All the Protonmail customers out there, what did you do about this?
For starters, I emailed Protonmail support.
Here's mine:
Hi,
Your homepage reads "By default, we do not keep any IP logs..."
This language is soft and misleading. Maybe in 2018 when I first began using ProtonMail it was good enough. But in 2021 it's not. I expect better from ProtonMail.
Replace immediately with something clearer. "By default we don't log IP, but may be required to by law enforcement. We recommend all customers connect through Protonmail through Tor. This month, 60% of our users connected through Tor".
If you can't come up with anything better for users, just fall back on your privacy statement verbatim and avoid any marketing language.
Think about a journalist in Afghanistan, a whistleblower in the USA, or a human rights activist in China. They're all engaging in potentially dangerous activities.
I advocate on behalf of such people by supporting services like Protonmail with my money. If Protonmail isn't supporting these users, why should I bother supporting Protonmail?
I expect Protonmail to educate users like this about how Protonmail itself can be turned into an adversary. Educate users about how to use Tor. Do better. Improve the internet.
I look forward to your reply.
Also, registering a new account through Tor requires a phone number for verification, even though Proton says no unique identification is required to register. If this requirement isn't removed by the time I renew my account I will no longer renew.
From my understanding it depends on how naughty your current exit node has been. Most Tor exits in my experience allow creation and you just need to verify another email (just use a random burner; they only block a few). Supposedly some well behaved exits require just a captcha but I've never seen it.
Sad to say, Proton's onion service is for their old version. Proton has recently rolled out a new updated version of their service, and as far as I'm aware they don't offer a Tor onion service for that newer version.
So Proton users who like to connect via Tor onion services have been faced with a choice of either staying on the old version of ProtonMail, or giving up on connecting via a Tor onion service. It definitely leaves the impression that they don't care much about Tor anymore, or that it's at best an afterthought for them.
I tested this, and you're right: Their Tor service runs the (in my opinion nearly as usable) older version.
It's plausible that Proton does not care about their Tor service, but there may be another reason: The new version relies more on Javascript code than their old version, and a Tor user is more likely to browse with scripts disabled than a regular user. Proton may be holding back the rollout of the newer version until they have tested it more without Javascript. This is only a hypothesis, and I came up with it just now; take it for what it is.
Using Tor to access a regular web site, i.e. through an exit node, is (nearly) no different than using a proxy. Just assume all exit nodes are "naughty" and do your thing accordingly.
Their page is full of what are now obviously lies. They admit that in the cases of "extreme crimes" they might be forced to give up information. _By no stretch of the imagination are these peaceful political protests "extreme crimes"._
I specifically advocate for the sorts of people that Protonmail ratted out and had arrested - climate change activists.
From what I gathered from a (French) blog posting by a squatting collective, posted elsewhere in this thread, the arrests are in relation to an eviction.
The eviction was legally sanctioned, and violence was used on the officers. Several officers had to stop work for a few days, one officer for two weeks.
I myself am a middle-aged "have", but I do worry about climate and I do empathize with those that "have not".
However, violence during an eviction is not peaceful. People were hurt, and a legal response was due. Seems to me that arresting someone after the fact, and dealing with the matter in a court of law is the peaceful thing to do?
When I read "extreme crimes", I don't think of a scuffle with the cops over what started as a misdemeanor arrest or non-criminal enforcement action. Protonmail should change their wording to be clear that governments can and do compel them to collect such information for ordinary crimes.
Yup, fully agree: Protonmail should just say "we comply with the law". Though at this point the security reputation of the Swiss should have given anyone pause to think (Crypto AG, Omnisec AG, etc.).
My point was just that 1) the arrest was related to squatting, not the climate 2) these people, idealist and well-intentioned as they were, were not "peaceful" (at least, not when faced with a brigade of police officers)
> The eviction was legally sanctioned, and violence was used on the officers. Several officers had to stop work for a few days, one officer for two weeks.
Usually they need to stop work for a few days because their hands/wrists are aching due to hitting too hard on protestors. Anti-riot are perfectly equipped and physically trained to be in fights, it's literally their job. And while there are generally at least a few "semi-pro" violent protestors on the other side, they are not so well equipped like the police.
FWIW, what they were accused of was squatting, not protesting climate change. I still think that's a ludicrous abuse of police powers, but it's worth being accurate.
And in the spirit of accuracy: the reason for the arrest was the violence during an eviction (several injured police officers), not the squatting itself.
That's fine in my "paying ProtonMail customer" view. Use VPN + Tor if you don't want your IP address to be known. I use ProtonMail to reduce my exposure to Google tracking/possibility of business execution leaks they might use in their favor and keep alternatives alive.
I didn't do anything about this, because I expect any commercial service to log IPs at least for a short period of time to fight abuse. I'm using this service because I don't want the service provider's staff or someone that hacks their servers to be able to read my mails. Ideally I would like to also have privacy (through E2EE) when e-mailing other PM users, but I'm not counting on that. As the Tutanota case shows, such secure e-mail providers can be forced by law to intercept e-mails.