Martin Steiger also responded. Addendum 2 in his blog article [1]:

Tonight, on 29 May 2019, ProtonMail responded to this article with a blog post entitled „Response to false statements on surveillance made by Martin Steiger“. (This article was published on 23 May 2019 and not „earlier today“ as claimed by ProtonMail.)

ProtonMail claims that this article is „factually incorrect“ and states first and foremost that it does not voluntarily offer assistance for real-time surveillance. Apart from that, ProtonMail does not respond to the many points raised in this article.

ProtonMail essentially refers to my addendum, where I point out that the public prosecutor in question contacted me, saying he had been misquoted. ProtonMail of course „forgets“ to quote my full addendum and shows an incomplete screenshot of my addendum. ProtonMail quotes only the part with the public prosecutor’s claim and not my explanation why I am confident that the public prosecutor was not misquoted. ProtonMail also claims that the addendum is „hidden at the bottom of Mr. Steiger’s article“, although it is linked right at the beginning of this article.

In a direct email to me, ProtonMail’s legal department confirmed that real-time monitoring could be carried out. The legal counsel of ProtonMail now argues that ProtonMail is after all a provider of derived communication services and that having to tolerate surveillance carried out by the Swiss Federal Post and Telecommunications Surveillance Service (PTSS) according to Art. 27 para. 1 SPTA is equal to an obligation for real-time surveillance. In addition, ProtonMail threatens to take legal action for defamation pursuant to Art. 174 of the Swiss Criminal Code.

As mentioned above, the SPTA provides neither for providers of derived communications services without more extensive surveillance obligations nor for telecommunications service providers with reduced surveillance obligations an obligation for real-time surveillance. As also mentioned above, ProtonMail used to claim to be a telecommunications service provider with reduced surveillance obligations. In either case, there is no obligation for real-time surveillance, i.e., any real-time surveillance is performed voluntarily by ProtonMail.

ProtonMail once again argues contradictorily and inconsistently. Every user of ProtonMail must still decide for himself whether the email service is trustworthy.

[1] https://steigerlegal.ch/2019/05/23/protonmail-real-time-surveillance/
It's absolutely necessary in today's outrage-fueled world to get your statement out as quickly as possible. The longer it takes to get a response out, the more the outraged masses dig in, and the less likely the truth will stand in people's minds after the dust settles.
The conversation we had yesterday on this topic was not very productive. One thing I'd like to see is a clarification about what surveillance actually means to a user. Does it mean:

- Providing IP address details?
- Providing message contents?
- The police compelling you to provide your password?
- Anything else I'm missing?

It would be nice to avoid equivocating "surveillance" and stick to a common definition so we can argue the merits of each potential practice.
I'm not going to get into the meat of the drama here but I do want to say, and I hope the ProtonMail team is reading, the value of ProtonMail for me isn't even in protecting me from state actors and whatever they're proud about for being in Switzerland etc.

The value of their service to me is primarily:

- they aren't mining my communication for ad revenue or the enabling of any convenience features which indirectly leads to ad revenue
- should someone (perhaps not a nation state) gain access to their storage, that attacker can't see the plaintext of my past mail. Perhaps this doesn't stop them from monitoring incoming/outgoing unencrypted mail, but at least my life history is secure.

I guess they're trying to get this across with their marketing/branding but it always felt a little more over the top to me than the more practical feelings I have about it, if that makes sense.

I know some people will say "go with Google because their security team is the best" and maybe that's true, but my threat model here is Google's business model, not nation states. Would it bother me if I found out ProtonMail was colluding with nation states etc? Yeah, maybe enough to switch providers should one of similar quality exist. Now to read into this kerfuffle...

edited for formatting

edit post read (quote from Steiger's second addendum regarding ProtonMail's response):

> ProtonMail once again argues contradictorily and inconsistently. Every user of ProtonMail must still decide for himself whether the email service is trustworthy.

The decision I'm making, and this shouldn't be surprising given my initial comment above, is that I will continue to be a happy paying user.
I agree the advertising is kind of misleading, but I always had the pessimist view that the service might give away more than their marketing/branding tries to let on, whether voluntarily/knowingly or not.

I am a little disappointed that ProtonMail didn't respond more directly to some accusations; I guess they might not want to if they're suing for defamation (according to Steiger?). I am also a little disappointed that both in their response and in their HN comment they said he "hid" something at the bottom which was clearly linked. Though I think he could have done a better job of highlighting the content of that addendum where it was relevant in the article, I wouldn't call it hiding given the link.

I would be happy to see the marketing/branding take a shift towards my more practical viewpoint of it, and maybe this incident will encourage that. I have friends/family creeped out by Google/Yahoo, but when they go to the home page for ProtonMail they tell me (in different words) that the branding is too tin-foil-hat. The value is there for them otherwise but it is hard to get past that.

Anyway, back to work...
They have metadata (IPs, ports, date, time, bytes, etc.) and can be compelled to release it. This can be (and is) used to correlate activities and make accusations, obtain warrants, etc.

Metadata is very powerful and is captured on every network. It's a byproduct of the requirements of the network and its protocols. How many bytes were sent? To where, from where? How long was the session? etc. They may not know what the data contained, but they'll know everything else down to the second.
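To make the comment above concrete from a provider's side, here is an added example (not code from the thread, ProtonMail, or Steiger) that parses a few constructed flow-log lines of the kind any mail or web server front end produces, summarises what a session looks like from metadata alone (endpoints, duration, byte counts, no content), and then shows the same session after a data-minimisation pass that keeps only what a provider has chosen to retain. The log format, addresses and timestamps are all made up for the example; the minimisation policy (client /24, hour-granularity timestamp, no byte counts) is an illustrative choice, not a legal standard.

```python
"""Session metadata from flow logs, and a minimised form of the same record.

Added example. The log lines below are constructed, not real traffic, and
the "minimise" policy is one illustrative choice of what a provider might
retain instead of full connection metadata.
"""
from datetime import datetime, timezone
from ipaddress import ip_network

# Constructed flow records: "ISO-timestamp src_ip:port -> dst_ip:port bytes"
FLOW_LOG = """\
2019-05-29T21:00:01Z 203.0.113.10:51234 -> 198.51.100.5:443 512
2019-05-29T21:00:02Z 198.51.100.5:443 -> 203.0.113.10:51234 4096
2019-05-29T21:00:15Z 203.0.113.10:51234 -> 198.51.100.5:443 1200
2019-05-29T21:03:30Z 203.0.113.10:51234 -> 198.51.100.5:443 300
2019-05-29T21:10:00Z 203.0.113.77:40000 -> 198.51.100.5:993 256
2019-05-29T21:10:01Z 198.51.100.5:993 -> 203.0.113.77:40000 20480
malformed line that a parser must tolerate
"""


def parse_flow_log(text):
    """Turn flow-log lines into dicts; lines that do not fit the shape are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "->" or not parts[4].isdigit():
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        records.append({"ts": ts, "src": parts[1], "dst": parts[3],
                        "bytes": int(parts[4])})
    return records


def summarize_sessions(records):
    """Group records by endpoint pair; the first packet's source is the client.

    Returns one summary per session, in first-seen order: who talked to whom,
    when it started and ended, how long it lasted, bytes each way. Nothing
    here touches message content, which is the point of the comment above.
    """
    sessions = {}
    for r in records:
        key = frozenset((r["src"], r["dst"]))
        s = sessions.get(key)
        if s is None:
            s = sessions[key] = {"client": r["src"], "server": r["dst"],
                                 "start": r["ts"], "end": r["ts"],
                                 "bytes_out": 0, "bytes_in": 0}
        s["start"] = min(s["start"], r["ts"])
        s["end"] = max(s["end"], r["ts"])
        if r["src"] == s["client"]:
            s["bytes_out"] += r["bytes"]   # client -> server
        else:
            s["bytes_in"] += r["bytes"]    # server -> client
    for s in sessions.values():
        s["duration_s"] = int((s["end"] - s["start"]).total_seconds())
    return list(sessions.values())


def minimize_session(s):
    """Illustrative retention policy: client network only, hour granularity,
    server endpoint kept, byte counts and exact timing dropped."""
    client_ip = s["client"].rsplit(":", 1)[0]
    net = ip_network(f"{client_ip}/24", strict=False)   # assumed /24 policy
    hour = s["start"].replace(minute=0, second=0, microsecond=0)
    return {"client_net": str(net), "server": s["server"],
            "hour": hour.strftime("%Y-%m-%dT%H:00Z")}


if __name__ == "__main__":
    for s in summarize_sessions(parse_flow_log(FLOW_LOG)):
        print("full   :", s["client"], "->", s["server"],
              f"{s['duration_s']}s out={s['bytes_out']} in={s['bytes_in']}")
        print("minimal:", minimize_session(s))
```

Running the script prints, for the first constructed session, a 209-second exchange with 2012 bytes out and 4096 bytes in, then the minimised record `{'client_net': '203.0.113.0/24', 'server': '198.51.100.5:443', 'hour': '2019-05-29T21:00Z'}`. The difference between the two lines is exactly the metadata a provider can be compelled to hand over only if it has kept it.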
Can someone answer a simple question regarding privacy value.

What exactly does ProtonMail have to disclose, or what can it disclose, under a legal obligation? Only the encrypted message? "Envelope" metadata? Something else?

I think it is important to understand this to assess their service before calling alarm bells that it's useless or storing criminal correspondence there. I couldn't grasp it clearly from the message.
The original blog post from Steiger did seem suspect to me when I read it earlier today when this story broke. What's still unclear is what the motive would be to make up or exaggerate such a story.
And what about the statement in their own transparency report that corroborates it, which is a major part of Steiger's case? This response is pure bluster and indicates Steiger is right.
For more context, see https://news.ycombinator.com/item?id=20044336 and its parent.
Your snail mail’s “metadata” is inspected and saved. Your snail mail can be intercepted. The snail mail system is a public good if ever there was one, and managing it is done with the whole in mind.

If the s-mail system were used to deliver viruses daily, and in large volumes, I wonder what the reaction would be? Would we say, “Those individuals have every right to utilize the s-mail system to deliver deadly viruses as they like. It is the receiver’s responsibility to not open those packages.” How many people that disapproved of e-mail “surveillance” also disapproved of s-mail surveillance during the post-9/11 anthrax attacks? I wonder.