"Earlier this year, the Spanish police Guardia Civil sent legal requests through Swiss police to #Wire and #Proton, which are both based in Switzerland. (..)
Wire responded providing the email address used to register the Wire account, which was a Protonmail address.
@protonprivacy responded providing the recovery email for that Protonmail account, which was an iCloud email address, according to the documents."
"In the request, which listed “organised crime” and “terrorism” as the nature of the investigation, Spanish police wrote that it wanted to “find out who were the perpetrators of the facts taking place in the street riots in Catalonia in 2019.”
Once the Guardia Civil obtained the iCloud email address, the documents show that it requested information from Apple, which in turn provided a full name, two home addresses and a linked Gmail account."
@anneroth The question is why should I pay extra money for security when there is none? Long story short: when a government knocks at a company's door, no data is secure at all ...
The recovery address that was provided in this case is an optional recovery method, which the user could have omitted (or used a different one, not the Apple ID).
@protonprivacy@anneroth Well, when you, as a company, give the user data to any authority, which might be within the borders of the European laws, then what is encryption worth in the end? ...
@AndyGER It protects the content of your inbox, i.e. prevents us, and therefore any third parties (authorities included) from accessing it. We protect our users' data not by refusing to comply (which is not possible for any legally operating company anyway) but by not having access to the users' content.
@protonprivacy That is not what I meant. You gave personal data to Spanish authorities and the question is, why is that the case and why should I pay extra money for enhanced safety when in the end governments/authorities get my data no matter what.
And I point this out not only to you as a company but to every company/organisation that advertises with "secure data" and sells this as a unique selling preposition (USP).
Security is highly subjective. I know this. I don't see the + in security.
@AndyGER The name/address of the terrorism suspect was actually given to police by Apple, not Proton. The terror suspect added their real-life Apple email as an optional recovery address in Proton Mail. Proton can't decrypt data, but in terror cases Swiss courts can obtain recovery email.
@AndyGER No legally operating company can refuse to comply with the local legislation. What we can do (and do all the time) is keep all the user data that can be kept inaccessible, inaccessible to us. Therefore, we cannot share it even when presented with a legal data request we have no grounds to contest.
@ntt@AndyGER You seem to be conflating the recovery email address with the verification one.
Verification addresses are sometimes required upon signup, but they are not tied to the particular Proton Mail account, and are stored in a way that makes them inaccessible to us: https://proton.me/support/human-verification
@protonprivacy@AndyGER
Thanks for the clarification, yes I've mixed up the two emailsb purpose.
So you confirm that the initial verification email isn't kept or accessible to Proton after its initial use?
I still believe that some sort of captcha would be preferable to requiring a verification email, though.
Thanks
@ntt@AndyGER Usually it is a captcha. The verification email is only requested in case our systems detect something suspicious about the network. And no, we cannot derive the verification email from the hash, and it's not in any way tied to the account you have created.
Add comment