A few days ago a story broke about Proton Mail being served a court order to hand over the data of a Spanish dissident. As the headlines read, Proton gave the authorities the information it had and the user's online privacy was violated by Spanish law enforcement. That's not the entire story, though.
What is Proton Mail?
Proton is a Swiss-based, privacy-focused company that provides secure email, VPN, calendar, a password manager, and cloud storage. Proton's client code is open source, so there is no need to take the company's word for it: anyone can read the code and verify that it does what Proton claims.
Is Proton compromised?
Many privacy-aware people jumped on the story and proclaimed that this is the end of Proton and its services. "They are no longer safe to use!" But what data did Proton actually give out?
Making the leap from being a safe and private alternative to other email providers, to freely giving out information about dissidents to officials is a rather big step. A step that would severely damage the company’s reputation in an incredibly scrutinising field. Privacy activists are certainly not forgiving when it comes to breach of trust.
As it turns out, however, Proton really didn’t give out any sensitive information, despite the very sensational headlines.
Enter the Backup Email
Unfortunately, it’s not enough to use a secure service and stop there. One must also make sure to secure anything that may lead back to it. In this specific case, the authorities gained access to the user’s Proton account by forcing Apple to give them access to the iCloud email. The user, unfortunately, used a non-secure recovery email for the Proton account.
OPSEC, OPSEC, and OPSEC…
If you, like this Spanish dissident, have sensitive information in your email account, make sure that there is no other way in. Operational security is key. This means that the only way to gain access to the account must be your long password, made up of random numbers, letters, and symbols. If you forget the password, you're locked out of your account, but that is the whole point.
IF YOU DON’T HAVE THE PASSWORD YOU CAN’T ACCESS THE INFORMATION, NEITHER CAN ANYONE ELSE!
The Disclosed Data
So, Proton didn’t give the authorities any encrypted data, email contents, or anything else that might give them an idea of what the dissident was up to. The information they gave out, according to a statement made by Proton, was limited to the IP address.
After forcing Apple to provide them with the login credentials to the iCloud account, they could then reset the password of the Proton account, using the iCloud email recovery function.
Proton’s response
While Proton can’t disclose additional information about the specific request from the authorities, they did give an answer via email to Restore Privacy. In their response, they concluded that the case involved alleged threats to the King of Spain, and that the access to the Proton account was gained via an Apple account as recovery email. To create a free Proton account you do not have to provide any recovery email, phone number, or credit card. These are all optional.
Conclusion
You can safely continue to use Proton's services. They do answer requests from authorities for data, but this data is limited to IP addresses. Everything else is encrypted and cannot be read by Proton.
Steps for safety
- Make sure you don’t use any compromised services for backup email. Google, Apple, Microsoft, etc. are all no-go.
- Keep a long password that you can remember in your head and rely on that for access to the account. Any way of retrieving the account if the password is lost is a potential way in for others as well.
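To make the "long password made up of random numbers, letters, and symbols" advice concrete, here is an added example (not code from the post or from Proton) that generates such a password from the operating system's CSPRNG and estimates how much entropy a given length buys. The character set, the default length of 24 and the guessing rate used in the illustration are assumptions chosen for the example.

```python
import math
import secrets
import string

# Character classes used to build the password. This alphabet (94 printable
# ASCII characters) is an assumption for the example, not something Proton prescribes.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Return `length` characters drawn uniformly at random from `alphabet`.

    secrets.choice() uses the OS CSPRNG, which is what a credential needs;
    random.choice() is seeded predictably and must not be used for this.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet_size) bits."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every value of a `bits`-bit keyspace at a given rate.

    Only meaningful for an offline attack on a leaked password hash; an online
    login form is rate-limited long before this matters. The rate is an assumption.
    """
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password()
    bits = entropy_bits(len(pw), len(ALPHABET))
    print(f"password: {pw}")
    print(f"entropy:  {bits:.1f} bits for {len(pw)} chars over {len(ALPHABET)} symbols")
    # Assumed attacker rate for illustration: 10^9 guesses per second offline.
    print(f"exhaustive search at 1e9/s: {years_to_exhaust(bits, 1e9):.3g} years")
```

The point of `entropy_bits` is that a 24-character password over 94 symbols carries roughly 157 bits, far beyond what any offline attack can search; the weak link is then not the password but any recovery path that bypasses it, which is exactly what happened in the case above.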
…and privacy
- Use a VPN to hide your IP address when accessing your Proton account.
- Don't use your real phone number, credit card number, or anything else that can be traced back to you. Pay for and verify your Proton account using anonymous cards and numbers, because this information is stored by Proton.