Proton is trying to become Google without your data (wired.com)
ptero 656 days ago [-]
Proton is not perfect, but nothing is. We need more competition on the internet, and if Proton has a chance to provide an email and storage for an upfront price without trying to distract me with ads or pimp my data to advertisers, I want to support them. As a data point, I have been a very happy user of their plus service for the last 3 years.
Terry_Roll 656 days ago [-]
There is a silent backlash against Proton, the most obvious is the domain is blocked by the US Antivirus company who scans all UK politicians' emails through the UK parliament email address parliament.uk or British politicians are ignoring their constituents, some website contact forms reject protonmail email addresses as well. So I hope they give Google a run for their money.

Edit: If it's not politicians ignoring emails, then we have evidence that a private US antivirus company is illegally interfering in the democratic process of so-called allies and you can work this out with mxtoolbox.com, but we all know the US of A views everyone including allies as an enemy, because their actions and occupations speak louder than words! Can send a man to the moon but can't stop a shooter speaks volumes!

kodah 656 days ago [-]
My company VPN also blocks ProtonMail. I'm not sure exactly why, and I have zero evidence, but I suspect it's because it's the email that a whistleblower used a while back that was featured in congressional testimony.
jrockway 656 days ago [-]
I've definitely blocked protonmail domains before. The calculus is that 100% of the accounts from that domain are fraud and 0% are legitimate, so it just saves a lot of time to block it. Stops fraud before it even starts. This is, of course, annoying for the 1 legitimate customer mixed in with the billions of bots. But basically, they have an abuse problem that they need to solve. Gmail also has plenty of fraudulent accounts, but it also has a lot of legitimate accounts, so they avoid the *@gmail.com ban.

It sucks that people use wide swaths like this, but that's how the cookie crumbles when you have a problem at 3 in the morning that you need to fix now and then go back to bed.

throw10920 656 days ago [-]
> Work: https://pachyderm.com/

Well, I know what I'm not using if I ever have a need for an ML pipeline.

jrockway 655 days ago [-]
Yeah, that's fine. If you want to spend 20,000 hours rewriting our 100% open-source product from scratch because we used to have a hosted offering that was overrun by fraud and I made a rash decision in the middle of the night, feel free! Recommend just downloading the source from Github though and using our work for free. That is absolutely the best way to stick it to me for sharing my thought process on HN. (Use the 19,9999 hours you saved to listen to enjoyable music or hang out with friends! It's fun!)

Like I said, I was paged in the middle of the night because protonmail accounts were being created at a rate of hundreds per second to use our hosted free trial to mine crypto. So I blocked the domain name. I'm not saying this is wonderful or anything, but it is what I had to do at the time.

I see that my post got massively downvoted, but this is the thought process for people administering things. You get overrun and then you make a rash decision. I basically had the choice to block protonmail from using the free trial, eliminate free trials, or require everyone in the Universe to type in a credit card, pay their bill and not dispute the charges for 90 days. I chose the first one. Free trials continued for the vast majority of the world. But hey, we ended up deciding not to do the cloud offering (in part because of this), so maybe I fucked up that decision.

I'll definitely be thinking about fraud/risk from day 1 the next time I do a cloud service, so that innocent users of email domains abused by fraudsters are not unfairly discriminated against. I didn't do it the first time, and that's on me. I just wanted to share the thought process of someone in the trenches; not make a value judgement of your email provider! You as an individual user of some service can't be held accountable for the actions of the other users of that service. I get that and I feel bad about what I did at the time.

But, having been where the UK government is, I totally get where they're coming from. That's all I wanted to say. Protonmail can do some vetting of their customers, so that their emails become more trustworthy, if they feel like it. That would make their product more valuable for all the legitimate users.

wink 655 days ago [-]
All you're really saying is 'freemail is bad because of abuse, gmail is just too big to fail', which is not a whole lot of news after 25 years on the internet, I guess that's where some of the downvotes come from.
ping00 655 days ago [-]
Appreciate the thoughtful answer despite the downvotes; I didn't consider how bad fraudulent email creation still is -- would CAPTCHA protection have solved this issue? I'm picturing a web GUI for your product, but I see a console offering on your website too.
jrockway 655 days ago [-]
They weren't actually doing much automation for account creation; we would see accounts created from mobile phone providers using mobile UAs, and then after they had an API key we'd see the accounts used from compromised cloud hosting accounts. (Free CI trials were probably a big chunk of this too, but I can't prove that.) The mistake we made was really being too generous with free trials; you need the compute to test our product, but free compute is something you just can't give out these days because of the crypto gold rush. I signed up for fly.io recently and they just ask you for a credit card as soon as you hit "create account". We were scared of that at the time, but I thought it was completely reasonable.
Terry_Roll 656 days ago [-]
Well the irony is that Shodan.io also blocks protonmail email accounts and yet Shodan is your go-to search engine to launch surgical hack attacks on entities.

I know www.urban-automotive.co.uk are losing out on business because they block protonmail accounts as I'm sure many other businesses are!

Hitting those who don't understand privacy in the wallet is an easy accomplishment!

TAKEMYMONEY 655 days ago [-]
Thank you for contributing to the discussion, enjoy downvotes as your reward.

I had similar issues with signups from Proton. I use the service myself so I didn't want to block it at the domain level, I hope they address this soon.

almet 656 days ago [-]
The only thing that bugs me with Proton is that it's still very complicated to integrate with thunderbird (or any mail app?), which makes it practically unusable for my needs.

Having a tab always open in my browser for my mail seems so wrong.

BoyBlunder 656 days ago [-]
Their mobile apps are also very lackluster and devoid of basic features. I understand that they are unable to open up to other mail apps due to the encryption, but for the past few years there have been little to no updates to their iOS suite.
willis936 656 days ago [-]
They did a facelift of their iOS mail app six months ago and this week.
noman-land 656 days ago [-]
I agree it's not perfect but they have some pretty great instructions. I've been using the Bridge with thunderbird for multiple accounts and it works awesome.
precurse 656 days ago [-]
Yep, me too. I have Thunderbird running in the background essentially as an email backup, but I wind up using the web version more. However Thunderbird and Bridge work extremely well that I forget they're running in parallel.

I'm a recent Google GSuite refugee, so it's hard breaking the habit of web based mail I suppose.

adamhearn 656 days ago [-]
Genuine question, how is a browser tab different than thunderbird? Besides storing a local copy of mail (which is obviously a huge win), I don't see a big difference. If anything I like the web UI better.

However, for my uses I simply installed proton bridge + apple mail. It just works with all email services I use.

mr_toad 656 days ago [-]
> Genuine question, how is a browser tab different than thunderbird?

Different protocols for one thing - HTTP vs IMAP and/or POP/SMTP.

Each webmail app does things its own way. Webmail conflates the app and the protocol and the provider. Some people prefer to have mail from different providers in a unified app.

blangk 656 days ago [-]
I find it works very well using the bridge on my Manjaro desktop, and was fine on Debian before that.
ptero 656 days ago [-]
I have the same experience, for me it works flawlessly with the bridge, but the bridge itself is a complication. I would prefer a straight imap option (in addition to the bridge option). My 2c.
kataklasm 655 days ago [-]
But then you wouldn't have E2EE anymore, and that's kind of their flagship feature.

I'm very happy with the Bridge integrated with Neomutt on Fedora Linux.

ptero 655 days ago [-]
I agree with that; all I am saying is that I think a fair number of users would be happy with the IMAP access even though it does not provide E2EE benefits, which should not affect those who want to run with the bridge.

I think Protonmail started with a privacy-focused business case (for which E2EE is a key feature), but is now expanding into the broader pool of people who want to pay for an ad-free, no-data-scanning email, but are not concerned about targeted spying and prefer the simplicity of a convenient setup. For that crowd, IMAP would make more sense. My 2c.

Night_Thastus 655 days ago [-]
I use it with Thunderbird. There is an initial step (you need to set up ProtonMail Bridge) but after that it's seamless. And they have really good instructions for how to do that initial setup.
dgellow 655 days ago [-]
You just need to install the bridge locally, the rest is similar to what you would do for other email providers. What is complicated about it?
zhfliz 655 days ago [-]
fwiw, there's an unofficial desktop app: https://github.com/vladimiry/ElectronMail
0daystock 656 days ago [-]
Asserting "private email" is a modern litmus test for someone's technical understanding and capabilities, or lack thereof. Snake oil companies will always hide behind "it's encrypted" and "it's hosted in Switzerland" tropes that mean nothing to anyone who has done a modicum of research. Real privacy is not the result of some product, especially not when it's so desperately and obviously shilled.
jacooper 656 days ago [-]
It's the best you can get. It's fully end-to-end encrypted when stored, they don't scan anything, no ads, no tracking, and they support laws and organizations that improve individuals' privacy.

Why wouldn't I support them? If I care about privacy I should support companies that care about it too, no?

Proton is not perfect, the Android mobile app currently has neither conversation view nor contact sync, and the desktop bridge doesn't implement the DAV protocol, but it's the best out there for people who want to protect their privacy.

And if you care about privacy, you shouldn't be using anything made in Australia.

almet 656 days ago [-]
Thanks for stating this. It's still good to have people working on tools to help us have better usable solutions though.

Depending on who your enemy is (threat model), I guess proton tools can help you protect your intimacy though.

bashinator 656 days ago [-]
Are you suggesting that because the only way to have truly private email (in the U.S. at least), is to own the server hardware, the property it's colocated on, and the Internet connection. Because this is true, but not helpful.
0daystock 655 days ago [-]
There isn't such a thing as "secure/private email" because its design was not conceived with such things even in mind. The "secure" solutions like Protonmail are something other than email, which is probably the way forward, but I wish it was done without twisting language giving others a false sense of security and understanding.
bashinator 655 days ago [-]
I'm more thinking "legally private" than "technically private".
mouzogu 655 days ago [-]
How can I learn more about privacy online?

It seems to me that the only private email would be no email.

0daystock 655 days ago [-]
Threat modeling is the only logical way to reason about privacy and security. It is quite a tedious exercise of listing all the adversaries you're worried about, their capabilities, and data they want to compromise. Such a model will reveal gaps and additional controls you can implement to improve your state.
ziddoap 656 days ago [-]
>Snake oil companies will always hide behind "it's encrypted" and "it's hosted in Switzerland" tropes that mean nothing to anyone who has done a modicum of research.

Do you have evidence that Proton does not actually encrypt their emails?

>Real privacy is not the result of some product,

I do wholeheartedly agree with this, at least. Privacy is a scale and there are many, many pieces which tip the scale one way or the other.

pretext-1 656 days ago [-]
> Do you have evidence that Proton does not actually encrypt their emails?

Their encryption is based on PGP and therefore only message contents are "E2E" encrypted. Subject, From, To, etc. are not. These fields contain most of the information already. For example, Amazon puts the name of the ordered item in the subject line, so they can still see what you ordered.

And I'm putting "E2E" in quotes because if the sender does not send encrypted emails, then they can read the full content at delivery time, obviously. They immediately encrypt them with your public key and they claim that they discard the unencrypted version after that but there is no way we can verify that.

Long story short: you still have to trust your email provider after all. If I'd want to switch away from Google, I'd probably switch to some "normal" email provider (Fastmail, Apple, etc.). The benefits of "E2E" encryption for email are questionable and the drawbacks huge (for example search is very limited). But competition is good and I'm glad they are advancing.
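
Added example, not part of pretext-1's comment and not Proton's code: a Python check of which parts of a message a mail server can read, for a PGP/MIME (RFC 3156) message and for a plaintext one, matching the two cases described above. Both sample messages, their addresses and the placeholder payload are constructed for illustration.

```python
from email import message_from_string

# Headers that sit outside the PGP envelope; any relay or mailbox host sees them.
ENVELOPE_HEADERS = ("From", "To", "Cc", "Subject", "Date", "Message-ID")

# Constructed sample: sender encrypted the body with PGP/MIME before sending.
SAMPLE_ENCRYPTED = """\
From: orders@shop.example
To: alice@mailbox.example
Subject: Your order of a USB security key has shipped
Date: Tue, 14 Jun 2022 09:12:44 +0000
Message-ID: <constructed-0001@shop.example>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----

--b1--
"""

# Constructed sample: the same notification sent without encryption.
SAMPLE_PLAIN = """\
From: orders@shop.example
To: alice@mailbox.example
Subject: Your order of a USB security key has shipped
Date: Tue, 14 Jun 2022 09:12:44 +0000
Message-ID: <constructed-0002@shop.example>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Tracking number: CONSTRUCTED-123
"""


def is_pgp_encrypted(msg):
    """True for RFC 3156 PGP/MIME, or for an ASCII-armored PGP block in a text part."""
    if (msg.get_content_type() == "multipart/encrypted"
            and str(msg.get_param("protocol", "")).lower() == "application/pgp-encrypted"):
        return True
    return any(
        b"-----BEGIN PGP MESSAGE-----" in (part.get_payload(decode=True) or b"")
        for part in msg.walk()
        if part.get_content_maintype() == "text"
    )


def readable_body(msg):
    """Concatenate every text part exactly as the receiving server would see it."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        raw = part.get_payload(decode=True) or b""
        chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks).strip()


def exposure_report(raw_message):
    """Summarise what is readable without the recipient's private key."""
    msg = message_from_string(raw_message)
    encrypted = is_pgp_encrypted(msg)
    return {
        "body_encrypted": encrypted,
        # Headers are cleartext in both cases: PGP only wraps the body.
        "server_readable_headers": {
            h: msg[h] for h in ENVELOPE_HEADERS if msg[h] is not None
        },
        # A plaintext arrival is fully readable at delivery time, before any
        # at-rest encryption the mailbox provider applies afterwards.
        "server_readable_body": "" if encrypted else readable_body(msg),
    }


if __name__ == "__main__":
    for name, raw in (("pgp/mime", SAMPLE_ENCRYPTED), ("plaintext", SAMPLE_PLAIN)):
        report = exposure_report(raw)
        print(name, "| body encrypted:", report["body_encrypted"])
        for header, value in report["server_readable_headers"].items():
            print("   ", header + ":", value)
        print("    body:", repr(report["server_readable_body"]))
```
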

ziddoap 656 days ago [-]
>Subject, From, To, etc. are not.

I never claimed they were.

>These fields contain most of the information already

Except, you know, the body of the email.

>Amazon puts the name of the ordered item in the subject line, so they can still see what you ordered.

Yes, Proton is not a panacea. Again, never claimed it was. You can't just abandon all opsec because you use Proton, I agree.

>Long story short: you still have to trust your email provider after all. If I'd want to switch away from Google, I'd probably switch to some "normal" email provider (Fastmail, Apple, etc.). The benefits of "E2E" encryption for email are questionable and the drawbacks huge (for example search is very limited).

I agree with the point about trust. You have to trust your hardware wasn't backdoored on the way out of the factory, too. Security and privacy are about trade-offs and weighing risks. I've weighed my risks and made my choices.

Tijdreiziger 656 days ago [-]
> Do you have evidence that Proton does not actually encrypt their emails?

It doesn't matter. Proton supplies the client software, so if they want (or are forced to by law enforcement), they can easily push an update that exfiltrates decrypted data back to their server.

ziddoap 656 days ago [-]
It seems rather harsh to brand them as pure snake oil based on a hypothetical situation that applies to basically every single piece of software and hardware ever invented, but fair enough.
tediousdemise 656 days ago [-]
I like to see it as an unsolved problem. Similar to when Diffie and Hellman revolutionized cryptography with the concept of public/private keys, I like to think that one day, a revolutionary proof will drop that demonstrates a true trustless privacy model where backdooring isn't even a remote possibility.
Tijdreiziger 656 days ago [-]
I suppose you always have to trust someone. (I'm not the one who branded them as snake oil, BTW)
0daystock 656 days ago [-]
What does "encrypting" an email mean to you? If a Gmail user contacts me on Protonmail and Protonmail "encrypts" the message to me after receipt - what problem have we solved?
ziddoap 656 days ago [-]
I wonder why you used quotes around encryption? They encrypt the email. That very obviously does not mean Proton somehow encrypted the sent email in the sender's Gmail account.

However, lacking the other data point (e.g. knowing who has sent me an email from a service that does not encrypt their emails, and being able to access that email from that account), my emails are not readable without my secret.

I never claimed that Proton can encrypt someone else's emails.

0daystock 656 days ago [-]
I think the point of contention is exactly how obvious this is to most Protonmail users. I worry too many read "it's encrypted" and make dangerous assumptions about what can actually be guaranteed rather than investigating first-hand; this is the real risk of such services, in my opinion.

I put "encryption" in quotes to indicate nuance in the characterization. A locksmith installs an amazing door and lock at my home, but keeps a copy of the key at the shop - I think a fitting analogy for what Protonmail is essentially doing here. This isn't a value judgement - such a setup is perfectly reasonable for most people's threat model - rather an honest apprehension of actual trust boundaries.

ziddoap 656 days ago [-]
I absolutely agree that the marketing and branding around almost every service that either does (or claims to) promote privacy and security leaves a lot to be desired.

It's a hard problem, and a problem applicable to many domains. How do you communicate nuance that requires multiple years of education to people who don't have multiple years of education? I don't know.

tediousdemise 656 days ago [-]
Couldn't have said it better myself! Privacy is first and foremost a discipline and a practice, just like security. It's a form of self-respect, in my eyes. Some would say it's even a natural human right.

Commoditizing it is a recipe for disaster.

Edit: Expansion of the self-respect tidbit. Lack of privacy enables others to have control over you. Feeling like you are not in control, or actually being controlled by someone (shame, blackmail, etc.) can be very damaging to your mental health. Respect yourself, strive for privacy. You deserve it as much as anyone else.

randomhodler84 656 days ago [-]
I don’t know. I don’t think all “commoditization” of privacy is a bad thing. WhatsApp commoditized it, Signal; SSL/TLS; Tor; Privacy Coins; these all vastly improved the privacy of comms on the planet. One needs to determine outcomes rather than declaring it app disasters.

Maybe democratizing privacy is a better way to phrase it than commoditization — which implies some cost savings rather than just the consumer availability.

tediousdemise 656 days ago [-]
Thanks for chiming in. I've been having some difficulty expressing my thoughts lately so sometimes I don't make the most sense.

Yes, I definitely agree with you--democratization is a much better way to put it.

randomhodler84 656 days ago [-]
Please write and express yourself! You made sense to me and I wanted to add the conversation. I’ve thrown around many crazy ideas and the best ones seem to stir conversation and evolve or die. Ideas are better discussed in a room with many dissenting opinions.
Ansil849 656 days ago [-]
It's kind of disingenuous to keep touting "Swiss privacy laws" as some sort of selling point on their homepage, when shit like this happens https://techcrunch.com/2021/09/06/protonmail-logged-ip-addre...

Why's a privacy-first service logging IPs in the first place?

emendation 656 days ago [-]
As the article states, they were forced to by Swiss authorities. They tried to fight against it, but in the end no reputable provider is going to put the whole company on the line for 1 user against a lawful order from their government.
Ansil849 656 days ago [-]
Uh-huh. Then perhaps they shouldn't be touting Swiss privacy laws like they're some holy golden shield. And once again:

> Why's a privacy-first service logging IPs in the first place?

emendation 656 days ago [-]
Did you read the article you yourself linked?

> French police sent a request to Swiss police via Europol to force the company to obtain the IP address of one of its users

They weren't logging until they were forced to.

CyanBird 655 days ago [-]
And since then they have been logging thousands upon thousands of other addresses

A while back on the very hackernews thread when the news of the French activist being jailed it was highly discussed, the source of the data being ProtonMail themselves

rusk 656 days ago [-]
You always have the option of connecting to PM over Tor [0] if you are concerned about this. You can also use any of the VPN services that are available. Get yourself an anonymous Mullvad account, and pay with some laundered BTC; good luck to anyone that wants to track down your IP.

[0] https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7...

Ansil849 651 days ago [-]
> You always have the option of connecting to PM over Tor [0] if you are concerned about this. You can also use any of the VPN services that are available. Get yourself an anonymous Mullvad account, and pay with some laundered BTC; good luck to anyone that wants to track down your IP.

Yes, you could do all that. But if you're doing all that, you can also just use Gmail.

pete_nic 656 days ago [-]
> We believe the best way to protect user data is to not have it in the first place

I like the exchange of value that comes from paying money for a service. With free products from companies like Google you do not pay for the service and there is no exchange of value. This results in the myriad of HN threads discussing how Google Docs did them wrong (locked out, privacy violation, etc.)

tlogan 656 days ago [-]
The problem with Proton email is that it is full of fraudulent accounts, thus their domain and emails sent via Proton are blocked by many companies, ISPs and firewalls. I tried it and it was unable to send email to my wife’s work.

In short a lot of dickheads use it for spam/scam and ruin it for the rest of us.

I do not know how they can overcome that…

rusk 656 days ago [-]
I have never once in nearly 10 years had any problem with my emails getting through to anyone from PM
dgellow 655 days ago [-]
You should see the @protonmail.com addresses as a demo, people use them for spam so the domain has a bad reputation. If you decide to pay for the service then it’s better to use your own domain, you should have no problem with delivery.
Night_Thastus 655 days ago [-]
Lenovo fully rejects any Protonmail addresses. They won't tell you so, but they won't let you order or make an account with them under one.
tristan957 656 days ago [-]
I use a custom domain and have never once had a problem with delivery.
Havoc 656 days ago [-]
Definitely plan to stick to proton for the long run.

Don't think they'll keep me private & safe...but I do think they'll try harder & more earnestly than the rest of the gang attempting it.

0daystock 656 days ago [-]
> I do think they'll try harder & more earnestly than the rest of the gang attempting it.

Why, though? What do people base this assertion on, other than clever marketing materials which extol virtually meaningless controls like "it's hosted abroad" (which is actually much worse for foreign nationals' privacy, for example)?

Havoc 656 days ago [-]
>Why, though?

Not US based for starters - definitely willing to pay a premium for that.

Nor five eyes or any of the other [0] eyes.

> extol virtually meaningless controls like "it's hosted abroad"

There is no value in abroad in itself, what matters is how trigger happy countries are with warrants etc.

I'd like to be in a jurisdiction where it is possible for law enforcement to get to the data...but I'd like the logistical/legal hurdles to be rather high so that it is only done for serious concerns not trawler net catch all surveillance operations. Switzerland seems to tick those boxes

[0] https://protonvpn.com/blog/5-eyes-global-surveillance/

0daystock 656 days ago [-]
A US Citizen has more legal and practical safeguards with their data hosted in the US than abroad, but unfortunately the widespread privacy anti-marketing has obscured this critical concept entirely in exchange for "Swiss are probably good at privacy stuff".
Havoc 656 days ago [-]
>A US Citizen has more legal and practical safeguards

Indeed. I'm part of the 96% of the world that is not though and I'm very wary of US tendencies to trawler net data collection.

>"Swiss are probably good at privacy stuff".

I think you missed my point if that is what you got from my post. I don't attribute any special merit to Switzerland in the Swiss banking sense...they just aren't in any of the major data sharing agreements from what I can tell. My data needs to be somewhere...so I'm just picking this on a lesser evil basis not perfect basis.

brewdad 656 days ago [-]
>A US Citizen has more legal and practical safeguards with their data hosted in the US than abroad

Citation needed.

I get that, in theory, US state level actors shouldn't be spying on US citizens acting within the US but the vast majority of us are more likely to get caught up in bog standard law enforcement activities. A US based provider will be forced to comply with a lawful court order from a US court. A Swiss based company (for example) can safely ignore such requests.

kmeisthax 655 days ago [-]
What happens is that the US spymasters ask the Swiss spymasters very nicely to spy on this foreigner using their countries' tech services. Legally, there's no real way to contest this, because most rights apply to "citizens" or "residents" and not "people".

If you sue Switzerland for violating your right to privacy, Swiss courts won't do anything, because you're not a Swiss citizen. If you sue American courts for violating your right to privacy, American courts won't do anything, because the US constitution only binds the US[0] and not Switzerland. There is plenty of law, precedent, and/or jurisprudence[1] in both jurisdictions that restricts a country spying on their own citizens, but not a country spying on other countries' citizens. So yes, the Swiss company can technically ignore a US court order, but Switzerland can issue their own court orders that will have far fewer protections for you.

That's also not to mention that the basis for jurisdiction is actually really broad. Like, some countries will actually use "speaking our language" as a jurisdictional basis. So the likelihood of a Swiss company being able to resist a court order is lower than you think - basically the company would have to cut all ties with the US and forego the entire US market to protect you.

Of course, I'm writing all of the above assuming you are an innocent, privacy-conscious individual, where:

1. The balance of US law is in your favor

2. Swiss law is not

3. Stolen information can be laundered across jurisdictions

If you are actually committing crimes, then both US and Swiss law are against your right to privacy, and adding more jurisdictions will absolutely help you in the sense that it makes it far harder to investigate your crimes. That's the sort of thing that the "Swiss privacy law" hype is trying to market off of. The spymasters generally don't like the idea of letting regular law enforcement agencies (LEAs) touch their tools, if only because the evidence they gathered probably isn't actually admissible. So LEAs have to go through official channels[2], which are actually slower and less efficient than things like Five Eyes.

[0] State Actors doctrine notwithstanding

[1] French for "precedent, but we're not doing that 'common law' thing the filthy English do"

[2] CLOUD Act and parallel construction notwithstanding

floren 656 days ago [-]
> The analogy to terrorism is interesting because, during the Bush-era War on Terror, there was a sense of literally anything being justified in the name of stopping terrorism. The US government was secretly spying on its own citizens.

Yeah, Wired, they only did the spying during the Bush era... edit: I guess it was less secret after the Bush era

> It's even harder to say, look, we've got to accept that some amount of child exploitation is going to happen and people are going to use digital tools to spread it. But at some point, I think you do have to defend the principle that we have to tolerate a certain amount of even the very worst things if we want to have meaningful civil liberties.

Not a very popular argument at this particular instant in time / news, bold of them to write this without a giant asterisk.

r3trohack3r 656 days ago [-]
> It's even harder to say, look, we've got to accept that some amount of child exploitation is going to happen and people are going to use digital tools to spread it. But at some point, I think you do have to defend the principle that we have to tolerate a certain amount of even the very worst things if we want to have meaningful civil liberties.

This is not how I’d articulate it. We tolerate some terrible things because trying to stop them would be even worse. There are really bad people out there. Unfortunately those bad people can also run for office and/or get hired on to 3 letter agencies.

A pedophile with a camera is less dangerous than a senator without the 4th amendment. A racist on social media is less dangerous than a president without the first amendment.

Fascism doesn’t happen because you elect a fascist president. The seeds of fascism had to be sown long before that. Fascism is the result of eroding protections designed to prevent a leader from over-reaching. The path to fascism is paved in good intentions.

bsder 656 days ago [-]
> It's even harder to say, look, we've got to accept that some amount of child exploitation is going to happen

Except that every big kiddie porn case was cracked by old-fashioned policework--"Get someone inside". And, most of the time, it isn't even that difficult to pull off.

It particularly grinds my gears because the powers that be only trot out kiddie porn when they want to shove legislation down our throats. The rest of the time enforcement against kiddie porn stays heavily underfunded.

r3trohack3r 656 days ago [-]
> Yeah, Wired, they only did the spying during the Bush era... edit: I guess it was less secret after the Bush era

I don’t understand - it never ended. In fact, Obama ran on a platform of protecting whistleblowers and cracking down on government overreach. But, once he took office, he legalized the Presidential Surveillance Program that Snowden whistleblew and doubled down on pursuing Snowden.

floren 656 days ago [-]
I was attempting sarcasm, because as you say, Obama loved that surveillance shit.
_jal 656 days ago [-]
> we've got to accept that some amount of child exploitation is going to happen

Funny, that's the exact deal we have with guns - we accept some amount of mass child murder as the cost of the 2nd Amendment.

Another datapoint that the 2nd is now considered more absolute than the 1st.

photochemsyn 656 days ago [-]
This is a rather interesting interview style, it seems as if the interviewer is presenting the viewpoints of the national security state complex ("we need total access to all data to prevent terrorism and child abuse") and of the major tech conglomerates ("competition reduces privacy"), aka Big MAMAA (FAANG is obsolete), but it does provide the interviewee with opportunity to counter those points, so I guess it's a decent interview approach.

I'd add that the solution to child abuse and terrorism is the same it has ever been, i.e. targeted investigations relying on tactics like infiltration of criminal rings with undercover officers. There's no justification for Gestapo/NKVD authoritarianism and mass surveillance tactics.

However, there doesn't seem to be any plausible way to communicate with others using any infrastructure-type system (from postal mail to fiber optic cable) that doesn't reveal the network of communication (i.e. metadata), and Tor is hardly an exception. Tor seems to have been designed to allow remote government agents (aka spies) operating in hostile environments a means to communicate with a known base of operations without revealing their actual remote locations or identity. Similarly it could be used by individuals to communicate with journalists (as Edward Snowden did) without revealing their identity or location, but only if they take a lot of precautions (i.e. not using their device for any other online activity that could be traced to them). I imagine NSA has backdoors into almost all Tor nodes anyway. The content can be securely encrypted, but location/identity? Probably not.

uoaei 656 days ago [-]
What was that in the news a year or so back about the FBI having a significant number of Tor endpoints, making the routing effectively transparent? I would imagine if the FBI pulled that off, so did many other state actors.
unboxingelf 656 days ago [-]

> Big MAMAA
Microsoft, Alphabet, Meta, Apple, ?
photochemsyn 656 days ago [-]
AWS, or Amazon. According to The Economist, those are now the big five tech players.
daemon_of_chaos 656 days ago [-]
Amazon?
shemtay 656 days ago [-]
...Amazon?
unboxingelf 656 days ago [-]
Lol, oh, right…
airstrike 656 days ago [-]
MAGMA is still a better acronym
photochemsyn 656 days ago [-]
But now we can talk about "the outsized influence of Big MAMAA on the tech industry", which has a nice ring to it. MAGMA has a decent ring as well, though.
lvass 656 days ago [-]
Using Google and Meta in the acronym sounds wrong. I'd rather MAAMA or MAGFA.
airstrike 655 days ago [-]
Why? Everyone calls Google Google. Alphabet is like a holding company.

I'd wager if you scraped most news publications you'd see Meta used across the board, Google used in most cases and a few cases where the writer uses "Alphabet, Google's parent company..." (https://thehill.com/policy/technology/3503534-activists-work...) which IMHO just proves the point I'm trying to make

For the perfect exhibit, look no further than this Tech Crunch article with the headline "Meta and Google's Gradient..." https://techcrunch.com/2022/05/26/meta-and-google-gradient-i...

almet 656 days ago [-]
In French we say GAFAM, I naively thought it was the same in the US. Gasp, I'm still too focused on my culture =D
bayindirh 656 days ago [-]
> There's no justification for Gestapo/NKVD authoritarianism and mass surveillance tactics.

I think many people are missing the point and see the issue as "Governments trying to get capabilities".

No, they always had the capability because of lower population, slower communication, more effective mass media and information bubbles. Now, they're losing this capability, and want to keep their abilities while making them automated & cheaper.

Also, there's CryptoAG stuff, which is the same thing, but international.

vzaliva 656 days ago [-]
I have been a ProtonMail user for a long time but have yet to make it my default email provider. The main problem is that I keep an email archive of all my emails: all sent and most received since 1995. It is 17Gb. I've imported it into Gmail, and it is instantly searchable. With ProtonMail, such a search must happen on the client-side due to encryption. I suspect it will not work very well.
metadat 656 days ago [-]
The searching encrypted content problem goes away once you build an MS Outlook-ish standalone desktop (or otherwise offline-first, in the case of mobile) email client app which builds local-only indexes.

The real cost (or long-term benefit) is you'll need a bit more local storage to have your cake and eat it privately.

Nathanael_M 656 days ago [-]
“have your cake and eat it privately” has now permanently entered my lexicon, thank you.
glitchc 656 days ago [-]
The most private option is to delete (most of) that email. Then no one has it and your secrets are safe forever.
stereoradonc 656 days ago [-]
VPN is decent (not as good as Mullvad). I haven't tried "Drive", but am not willing to shift from Dropbox. Email and Calendar from Proton are "perpetually in beta", but I prefer Fastmail (over a decade with them). They are trying to spin debate around "privacy" and overselling the "Swiss experience". Nothing prevents them from changing the privacy policy tomorrow (to "conform" to the rules and regulations). As it is, Proton VPN's credentials are shrouded in controversy.
mid-kid 655 days ago [-]
Does fastmail do anything with encryption?
dgellow 655 days ago [-]
Only drive is still in beta
thomond 656 days ago [-]
There are too many technology products called Proton.
minsc_and_boo 656 days ago [-]
There's already a ton named Electron too - what about Neutron?
verisimi 656 days ago [-]
yeah! And what's wrong with plain old Ron too?!
imwillofficial 656 days ago [-]
But they'll give your data away if asked.
yabones 656 days ago [-]
The value of proton is not that they'll break the law for you -- they absolutely will not. They are bound by the laws of the land, and when compelled will hand over all the data they are required.

The value IS that they simply don't have that much data. All your emails are encrypted at rest with a key they can't read. All your data is stored in such a way that they can't decrypt it on demand.

Think about it. When Microsoft gets served a FISMA warrant, everything they have is stored in plaintext, so they have to hand it all over. With Proton, all they have is your IP, the date you created your account, the last login date, potentially the subject lines of any messages in their mail queue, and that's about it.

Nobody is going to risk their business to help people hide from law enforcement, and anybody that says they will is probably lying to you.

distracted_boy 655 days ago [-]
They can't perhaps decrypt emails sent between proton users, but that is not the case if you are communicating with someone using a different email service.
tristan957 656 days ago [-]
They also know who you send and receive emails to, but your point still stands.
cowtools 656 days ago [-]
I mean, they are legally obligated to. At least they are not selling my data to advertisers or arbitrarily locking me out of my account like Google. Hell, I'd pay for their premium service if it wasn't so expensive and they accepted anonymous payments through Monero or something.

I mean, this is what email has basically come to. I've tried to host my own email server, all my outbound mail ends up in spam. If you want privacy, use PGP

Edit: please don't downvote this parent comment, I think it is still a pretty reasonable concern

charcircuit 656 days ago [-]
>At least they are not selling my data to advertisers

No they don't.

>We do not scan or read your Gmail messages to show you ads

https://support.google.com/mail/answer/10434152

yupper32 656 days ago [-]
> At least they are not selling my data to advertisers

That's almost never what actually happens, though. They sell access to you and use your data internally to target ads.

A law enforcement request does literally release your data.

cowtools 656 days ago [-]
It doesn't matter to me whether or not they only use the advertising data internally. Google is such a large monopoly at this point that I am basically forced to deal with them on a daily basis through the businesses and institutions I work with.

It's not even the surveillance that I am concerned with at this point. I just am trying to disentangle all these services that I use that demand to become linked in difficult ways.

Like let's say you have a gmail account linked to a youtube account, and you upload a video or like something that sets off google's automated spam heuristic. Boom, your google account is deleted and you can no longer access your email or sign into your accounts that require email verification. All this extra surveillance is just going to increase the odds of my account getting falsely flagged as a bot or something.

Let's say you lose your phone. You have to use your phone to login to some institution's service, so you get a new phone and try to reset the 2FA with your email. However you need access to your phone as a 2FA to access your email. (this exact scenario happened to a family member the other day, just goes to show you should NEVER link your accounts with a cell number).

yupper32 656 days ago [-]
> It doesn't matter to me whether or not they only use the advertising data internally.

Okay, but it does matter when you say something significant that isn't true. Do you understand that?

ziddoap 656 days ago [-]
If asked via lawful court order, yes.

Can you provide me the name of any company who does not comply with court orders of the country it operates in and continues to operate freely?

Edit: I thought this was a more than fair question, evidently people do not think so.

metadat 656 days ago [-]
> Can you provide me the name of any company who does not comply court orders of the country it operates in and continues to operate freely?

AT&T, Google, Apple, Comcast, Verizon, ...

Oh, did you mean companies who refuse to comply specifically to legal inquiries about their users or customers? No company will (or even should) stick their neck out for you personally.

With sufficient resources and clout, they will risk it for themselves because $$$ and power.

ziddoap 656 days ago [-]
>AT&T, Google, Apple, Comcast, Verizon, ...

Really? I understand that they fight court orders when they feel they need to, which Proton at least claims to do as well (have not verified that, though), but they get away with just... ignoring them? Or not complying after losing an appeal? I stand corrected if that is the case.

>With sufficient resources and clout

Does Proton have the clout to do so? I don't believe they do, which makes me wonder why it's such an unpopular opinion to believe exactly what you said ("No company will (or even should) stick their neck out for you personally.") when it comes to Proton.

metadat 656 days ago [-]
tl;dr: The climate is heading towards the best option being to need as little privacy as possible.

Corporations and their employees have learned clever techniques to get away with "complying" without really complying in instances where they're sufficiently motivated. It's not always politically feasible, but is in many cases.

A quick (and ironic) Google search for "google lawsuit federal compliance" turns up many instances:

https://www.dol.gov/newsroom/releases/ofccp/ofccp20170104

https://www.justice.gov/opa/pr/justice-department-sues-monop...

These violations are all calculated risks on their part. Internally, they intentionally keep certain communications off of email to ensure it will never be discoverable through a legal process.

It's not like Big-G is the only one, do you think this is ubiquitously commonplace across the megacorps in virtually every industry in the United States?

Here's what happens when they come for your / our data:

https://www.nytimes.com/2006/01/20/technology/google-resists...

> even as three of its competitors agreed to provide information

> Rather than seeking data on individuals, it says it is trying to establish a profile of Internet use that will help it defend the Child Online Protection Act, a 1998 law that would impose tough criminal penalties on individuals whose Web sites carried material deemed harmful to minors.

post_break 656 days ago [-]
Exactly, which leads me to the spiral of what's the point? If there is nothing truly encrypted, then what do they really offer?
ziddoap 656 days ago [-]
You're conflating different things. It doesn't help that people who seem to have a bone to pick with companies obeying the laws of the country they operate in continuously leave out the nuance and detail of the event.

The court order that Proton complied with released the IP address of the suspect, not the encrypted contents of the emails in the suspect's inbox.

tristan957 656 days ago [-]
The content of your email is encrypted.
k__ 656 days ago [-]
They should take some hints from the Gmail UI.

The last Protonmail UI update was just new styles, but still as clunky as before.

coffeeblack 656 days ago [-]
The one they rolled out yesterday was pretty good. Including phone apps. Now just waiting for the iOS calendar to finally be released.
k__ 656 days ago [-]
It looked nice, but it was essentially the same UI.

But I didn't try the new phone apps, they were really bad in the past.

_xoo 656 days ago [-]
I'm on android.. phone app is great
coffeeblack 656 days ago [-]
Both, phone and web feel much snappier.
ralston3 656 days ago [-]
Longtime Proton fan and happy customer. Would love to see data-conscious products "go mainstream".
thepra 655 days ago [-]
when you can't add more accounts on the android app without a subscription is where it is still annoying on mobile
hammock 656 days ago [-]
Proton is mired in shenanigans.

Evidence points to ProtonVPN being a white-labeled version of Nord VPN. Source: https://news.ycombinator.com/item?id=23571653 and https://archive.is/iZ2l2 (archive of relevant but broken [2] link @ HN thread)

Protonmail has its own issues that have been discussed on HN. Source: https://encryp.ch/blog/disturbing-facts-about-protonmail/

Obviously Gmail and such are piped directly into global intelligence databases, but Proton is not a panacea, and no guarantee they aren't compromised themselves.

jibcage 656 days ago [-]
As someone who works for Proton VPN, I can assure you we do not resell any white label VPN services, and that the people I work with every day are incredibly smart people who truly, deeply care about users’ online privacy.

I’ll concede that this isn’t much better evidence than the links you provided, but that archived site in your comment really doesn’t read like a reputable source of truth, either.

metadat 656 days ago [-]
How can we really know? At the end of the day, trusting a company to protect your best interests is, on average, a losing proposition.
WithinReason 655 days ago [-]
It seems to be a link to an archived site because the original comment has been retracted by the author.
hammock 655 days ago [-]
Source? What’s the reason given for the retraction?
WithinReason 655 days ago [-]
Your article links to this as proof:

https://archive.ph/1vaZ8

Direct link:

https://news.ycombinator.com/item?id=17258203

The allegations have been retracted.

dimensionc132 656 days ago [-]
Proton .... the Fed honeypot that nobody wants to talk about, except, some sane and rational people who have looked at the evidence.
ghspoll 656 days ago [-]
Obviously any provider can be a honeypot in theory, but I don't understand the following either:

- How can ProtonVPN be free and why is it in Lithuania?

- Why does a Swiss privacy company get EU funding if the EU wants to erode privacy all the time?

- Why is a cell phone number required for registration?

- In general, how do they make money? Other free providers like gmx are full of cheesy advertisements.

DashAnimal 656 days ago [-]
"Obviously Gmail and such are piped directly into global intelligence databases"

Wait --- 'obviously'?!? Do you have any info on this because that is a wild claim.

charles_kaw 656 days ago [-]
>Do you have any info on this because that is a wild claim.

Not only has the concept and implementation of automated law enforcement portals been around since the 90s, the Snowden docs revealed that major providers were providing such portals. AND that their inter-datacenter communications were being piped directly into global intelligence databases without.

These portals, NSLs, and other mechanisms have also been codified into law for over a decade, and their existence is extremely well documented as well as reinforced.

It sounds like a wild claim, but unfortunately, it is extremely based in reality. And, it's so well documented that to be ignorant of it at this point is akin to incompetence.

mden 656 days ago [-]
You're making a wildly different claim than the initial one. The initial claim is "obviously Gmail and such are piped directly into global intelligence databases". Portals for law enforcement which likely require some kind of warrant and very likely have regular audits are not slightly the same thing as directly piping the data to the intelligence community. As for "their inter-datacenter communications were being piped directly", that was revealed by Snowden and you correctly used the past tense "were". Is there evidence that either Alphabet or Meta are giving direct access to their users' data beyond what the law requires?

(Disclaimer, employee of Google, my opinions are my own and all that. I have no info beyond what is public knowledge.)

bhk 656 days ago [-]
> Portals for law enforcement which likely require some kind of warrant

It was recently reported that major tech companies (including Google) release user data without warrants, and without even authenticating the party requesting the data: https://news.ycombinator.com/item?id=30842757

mden 656 days ago [-]
That's an interesting article, thanks for the link. It doesn't support the original claim very strongly however. It showcases there's a flawed process for obtaining user data (which is still obviously bad) but it's far removed from Microsoft, Google, or Fb directly piping their data over to the NSA.
doliveira 656 days ago [-]
Lots of "likely" and "were" in your comment...

I'll be honest, this is really the first time I've seen a tech circle in which this whole surveillance apparatus is not a common established knowledge.

mden 656 days ago [-]
To be clear I'm not saying there isn't an extensive surveillance apparatus. I'm saying the claim that giant tech companies are willfully providing unrestricted access to user data to the intelligence community is not at all an "obvious" one as claimed and requires evidence. Do you disagree with that?
charles_kaw 654 days ago [-]
> "obviously Gmail and such are piped directly into global intelligence databases"

well, they were. without google's consent :) past tense, obviously

tediousdemise 656 days ago [-]
https://en.wikipedia.org/wiki/XKeyscore

> XKeyscore (XKEYSCORE or XKS) is a secret computer system used by the United States National Security Agency (NSA) for searching and analyzing global Internet data

> XKeyscore is a complicated system, and various authors have different interpretations of its actual capabilities. Edward Snowden and Glenn Greenwald explained XKeyscore as being a system which enables almost unlimited surveillance of anyone anywhere in the world, while the NSA has said that usage of the system is limited and restricted.

Think about that for a split second: anyone, anywhere. Also, who would you trust more: the US government, or a man who sacrificed his life, health and wellbeing to expose this scandal to the world?

Alas, privacy for the masses is dead.

doliveira 656 days ago [-]
We've known it for literally a decade now... How can you be ignorant of the whole Snowden docs?
hosteur 656 days ago [-]
Snowden docs
fsflover 656 days ago [-]
ntoskrnl 656 days ago [-]
Proton Is Trying to Become Google, indeed.
kobieyc 656 days ago [-]
Hmmm, that does seem somewhat suspect.
hammock 656 days ago [-]
Klonoar 656 days ago [-]
Eeeehhhhh, I interviewed and was offered a role there a few years ago. Talked with a number of teams and employees, they were very candid about what they were working on during every step of the interview. I never saw anything to indicate either of these claims.

The safety of encryption/decryption in browser-JS payloads is a different discussion entirely, but you can't make wild claims about it being a front for state-level actors without some reasonable sourcing.

coffeeblack 656 days ago [-]
Then the only explanation is that you are in on it11 *adjusts tinfoil hat*
imwillofficial 656 days ago [-]
glerk 656 days ago [-]
No idea if it's a "front", but if your threat model is state level actors Protonmail is not gonna cut it.
edgyquant 656 days ago [-]
If your threat model is state level actors the only thing that will cut it is another state level actor
stingraycharles 656 days ago [-]
What do you mean with that?

From what I understand, there are legitimate issues around Protonmail and its affiliation with government agencies [1]. It’s not as if it’s impossible to find a different provider that does better in this regard.

[1] This provides a decent summary: https://encryp.ch/blog/disturbing-facts-about-protonmail/

edgyquant 655 days ago [-]
I’m responding to a person saying protonmail wouldn’t cut it against a state level actor. The point is even if there were zero issues with agency affiliation state level actors v an individual is always a losing battle for the individual.
PeterWhittaker 656 days ago [-]
Source? Citation?
loufe 656 days ago [-]
Obviously it's not been exposed, yet. That said, I think it's pretty safe to assume in the post-lavabit world that these companies are fronts for Western intelligence. We clearly don't live in a world that respects privacy anymore, take the recent "anti-csm" bullshit the EU is pushing. Personally, I won't need proof to seriously doubt this, tutanota, etc. Yes, your data may be more hidden, but it would be used as evidence in a parallel-construction case based on what they "illegally" siphon from your data.
ziddoap 656 days ago [-]
>Obviously it's not been exposed, yet.

Then it should not be stated as fact.

kobieyc 656 days ago [-]
I think this is a safe assumption.

Guilty until proven innocent, by making your code open source.

kromem 656 days ago [-]
Do you think the same thing about Signal?
kobieyc 656 days ago [-]
Yes, especially since Moxie cashed out and bought a big mansion after they released their spy-coin cryptocurrency.
qualudeheart 656 days ago [-]
What do you mean by spy-coin?
coffeeblack 656 days ago [-]
And every time it was discussed, the conclusion was the exact opposite of what you are claiming.
notriddle 656 days ago [-]
What can be asserted without proof can be denied without proof.
lawrenceyan 656 days ago [-]
Everything is a front for state-level actors. I think we can still appreciate technology for what it is.
newfonewhodis 656 days ago [-]
> The safety of Protonmail has been discussed many times on HN.

Lol what are you talking about specifically?

uoaei 656 days ago [-]
Probably the whole "oops we actually DO share IP addresses despite our ToS" followed by a rushed revision of the ToS to include that fact, among other recent news stories.
ziddoap 656 days ago [-]
This is such a disingenuous retelling of what happened.

Terms of Service don't trump lawful orders issued by a government. Never have, never will, for any service or company. They were issued a lawful order, did you expect them to just close the company instead?

Whether or not you use Proton before or afterwards is of no matter, but please at least try to be honest with what happened.

uoaei 656 days ago [-]
> Terms of Service don't trump lawful orders issued by a government.

No, obviously they do not. But misrepresenting your policies (i.e., lying) to your users ("we don't track IP addresses" was understood literally at the time) is a serious error and, especially if you're marketing to a privacy-aware crowd, one of your top priorities should be to maintain their trust or else your customer base is going to fall out from under you.

What's disingenuous is implying that lawful orders trump the ethics of lying to your customer base, when saying "we don't track IPs..." but meaning "...until the government asks us to".

ziddoap 656 days ago [-]
To be clear, the part of the original post that I took issue with is this:

>Probably the whole "oops we actually DO share IP addresses despite our ToS"

Which conveniently left out the fact that they shared it when required to by lawful order. The way this is phrased (more, the intentional omission of that detail) implies that Proton is continuously sharing IP addresses with whomever asks for it. If you don't think that is a disingenuous way to relay the incident, I don't know what to say, we're probably at an impasse. The way you've relayed it is a more honest characterization of the incident, and one I don't take much issue with.

I would note that a small amount of networking knowledge would make the "until the government asks us to" part implied. A quick look at the user settings (specifically, the "Advanced logs" toggle) would also make it abundantly clear that Proton has the ability to track IP addresses upon request. Does that mean Proton is entirely off the hook? Of course not. But people should make decisions and come to their own conclusions based on all of the facts, not statements that omit material details.

junon 656 days ago [-]
Hahahahahahaha. This can't be serious.
_xoo 656 days ago [-]
drcongo 656 days ago [-]
Email and calendar aren't the things that keep people on Google, it's Docs etc. You can get good email and calendar anywhere. If their plan is really to take on Google, that's the bits they need to target.
brewdad 656 days ago [-]
Meh. Different users have different needs. GDocs could go away tomorrow and I would hardly miss it. I don't think I've created anything new on the service in over a year. I use email and calendar every day and need them available and accessible.
greazy 656 days ago [-]
I don't agree. The reason why people use Google products varies. Some rely on docs heavily, others need (like myself) just email + cal + drive
charcircuit 656 days ago [-]
The privacy of GMail is good enough, if not better than ProtonMail. Client side encryption also comes with downsides since they can't allow third party email clients to work and you have to do all processing client side.
ziddoap 656 days ago [-]
>The privacy of GMail is good enough, if not better than ProtonMail.

How do you figure? Google actively scans both email and drive for CSAM. If they can scan it for CSAM, they can scan it for whatever the hell they want.

charcircuit 655 days ago [-]
Just because they can violate your privacy that doesn't mean that they do. By that logic you can say ProtonMail processes your unencrypted email to encrypt it. If they can process your unencrypted email they can process it in any way they want.
ziddoap 655 days ago [-]
Poster said Google provided better privacy. Your hypothetical puts them at equal footing, so I'm still not seeing how Google provides better privacy.
jacooper 656 days ago [-]
And they already do, Google and Microsoft both scan emails for ads and tracking.
charcircuit 655 days ago [-]
>We do not scan or read your Gmail messages to show you ads

https://support.google.com/mail/answer/10434152
