“So @ProtonMail received a legal request from Europol through Swiss authorities to provide information about Youth for Climate action in Paris, they provided the IP address and information on the type of device used to the police https://t.co/KtKF4wn3wv”
Really what is the average person suppose to do to have a private email? I heard Edward Snowden say that email is fundamentally flawed and will never be secure. I’ve thought about hosting my own email server, but even then i need to buy a domain name likely with my own card, buy a VPS with my own card and it traces back to me.
Just in case, perhaps one can get away with dynamic DNS sort of pseudo domain, not a full domain, so that you can access services you host at home, without having to know the IP. At any rate, whether pseudo DDNS or full DNS, the IP is fully recognizable.
The advantage of a VPS might be some protection against home blackouts and internet lost every now and then, depending where you live. However, self hosting poses several issues. Isolating your network (firewalls plus kernel hardening), hardening the servers,protect against common attacks such as denial of services, as well as infiltrating the services. All than not to mention dealing with spam and much more.
However, I’m tending towards the idea the we have to self host, now a days. Trusting providers is not wise. Granted email is not secure, neither private, however the same applies to other services. FB is even looking at ways to extract information from whatsapp without decrypting messages… Signal leaks quite some information about its users, and though the advertise themselves about not able to decrypt messages, they can and probably do share all metadata they grab.
I’d really like distributed mechanisms, to take over, and become mainstream, not just decentralized, because then there are no servers to depend upon, and the information is just shared among those whom the information was generated for, no trusting in servers, not even your own.
I like the idea of self hosting email - it just seems to be a total pain however. I’ve done it a few times but the process is so fragmented and I just don’t have the time to dedicate to maintaining it.
You can protect privacy with encryption, and I believe ProtonMail does work for that, but trying to protect anonymity is an entirely different beast. I’m not convienced it’s possible at all in any way that’s reliable (not just email but also even simple web browsing) unless there’s a change in how routing works in the internet, or a new layer is developed (like I2P, but even that’s not really a warranty).
True. Someone can have high standard for privacy and at the same time have no desire for anonymity. The thing is that what was compromised in this case is the identity of the person who owns the email. The emails themselves were kept private.
What the email provider snitched is the IP address (which wasn’t “tori-fied”). So it was anonymity what was compromised in this case.
The email was openly used for activism so the police was already investigating it, they only wanted to know the identity of the physical person behind it, and that’s what ProtonMail helped with, since the activist didn’t use anonymizers. The police didn’t need to decrypt the contents of the account or compromise its privacy (which is what using ProtonMail would have protected against), just its anonymity.
If you need secure communication a good solution is E2EE which is enabled by default in signal and in element. Ideally, you should use e-mail to receive newsletter, sign in to sites and nothing more.
That being said, the whole situation about ProtonMail is quite overblown. As detailed in their transparency report, and privacy policy they MUST provide account’s information like the IP address if the Swiss criminal investigation requires them. By default, they don’t log the IP of the users.
Now, if this is a real concern for you, then you should not using their service. Otherwise, go for it. ProtonMail is still a valid choice.
Edit: However, it’s important to understand that every time you visit a website, you automatically send a set of features to it , including your IP address. It’s just how internet works. The whole “no log policy” is not something you can verify. You have to fully and blindly trust the provider whether it is located in a 5 Eyes country or in Iceland.
Edit: self hosting a email server it’s actually really, really difficult. It’s not something that a unskilled person could do.
Really what is the average person suppose to do to have a private email? I heard Edward Snowden say that email is fundamentally flawed and will never be secure. I’ve thought about hosting my own email server, but even then i need to buy a domain name likely with my own card, buy a VPS with my own card and it traces back to me.
Just in case, perhaps one can get away with dynamic DNS sort of pseudo domain, not a full domain, so that you can access services you host at home, without having to know the IP. At any rate, whether pseudo DDNS or full DNS, the IP is fully recognizable.
The advantage of a VPS might be some protection against home blackouts and internet lost every now and then, depending where you live. However, self hosting poses several issues. Isolating your network (firewalls plus kernel hardening), hardening the servers,protect against common attacks such as denial of services, as well as infiltrating the services. All than not to mention dealing with spam and much more.
However, I’m tending towards the idea the we have to self host, now a days. Trusting providers is not wise. Granted email is not secure, neither private, however the same applies to other services. FB is even looking at ways to extract information from whatsapp without decrypting messages… Signal leaks quite some information about its users, and though the advertise themselves about not able to decrypt messages, they can and probably do share all metadata they grab.
I’d really like distributed mechanisms, to take over, and become mainstream, not just decentralized, because then there are no servers to depend upon, and the information is just shared among those whom the information was generated for, no trusting in servers, not even your own.
I like the idea of self hosting email - it just seems to be a total pain however. I’ve done it a few times but the process is so fragmented and I just don’t have the time to dedicate to maintaining it.
“Private” and “Anonymous” are different things.
You can protect privacy with encryption, and I believe ProtonMail does work for that, but trying to protect anonymity is an entirely different beast. I’m not convienced it’s possible at all in any way that’s reliable (not just email but also even simple web browsing) unless there’s a change in how routing works in the internet, or a new layer is developed (like I2P, but even that’s not really a warranty).
deleted by creator
True. Someone can have high standard for privacy and at the same time have no desire for anonymity. The thing is that what was compromised in this case is the identity of the person who owns the email. The emails themselves were kept private.
deleted by creator
What the email provider snitched is the IP address (which wasn’t “tori-fied”). So it was anonymity what was compromised in this case.
The email was openly used for activism so the police was already investigating it, they only wanted to know the identity of the physical person behind it, and that’s what ProtonMail helped with, since the activist didn’t use anonymizers. The police didn’t need to decrypt the contents of the account or compromise its privacy (which is what using ProtonMail would have protected against), just its anonymity.
Email has not been designed with security in mind. Even if the content is encrypted, email still leaks a lot of metadata, including:
Using PGP is not helping since it is a phased out - and obsolete - technology which has a lot of problems:
The PGP Problem
More PGP Problems
Whonix article about PGP
If you need secure communication a good solution is E2EE which is enabled by default in signal and in element. Ideally, you should use e-mail to receive newsletter, sign in to sites and nothing more.
That being said, the whole situation about ProtonMail is quite overblown. As detailed in their transparency report, and privacy policy they MUST provide account’s information like the IP address if the Swiss criminal investigation requires them. By default, they don’t log the IP of the users.
Now, if this is a real concern for you, then you should not using their service. Otherwise, go for it. ProtonMail is still a valid choice.
Edit: However, it’s important to understand that every time you visit a website, you automatically send a set of features to it , including your IP address. It’s just how internet works. The whole “no log policy” is not something you can verify. You have to fully and blindly trust the provider whether it is located in a 5 Eyes country or in Iceland.
Edit: self hosting a email server it’s actually really, really difficult. It’s not something that a unskilled person could do.