More and more people are talking about the story. Interested in your opinion:

Who is to blame?

Boosts are appreciated

@hejowhat Fixed that for you:


It is fairly easy to become a target/victim of the police/state. Should this be a thing? No. I think everyone agrees on this.
It is a long and difficult fight. If we can win in the end is another story.

This in mind:
Could 'the user' protect itself better in the meantime?

Or is it ProtonMail's fault here?

@hejowhat Thanks to ProtonMail's encryption being open-source (meaning trustworthy) and the fact that all user data is encrypted, all one has to worry about are one's IP address and unencrypted e-mails.

That's why using #Tor to hide one's IP and avoiding plain-text e-mails should be sufficient.

Open-source doesn't equal trustworthy unless you reviewed the code and host it yourself.
+ the backend of ProtonMail is NOT open-source (to my knowledge).

I am aware of this. The fact that 'the user' hadn't been using Tor for this stuff speaks for itself.
I was responding to your new poll in which you'd added 'police' and 'legislator'.

@hejowhat That's the idea behind open-source.

Encryption happens in the client, we don't need to trust the back-end.


But you need to self-host the client if you want to be 100% certain.

@hejowhat @datenschutzratgeber I wish I had the time to devote to privacy this much. I'm just so busy that anything that doesn't feed my info to ads is good enough.

I use Zoho. It's pretty Indian, and pretty good enough.

@hejowhat You mean self-compiling? I don't think that's necessary if a trustworthy binary source is available such as F-Droid.

@datenschutzratgeber @hejowhat Did you ever try to register a ProtonMail account over Tor? Armchair theories are worthless.

@datenschutzratgeber @hejowhat it was a rhetorical question. And most of the time it does not work.

@datenschutzratgeber @hejowhat
legislation/judicatory/executive are to be blamed first for this, for sure.

But also #ProtonMail has a responsibility in that matter, such as being very transparent against what threats their service can protect, without all that marketing speech that will just mislead people.
The general public does not have that knowledge, but ProtonMail has and they unfortunately continue to mislead them.

I wrote about that here:

@hejowhat I'm still OK with ProtonMail (awaits fire...)
Sure, ideally they wouldn't have given out the IP, but it's not like they just gave it at the drop of a hat. There was a legal process they were obliged to have to follow, not really a lot they can do about that (except move to another country or the moon).
They only enabled IP logging for that single user after that legal process and didn't/couldn't share any actual email content.

That's the way I understand it anyway. Maybe I'm wrong.

@pswilde I agree with you. I was wondering how 'the community' feels since I saw some outrage over it.

@hejowhat glad to see 67% currently are more or less on the same lines too 👍

@hejowhat important to me, is that I'm sure that my mails are e2e-encrypted (and nobody except the receiver and me can read it). I trust PGP, and as long as I can verify that the PGP implementation PM ships with is trustworthy (Nadim Kobeissi paper), I can trust PM. Yes, they store IP addresses. And yes, obviously they have to abide by the law (which is good, that's why we have laws after all). But if the only thing they have is my IP (and I don't like them to) it's up to me to hide it from them.

@rarepublic They don't even store the IP by default.
But depending on your threat model, even one 'IP slip' can cost you everything.

Are you using your own PGP key or does PM create one?

@hejowhat I'm not quite sure under which circumstances they log IPs. But I'd assume they do it all the time (e.g. in the settings you find a list of IPs with failed login attempts for your account). Right, if your threat-vector includes IP, you're fkd.

PM frontend generates the private key for you. It's AES encrypted (with your Mailbox Password) on client-side and sent fully encrypted to the backend. You could just do the same thing through the API with your own keys. (I never did it though)
