Protonmail Secure? Not So Fast.
From The Hacker News,
ProtonMail Logs Activist’s IP Address With Authorities After Swiss Court Order
Yes, the Swiss email provider that many activists use on all sides of the political spectrum has exposed itself. This is coming on the heels of a German court rendering Tutanota in the same boat.
On its website, ProtonMail advertises that: “No personal information is required to create your secure email account. By default, we do not keep any IP logs which can be linked to your anonymous email account. Your privacy comes first.”
Yeah, ok. First problem here is that people tend to want to rely on technology to supplement tradecraft. Doesn’t work that way. Nothing in the electronic realm should be considered 100% secure unless you physically own the protocol by which it operates (and to that end, built it). This means physical encryption via analog. You can get it, but you can’t make any sense of it.
The second problem, which dovetails on the first, is that if something of a sensitive nature needs passing, its done in person. Its called compartmentalization. This is, of course, an alien concept in the era of social media groups supplanting physical human contact. When everyone only lives online they reap the results. There’s a reason groups like the Taliban and the old moonshiner network in Appalachia are notoriously hard to infiltrate, and its because they primarily operate in the human domain.
The third issue is that by its nature the tools used in online tradecraft do not remain in stasis. Its a constantly evolving game and we, with it. When it comes to surveillance, everything revolves around patterns of life. If you have any doubt, there is no doubt. Assume its compromised and work within those parameters.