So, @ProtonMail had to give out information about one of their users. Navigating what has happened is a bit tricky, and I'm not going to complain about the fact that Proton handed out the data. Why? Thread.
https://twitter.com/tenacioustek/status/1434604102676271106
First of all, Proton is (probably) not storing people's IP addresses. From what I understand, they have been ordered by authorities to turn on IP logging. That the suspects are a group of youth climate activists is not something Proton can use as a basis to refuse.
Most likely they didn't even know it was a group of youth activists to begin with. Hopefully not - that would mean that they do have more information than they claim on their users. I trust @ProtonMail, and this situation has not changed that.
However, they're based in a country that has a government that can control their actions. That's the main flaw. A lot of activists, technologists and hosters have this idea that certain countries are "bulletproof" when it comes to privacy. That's certainly not the case.
Certain countries protect privacy more than others. Few countries have no laws about when they can order companies to hand over - or collect - certain data. In general this is needed in a working democracy, since it means we can protect in those extreme cases when we need to.
My own experience has been that companies/organisations, especially the ones run by technologists, have failed to understand the need of decentralisation. Even if we do talk about it in technical terms, they fail to do it in their organisation.
My own projects, and the one I help/work with, have an understanding of this. Historically that's been more important than the technical decentralisation or security. The understanding of legal as well as tech is a niche that sets these projects ahead of the game.
That doesn't mean I wouldn't help the government if I can, in cases where it makes sense. Peoples lives are at stake - sure we'll help. But it makes it a cooperation between us and the authorities asking. We can make an ethical decision to help across multiple jurisdictions.
In terms of us vs Proton, I can say that we would have had a choice that Proton doesn't. It doesn't mean that Proton did anything wrong. It just means that their threat model was not working for this particular case. And our model probably has flaws as well.
The shitty situation here is that a group that should have been supported and protected was not granted those rights. It's not the fault of @ProtonMail, it's the fault of the authorities. And I'm sure that Proton will take lessons from this to improve their threat model.
The basic problem here is again that we've centralised things. Organisations, services (e-mail is among the easiest of all services to have decentralised), and trust.
We often get questions from potential partners if we're "bulletproof". We always ignore those partners, since they don't know what they're talking about. We're ethical when it comes to privacy. No serious organisation claim to be "bulletproof".
Now to end this - we need to help the youth climate activists. And it's not going to help by complaining about @ProtonMail. They are still part of the good fight.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
