Awesome…
This instance really wants to dislike Proton.
Proton did some PR for Trump a while ago that didn’t get them on everyones good side.
Use monero.
They have a .onion site. Use it always.
And don’t pay with a credit card if you’re committing crimes lmao
Proton was legally ordered by the Swiss justice department to hand over the (severely limited) information about a law breaking organization’s account. They had paid for Proton using a credit card instead of the anonymous payment methods Proton offers, and that is what Proton was forced to hand over. It was the organization’s bad OpSec, not Proton willingly deanonymizing users.
Hopefully people like you will be able to nip this in the bud before yet another joke of a controversy starts…
You must be new here…
On the one hand, I really like how often Proton’s shortcomings are highlighted. This SHOULD be a wake up call that you should never rely on a company to protect you and should instead focus on what you can do to ptorect yourself. And Proton… actually are pretty good in that regard. Connect from a burner/live image computer over public wifi using tor (or something similar) and their free accounts are STILL the gold standard for journalism and whistleblowers.
But the problem is that people are stupid and lazy (and many outlets actively benefit from "Eww, proton is bad. If only they had paid for NordVPN to really protect them from the FBI! ~Note, NordVPN provides no guarantees of protection~ ". So we just get stupidity.
OP’s title certainly doesn’t help.
Why do you think Proton stores the association between accounts and payment identity?
Many privacy-oriented companies actually accept credit card payments and simply don’t store that information.
answer:
proton is snake oil
B…But…Swiss evil?
Really, this headline should be “Organization so poorly organized that they messed up having high-security email.”
Not at all. Proton doesn’t require any personal info at all. But if you pay with a credit card… That has your personal info tied to it. It’s their fuck up paying with a credit card. Proton accepts other payment methods that aren’t tied to your identity.
Proton is required by law to provide information they have when the courts say so.
Are they required to keep the data?
Not sure about Swiss laws regarding merchant payment card data retention… But they aren’t really going to matter with this situation either way. Even if Proton doesn’t keep any identifying information directly, the payment processor for sure is going to keep identifying data. Proton will have a confirmation number for the payment being processed, which can be correlated via the payment processor anyway.
So I’m not a criminal organization as far as I know, but if I did pay with a credit card originally can that be rectified without deleting and starting over?
Proton uses Chargebee for payments, which has its own data retention policy of essentially “as long as we want to”, but Proton does themselves keep limited data like the billing name, and last 4 digits.
Proton’s privacy policy says nothing about a pre-set time delay after which they’d delete that data. They only claim that they “reserve our right” to remove your payment information if they think it’s no longer valid. So theoretically, that might mean if your card’s expiry date has passed, but that’s not a confirmation.
The best way to reliably make sure Proton wouldn’t have any info on you is to not have ever tied any real information about yourself or your payment info to that account.
Thank you for the information.
Yeah, exactly. They don’t make it hard to not tie personal data to them if you want, you just have to actually DO the thing to take advantage of it. These people seemed to think it was magic, which seems to be how a lot of people think Proton or Tuta works.
@Charger8232 @jrcruciani The bug is between keyboard and chair. It is always a problem to use crédit card.
I like services like PIA that let you pay in gift cards.
Owned by Kape technologies, and uses Google analytics. Big nope. Any VPN service worth its money support anon payments (including gift cards) anyways.
Does Proton Mail?
Yup
Is there a link you could share?
Gift cards don’t work for me. Guess I need one ordered from outside the US.
Mullvad accepts cash.
And Monero.
Some people in the comment section are really dumb switching to other alternatives thinking that Proton isn’t trustworthy because they gave the information despite the organisation not using anonymous currency. What’s ironic is that some of these people are switching to those alternatives where you can’t even use anonymous currency.
Also, kind of a clickbait title.
article in case you can’t read it:
lemmy.ml/post/44086795edit: better link in a reply.proton coulda put up a fight, a loud one, for optics sake if nothing else. rolling over on any (and by implication, all) request should be the last straw in their long line of snafus; by way of “death by a thousand cuts”, I would never entrust them with anything of importance.
signal demonstrated that you could decouple payment info from user data and a shop that touts the privacy part of their offerings coulda at least mimic such a thing.
edit 2: fuck any and all pay-with-crypto shills and the horse they rode in on.
You cannot put up a fight when ordered to do something by a judge who has jurisdiction over you. You either comply or you’re committing a crime.
article in case you can’t read it: https://lemmy.ml/post/44086795
that link only has two paragraphs of the article; there are 8 more in the full article here on archive.org
I’ve been a paid protonmail user for years. What should I use instead?
Create a new account in Tor Browser. Pay with monero.
Never link your old account to your new account. Never write your name. Never email anyone off proton mail, unless you setup PGP first. Never login to your new account in a browser other than Tor Browser.
Proton is the best option, but tech can’t fix stupid.
If you don’t give information to Proton AG which they can be legally forced to hand over, you’re alright.
I’m not saying Proton was right or wrong to hand over data, who knows how much if a fight they really out up, but it seems more like an OpSec thing, where they found the account because they used that email to create a user account somewhere that they then posted about being a part of this group rhe FBI was going after.
I’d say your best bet to avoid this would be to create a free account that doesn’t have any payment info and doesn’t use your premium account as a recovery method of any kind if you’re going to use it as the email associated with a social media account. Or like someone else mentioned, if there’s an anonymous payment method, always use that.
Again, not a great look for Proton, but doesn’t really go against any of their claims as far as data encryption is concerned. Not sure if they could encrypt that payment info.
Your technical and legal understanding seems limited. I personally work in the IT space and am a hobbyist in legal matters, in particular data protection.
I’m pretty sure there was nothing they could’ve legally done to protect the payment information.
It’s not a “bad look” for Proton; instead, it’s just people being confronted with reality.
If you commit a crime, law enforcement will be after you, and if your operational security sucks, there will be no service that can counter that.
If you’re worried Proton could identify you to authorities, either just make a new Proton account and pay anonymously (cryptocurrency or cash by mail), since that’s the only way this person was identified, or you could use what I’d consider to be the next-best, which is Tuta.
Nowhere near as slick a UI, less overall offerings (only email and calendar), but it costs less and generally provides similar security and privacy to Proton. Though again, you’d have to pay via private means, otherwise you’re gonna get identified by the same mechanism this person was if the government really decided to come after you by your account.
this person said it once, but I’ll say it again.
the same thing can happen on Tuta unless you pay with an anonymous method. these are privacy focused email providers, they are not anonymous email providers. they keep as little data on you as they need, but if you’re paying with a credit card then obviously you have your real name tied to the account.
Posteo has an anonymized payment system, so you could pay with credit card and your payment information won’t be linked to your account.
Being secure online and being anonymous online is not the same. Proton only promises one of those.
I just switched from proton to mailbox. Mailbox gives you a say so over what happens when law enforcement asks for your account info.
Mailbox.org doesn’t have the option for anonymous payments beyond payments in cash, which was the reason for the article in the first place.
It does t matter if you have the ability to simply delete all of your account info.
You do realize that you don’t get time, generally speaking, to delete things, when a government legally demands your info, right?
As soon as any company sees a lawful order demanding information, deleting it becomes a crime.
If this same thing happened to mailbox.org, you heard about it immediately, and hit all the delete buttons you can find, mailbox.org will still hand over your info to them, as they’re legally obligated to do so. It’s not a gdpr violation or anything like that.
You’re not understanding. It’s a preemptive option.
You’re not understanding. They can order whenever.
And the Germans don’t give a fuck.
Their transparency report says otherwise…
the germans share intelligence with US agencies. you’re more likely to have your data given to the US government if your email provider is in germany than you are if they are most other places in europe.
they also keep trying to pass laws to force all tech companies to backdoor encryption in germany. when that happens, your data would be safer literally anywhere else, including currently the US.
It’s preemptive for when you DIE. That’s why in the screenshot you sent it says “in the event of my death”, not “if the government comes knocking, violate the law and delete my data first”.
You can delete your data from Proton, too, but the payment information, which was how this person was identified, is stored regardless by their third-party payment provider.
Mailbox only erases your payment info 4 weeks after you’ve last paid, and ended your contract with them, and they use Ayden for payments, which also has no set date at which they’ll delete your payment information.
It doesn’t matter if they keep it anyways. Always assume anything you put on someone else’s servers is there forever.
That image doesn’t say anything about law enforcement tho?
That image only says what to do when you die. Not when law enforcement requests information about your account?
