Proton Meet Isn't What They Told You It Was - Comments

rvnx

Most of the privacy claims (of all types of apps) are essentially garbage anyway because realistically, if a website or an app can be compelled to push an update to a specific user, then they can intercept anything they want.

It doesn't even have to be a specific binary, it can be "just turn on this A/B testing / debug flag for that user" or a piece of javascript.

henearkr

Is there any evidence that the mechanism to do that is in place?

I think that would be widely decried especially on HN if that is one day implemented.

The_Goonies1985

> Most of the privacy claims (of all types of apps) are essentially garbage...

True. Everything has backdoored CPUs as its foundation. Consider, for starters: Intel's 'Management' Engine, AMD's PSP, Apple/Arm's black-box hardware.

You can layer as much theater as you like on top of the hardware-surveillance-layer in modern computers; it still won't grant you privacy.

boramalper

> Most of the privacy claims (of all types of apps) are essentially garbage anyway

I think that’s a sweeping generalisation.

victorbjorklund

I don’t think that is a useful definition even if technically true. With that logic even Linux isn’t privacy because in theory they can push code that will only run for you.

kalaksi

You'll have to be more specific about what kind of "privacy claims" you're talking about. Proton is definitely a lot more private than, say, Google. But, as always, you'll have to trust the party delivering the binaries you run. Also, any company operating legally has to co-operate with court orders etc., but afaik they try to push back.

Imustaskforhelp

I once did some tinkering with Proton Docs and found that the comments within Proton Docs, when I used it via curl, definitely felt like they had something like logs (I feel like I should try doing this again to have a more definitive answer).

Either way, the response was encrypted, but they hold the encryption key, at least within Proton Docs.

I also want to say that Proton allows the ability to change your password through OTP (something which I sorta appreciate[0]), but that means that their infrastructure has the ability to change passwords. You can toggle that functionality by sending a request to Proton to allow OTP and on which number, so Proton themselves can do that too. Unless I am getting it wrong, by default Proton still has your encryption keys, and even if you change them (which 99%, including me, might not do), I definitely feel like there can be some concern.

To be honest, there is nothing like zero trust, that's what I learnt. You are still trusting Proton, aka the Swiss laws behind it, so that you know they won't get legally forced to give more data than usual (like US companies, for example), but they will still comply with the Swiss laws (recent Proton incident).

Then, secondly, you have to trust Proton themselves, but with something like this incident, where Proton Meet might be omitting some things, it doesn't paint a clear picture of transparency or trust.

I don't really know why Proton might create something like Meet, especially with its infrastructure relying on the CLOUD Act, and then try to sell it within the idea of privacy. They are both contradictory.

Proton is creating lots of products. On one hand I can appreciate that, but on the other, as part of the community, I feel frustrated/sad because they don't have some core features like proper Proton Drive rsync support or even some APIs[1] surrounding it. I tried to do the experiment in the first place because I wanted to create a commenting engine for static websites which could use Proton Drive as its backend. They really could gain a lot from transparency with proper API support and letting the community do things with it, but that's not really the case :/

I am still using Proton, but they definitely aren't a bastion recently. I might still recommend Proton, but I sort of hope that companies self-host some open source applications themselves, whether self-hosting on hardware or in a proper EU cloud like Hetzner/OVH.

But incidents like these are making me a little more hesitant to recommend Proton nowadays.

[0]: as someone who lost one of my previous accounts after my KeePassXC database got deleted because I accidentally wiped my Arch Linux while tinkering with it, now I use Bitwarden with OTP on Proton.

[1]: I was able to make something like an API myself by relying on something like Puppeteer; even with Puppeteer, though, it was really hard to make something like that. I couldn't create a public endpoint for it because having Puppeteer instances for a commenting engine would be very resource intensive.

ErroneousBosh

What a shitty website. I got to about the third slowly-fading-in-picture-of-text block and realised that whether or not I wanted to read it, it's more effort than it's worth.

ramon156

May I suggest reader view in FF? It's the first thing I do when I open an article (Ctrl+Alt+R)

a-rbsn

The easiest way to private video calls is just to self-host Jitsi Meet anyway.

pogue

After Proton has repeatedly turned over users of their email service to law enforcement, always with many excuses, their claims about no ability for any government to see what's going on on their network rang very hollow.

I know Brave has offered their Talk video conferencing service for a while, but I don't know if any serious network analysis has been performed on it. https://talk.brave.com/

For document collaboration, I'm not aware of much else that's private/encrypted (etc) however. https://www.privacyguides.org/en/document-collaboration/

mastermage

Privacy and anonymity are not the same.

I am fundamentally against spyware that constantly monitors you and reports anything, because of the constant and pre-crime nature of it.

On the other hand, I am actually not fundamentally against turning over data when independent judges sign a warrant.

This is arguably a very tight rope to walk, but I think that's the most realistic compromise between my right to privacy and the right of others to get justice when something is done to them.

0x3f

I'm always confused by the conspiratorial takes that think there's some service out there _not_ bound by the legal system where it resides. Obviously Proton obeys the law and gives up data when it has to. Where are the services that don't do that? Somalia?

niam

When have Proton turned their data over to law enforcement without a Swiss court order?

izacus

What do you mean by "excuse"? What kind of excuse would a company need to comply with the law of its government?!

Subdivide8452

I think this comment deserves some nuance. Every company has to comply with local laws. Unless you want to run something illegal, at which point it's not a very reliable alternative for all your mail and more.

Proton in some cases was forced to turn over whatever they knew of a few accounts, according to Swiss law. They try to obfuscate as much as possible, so they can't turn over complete e-mail conversations. But some info is in there, and they have to turn that over. But (correct me if I'm wrong) they only have to comply with Swiss law, when there's a court order.

wallaBBB

I often like to point out the yellow vests protesters being ratted out by Proton as a good example of how misleading their marketing is. French police contacted Swiss police to get the ID of the accounts, and the Swiss told Proton to hand over the data. Problem is, under French law, their police would not be able to get that data from local providers.

Proton - HK owner, dev team in Bulgaria and marketing with mythical claims of "Swiss company privacy". For a company that is essentially selling trust, they sure are shady as f...

zero0529

The question is, will the government learn anything meaningful if they subpoena the LiveKit providers? (Including and excluding HNDL.)

surgical_fire

After reading the whole article I was left with the same question.

I think they can know the IP from every participant in the call and some other metadata?

syl5x

The quiz at the end of the article is wild honestly.

q3k

I'm so tired of this particular kind of LLM (-assisted) slop. The engagement bait, the stupid little hacker-style animations, the drawn out text...

Please, people, use your own words, and don't overdo every little thing. It's tiring. When everybody does this, nobody stands out.

jrflowers

This is actually kind of hilarious. “We don’t store your data when you use our service. You hand it over in real time when you use it.”

red_admiral

Is this the web version design of the "moon landings were a hoax" conspiracy poster?

avazhi

Pretty funny because a few weeks ago some dude felt compelled to virtue signal about how he was moving off American-controlled services like Gmail, as some ostensible protest against Trump and the Iran War. I pointed out that Proton Mail, one of the services he moved to, is ultimately controlled by the US Gov, and my comment got flagged lol.

Proton being at the behest has been old news for a while.

guilamu

"Proton Mail, one of the services he moved to, is ultimately controlled by the US Gov,"

Would you mind elaborating, pretty please?

beevelop

Especially questionable choice by Proton not to opt for the self-hosted option. LiveKit offers an enterprise tier that even lets you set up your own mesh, so you are not dependent on their hosted infra.

progbits

To be fair, I'm running a self-hosted LiveKit deployment at work and it's a major pain in the ass.

Obviously Proton should self-host everything, but I can understand why they didn't want to.

raverbashing

I just love people who go on their soapbox to complain about a newer alternative when the status quo is worse

"nooo but proton mail complies with court orders!!111" wow shocking I know right? Do you think the other providers don't?

These are usually the same people who forget rubber-hose decrypting works

"But they use LiveKit Cloud" yes - however we don't know half the story

Can Proton BYOK over their infra?

LiveKit's website TOS is for a generic user, not Proton Mail. We don't know if there are any agreements there

> "all disputes are governed by the laws of the State of California"

Yes this is common with TOS.

> Their privacy policy explicitly acknowledges FTC jurisdiction and states the company will "access, preserve, and disclose your information"

This is the important part, not the other one above it

> showed active connections to 161.115.177.32 on port 443, a LiveKit-owned IP block (ARIN OrgId LIVEK) hosted on Oracle Cloud Infrastructure

Good test, but what/where was the originating IP? Was it using Brave's VPN (to the US) by any chance?

TBH I'm still more annoyed about the 90 day cookie - that was just rude
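The "active connections to 161.115.177.32 on port 443" check quoted above can be reproduced on your own machine, and the originating-IP question the commenter raises is answered by looking at the local side of the same socket. Here is an added example, not code from the article, from Proton or from LiveKit: a Python script that parses `ss -tnp` output (the Linux socket table, including the owning process), flags established peers that fall inside a watched address block, and records the local address so you can tell whether the connection left through a VPN/tunnel interface. The CIDR `161.115.177.0/24` is a placeholder for the vendor block (look the real range up in ARIN whois), the socket lines are constructed, and the set of tunnel addresses is something the caller supplies from `ip addr` on the relevant interface.

```python
"""Which remote endpoints does a running client actually talk to, and via which local address?

Added example for this thread; not code from the article, Proton or LiveKit.
Parses `ss -tnp` output and flags ESTAB peers inside watched CIDR blocks,
recording the local address so the egress path (e.g. a VPN tunnel) is visible.
"""
import ipaddress
import re
import subprocess
from dataclasses import dataclass
from typing import Iterable

# PLACEHOLDER block constructed for illustration; confirm the real range via ARIN whois.
WATCHED_BLOCKS = {
    "LiveKit (placeholder range)": [ipaddress.ip_network("161.115.177.0/24")],
}

# One `ss -tnp` row: State Recv-Q Send-Q Local:Port Peer:Port users:(("proc",pid=..,fd=..))
# IPv6 addresses appear bracketed, e.g. [2001:db8::1]:443.
_LINE_RE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+'
    r'(?P<laddr>\[?[0-9a-fA-F:.]+\]?):(?P<lport>\d+)\s+'
    r'(?P<raddr>\[?[0-9a-fA-F:.]+\]?):(?P<rport>\d+)'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


@dataclass
class Finding:
    process: str      # owning process name, "?" if ss could not show it
    local: str        # local address of the socket (the "originating IP" as the host sees it)
    remote: str       # peer address
    port: int         # peer port
    block: str        # which watched block the peer fell into
    via_tunnel: bool  # True if the local address belongs to a known tunnel interface


def parse_ss_lines(lines: Iterable[str], tunnel_addrs: frozenset = frozenset()) -> list[Finding]:
    """Return one Finding per established socket whose peer is in a watched block."""
    findings: list[Finding] = []
    for line in lines:
        m = _LINE_RE.match(line.strip())
        if not m or m.group("state") != "ESTAB":
            continue  # header row, or a non-established state such as TIME-WAIT
        laddr = ipaddress.ip_address(m.group("laddr").strip("[]"))
        raddr = ipaddress.ip_address(m.group("raddr").strip("[]"))
        for name, nets in WATCHED_BLOCKS.items():
            if any(raddr in net for net in nets):
                findings.append(Finding(
                    process=m.group("proc") or "?",
                    local=str(laddr),
                    remote=str(raddr),
                    port=int(m.group("rport")),
                    block=name,
                    via_tunnel=str(laddr) in tunnel_addrs,
                ))
    return findings


def check_live(tunnel_addrs: frozenset = frozenset()) -> list[Finding]:
    """Run `ss -tnp` on this host (Linux) and parse its output."""
    out = subprocess.run(["ss", "-tnp"], capture_output=True, text=True, check=True).stdout
    return parse_ss_lines(out.splitlines(), tunnel_addrs)


# Constructed sample output, not a real capture. 10.8.0.6 plays the role of a VPN
# tunnel address; 198.51.100.7 is a documentation-range address for an unrelated peer.
SAMPLE_SS = """\
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process
ESTAB     0      0      10.8.0.6:51234      161.115.177.32:443  users:(("brave",pid=4242,fd=118))
ESTAB     0      0      192.168.1.20:44100  198.51.100.7:443    users:(("brave",pid=4242,fd=90))
ESTAB     0      0      [::1]:38000         [::1]:5432          users:(("psql",pid=777,fd=3))
TIME-WAIT 0      0      192.168.1.20:44200  161.115.177.40:443
"""

if __name__ == "__main__":
    # In real use, fill tunnel_addrs from `ip -4 addr show dev tun0` (or your VPN interface).
    for f in parse_ss_lines(SAMPLE_SS.splitlines(), frozenset({"10.8.0.6"})):
        print(f"{f.process}: {f.local} -> {f.remote}:{f.port} [{f.block}] via_tunnel={f.via_tunnel}")
```

Run it as-is to see the parse of the constructed sample, or call `check_live()` on a Linux box while the client is in a call. A hit with `via_tunnel=True` tells you the vendor saw your VPN provider's egress address rather than your ISP address, which is exactly the distinction the comment above is asking about.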

ashikns

People complain because Proton specifically advertises privacy, mainstream providers don't. Which is pretty reasonable as far as complaining goes.

Good job on mocking others though :*

readthenotes1

Your complaint is not at all what the article is about.

The article is showing that the proton claim that their new service is private from the US government data acquisition, including inability to access call metadata, is a lie (an intentional misrepresentation of the known truth by Proton).

sevg

You’ve missed the point: being deceptive is not ok, regardless of whether “the status quo is worse”.

bootsmann

Yeah, this same site did an article on some minor Ubuntu bootloader drama some weeks ago, and when I recognized the design I just stopped reading. If you have something to say, don't go out of your way to make it hard to parse.

tamimio

Proton is the most shady company out there, especially with the fact that they try to make you put all your eggs into their basket. I stopped using their email (when they used to be an email-only company) when they dropped the .ch domain. Same goes with botched security products like GrapheneOS and the likes: when the hardware is backdoored and the modem is tracking you more than your psycho ex, yet you are given this illusion of security to buy... you are not, in fact, you are gonna get more obvious for fingerprinting than using an average iPhone like most people and blending in. Honeypot, hornet's nest, whatever the terminology, but the concept is being used, and is still used, to lure people in and make the job easier to ID them than going after them in the wild.

mdhen

They definitely still have the .ch domain

arcza

What a truly unreadable website. As another commenter said I see a few of these get churned out with the same annoying dark patterns.

IceDane

This is the worst form of article I've ever seen. Did the author read this? Is there even really an author, or did ChatGPT just write all of it and generate the page?

davzie

Interesting how so much negative sentiment creeps out when there's a true European competitor to the big US tech companies.
