Protonmail, Privacy, and Trust

So part of the internet is in an uproar about Protonmail proving IP addresses for a climate activist after receiving a court order forcing them to do so. (Link is in French). The last line (translated) is important: "It is therefore imperative to use the tor network (or at least a VPN) when using a Protonmail mailbox (or any other secure mailbox) if you want to guarantee sufficient security." This applies to all providers, not just Protonmail. If you want to ensure that a service can't turn over your IP address, never access the server with your IP address!

Protonmail's response says that they were given a court order to do so so all they could do is begin logging IP addresses for that account. They were unable to challenge the court order for whatever reason (IANAL, especially not in Swiss law), so they had to follow what orders given if at all possible.

Either outrage went around the world before nuance could put its pants on or the internet, as normal, is being unrealistic. This may blow some people's minds, but companies have to obey court orders that they can't successfully challenge to save their own hides! If you expect them to operate like Lavabit, you're going to be disappointed. They're by far the exception, not the rule. If a service says they don't respond to warrants/court orders from their own country, they're either lying or they're not going to be around for long. They can try to contest them to get the court to determine if what's asked for is really needed, but when all options are exhausted, it's comply or suffer the consequences. Said consequences could be fines, imprisonment, and/or seizure of servers/assets.

Switzerland, where Protonmail is hosted, may have some strong privacy laws, but they're not absolute and can change at any time. Given the course of recent history, they're more likely to become weaker than stronger. If what's happened is an issue for you, I advise you to hightail it out of there because it's not going to get any better. Take your chances with another country and their laws/legal system.

This expands out to a more general view of privacy and trust. If you rely on a provider for privacy, you're trusting them to keep your information private. They have terms and conditions they claim to abide by and laws that they have to follow. They can change terms and conditions at any time and laws can change at any time. Both of them can change your information exposure so you have to keep up to date with them in case one or the other suddenly causes your data to be exposed to data harvesting/authorities with lower levels of restrictions. You can just say "screw providers, I'm rolling all my own stuff and hosting it myself", but then you're relying on the laws of your own country, your own hardware/software not to tell on you (sadly), and the terms and conditions of your own ISP.

This seems bleak, but my intention is not for you to throw your hands up and say "fuck it!" The intention is for people to be constantly vigilant. There's no perfect solution out there but you have to find the best solution for your own situation and keep track just in case things go south. If you can find a provider out there willing to die for the privacy of their users, please spread the word, but keep in mind that such services may be fleeting. Almost no one else is going to take the heat to cover your ass when the cops come calling.

Day 46 of #100DaysToOffload

Tags: De-Googling