• Im_old@lemmy.world
    link
    fedilink
    English
    arrow-up
    31
    arrow-down
    1
    ·
    edit-2
    8 months ago

    Proton a few years ago disclosed the IP address of the user of a certain mailbox upon request by LEA. That was enough to get the person found and arrested (I don’t remember what the case was about). They HAVE to comply with these requests, but they DON’T need to log/retain those info ETA: and I was wrong, thanks @Cheradenine@sh.itjust.works to set me straight. But I think the point still stands. I don’t want to be ALWAYS be tied to a VPN, there are some scenarios where I can’t use a VPN.

    That was the moment I decided to selfhost my email server.

    • Cheradenine@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      28
      ·
      8 months ago

      In that particular case they did need to log the ip because they were compelled to do so by a Swiss court.

      That was an opsec failure on the user, if they used a VPN or Tor they would not have been caught.

      • 0x0@programming.dev
        link
        fedilink
        English
        arrow-up
        7
        ·
        8 months ago

        A VPN would’ve only shifted the “blame” unless it was a decent one like IVPN.

        Tor would’ve been much better, especially considering Proton has an .onion address.

        • Cheradenine@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          13
          ·
          8 months ago

          Yes, by VPN I meant something decent. Not whatever spyware is top on the Play Store for circumventing geoblocks.

          They were already using Proton Mail, they just were probably thinking that was enough. It would have been if the French had not been able to convince a Swiss court that their request was valid.

      • NotMyOldRedditName@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        8 months ago

        So couldn’t a court compel the VPN to log all IPs and then use some FISA level shit to prevent the VPN from alerting users?

        There’s been a handful of VPN cases taken to court where they have proved, at that moment in time, that they had no logs to hand over. But why not take it that last step and compel the change then?

          • NotMyOldRedditName@lemmy.world
            link
            fedilink
            English
            arrow-up
            2
            ·
            8 months ago

            US Gov: Here’s a blank cheque, make it happen.

            But really, the best I can come up with given this is clearly not impossible, is it would destroy the business, but I still think FISA could somehow bypass that given how broad and secret it is.

    • barsoap@lemm.ee
      link
      fedilink
      English
      arrow-up
      16
      ·
      8 months ago

      Posteo doesn’t have to retain IPs and doesn’t, it also doesn’t retain payment info (though if you transfer by wire there’s still a window where a payment can be traced AFAIU).

      They will also absolutely forward any and all traffic for a particular account to law enforcement when given a court order. What’s it with criminals thinking that they can outsource opsec to legitimate businesses. Defending against a state-level actor actively hunting you down, watching closely and pouncing on any and every mistake, is a vastly different beast than making sure google doesn’t know about the butt plug you just bought.

    • pressanykeynow@lemmy.world
      link
      fedilink
      English
      arrow-up
      5
      ·
      8 months ago

      That was the moment I decided to selfhost my email server.

      So now the hosting you use will share the same(or likely much more) data if some government requests it.

      • Im_old@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        8 months ago

        They can get my encrypted drive. My domain name is registered to me so that’s clear it’s my email. But no content.