Proton Mail suspended journalist accounts at request of cybersecurity agency
(theintercept.com)162 points by lehi 5 hours ago
162 points by lehi 5 hours ago
Proton does not require a shred of proof that you are a real human being either, fyi. I'm not actually attacking them for this specifically, because I feel that we need privacy focused tools, however the fact that I was able to create a few hundred proton email addresses in seconds by injecting usernames/passwords was scary, even to me. I'm surprised they aren't on spam block lists worldwide. Their captcha is child's play that a script can defeat with simple image examination. i encourage them to buff up their spam controls, just a bit, and decrease moderation by a lot unless they can promptly deal with cases such as this.
Their controls are buffed up: all of those accounts are linked due to having been created with the same IP address. If one is blocked, they all are. If you try to circumvent this with a well-known proxy (such as Tor or a VPN) you will find that captcha activation will not exist as an option.
> Phrack reached out to Proton in private multiple times, and Proton ghosted them.
According to Proton's response in the linked reddit post: https://news.ycombinator.com/item?id=45227356
They say: "Regarding Phrack’s claim on contacting our legal team 8 times: this is not true. We have only received two emails to our legal team inbox, last one on Sep 6 with a 48-hour deadline. This is unrealistic for a company the size of Proton, especially since the message was sent to our legal team inbox on a Saturday, rather than through the proper customer support channels."
You'll note that Proton's PR only mentions the second date - " last one on Sep 6 with a 48-hour deadline."
Proton doesn't mention that the first email from Phrack which Proton ignored was weeks prior to that, which is what led to the second email in the first place.
You'll also note that Proton doesn't mention that their Abuse Team refused to re-anable the account after the article author did the appeals process, as per Phrack's timeline at the top of their article.
To be honest, I've found Proton's public customer service representatives to be very duplicitous, so it's hard to take their word at face value. It's pretty ridiculous to see their response to legitimate concerns start with: "That doesn't sound right..." 80-90% of the time.
Sorry but doubt.
The whole "we have only received two emails" is a classic move of every company caught with their pants down. Considering Proton's history, they don't get the benefit of the doubt on this one.
As for the "company size excuse" sorry but considering the business you claim to be in (the private and secure email), having an on-call skeleton crew legal team available over the weekend for urgent requests is a bare minimum (and I'm pretty sure they have people available to hand over everything the cops request if "the proper process is followed").
Remember that they have turned over information in less than 24 hours before (for what they call an extreme case of course). So the "size" excuse doesn't hold. Doesn't matter how urgent it is, if they are the small bean they claim they are, there is no chance they can have a turnaround of less than 24 hours.
Again, it's not what they did that's the biggest issue, it's the coverup. Just like last time they got in hot water. Because the coverup raises a lot more questions.
well, you can't get the same stuff done that the folks with influence can. like they're working with a better toolbox.
Proton dropped from the top spot on my list of “user-first email platforms” when they announced they’ll be deleting accounts that haven’t logged into their service in some arbitrary amount of time. If I can’t rely on my email / messaging / phone / communications provider to keep an open line for as long as I need it – whether that’s one year or two years or twenty years, then I’m not going to use it. And if they require payment in exchange for providing that service, then it better accept privacy-preserving payment, but even then, I’m probably not going to use it.
Proton had a great thing going where their VPN service and business service funded the cost of maintaining free accounts. The fact that they chose to destroy years of trust by announcing a deletion policy, indicated to me that they no longer care about their users more than they care about running a business.
I’m not even asking for something unreasonable. It’d be one thing if they didn’t want to maintain free accounts with no activity but hundreds of gigabytes of storage. But they haven’t stratified the limit by storage usage. If you’ve got a free account consuming a few megabytes of storage, maybe an email you setup for the government service you interact with every few years… well you better make sure you remember to do the arbitrary chore of logging into that account every year, or Proton will just delete it, no questions asked.
Maybe they’ll send you some reminders if you gave them a “recovery” email, but that defeats the point of signing up to a privacy-preserving email service and calls into question the premise that they even are one.
(In related news, I need to text myself on Google Voice every few months or they’re gonna delete the number I use for 2FA on critical services… and this is an account that has $4 of credit loaded into it from ten years ago…)
I've need a paying subscriber to Proton since 2018, but I recently canceled my subscription (which ends in November). I just got fed up with the constant bugginess and jankiness of their offerings.
Any suggestions for mail hosting and VPN? I hear good things about Fastmail and mailbox.org (I see they very recently rebranded to just mailbox and revamped their offering).
Also, I've been a heavy user of the SimpleLogin alias service. Any suggestions for easily porting all those accounts to a new provider? Manually changing each and every account to a new email seems painful.
I've been on Zoho for my (and my partner's) email for 4+ years and it has been great. Chose them because there is no per-domain charge, so I have like 12 domains on it.
The configurability is extensive in both web app and ios email app. Service has been fast and stable. They rarely change anything in the UI (no random tinkering is what I mean) so it is predictable and easy to use.
Fastmail is fine. It's somewhat limited in its UX, but technically speaking, everything works, and it's snappy. Very few outages. I really like their integrations with calendars, contacts, and mail for 3rd party sites/services. Not a ton of features or deals re: custom domains or multiple users, but it's fine if it's just for yourself. edit They literally -JUST- turned on Offline support for their app and web interface, so my only real complaint is gone. Go with Fastmail.
For a VPN, what do you need it to do? For tinfoil hat privacy stuff, get a VPS in Estonia or something. If you just want a secure tunnel while working remote, get a WiFi access point with Wireguard and Dynamic DNS at your home (it's free plus you probably have more bandwidth).
This 9-year-old issue me a bad taste for mailbox...
https://userforum-en.mailbox.org/topic/anti-spoofing-for-cus...
I'm using Fastmail and Mullvad. Both seem to work pretty well and are reasonably priced. You could also host your own on VPSs if you're feeling adventurous.
> constant bugginess and jankiness of their offerings
This is something I had not heard (also have been a paying user for a very long time).
I've never encountered a bug, to my knowledge. I did dislike that when they released photo storage they didn't have a proper search feature.
For me the jank is in their billing and the plans I can purchase. I can either have a Business Mail Essentials plan or a Business Password plan, but if i want both at the same time I have to buy a plan that's three times as expensive or drop my custom domain name.
Proton seems to have a lot of cheerleaders that come out of the woodwork when anyone complains. I'm happy that somehow their code is magically bug free for you, since you've somehow never encountered any bugs whatsoever in their code (despite their release notes mentioning literal bugs they've fixed).
I'm glad it works for you, but their offering is frequently buggy and broken for me.
My experience is the apps are missing very fundamental features. Which would be fine... If you could use other clients. But you can't, except for email, kind of.
Like, the calendar on mobile doesnt even have a search function. What if I want to know when an event is happening? I just have to scroll and scroll until I find it? Come on now. Also no storage backup in proton drive??? What??? That's, like, 90% of the purpose of proton drive!
I moved to Fastmail a few years ago. No real complaints, and I’d definitely do it all over again.
That said, because I’ve not experienced any failure, I’ve not experienced how well Fastmail handles failure, which is the real measure of a company.
I moved from Proton to Fastmail (and Mullvad for VPN).
I was a a founding paying member of Proton Mail. I loved them and evangelised them for years. But after a decade, the quality of the offering, especially the mail and calendar, is almost a joke, and the company seems very distracted chasing the next big thing (the half baked password manager being one).
Comparing Fastmail’s UI and feature set with Proton, you quickly realise they are leagues apart.
And no Fastmail doesn’t provide e2e encryption. For that I use Signal, and for the few occasions where I need e2e encryption in email, I use PGP.
My only wish is that there was more client support for JMAP protocol. Even thunderbird doesn’t support it, and I can’t go back to IMAP because I like labels. Thankfully Fastmail’s own web interface is so good it is not a big issue.
> (the half baked password manager being one).
Or a very bizarre LLM offering: https://news.ycombinator.com/item?id=44657556
I've been happy with Startmail, good customer service, they don't offer any of the non-email cloud services though.
Fastmail is a good product with technical chops, contributes to open source and cares generally about being good members of the international email space, standards etc.
Fastmails interface is very plain, and it works very fast and works well.
They support a plethora of ways to do mail and have many advanced users so their mail support is very good, maybe close to running your own mail server without having to deal with rbls and getting spamlisted
> The obvious solution would be "we don't take down unless there's a court order", but then you'd get exposé pieces saying how protonmail is a den for drug dealers/pedophiles/doxxers/cyber criminals
I think it'd be crazy to make a service worse because of worry over potential hit pieces that might whine about a perfectly reasonable policy. It isn't as if Proton Mail hasn't been accused of those things before anyway (along with accusations of being a honeypot and not private enough).
It's better to have integrity and fight for your users than to cave just to avoid click bait articles by people with irrational views.
Yes.
Most CERT requests are valid and good and should be obliged.. but there should be a manual check involved.
Especially when an appeal is filed. Especially when the content is obviously security reporting.
Both extremes are wrong - don't ignore CERTs and don't mindlessly oblige them. Find one of the many reasonable middlegrounds.
It is very naive to believe that email providers and VPNs do not have to respect the laws.
If this would be the case they would not be approved by any payment providers at all.
On top of that, add the possibility that hosting companies and upstream network peers would shut them down.
The Reddit response from Proton: https://www.reddit.com/r/ProtonMail/comments/1nd1nrc/comment...
I’d like more details about the initial CERT contact if anyone knows anything
The silence of proton can only be interpreted to their disadvantage. This is not very smart and will make everyone doubt on them.
While I like the idea of a safe and uncompromising service, proton seems less so now.
PSA: Proton deletes “unused” accounts after one year, and defines unused in some opaque sense where receiving but not sending emails is “unused” so I’m in a nasty position of my iCloud account being unrecoverable. Going to have to spend nontrivial time off boarding my account.
> defines unused in some opaque sense where receiving but not sending emails is “unused”
"You are considered active if you log in and use our services once a year. Simply logging in to any Proton service on our web, desktop, or mobile apps at least once a year is enough."
Do they still use that old shady billing? You could get "credits" from coupon to upgrade your plan, and once it ends, it automatically subscribes and your account bill goes to negative. Unless you pay that, your account is locked. Happened to me some long time ago and haven't used Proton since.
Is this for paid accounts too? If you prepay for 5 years and get lost at sea for 3 years, should you expect your proton to still work?
It's because the journalists were covering the professor-student rape scandal at UIUC Champaign that was covered up by Champaign and other governing bodies.
Is refusal realistic? It's nice in the abstract, but in practice, there are plenty of ways to coerce illegitimate compliance.
I thought Proton was a confidentiality / privacy oriented thing. How do they even know who owns the accounts?
You can disable an account without knowing who owns it, although they do have credit card/payment information now, and I don't think new accounts get encryption services unless they pay.
That said, if your inbox is encrypted, protonmail does so on the client side with a second password. They can maybe delete the account, but proton mail doesn't know what the encrypted data is. What happens to new emails sent to a disabled address is anyone's guess though. Honestly I think they're doing the best they can given the circumstances
>and I don't think new accounts get encryption services unless they pay.
source? Their compare plans page specifically lists "End-to-end encryption" as a feature for their free plan.
It is very possible for them to inject custom JS to a specific user.
You are the bosses at Protonmail, do you want police at 6 am shaking your kids, seize all your devices, loose all agreements with PayPal and Visa/MasterCard, because you want to protect a guy who distributes child pornography or plans a terrorist attack ?
No way, so you tap on the shoulder of the CTO and ask him to push a temporary update or turn on a feature flags, in order to collect the missing information.
This is true for all companies who control the client.
Trusting them is almost guaranteed, but it doesn't have to be, sort of. The clients are opensource so you literally clone, audit, and run the clients locally.
Full disclosure, I use Proton and overall trust them so unless I see strong evidence of abuse or lies on their part I'm inclined to post contextualizing comments on stuff like this, b/c well I don't wanna host my own mail server, at least not in prod.
Or just use an open source email client.
I would expect their own apps to be open source, are they not?
Last time I checked, hacking was still a crime in most jurisdictions - even if the target is considered a geopolitical adversary. This sort of activity is also against the Proton ToS. Once KrCERT and Proton were alerted to this activity, they would have been legally obligated to act.
That's not to say I feel any sympathy to the target - who by all counts has done a fair bit of damage. But this sort of hacktivism / vigilantism simply isn't helpful. There's a high likelihood that one or more nation states / law enforcement agencies may have had active operations directed against this threat actor derailed by such activity.
tl;dr - If you're going to conduct such activities, practice proper OPSEC. And don't let your desire for attention / recognition take priority over staying on the right side of the law.
So, is this a case where Random Cybersecurity/Tech Group mistakes responsible disclosure for hacking, and then reported it to Proton, which took their word for it and disabled the account?
A related submission a few days ago with similar Proton response on twitter: https://news.ycombinator.com/item?id=45201153
I've been following this on X/Twitter and I think one of the most egregious things that's important to point out is that folks from Phrack reached out to Proton in private multiple times, and Proton ghosted them. Proton only engaged with them and then reinstated the accounts after Phrack went public and their X/Twitter post went viral.
It also looks like one of the writers filed an appeal with Proton and Proton denied the appeal, so they manually investigated the incident and refused to reinstate the account and then only did after this got attention on X/Twitter.
So make no mistake about it: Proton didn't just disable the accounts after whatever CERT complained, which would have been bad enough - they also didn't do anything about it until this started getting lots of eyes on social media.