by notaustinpowers 728 days ago
From the same transparency report page, they refuse any requests from countries that are not Switzerland, and only provide information to Swiss authorities when necessary (i.e. valid international legal assistance, violations of Swiss law, etc.).

As well, emails and files are encrypted. And their VPN is a no-log VPN.

Lastly, they can comply with an order and just give them nothing, because they don't have anything they can give. No files (E2EE), no VPN network info (No-logging), no emails (E2EE), etc. That's still, legally, an order they complied with.

Generally it goes like this:

1. Government entity (usually the US or EU country) pressures the host country's government

2. Host country's government makes a legal request to the company for info on this user.

3. Company adds logging for that specific user.

4. Logging is provided to all those interested.

5. Host country prosecutes (potentially extradites).

There's a public accounting of this happening for Proton and Mullvad too iirc.

You're making multiple conjectures to get to that conclusion, of which the only evidence presented is another company based in a different country than Proton.

It may be true, it may not be, but there needs to be more information or facts before we get to the original comment's statement that Proton gives data to expose protestors to protect "the powers that be".

I'm not making conjectures, these events happened.

That's the flow of how government legal requests work with no-log vpn services.

What do you think "Orders complied with" means then?

Here's an instance of Proton adding logging of an activist's IP Address and Device ID after a request from the French authorities:

https://techcrunch.com/2021/09/06/protonmail-logged-ip-addre...

> French police sent a request to Swiss police via Europol to force the company to obtain the IP address of one of its users.

It's right there in the police report.

If a government says "Give us everything you have on this user", and Proton gives them a sheet of paper that says "Here's the primary email for the account, we don't have access to anything else", the order is legally complied with.

Granted, I don't know much of how Swiss legal processes work, but I do know Switzerland has the best privacy laws when it comes to VPNs (which is why a lot of VPNs use Switzerland). Switzerland even has laws on their books that prevent them from compelling no-log VPNs based in Switzerland to log specific users.

I provided an instance of Proton giving the IP address and Device ID of a user after the French authorities requested it.

In their own policy:

> “In addition to the items listed in our privacy policy, in extreme criminal cases, ProtonMail may also be obligated to monitor the IP addresses which are being used to access the ProtonMail accounts which are engaged in criminal activities.”

So there's no question whether or not they do it, it's more of how often they do it and for what. The French case was a big deal because it didn't seem to meet the "extreme criminal case" threshold, and yet the logging was still carried out.

Feels to me after reading the article they earnestly try to do their best to offer privacy enhancing alternatives and push back often. What percent of these requests do Meta, Google or Microsoft fight? Ratios like that matter.

Proton is extremely transparent and said:

If you are breaking Swiss law, ProtonMail can be legally compelled to log your IP address as part of a Swiss criminal investigation. This obligation however does not extend to ProtonVPN (see VPN privacy policy here). Additional details can be found in our transparency report.

Yeah, that's shitty, and it's no excuse, but I understand that, as a company, Proton will still have to comply with Swiss law, and if Swiss law requires IP address monitoring in "extreme criminal cases", I doubt Proton has the ability to decide whether a case fits that or not.

I saw in the article that Proton also offers an onion address, which will make the IP Address monitoring useless anyway. So they, legally, have to do the monitoring, but provide a tool that makes their "monitoring" useless.

Switzerland is one of the few countries not instantly putting up with US demands, so it's not that clear and obvious.