ProtonMail founder and CEO Andy Yen explains that it only started logging the specific users’ IP addresses after it was legally forced to do so by Swiss authorities.
In case it contributes anything to the debate.
Obviously it would be better to not have access/know the IPs at all (if possible) but I appreciate the extra information, thanks for posting it.
On the one hand, ProtonMail isn’t really exempt from Swiss laws even as it promises to continue fighting against data requests as much as it can. On the other hand, it probably does need to clarify the nitty-gritty of its privacy terms, especially for paying subscribers that have expected more from ProtonMail.
At this point I basically treat it as better than Gmail/Outlook but not as secure as it might be advertised as (which is fine for my use case). Definitely would like to see them step up and update their info pages or better yet change their data handling so they have as little as possible while still remaining functional.
ProtonMail has an onion address; that would have hidden their IPs better. https://protonmail.com/tor.
Here is the response from ProtonMail to this incident. (The link came via the SANS Network Security podcast.) Note the different Swiss laws pertaining to e-mail vs. the VPN.
The Berners-Lee semantic web has for its goal the automation of the treatment of information by computational models though no form of knowledge is ‘reducible to the computational treatment of information’.
- cf. Bernard Stiegler.
- privacy != anonymity
- ProtonMail serves over Tor - in that case it will not be able to record your IP (as long as you are using Tor only entry-point)
- in order to be able to keep your identity off the record, use the free version, otherwise you will be traceable over the payment method. Even with bitcoin, you can be tracked.
- if you wish to have bulletproof email, set it up on your own… (but ouch you need an ISP/hosting provider, they will directly point to you) …
I use the free version of ProtonMail, with NordVPN, and try to always use the TOR browser. As Rob Braxman says repeatedly, no email is 100% private unless you host your own, but even then it is generally not en route or on the other end.
A VPN is just someone else’s network. Just like ProtonMail, any commercial VPN provider will comply with legal requirements and have the capability to log your activity and might even be required by law to do just that. So, using a VPN does not protect your identity on the web. It arguably makes you more easily identifiable because you might have paid for the service but also because you probably connect to it directly from your device with the IP your ISP assigned to you.
Exactly. I tell people this all the time. When you use a VPN through an ISP, you’re still identifiable. You’re just changing the company who can identify you: from ISP to your VPN provider.
So are VPNs useless?
VPNs are still good at anonymizing what you do online but your VPN provider will still know details to trace it back to you. That’s why it’s important to choose a VPN provider that you trust with the information and hopefully will not give it out if pressured by some other authority.
VPNs are helpful:
- for masking your detailed internet activity from your ISP or mobile provider
- for preventing data abusing companies (Evil-Corp) from acquiring your real IP address (also requires a de-Eviled mobile OS and non-Eviled apps)
- for protecting your personal and financial data over public WiFi networks, and
- for changing your apparent location/region/country/jurisdiction when expedient.