ProtonMail and WhatsApp under pressure over user privacy failings


A couple of investigations have revealed that some services that pride themselves on user privacy might not be nearly as secure as they claim.

TechCrunch has done a great job of summarising the case against Switzerland-based ProtonMail, which positions itself as one of the most secure email platforms available. Apparently, having been requested to do so by Europol, the Swiss authorities revealed to the French police the IP address of the person who created the ProtonMail account of a French activist, who was subsequently arrested.

ProtonMail itself has written a blog addressing the matter. “In this case, Proton received a legally binding order from Swiss authorities which we are obligated to comply with. There was no possibility to appeal this particular request,” it says. The most awkward part of this story, which isn’t really addressed in the blog, is the fact that ProtonMail was even logging user IP addresses in the first place.

Meanwhile ProPublica has published an investigation that alleges Facebook-owned WhatsApp has teams of contractors that sift through the private messages of its users and that it regularly shares such information with prosecutors. If true, this contradicts claims that WhatsApp messages are subject to strict end-to-end encryption that prevents anyone being able to intercept messages.

‘WhatsApp’s director of communications, Carl Woog, acknowledged that teams of contractors in Austin and elsewhere review WhatsApp messages to identify and remove “the worst” abusers,’ says the accompanying article. ‘But Woog told ProPublica that the company does not consider this work to be content moderation, saying: “We actually don’t typically use the term for WhatsApp.”’

Sounds like mere semantics to us. These revelations come on the back of Apple deciding not to spy on its users’ photos after significant backlash. This is unlikely to be a coincidence and there is a growing body of evidence that digital service providers are under increasing pressure from governments around the world to help them spy on their citizens. If even ProtonMail can’t be trusted then it’s not clear where privacy-conscious consumers can turn.



  1. Bernardo 07/09/2021 @ 3:54 pm

    Hello, long(ish) time podcast listener, and first time commenter here.
    Congratulations on the site and the podcast. It’s very refreshing to hear people freely speak their minds.

    While I very much agree on Mr. Bicheno’s general opinion regarding privacy, we should not confuse privacy with the Rule of Law. It’s a very interesting debate: if the police can legally wiretap someone’s telephone calls with proper judicial authorisation and the collaboration of the telephone companies, is it not also arguable that the police may plant a keylogger or other spyware in a mobile phone or computer with judicial authorisation and the collaboration of the device manufacturers and service providers?

    If we care about privacy, it’s not big tech we should stare at but the legislator, the executive and the judicial.

    • Scott Bicheno 07/09/2021 @ 4:40 pm

      Thanks and agreed. Extrajudicial censorship by platforms is one thing, the law is another, but that should still be subject to scrutiny and criticism. France using Europol to circumvent ProtonMail’s user protections is worrying, as is WhatsApp moderating supposedly encrypted private communications.

  2. John G. 07/09/2021 @ 6:38 pm

    Bernardo, what happens when the authorities call mere protestors “insurrectionists” and claim someone violated the law simply by walking into a government building when the door was literally being held open for them by police officers? Or when the authorities claim that somebody who had more than 5 family members or friends over to their house during a pandemic is guilty of negligent homicide because one of that person’s guests passed a virus to someone who passed a virus to someone who died from it?

    Imagine what Hitler or Mao could’ve done with Protonmail’s database of all our private info. Just because something is “legal” does not make it right; and just because something is “illegal” does not make it wrong. Unconstitutional decrees can be created at the drop of a hat, and laws can be interpreted differently and/or selectively enforced depending on who is in power.

    These private companies should do everything they can to not become a tool of oppression for an authoritarian state. Not saying that’s what happened here, but we can’t simply deny that these tech companies have a moral obligation to protect our private data from that kind of corruption, especially when they advertise privacy as one of their primary benefits.

  3. Princess 17/09/2021 @ 2:56 pm

    Can someone recommend the next best thing? What should I use if I can’t use proton?
