The phrase in the title is a common trope that comes up when VPN services are discussed. While this statement is technically correct, it can be misleading, as it implies that all providers handle law enforcement requests and prepare for worst case scenarios similarly, so their conduct cannot be a differentiating factor when you evaluate them.
It is something to always take into consideration and not forget.
Considering this is straight from a VPN provider, take this with a boulder-sized grain of salt.
And I say that as someone who believes using a VPN is generally more beneficial than not. And espouses most of that advice regarding the VPN.
Even if a VPN were totally benevolent and gave daily tours of its office, there’s still no 100% guarantee their claims can be verified at all times. So there’s always an element of trust. (I trust most of the ones outside of the Eyes countries more than my home ISP, though. )
See the last points in the article: run by activists, and would rather shut down than cooperate with law enforcement.
I don’t know if proton is run by activists, but I do know they’ve cooperated with law enforcement by inserting code to log user requests when coming from a specific user. Plenty of articles about the court case, and it’s also why they did away with their no-log policy.
Also, are their logins token based or username based and connected to the protonmail account?
I think they only did the login thing with their mail service and email was never a protocol ment for privacy and email and vpn laws vary wildly. Feel free to correct me tho .
Sure here’s the correction, and why I’d never trust them with anything sensitive.
They had a no-log policy, and all mail is PGP encrypted on their servers and proton to proton is encrypted in transit and at rest (it doesn’t travel), decrypted only client-side in the browser or with proton bridge, with your account password acting as the PGP key password.
They could have designed the system so they couldn’t be forced to add that backdoor, or at least automatically notified all users when an unauthorized change was detected, or they could have shutdown, or they could have revoked their warrant canary, but instead they were caught when the court case came to light and they were caught with their pants down, and revoked their no-log policy. https://arstechnica.com/information-technology/2021/09/privacy-focused-protonmail-provided-a-users-ip-address-to-authorities/
This weekend, news broke that security/privacy-focused anonymous email service ProtonMail turned over a French climate activist’s IP address and browser fingerprint to Swiss authorities. This move seemingly ran counter to the well-known service’s policies, which as recently as last week stated that “by default, we do not keep any IP logs which can be linked to your anonymous email account.”
That’s why I asked if the proton VPN is token-based and completely disconnected from the proton email account, or if they’re the same login. If the latter, it’s trivial to request the IP address of email account xxx@proton.me
As others have said, Mullvad is pretty close to (if not at) 100% guarantee… No personal info whatsoever is required to be given when you sign up (including email address or payment information; you can use Monero if you want), so there isn’t really anything that they could give to authorities even if they wanted.
Even if they did keep logs (which im 99.9% sure they don’t), all that would show is an IP address, and from what I understand based on past precedent, that is not enough to identify a person on its own. But IANAL.
The purpose of these corporate white papers is to inform (impress) potential customers of actual issues. It demonstrates knowledge and implies that the company has the ability to leverage their product or service to meet whatever the challenge is.
I wouldn’t say boulder-sized because the meat of the article is true, but yes a bit of skepticism is always useful.
Considering this is straight from a VPN provider, take this with a boulder-sized grain of salt.
And I say that as someone who believes using a VPN is generally more beneficial than not. And espouses most of that advice regarding the VPN.
Even if a VPN were totally benevolent and gave daily tours of its office, there’s still no 100% guarantee their claims can be verified at all times. So there’s always an element of trust. (I trust most of the ones outside of the Eyes countries more than my home ISP, though. )
I would put Mullvad and IVPN up there as the two VPNs I’d trust most to do things right, but I still agree with everything you’ve said.
I’d put proton there too
See the last points in the article: run by activists, and would rather shut down than cooperate with law enforcement.
I don’t know if proton is run by activists, but I do know they’ve cooperated with law enforcement by inserting code to log user requests when coming from a specific user. Plenty of articles about the court case, and it’s also why they did away with their no-log policy.
Also, are their logins token based or username based and connected to the protonmail account?
I think they only did the login thing with their mail service and email was never a protocol ment for privacy and email and vpn laws vary wildly. Feel free to correct me tho .
Sure here’s the correction, and why I’d never trust them with anything sensitive.
They had a no-log policy, and all mail is PGP encrypted on their servers and proton to proton is encrypted in transit and at rest (it doesn’t travel), decrypted only client-side in the browser or with proton bridge, with your account password acting as the PGP key password.
They could have designed the system so they couldn’t be forced to add that backdoor, or at least automatically notified all users when an unauthorized change was detected, or they could have shutdown, or they could have revoked their warrant canary, but instead they were caught when the court case came to light and they were caught with their pants down, and revoked their no-log policy. https://arstechnica.com/information-technology/2021/09/privacy-focused-protonmail-provided-a-users-ip-address-to-authorities/
That’s why I asked if the proton VPN is token-based and completely disconnected from the proton email account, or if they’re the same login. If the latter, it’s trivial to request the IP address of email account xxx@proton.me
deleted by creator
After the changes to their TOS I lost any trust I had in Proton
I’d put cryptostorm up there too
As others have said, Mullvad is pretty close to (if not at) 100% guarantee… No personal info whatsoever is required to be given when you sign up (including email address or payment information; you can use Monero if you want), so there isn’t really anything that they could give to authorities even if they wanted.
Even if they did keep logs (which im 99.9% sure they don’t), all that would show is an IP address, and from what I understand based on past precedent, that is not enough to identify a person on its own. But IANAL.
The purpose of these corporate white papers is to inform (impress) potential customers of actual issues. It demonstrates knowledge and implies that the company has the ability to leverage their product or service to meet whatever the challenge is.
I wouldn’t say boulder-sized because the meat of the article is true, but yes a bit of skepticism is always useful.