this post was submitted on 30 Jun 2023
108 points (97.4% liked)
Piracy: ꜱᴀɪʟ ᴛʜᴇ ʜɪɢʜ ꜱᴇᴀꜱ
54781 readers
635 users here now
⚓ Dedicated to the discussion of digital piracy, including ethical problems and legal advancements.
Rules • Full Version
1. Posts must be related to the discussion of digital piracy
2. Don't request invites, trade, sell, or self-promote
3. Don't request or link to specific pirated titles, including DMs
4. Don't submit low-quality posts, be entitled, or harass others
Loot, Pillage, & Plunder
📜 c/Piracy Wiki (Community Edition):
💰 Please help cover server costs.
Ko-fi | Liberapay |
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Personally I don't trust Proton. I know I'm paranoid, but can't be too sure about anything these days. To my knowledge MV and IVPN are the only ones with a nice privacy reputation. Shame they are cutting port forwarding
Proton only started logging his IP after they were legally forced to do so, just like any other law abiding company would have to do.
Proton offers an onion site of Protonmail which the activist should have been using since he allegedly committed
this is a case of user error and bad opsec, not a company bending over backwards to share their users information. If you're going to do things that are likely going to get you arrested, no matter how noble the cause, make sure you have excellent OpSec
To add to that, email and vpn are different. It's easy to force logging of a specific email address when forced to by law, but doing that based on vpn ip address only is more problematic
and iirc Proton took the Swiss government to court after that and won a case reclassifying email legally so that they can't be forced to disclose IPs like that again in the future
This is huge, would love to see any other info on this.
Here's an article about it:
https://www.swissinfo.ch/eng/business/proton-wins-appeal-in-swiss-court-over-surveillance-laws/47052196
Can’t they just log your account? You have to have an account with Proton to use their VPN. They can absolutely log your activity such as logging in, when you connected/disconnected, to which servers, and, more importantly, where from exactly (your original IP address)
Proton doesn't keep logs by default unless legally forced to.
Law enforcement would have to know the email account to make them log it. If they know the email account you're using with ProtonVPN then thats user error and bad OpSec.
In the example you linked, if law enforcement didn't know the guys email address then they couldn't have forced Proton to log his IP.
Bad opsec? It’s a bad VPN if it needs an email at all. Look at what IVPN does, they don’t even have a requirement for emails to register. I’m pretty sure Mullvad just recently was raided by authorities seize whatever they want they said, won’t find any user data they said. And they didn’t. Also proton redirects or used to redirect from onion to clearnet when you signed in. It simply isn’t up to par with IVPN and Mullvad. What’s the point of a VPN where a government can just request them to leak your data? No matter how, AT ALL! What constitutes a big enough crime for them? What if next day it’s downloading Frozen II.mkv?
Proton requires an email because they offer a free tier, without some way of regulating users their servers would be overrun with bots and spam...
The difference between what recently happened with Mullvad and what happened in the article you linked about Proton is that with Mullvad they were looking for general user data for VPN usage, not a specific persons email account like with Proton.
If a copyright holder or law enforcement is in a torrent swarm and logs all of the IP addresses of the seeders of Frozen II and then goes looking for the users of those IPs then ProtonVPN and Mullvad VPN would have the same response - No logs, no idea
Sure, not having to register with an email with Mullvad and IVPN is great but they're not offering port forwarding any more so we recommended ProtonVPN and you said you didn't trust them because they followed the law, if Mullvad or IVPN offered email services then they would have to do the same thing Proton did.
If you make a ProtonVPN account with the sole purpose of torrenting then all you have to do is not publicise your Proton email along with the fact that you're torrenting and then nobody can really do anything about that because law enforcement can't go to Proton like they did with that guy because they don't know the account linked to you.
I didn't hear about the onion issues, but again unless Proton was specifically told to log specific users IPs then even if they were redirected, their IPs wouldn't have been logged in those instances.
Its still user error, he must have publicised his Proton account, law enforcement found out about it and his IP was logged under Swiss law, thats user error. Its crappy that thats law but if you're going to do things like that then you should know how to protect yourself properly
Even worse:
So they were probably not using a VPN to connect to Proton Mail, which was the specific target, since e-mail and VPN providers were treated differently under Swiss law until Proton and Threema fought the government on this issue. Tutanota had a similar issue. If you're gonna rely on these services to break their jurisdiction's laws, you should be covering your own ass with bulletproof opsec, because businesses with millions of accounts are not gonna shut down and burn evidence in order to protect one user. In the Proton case, the activist apparently connected to a known Proton Mail account with no VPN or Tor; in the Tutanota case, only e-mails that were not end-to-end encrypted would pose at risk
At least personally to me it goes to show that it’s not out of the question