this post was submitted on 08 Mar 2026
189 points (79.3% liked)

Technology

82989 readers
2696 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
189
Privacy-Focused Proton Mail Aids FBI in Uncovering ‘Stop Cop City’ Protester’s True Identity (www.gadgetreview.com)
submitted 2 weeks ago by schizoidman@lemmy.zip to c/technology@lemmy.world
53 comments fedilink hide all child comments
 

cross-posted from : https://lemmy.zip/post/60387297

Proton Mail provided Swiss authorities with payment data for defendtheatlantaforest@protonmail.com — the account linked to Stop Cop City protests in Atlanta. The FBI obtained this information through a Mutual Legal Assistance Treaty request on January 25, 2024, identifying the activist behind the anonymous account through their credit card identifier.

top 50 comments
sorted by: hot top controversial new old
[–] floquant@lemmy.dbzer0.com 123 points 2 weeks ago (5 children)

Again, they did not "aid" nor "give" that information. They were legally obliged to do so. There was never a choice. This could've happened with literally any company, E2EE stops them from being forced to turn over the emails themselves, but basic account metadata (creation date, payment methods, contact details, potentially IP access logs) will always be available. What you can do is limit the amount of information a provider requires/saves (for which Proton is a good choice) or don't rely on a company at all and roll your own email server.

[–] idlesheep@piefed.blahaj.zone 47 points 2 weeks ago* (last edited 2 weeks ago)

In fact, knowing that the only thing Proton was able to hand over was the credit card identifier is pretty solid proof that they in fact cannot access (and thus provide access to) your email account and its contents.

If full anonimity is the goal then stick to crypto or cash payments, because credit card always leaves a trail and not a single email provider is above the law in that regard.

This case is entirely the fault of the user's bad opsec.

[–] joe@lemmy.world 28 points 2 weeks ago

Yeah, it's the distinction between "anonymous" and "private".

[–] Venator@lemmy.nz 11 points 2 weeks ago (1 children)

In this case, wouldn't rolling your own email server make it even easier to find you, since they'll just have to look up who registered the domain you used for your email address?

[–] floquant@lemmy.dbzer0.com 4 points 2 weeks ago

Depending on how you register the domain, there are some registrars that require no info at all. One of those paid with Monero creates no links to your identity.

But yes, self-hosting does not shield you from court orders. If they find you they can still access your shit, depending on how much your country's infosec police gives a shit and/or how closely they cooperate with US agencies.

[–] RIotingPacifist@lemmy.world 6 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

They litterally gave information they were legally required to

E2EE stops them from being forced to turn over the emails themselves

Except it doesn't, E2EE in browser is pointless, they send your browser the code that does the dycription, they can just as easily send your browser code that does decyption & uploads the contents to themselves.

Yes doing actual E2EE emails is harder because both ends need to use an email client and configure it to do encryption, but for amost all scenarios protonmail is no more technically secure than any other webmail provider.

Scenario Gmail protonmail
Legally required to hand over your emails can comply can comply the next time you use the account
Datacenter breach emails encrypted at rest emails encrypted at rest
Persistent threat within supplier can read your emails requires code injection capability

I think offering per-user encryption that makes it harder for the company to data mine your emails is good, I just wish people would stop believing companies selling you "secure solutions".

In this case defendtheatlantaforest would have been more secure if they used any free email provider and GPG, yet there's a cult-of-produce around protonmail as if it's offering you a level of security that it can't.

[–] HyperfocusSurfer@lemmy.dbzer0.com 2 points 1 week ago

Except you don't have to use their browser version and can instead use their apps or their bridge or even a 3rd-party bridge like hydroxide, which makes injections quite a bit harder. They can still get incoming and outgoing plaintext (i.e. not pmail ←→ pmail) emails, tho

[–] tb_@lemmy.world 2 points 2 weeks ago (1 children)

Furthermore, you can pay with bitcoin or even cash (sent to their HQ by mail). That way they'd have even less on you.

[–] veniasilente@lemmy.dbzer0.com 3 points 2 weeks ago (1 children)

Furthermore, you can pay with bitcoin or even cash (sent to their HQ by mail). That way they’d have even less on you.

With the caveat that in some of their procedures they (seem to?) require to append account information in the mail, so if the postage can be traced back to you that's an issue.

[–] tb_@lemmy.world 2 points 2 weeks ago (1 children)

Yeah, not sure how it'd work with return addresses and whatnot. But if the letter itself is intercepted there's probably more that can be used to trace back to you, unless you only handled the money and paper in a clean room.

[–] veniasilente@lemmy.dbzer0.com 1 points 2 weeks ago (1 children)

Well, the entire procedure requires you to first trust the snail mail chain in the first place, so it's a different category of trust that "trust a CC provider". Snail mail used to be sacred, but it's been known not-to for a long while now. And at the point that you can expect the acabs are willing to inkdust and laser your mail for biological traces, that means you are facing a nation-state adversary with nation-state power, so you should be looking into nation-state level defenses instead.

[–] tb_@lemmy.world 2 points 1 week ago

Yeah. Bitcoin is probably safer and easier.

I'm just saying the option exists, and that I think it's neat.

[–] LodeMike@lemmy.today 58 points 2 weeks ago (1 children)

No, they responded to a legal request by the swiss government to provide banking details.

[–] SnoringEarthworm@sh.itjust.works 17 points 2 weeks ago (2 children)

Sounds just like Proton in the article:

Proton AG clarified they shared no data directly with the FBI — technically accurate but missing the point.

[–] LodeMike@lemmy.today 14 points 2 weeks ago (1 children)

The fuck is the point? That banking details are subpeonable?

[–] SnoringEarthworm@sh.itjust.works 14 points 2 weeks ago (2 children)

The point is that the headline is true. Proton helped the FBI uncover that person's identity, by revealing their banking information.

Yes, it was legal for the Swiss government to request that information and for Proton to release it when asked.

Those facts aren't mutually exclusive.

I don't understand why you're responding so aggressively.

[–] LodeMike@lemmy.today 12 points 2 weeks ago* (last edited 2 weeks ago) (3 children)

Because people are like "OMG proton is such a snitch time to switch to <other service that will do the exact same thing>"

[–] prole@lemmy.blahaj.zone 3 points 2 weeks ago (1 children)

I am pretty sure Mullvad couldn't do it even if they wanted to.

[–] LodeMike@lemmy.today 1 points 2 weeks ago

They can do it up to 6 weeks or something.

load more comments (2 replies)
[–] Ibisalt@lemmy.world 6 points 2 weeks ago

not directly related but on top of this, wasnt it the massive campaining and political pressure from us and eu that forced swiss banks to lift the swiss bank secrecy? maybe people start to understand this law exist(ed) for other reasons than tax evasion.

[–] billwashere@lemmy.world 2 points 1 week ago

Proton AG clarified they shared no data directly with the FBI

“I’m gonna put this data in this box right here, the one labeled ‘Private Data’. If the FBI takes that data and does something with it, I had nothing to do with it and didn’t give them the data directly”

[–] coalie@piefed.zip 57 points 2 weeks ago (1 children)

They complied with Swiss law. Only the name on the credit card was given.

[–] BlackLaZoR@lemmy.world 13 points 2 weeks ago (2 children)

Could've paid with crypto, choose not to.

[–] RIotingPacifist@lemmy.world 5 points 2 weeks ago

Yeah using a public ledger would have saved the FBI having to get a warrant, especially given how in bed crypto-exchanges are with Trump

[–] veniasilente@lemmy.dbzer0.com 4 points 2 weeks ago (1 children)

I'm not sure entering the ponzi scheme that is cryptocurrencies would have helped in this case.

[–] Canonical_Warlock@lemmy.dbzer0.com 1 points 2 weeks ago

You don't need to hold crypto to pay with crypto. You just only buy exactly enough to make your payment right when you are going to do so. Yes you're still buying crypto but you're also immediately cashing out so there's no risk of being caught holding the bag.

[–] Fizz@lemmy.nz 46 points 2 weeks ago (1 children)

Proton is clear that they complie with legsl government requests and post stats about how many they fight and handover. They offer private ways to use the service and if you dont take them thats on you.

[–] hector@lemmy.today 2 points 2 weeks ago

Europe bullied them out of their tax haven status a decade or so back. Germany and others made them hand over tax scofflaw account details. It was in the papers don't remember the year.

[–] Ulrich@feddit.org 32 points 2 weeks ago

Sad to see the Swiss are still complying with demands from a fascist regime.

If you're going to be doing illegal shit in your activism, you should consider using anonymous communication methods like SimpleX.

[–] EncryptKeeper@lemmy.world 19 points 2 weeks ago

We still blaming basic OpSec mistakes on Proton?

[–] unclellama@lemmy.dbzer0.com 11 points 2 weeks ago* (last edited 2 weeks ago) (2 children)

My question is what's the legal requirements for payments? How long do they have to keep transaction records and do they have to connect this to accounts? This should be available in the ToS(but cannot find this). Compare with Mullvad (https://mullvad.net/en/help/no-logging-data-policy) (Edit: spelling)

[–] potatoguy@mbin.potato-guy.space 7 points 2 weeks ago

If I remember correctly, payment data is required to be logged for 10 years.

Edit: This varies from jurisdiction to jurisdiction, but it's normally 5-10 years.

[–] greatwhitebuffalo41@slrpnk.net 7 points 2 weeks ago* (last edited 2 weeks ago)

I'm pretty sure proton offers a crypto payment of some form. Which would mean if this person had used that instead of a credit card, theoretically there wouldn't be anything to subpoena.

Either way, email isn't exactly safe.

[–] arcine@jlai.lu 8 points 2 weeks ago (1 children)

Switzerland is not a safe jurisdiction.

[–] fenrasulfr@lemmy.world 6 points 1 week ago

There is no safe jurisdiction.

[–] dr_robotBones@reddthat.com 7 points 2 weeks ago (1 children)

Remember when Switzerland was neutral?

[–] veniasilente@lemmy.dbzer0.com 16 points 2 weeks ago

When was that? They took in the Nazi gold.

[–] cyberpunk007@lemmy.ca 1 points 2 weeks ago (1 children)

More and more I consider just self hosting. Does have obvious drawbacks though 😅

[–] davidagain@lemmy.world 7 points 2 weeks ago (2 children)

Even some commercial less well known mail providers are sometimes blocked by big players like gmail and outlook for anti-spam reasons.

[–] cyberpunk007@lemmy.ca 3 points 2 weeks ago (1 children)

Just set up dkim, SPF, and dmarc properly and you should be good.

[–] axum@lemmy.blahaj.zone 5 points 2 weeks ago (1 children)

Nope. Take for example Gmx.

Due to the heuristics some of the providers have, such as Microsoft, they will start classifying mail sent from gmx as spam and auto move it to people's spam folder. They have developed their own internal trust metrics and these periodically just spambin low trust servers

[–] cyberpunk007@lemmy.ca 1 points 2 weeks ago

I can't say either way, I manage dozens of M365 tenants myself and usually what trips it is lack of SPF/dkim/dmarc or bulk senders. But again, not common to have independent mail providers these days but even Microsoft still makes Microsoft exchange server...

[–] RIotingPacifist@lemmy.world 2 points 2 weeks ago (1 children)

Self hosted my mail for decades, the only issue i've had is Hotmail/outlook, who have blacklisted my IP with no way to unblock it.

Gmail is pretty good

[–] davidagain@lemmy.world 1 points 2 weeks ago (1 children)

My mail provider isn't that big. We got blocked by both outlook and gmail, but I duckduckwent a workaround which worked. Something about editing some mail record somewhere. Can't remember what, I'm afraid.

[–] RIotingPacifist@lemmy.world 2 points 2 weeks ago

Yeah you need a bunch of "optional" records SPF DMARC DKIM PTR (if possible)

[–] hector@lemmy.today 0 points 2 weeks ago

I signed up for a proton account and they immediately suspended it for "suspicious activity."

My IP is on some foreign blacklist I found out. No option to appeal or anything, no explanation, I would have to verify my account with personal information which defeats the purpose.

Garbage company, 100% handing information to the cia and israel I bet.

load more comments
view more: next ›