, etc. cannot be compromised by legal orders. We also provide an official Proton Mail onion site for use with the Tor network for those seeking anonymity. It’s also important to differentiate that VPN is not classified as a communication tool in Switzerland — Proton VPN does not log IPs and there are no existing Swiss laws that can compel us to do so.
(DIR) Post #Ahf2NtMcCWcNtZhbBA by doomy@mastodon.social
2024-05-07T21:52:58Z
0 likes, 0 repeats
@protonprivacy proton unlimited subscriber here 👋 is there a reason the recovery email address was not hashed?
(DIR) Post #AhfArP6C5Z8YLqbY6C by leny@social.linux.pizza
2024-05-07T23:27:55Z
0 likes, 0 repeats
@protonprivacy I haven't seen any communication on this case. So PM actually didn't provide anything to the authorities, that was done by Apple? Therefore didn't even receive a court order from Switzerland?
(DIR) Post #AhfJOgfaa4Y42IXfdI by cyastis@mastodon.social
2024-05-08T01:03:36Z
0 likes, 0 repeats
@protonprivacy Thanks for the very specific information on what information you may or may not be compelled to provide here. Let us know if anything changes!
(DIR) Post #AhfOonnxAwPNSrj6Lg by Drew@urbanists.social
2024-05-08T02:04:20Z
0 likes, 0 repeats
@protonprivacy what is this in reference to?
(DIR) Post #AhfcbPYlPBbzrc88yO by lapesanta@mastodont.cat
2024-05-08T04:38:47Z
0 likes, 0 repeats
@protonprivacy Protesting is not terrorism https://www.statewatch.org/news/2024/february/spain-terrorism-charges-against-protesters-undermine-international-human-rights-and-democratic-standards/
(DIR) Post #AhfkQwNbq8Mi6LQnQm by pacogens@masto.es
2024-05-08T06:06:31Z
0 likes, 0 repeats
@protonprivacy can you tell us what other information can you provide so easy from our accounts? Or what is not encrypted? Now I know I need to delete my recovery mail. My phone number? If I use the easy switch option I am exposed? What about the new security options like proton sentinel or the dark web monitoring?
(DIR) Post #AhgY1TgKOg07Z3Eqw4 by myrix@mastodon.pnpde.social
2024-05-08T15:22:09Z
0 likes, 0 repeats
@protonprivacy "but in terror cases Swiss courts can obtain recovery email" Also for users' own domains? (Ask for a friend)
(DIR) Post #AhgYCbUThiVYy708GG by myrix@mastodon.pnpde.social
2024-05-08T15:24:09Z
0 likes, 0 repeats
@protonprivacy "but in terror cases Swiss courts can obtain recovery email" Also from users' own domains? (Ask for a friend)
(DIR) Post #Ahgho1cMQTeeIobgm0 by protonprivacy@mastodon.social
2024-05-08T17:11:48Z
0 likes, 0 repeats
@myrix A recovery email is optional and not required for a Proton account, more here: https://proton.me/support/set-account-recovery-methods
(DIR) Post #AhgigdZFXt4HdhC11E by protonprivacy@mastodon.social
2024-05-08T17:21:41Z
0 likes, 0 repeats
@pacogens Hi there, setting a recovery method is optional, more on this here: https://proton.me/support/set-account-recovery-methods
(DIR) Post #AhgiuPDThR5JBTZgeG by doomy@mastodon.social
2024-05-08T02:28:41Z
0 likes, 0 repeats
@vale @protonprivacy that's my best guess here: ergonomics. which i get. it's hard to strike a balance between secure and easy to use.
(DIR) Post #AhgiuQ64QSklun7Hk0 by protonprivacy@mastodon.social
2024-05-08T17:24:00Z
0 likes, 0 repeats
@doomy @vale Setting a recovery email is optional, and we provide several other options here: https://proton.me/support/set-account-recovery-methods
(DIR) Post #Ahgj7vofnylK3VQDy4 by jonah@mastodon.neat.computer
2024-05-07T22:36:24Z
0 likes, 0 repeats
@doomy how would @protonprivacy “un-hash” it if they needed to send you a recovery email? A hash is one way. All they can do is encrypt it (which I’m sure they do), but in that case they’ll have the keys to decrypt it like they did here.
(DIR) Post #Ahgj7x5j43zs0gPMBc by AIBrain@mastodon.social
2024-05-07T22:57:49Z
0 likes, 0 repeats
@jonah @doomy @protonprivacy Not all hashes are one-way.
(DIR) Post #Ahgj7xzNj8W4nIRnw8 by jik@federate.social
2024-05-07T23:03:46Z
0 likes, 0 repeats
@AIBrain @jonah @doomy @protonprivacy 1) If the hash isn't one-way then Proton can be compelled to unhash it so there's no point. 2) They could require the user to reenter the recovery address if it's needed for recovery, confirm that it matches the hash, send the recovery message to the address, and then discard the unhashed address. If they're not doing it that way then they screwed up, or they decided convenience outweighs privacy, or they want to be able to cough it up if asked legally. 🤷
(DIR) Post #Ahgj7yerEvh2rvqvaK by jonah@mastodon.neat.computer
2024-05-08T02:11:44Z
0 likes, 0 repeats
@jik asking people who’ve forgotten their password to remember their recovery email seems like a very bad move. @AIBrain @doomy @protonprivacy
(DIR) Post #Ahgj7z9hOGMaPaHYem by jik@federate.social
2024-05-08T02:29:23Z
0 likes, 0 repeats
@jonah @AIBrain @doomy @protonprivacy In fact, people are significantly more likely to forget a password than to forget their email address. And if they have multiple addresses and don't remember which they used, they can try all of them. As I said, this is a privacy vs. convenience trade-off. Other apps do this (require recovery email to be verified by user before it can be used for recovery). Proton would not be breaking new ground here.
(DIR) Post #Ahgj7zwyR3mKsPKuSe by protonprivacy@mastodon.social
2024-05-08T17:26:28Z
0 likes, 0 repeats
@jik @jonah @AIBrain @doomy Setting a recovery email is also optional, more info here: https://proton.me/support/set-account-recovery-methods
(DIR) Post #AhglzqFeuWBILIsWNU by jik@federate.social
2024-05-08T17:58:44Z
0 likes, 0 repeats
@protonprivacy @jonah @AIBrain @doomy I don't understand why you keep making excuses instead of at least acknowledging that you could choose to handle recovery emails in a way that keeps them private.
(DIR) Post #AhgmpBeX6KMRUBzpYm by protonprivacy@mastodon.social
2024-05-08T18:08:00Z
0 likes, 0 repeats
@jik @jonah @AIBrain @doomy Hi Jonathan, email is just one of several recovery options, rest assured your feedback has been passed along to the team.
(DIR) Post #AhhzeaLISSPXR8EXw0 by pacogens@masto.es
2024-05-09T08:06:29Z
0 likes, 0 repeats
@protonprivacy that's not what I asked. I want to know what other personal information you deliver so easy to authorities.
(DIR) Post #AhiOSrZn3TyKGVWJ7I by protonprivacy@mastodon.social
2024-05-09T12:44:31Z
0 likes, 0 repeats
@pacogens Thanks for clarifying! We outline this in the first paragraph here: https://proton.me/mail/privacy-policy Note that it’s also important to differentiate that VPN is not classified as a communication tool in Switzerland — Proton VPN does not log IPs and there are no existing Swiss laws that can compel us to do so.
(DIR) Post #AhiOUOLugCJqCyl4Ay by protonprivacy@mastodon.social
2024-05-09T12:44:47Z
0 likes, 0 repeats
@leberschnitzel Proton stores minimal data and almost all data is end to end encrypted. You can find details in our privacy policy: https://proton.me/legal/privacy You can also check this article to see which data is stored encrypted and which cannot be: https://proton.me/support/proton-mail-encryption-explained
(DIR) Post #AhiOwtWIORXoysCoBE by protonprivacy@mastodon.social
2024-05-09T12:49:56Z
0 likes, 0 repeats
@marley @chrisdoestech @bughuntercat It seems that you're conflating a verification and a recovery email. Verification email is sometimes required upon signup, but it is not tied to the account you created and it's stored in a way that makes it inaccessible to us: https://proton.me/support/human-verification. So, we cannot share your verification email even if we want to. A recovery email is an optional recovery method that you don't have to have, or can replace with a recovery phrase https://proton.me/support/set-account-recovery-methods 1/2
(DIR) Post #AhiP3neEciCmnRDBya by protonprivacy@mastodon.social
2024-05-09T12:51:12Z
0 likes, 0 repeats
@marley @chrisdoestech @bughuntercat So, yes, you can use your recovery phrase, as well as your recovery phone number to recover the account access (reset password). As you pointed out yourself, recovery phrase is also used for data recovery, but it's applicable in account recovery too. 2/2
(DIR) Post #AhiQ1spMUlR4Ee4Aym by protonprivacy@mastodon.social
2024-05-09T13:02:02Z
0 likes, 0 repeats
@doomy From a technical perspective, one can't end-to-end encrypt or hash a recovery email as it needs to be accessible to send the recovery email, which is typically initiated by an unauthenticated user who has lost their password. In brief, if we did that, one wouldn't be able to use the recovery address for its intended purpose.
(DIR) Post #AhiROQXBxDbd6HsgQi by leberschnitzel@existiert.ch
2024-05-09T13:17:18Z
0 likes, 0 repeats
@protonprivacy from what I'm reading there it means that ALL data that you log will be handed over if account information is legally requested? And the Sentinel Program means that your IP gets logged and also handed over to authorities, if requested (which seems counterintuitive)? Also support tickets get stored and will be handed out if requested?
(DIR) Post #AhieE5LVB0s7tSoPZI by protonprivacy@mastodon.social
2024-05-09T15:41:01Z
0 likes, 0 repeats
@Orca Hi there, we provide other options to configure account recovery without having to provide an email at all: https://proton.me/support/set-account-recovery-methods
(DIR) Post #AhieVsFGcgGgTXNVU8 by protonprivacy@mastodon.social
2024-05-09T15:44:20Z
0 likes, 0 repeats
@marley Thank you for the feedback, it's a bit difficult to organize in a way that would immediately make sense, because one method is available for both actions, while other methods are only used for one of them. But we are looking into it.
(DIR) Post #Ahigp3yDSBmUFZgFU0 by Orca@nya.one
2024-05-09T15:45:46.102Z
0 likes, 0 repeats
@protonprivacy@mastodon.social Yeah, but if you provide the possibility to set up account recovery with Email, people will use it, right? People use phone number for account recovery and 2FA all the time, even when TOTP/HOTP is an option (just like Twitter...)🤔
(DIR) Post #Ahigp4te0fib7gY6zo by protonprivacy@mastodon.social
2024-05-09T16:10:06Z
0 likes, 0 repeats
@Orca From a technical perspective, one can't end-to-end encrypt a recovery email as it needs to be accessible to send the recovery email, which is typically initiated by an unauthenticated user who has lost their password which is necessary to decrypt client side.
(DIR) Post #AhiuvLvyyYFd3nWrgG by doomy@mastodon.social
2024-05-09T18:48:13Z
0 likes, 0 repeats
@protonprivacy Thank you for the response, but I don't think that is correct. You can still store only the hash of the email. For example: When user requests recovery, they can input their recovery email. The server would then check that the hash of the user provided email matches the stored hash. If it does, the server sends the recovery email to the provided address (or keeps the email for as long as needed for operations before scrubbing).
(DIR) Post #AhjEAtViJukAfUMmVk by a000d4f7a91939d0e71df1646d7a48@anticapitalist.party
2024-05-09T22:23:55Z
0 likes, 0 repeats
@protonprivacy @Orca looks like you have a thing or two to learn from Riseup. Handle that recovery email like a password, hash+salt it. When the user wants to recover their account, ask for the recovery email, if it matches what you have, proceed, otherwise, don't.
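Added example, not part of the thread and not Proton's or Riseup's code: a sketch of the hash-and-verify recovery flow proposed in the posts above, where the server stores only a salted, slow hash of the recovery address and the user re-enters the address at recovery time. The function names, the PBKDF2 work factor, the lowercase normalization and the `send` callback are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this sketch


def _normalize(address: str) -> bytes:
    # Assumption: addresses are compared case-insensitively after trimming.
    return address.strip().lower().encode("utf-8")


def _digest(address: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalize(address), salt, ITERATIONS)


def enroll(address: str) -> dict:
    """Return what the server stores: a salt and a digest, never the address."""
    salt = os.urandom(16)
    return {"salt": salt, "digest": _digest(address, salt)}


def request_recovery(record: dict, claimed: str, send) -> bool:
    """Send the recovery message only if the claimed address matches."""
    candidate = _digest(claimed, record["salt"])
    if not hmac.compare_digest(candidate, record["digest"]):
        return False  # same outcome for any wrong address
    send(claimed.strip())  # address is used once and not persisted
    return True


if __name__ == "__main__":
    outbox = []  # stands in for the mail queue
    record = enroll("alice@example.org")  # constructed sample address
    print(request_recovery(record, "Alice@Example.org ", outbox.append), outbox)
    print(request_recovery(record, "mallory@example.org", outbox.append), outbox)
```

A record stored this way cannot be used to push an unsolicited alert such as a suspicious-login notice, which is the trade-off raised elsewhere in the thread. Because email addresses are guessable, the salted slow hash raises the cost of testing a candidate address against the record but does not make such a test impossible.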
(DIR) Post #Ahk52xcMSdiEf0Zsem by protonprivacy@mastodon.social
2024-05-10T08:16:22Z
0 likes, 0 repeats
@doomy Recovery addresses are also used to inform users in case suspicious login attempts or something of that sort has occurred, and for that we need to have access to the address itself. For the majority of users, anonymity is not a priority, but keeping attackers out is.
(DIR) Post #Ahk6EYhR221eo72rZI by protonprivacy@mastodon.social
2024-05-10T08:29:39Z
0 likes, 0 repeats
@a000d4f7a91939d0e71df1646d7a48 Recovery addresses are also used to inform users in case suspicious login attempts or something of that sort has occurred, and for that we need to have access to the address itself. For the majority of users, anonymity is not a priority, but keeping attackers out is.
(DIR) Post #AhkhjRIsHEcz9L94qm by protonprivacy@mastodon.social
2024-05-10T15:29:50Z
0 likes, 0 repeats
@leberschnitzel The Swiss law has limits which are quite strict, especially after our 2021 court victory: https://proton.me/blog/court-strengthens-email-privacy. We limit data retention, so support tickets are not stored forever, either. They have also never been requested.