Proton Mail suspended journalist accounts at request of cybersecurity agency

(theintercept.com)

Comments

fivefives55555 4 hours ago
I've been following this on X/Twitter and I think one of the most egregious things that's important to point out is that folks from Phrack reached out to Proton in private multiple times, and Proton ghosted them. Proton only engaged with them and then reinstated the accounts after Phrack went public and their X/Twitter post went viral.

It also looks like one of the writers filed an appeal with Proton and Proton denied the appeal, so they manually investigated the incident and refused to reinstate the account and then only did after this got attention on X/Twitter.

So make no mistake about it: Proton didn't just disable the accounts after whatever CERT complained, which would have been bad enough - they also didn't do anything about it until this started getting lots of eyes on social media.

nsagent 4 hours ago
I've been a paying subscriber to Proton since 2018, but I recently canceled my subscription (which ends in November). I just got fed up with the constant bugginess and jankiness of their offerings.

Any suggestions for mail hosting and VPN? I hear good things about Fastmail and mailbox.org (I see they very recently rebranded to just mailbox and revamped their offering).

Also, I've been a heavy user of the SimpleLogin alias service. Any suggestions for easily porting all those accounts to a new provider? Manually changing each and every account to a new email seems painful.

johnklos 43 minutes ago
The true value of a company can be measured by our ability to communicate with them. If we can't communicate except after public outrage, then what does that say about the company?

Here's a genuine question: is Proton Mail the least shitty of companies that provide email services?

I self-host email and will continue until I die. But for others who need a company to do this for them, is Proton Mail the least shitty of options? Does this change the evaluation? I'm genuinely curious about the opinion of others here.

gruez 4 hours ago
Can proton even win here? The obvious solution would be "we don't take down unless there's a court order", but then you'd get exposé pieces saying how protonmail is a den for drug dealers/pedophiles/doxxers/cyber criminals.

chatmasta 1 hour ago
Proton dropped from the top spot on my list of “user-first email platforms” when they announced they’ll be deleting accounts that haven’t logged into their service in some arbitrary amount of time. If I can’t rely on my email / messaging / phone / communications provider to keep an open line for as long as I need it – whether that’s one year or two years or twenty years, then I’m not going to use it. And if they require payment in exchange for providing that service, then it better accept privacy-preserving payment, but even then, I’m probably not going to use it.

Proton had a great thing going where their VPN service and business service funded the cost of maintaining free accounts. The fact that they chose to destroy years of trust by announcing a deletion policy indicated to me that they no longer care about their users more than they care about running a business.

I’m not even asking for something unreasonable. It’d be one thing if they didn’t want to maintain free accounts with no activity but hundreds of gigabytes of storage. But they haven’t stratified the limit by storage usage. If you’ve got a free account consuming a few megabytes of storage, maybe an email you set up for the government service you interact with every few years… well you better make sure you remember to do the arbitrary chore of logging into that account every year, or Proton will just delete it, no questions asked.

Maybe they’ll send you some reminders if you gave them a “recovery” email, but that defeats the point of signing up to a privacy-preserving email service and calls into question the premise that they even are one.

(In related news, I need to text myself on Google Voice every few months or they’re gonna delete the number I use for 2FA on critical services… and this is an account that has $4 of credit loaded into it from ten years ago…)

rvnx 4 hours ago
It is very naive to believe that email providers and VPNs do not have to respect the laws.

If this were the case, they would not be approved by any payment providers at all.

On top of that, add the possibility that hosting companies and upstream network peers would shut them down.

bix6 4 hours ago
The Reddit response from Proton: https://www.reddit.com/r/ProtonMail/comments/1nd1nrc/comment...

I’d like more details about the initial CERT contact if anyone knows anything

BrandoElFollito 4 hours ago
The silence of Proton can only be interpreted to their disadvantage. This is not very smart and will make everyone doubt them.

While I like the idea of a safe and uncompromising service, Proton seems less so now.

antonymoose 4 hours ago
PSA: Proton deletes “unused” accounts after one year, and defines unused in some opaque sense where receiving but not sending emails is “unused” so I’m in a nasty position of my iCloud account being unrecoverable. Going to have to spend nontrivial time offboarding my account.

drnick1 1 hour ago
And this is why I host my own email server, even if I am not a journalist investigating governments or anything of the sort. It's a matter of control over my computing.

pagansRpedos 3 hours ago
It's because the journalists were covering the professor-student rape scandal at UIUC Champaign that was covered up by Champaign and other governing bodies.

dotnet00 2 hours ago
Hmm, going to wait and see how this plays out, maybe it's time to look at alternatives, assuming that my custom domain email isn't somehow locked to them.

segmondy 4 hours ago
When people show you themselves, believe them. Proton is no longer to be trusted. Use at your own risk.

daft_pink 4 hours ago
You either die a hero, or you live long enough to see yourself become the villain.

sitzkrieg 4 hours ago
proton always glowed but just straight up bending to unnamed agencies puts em rank and file with every single other provider

SilverElfin 4 hours ago
I thought Proton was a confidentiality / privacy oriented thing. How do they even know who owns the accounts?

0xbadc0de5 3 hours ago
Last time I checked, hacking was still a crime in most jurisdictions - even if the target is considered a geopolitical adversary. This sort of activity is also against the Proton ToS. Once KrCERT and Proton were alerted to this activity, they would have been legally obligated to act.

That's not to say I feel any sympathy to the target - who by all counts has done a fair bit of damage. But this sort of hacktivism / vigilantism simply isn't helpful. There's a high likelihood that one or more nation states / law enforcement agencies may have had active operations directed against this threat actor derailed by such activity.

tl;dr - If you're going to conduct such activities, practice proper OPSEC. And don't let your desire for attention / recognition take priority over staying on the right side of the law.

IncreasePosts 4 hours ago
So, is this a case where Random Cybersecurity/Tech Group mistakes responsible disclosure for hacking, and then reported it to Proton, which took their word for it and disabled the account?

ChrisArchitect 4 hours ago
A related submission a few days ago with similar Proton response on twitter: https://news.ycombinator.com/item?id=45201153