• Alk@lemmy.world · 6 months ago · 155 up, 9 down

    This is non-news; like all tech companies, they are bound by law to do this. It happens more than 6000 times per year for Proton. However, this user just had bad opsec. Proton emails are all encrypted and cannot be read unless law enforcement gets your password, which Proton does not have access to. Even if Proton hands over all data.

    • ID411@lemmy.dbzer0.com · 6 months ago · 32 up, 13 down

      Proton doesn’t get a free ride here.

      They are bound by Swiss law and should not be retaining any identifying information.

      If they are going to give up everything they have on you when the feds come knocking, they shouldn’t keep anything or they shouldn’t market themselves as private and secure.

      • QuaternionsRock@lemmy.world · 6 months ago · 31 up, 1 down

        Upon receiving the recovery email from Proton Mail, Spanish authorities further requested Apple to provide additional details linked to that email, leading to the identification of the individual.

        The user specifically requested that Proton retain this PII for account recovery.

        Speaking of which, how do they implement recovery emails? Do they save your private keys only if account recovery is enabled?

      • RBG@discuss.tchncs.de · 6 months ago · 13 up

        But if you use their service for free, you do not have to provide any identifying info. As far as I am aware, there is no check that what you enter is legit and there is no requirement to supply a backup address. So the whole solution for a user to stay anonymous as much as they can with Protonmail is simply to not enter any identifying info.

      • asdfasdfasdf@lemmy.world · 6 months ago · 9 up, 1 down

        No, Proton does get a free ride here. The information they provided was the recovery email address, which they were required to do by law.

        The only data they don’t encrypt (can see) is that which they absolutely need to store unencrypted. If they encrypt your recovery email address, then… they can’t send you any recovery emails to it since they can’t see it.

        This is 100% the fault of the user.

        All any service can do is give you the best tools available to maintain your privacy, but they can’t stop you from shooting yourself in the foot.

        Firefox is also great for privacy, but if I use it to fill out some info on some phishing sites then that’s not a them problem.

      • sudneo@lemm.ee · 6 months ago · 3 up

        How do you imagine a recovery email to work, if the provider doesn’t store it, and you lost access to your email by definition in the moment you need it? Recovery email is not needed; you can totally use your account without it, and Proton doesn’t ask for it. It’s a feature where you obviously are disclosing that piece of information and linking two accounts. It’s either that or not using that feature.

    • 0x0@programming.dev · 6 months ago · 14 up, 1 down

      Proton’s mails are encrypted… between Proton accounts. Send an email to a Hotmail account and bye-bye encryption. Proton does rely on PGP, so you can use that if the recipient supports it.