[o8r3oFTZPE]

"Their homepage says..."

Is the parent suggesting that no one should bother to read the Terms and Privacy Policy, linked to from the homepage. https://protonmail.com/privacy-policy

Despite the parent's claim, the Privacy Policy says the company may log IP address. Temporarily. Irrespective of any request from local authorities regarding a specific user. IOW, they may log anyone's IP address temporarily regardless of whether the particular user is casuing trouble; they can log IP address for everyone. The policy says they log this data for the purposes of preventing fraud and abuse. The problem for privacy-conscious users is that if they log the data, then that entices authorities to try to successfully request it.

The policy, which imposes no obligations on the company BTW, reads as follows:

"IP Logging: By default, we do not keep permanent IP logs in relation with your use of the Services. However, IP logs may be kept temporarily to combat abuse and fraud, and your IP address may be retained permanently if you are engaged in activities that breach our terms and conditions (spamming, DDoS attacks against our infrastructure, brute force attacks, etc). The legal basis of this processing is our legitimate interest to protect our Services against nefarious activities."

There is nothing that says "By default we do not retain any logs". This clearly states they may be expected to retain IP logs. ("IP logs may be kept temporarily...")

But wait there's more.

"We will only disclose the limited user data we possess if we are instructed to do so by a fully binding request coming from the competent Swiss authorities (legal obligation)."

This clearly states the company may disclose the data they possess, e.g., IP logs collected to combat fraud and abuse, if in response to a request from competent local authorities.

Further down is a curious statement about decrypting messages.

"If a request is made for encrypted message content that we do not possess the ability to decrypt, the fully encrypted message content may be turned over."

Why include a statement such as this, specifically the part that says "that we do not possess the ability to decrypt". The company already specified it may disclose the data it possesses. This further statement suggests there could be some situation where they may have the ability to decrypt some messages. Besides their own communications with customers, why would they ever have encrypted messages that they can decrypt. They could state something like "If the request is made for encrypted communications addressed to us or sent by us, ...", but they do not. As such, their statement must include other messages, too.

[OrvalWintermute]

> "IP Logging: By default, we do not keep permanent IP logs in relation with your use of the Services. However, IP logs may be kept temporarily to combat abuse and fraud, and your IP address may be retained permanently if you are engaged in activities that breach our terms and conditions (spamming, DDoS attacks against our infrastructure, brute force attacks, etc). The legal basis of this processing is our legitimate interest to protect our Services against nefarious activities."

Just how transient do logs need to be to fit this criteria?

Am guessing the 7 years or so we need for some of our specific logs might fit the temporary definition too.....

[o8r3oFTZPE]

Nothing is even defined. There is nothing in this policy that obligates the company to do, or restricts the company from doing, anything.

This is the way most tech company "Privacy Policies" are written.

There is a significant difference between a statement such as "We (Company) do not do X" versus a promise such as "Company shall not do X" or a statement such as "We do Y. We may do Z" versus a promise such as "Company shall do Y."

Why not have our own "Policies" as users that we publish for tech companies to read. In them, we could describe what we do and what we do not do, and what we may or may not do. Tech companies could rely on these statements. You can see how silly that sounds. Yet users are expected to read and rely on hundreds of different "privacy policies", collection of non-binding statements like "We take privacy seriously".

[istingray]

Solid points. A report card for various privacy policies would be useful. Seen anything like that?

[o8r3oFTZPE]

I wouldnt trust any of them to be honest. Privacy policies really arent worth anything.

I would look for websites that generally do not ask for data. Then send them the minimum data you can get away with. I would avoid "signing in" or "signing up" to any website. There is an immense amount of data and information available from free from the web, no "account" is necessary.

For example I dont send any extra HTTP headers like Cookies or User-Agent, I dont use Javascript. I dont request images, CSS. I dont automatically follow links in src tags. Yet I can still read and comment on HN and I can read every website posted to HN. Thats a lot of websites. I can read them just fine while not sending them any more data than is needed. Because I do not use a large, complex graphical browser sponsored by an online ad-supported vendor to make HTTP requests, I can easily control what I send. This is far better IMO than sending unknown amounts of data (letting the websites control what the browser sends via headers, Javascript and src tags) and then hoping the websites dont do things with the data that we dont like.

Privacy policies do not limit websites from collecting data nor do they limit how the data can be used. They are "policies" not agreements. If a website operator does things behind the scenes that violate privacy but that it does not disclose in a "privacy policy" what can a user do. How would the user even know. Or the website could clearly violate their own "privacy policy", but no one outside the website's operators would know. Even if users discover the violation, what would be the repurcussions. Its too late, because a violation means privacy has been blown.

Show me a case where a tech company got sued for violating a privacy policy. How can anyone prove a violation if the operations of the website are not open for public inspection.

[sunsetonsaturn]

The GDPR is meant to address this problem, check out https://www.enforcementtracker.com/ to see what the most recent rulings are.

Your observations are correct, the regulation is able to deal with the damage after it was done, and apply some form of punishment after the fact. It takes whistleblowers and activists to reveal some of the wrongdoings, otherwise the violations remain unknown to us.

Therefore there has to be a greater push towards proactive measures - letting people vote with their wallet by making informed choices; the prerequisite for that is for the relevant information to be available to them.

Have a look at some of the research I've been involved in, we're trying to solve this exact problem: http://privacy-facts.eu/

[istingray]

Wow neat how do you browse the web, Lynx?

[o8r3oFTZPE]

Generally I use custom utilities for HTTP generation, URL extraction, chunked transfer decoding, URL encoding/decoding, GZIP/ZIP/PDF/MP4 extraction, etc. Thus I can use any TCP client I want to make HTTP requests from the command line. I do not need a browser to request content. Nor do I need projects like curl or projects that use libcurl like youtube-dl. For large downloads I use tnftp. The shell script I use to download YouTube videos is 424 bytes.

For reading HTML I prefer links. It has the best rendering of HTML tables, IMO, and is for me the easiest source code to work with. I did use lynx back in the late 90's but would never go back to it. Its bloated. Its slow. Im not sure why anyone interested in text-only browsers would use it other than they are unaware of or have not tried alternatives.

[neltnerb]

Kind of limited since it's only evaluating websites, but https://tosdr.org/ attempts to implement this as a plugin.

Edit: And amusingly it only gives protonmail.com a B.

[sunsetonsaturn]

There is a project for bringing relevant privacy facts closer to users, so they can make informed decisions before choosing to buy a specific product or service. Check out the second screenshot on this page: http://privacy-facts.eu/features/

The idea is to express everything in unambiguous terms, so there's no way to weasel out of it with "yeah, but not by default" or, "well, it depends", etc.

[istingray]

I pasted an email I sent to Protonmail above. If they can't come up with language that's clear, use text from their privacy policy verbatim. Start educating users not to trust anything but what's in the policy, and even treat that as adversarial.

[o8r3oFTZPE]

Devils advocate: Why trust the policy. Can you enforce it. If yes, then how.

[istingray]

Agreed -- "even treat that as adversarial".