Proton AG – the Swiss company behind Proton Mail, the popular encrypted email service – came under fire in April for complying with a request from Spanish police for information about one of its users – a Catalan pro-independence activist.

It is clear why this was a controversial move. It’s disgusting when the “good guys” are “sold out” by a company that promises privacy. But if you’re angry at Proton for complying with legal requests, you need to reevaluate your fantasies about privacy technology.

We all love crypto and the ideals associated with it. But encryption is not a silver bullet, and the more we encrypt, the more important metadata becomes. When it comes to privacy, metadata is an exercise in minimization – but centralized services have natural limits on how small their metadata collection can be.

Proton has done a great job of restricting access to user metadata. They should get a pat on the back for building a system where all they can offer is an optional recovery email. (In this case, the company provided the user’s assigned email address, which led police to his Apple account.) Instead, they were confronted by anonymous people online brandishing “unsubscribe” buttons and ominous headlines that began with “Is Proton…” and ended with question marks.

The platonic ideal of privacy technology

The fantasy goes like this: The privacy company receives a formal legal request from the authorities, the privacy company turns on the authorities, and the privacy company delivers news of victory to the frenzied cheers of its fans. This prediction has reared its head several times, including another ProtonMail case just two years ago.

But fantasy is illusory and self-destructive.

If Proton goes this route, it will face crippling legal pressure that would set the sun on the entire company very quickly – hence we only have a handful of approved encrypted email providers. This is not a beneficial outcome for Proton, Proton users, or privacy in general.

FreedomTech editor SethForPrivacy defended Proton Mail in a post on X, writing that the case “proved” that Proton’s architecture “minimizes the amount of data on any given user.”

Proton is well aware of this, so the reality is that it has complied with nearly 6,000 legal requests in 2023 alone. Once the shock of the news wore off and steady hands like SethForPrivacy showed up, more people accepted that the anger wasn’t really justified and wasn’t helpful.

Blaming opsec is a cop-out

As the story cooled, Proton’s defenders pointed out that de-identification was only possible in this case because a recovery email was provided. They say it’s actually the activist’s fault for the operational security (opsec) leak — but that’s just another fruitless iteration of the blame game.

We can’t end this story by saying, “Well, you’ve just got to do a better job than that.”

The fundamental question is: Can we do better?

Encryption is our baseline. We must use it, we must defend it, we must protect it. Proton has this and minimal metadata collection, so we have a good foundation to work from here.

Furthermore, the wise advice is to access Proton using a VPN/Tor (and more importantly, not ProtonVPN) and pay for your subscription using crypto. This message has spread widely over the past two weeks – but it is not new advice, and we continue to see cases like our Catalan activist. People will be left behind if services require manual user hardening, and sometimes they will be the same vulnerable people we are trying to protect.

In the Catalan case, the email provided to register for the E2EE messaging app, the recovery email provided to a secure email service, and the iCloud email were the pieces of the puzzle required for de-identification. These are small mistakes that anyone can make, but together they create a metadata breadcrumb path that can be followed with relative ease.

The possibility of applying decentralization to limit the collection of metadata

Our goal should be to create tools that are hardened out of the box, and to ensure that any options that may compromise privacy are clearly described in place.

Perhaps decentralizing parts of the system will help us take things a step further than Proton. Decentralization is a useful way to reduce the amount of data that the central company actually needs to process in order to provide the service.

For example, applications can be built on top of decentralized networks capable of storing or forwarding the data required for the service. For an email service, this means storing and forwarding the mail itself – including weak metadata like subject lines and timestamps of the mail. This decentralized network layer will use more advanced privacy-preserving techniques like onion routing as well. This way, the user’s IP address will be better protected even if they are not using a VPN. Some networks like this already exist – like Tor – but we have similar networks that are secured and incentivized by blockchain, like the Nym mixnet.

Networks like Nym are generalizable for data routing needs, and already provide software development kits (SDKs) for integration into third-party applications. Mixnets are very slow, so this may not be a good solution for instant messaging or conferencing services, but for email – it might work.

The storage side of things is more complicated. Application-specific networks, such as the Session network (used by the messaging app I’m working on), provide message caching in a decentralized way, but that wouldn’t work for email, which is very difficult: for many people, the benefit of email is actual record keeping.

This limitation, combined with spam filters and the email mafia, might make top-down decentralized email service impractical – although it wouldn’t stop people from trying – but we certainly can make this work with other communication tools, such as messaging, video and audio conferencing, and team communication platforms (such as Slack and Discord).

Ultimately, legal demands will persist, and companies will continue to comply. It’s the way things should be. But in cases where safety and security are paramount, purposeful decentralization can provide an additional layer of protection that is vital for people at risk.

Proton — People have already designed and built solutions that can be beneficial to you and your users. We can help, all you have to do is call (or, I guess, email).

Alexander Linton is the director of the encrypted messaging app Session and its non-profit organization OPTF. He earned a BA in Journalism from RMIT University before enrolling at the University of Melbourne for postgraduate studies.

This article is for general information purposes and is not intended and should not be taken as legal or investment advice. The views, thoughts and opinions expressed herein are those of the author alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.