You 'forgot' to copy the full addendum. It reads as follows:
'Public prosecutor Walder of the Competence Center Cybercrime contacted me, saying he had been misquoted. He claims that had not divulged at the above-mentioned event that ProtonMail voluntarily releases real-time data. He had merely described ProtonMail as a potential provider of derived communication services (PDCS).
I was live-tweeting the event, including the interesting presentation by public prosecutor Walder. The remark that ProtonMail was a (potential) PDCS would have been too trivial to be live-tweeted. The insight on the other hand that ProtonMail voluntarily offers assistance for real-time surveillance, was spectacular and I therefore live-tweeted the statement. In its transparency report, ProtonMail – as mentioned above – itself refers to at least one case of real-time surveillance.'
> ProtonMail even mentions a current case of real-time surveillance:
„In April 2019, at the request of the Swiss judiciary in a case of clear criminal conduct, we enabled IP logging against a specific user account which is engaged in illegal activities which contravene Swiss law. Pursuant to Swiss law, the user in question will also be notified and afforded the opportunity to defend against this in court before the data can be used in criminal proceedings.“
By writing of a „case of clear criminal conduct“ and of „illegal activities which contravene Swiss law“, ProtonMail violates the presumption of innocence against the monitored suspects. Such suspects are of course not informed by ProtonMail about ongoing real-time surveillance measures.
I'm not denying that they complied with the order to enable IP logging.
What I'm saying is that the author claims they voluntarily offer real-time logging without the need for judical intervention - per the prosecutor.
The author of the article at hand later added an addendum saying the prosecutor was mis-quoted in their article [[ and that Protonmail does not voluntarily offer real-time logging.]] (Note: The part inbetween [[]] is misleading - the prosectuor does not say that. I wrote it out rather than quoted it directly, and made an error. I am leaving it in for posterity)
The authors defense regarding the misquote is saying "I live tweeted it, so it happened".
Whether they do or not - I'm just pointing out the weakness of the argument that "I tweeted it, so it happened"
>The author of the article at hand later added an addendum saying the prosecutor was mis-quoted in their article and that Protonmail does not voluntarily offer real-time logging.
That is completely false. The author said that the prosecutor claimed to have been misquoted, not that he was misquoted. The author clearly stands by his quote, and it is therefore untrue that he says that Protonmail does not voluntarily offer real-time logging.
You are correct, my rewording ended up being misleading. My apologies.
I don't think it detracts from the substance of my argument, however. This is a he-said-she-said battle where one says "I tweeted it so it happened" and the other says "no, it doesnt".
> I'm not denying that they complied with the order to enable IP logging.
What 'order'? All their report says is 'request'. If they had meant order, they would have said court order: in all the other cases in the transparency report, they specify if there was a court order.
I think it's a strong argument. It's not 'someone much later with fuzzy memories decided to interpret what they thought they heard', it's 'someone right there and then was so struck by what the revelation they just heard that they broadcast it to the world (and you can check that they did by looking at the Twitter timestamp)'.
Which do you trust more, a witness statement taken a minute after the crime, or made a year later?
That someone said something very revealing and immediately backtracked with an excuse "I didn't say what I said" is, on the other hand, deeply unconvincing.
I think we should not think of "request" in the same way as a court order. This seems the essential difference to me.
By the way: The author of the post is an attorney at law and member of the Chaos Computer Club (CCC), which makes me believe that he wouldn't falsely accuse ProtonMail.
The addendum does not categorically say that ProtonMail does not voluntarily offer real-time logging. The prosecutor correction says he didn’t disclose that at that event. He could have disclosed it anywhere else, he might know it happens but hasn’t disclosed yet. The quoted correction is worded in a way the prosecutor could have certain knowledge they do do that and is not refuting it.
// EDIT (moved word categorically) per comment below.
Fair reading of the addendum, I put my own words to it and it was misleading.
I don't think it detracts from "I tweeted it, so he said it" per:
>The remark that ProtonMail was a (potential) PDCS would have been too trivial to be live-tweeted. The insight on the other hand that ProtonMail voluntarily offers assistance for real-time surveillance, was spectacular and I therefore live-tweeted the statement.
From what I am seeing in the linked material, the author saw something that made his mind generate the sensational 'news'. Without bothering to check whether it's true or false he posted the generated conjecture as a fact and now is trying to defend the indefensible by attacking ProtonMail instead of posting the clarifications and apologizing.
In other words, pretty much the definition of fake news.
From above, there is a Swiss public prosecutor, who is on the public record as saying that he "had not divulged at the above-mentioned event that ProtonMail voluntarily releases real-time data."
That is a pretty conclusive statement that the reporting here is false.
> ProtonMail does not voluntarily offer assistance. We only do so when ordered by a Swiss court or prosecutor, as we are obligated to follow the law in criminal cases.
Yes, if ordered by a court - but not voluntarily, which is the claim of the article, italicized, with exclamation points, repeated several times, etc.
My own definition does not matter. Swiss law matters:
'The order may require real-time surveillance to be carried out and the handover of the retained secondary data of telecommunications from past communications (retroactive surveillance).'
The question is not whether ProtonMail has access to user data. (They have, you are absolutely right.) They question is if they perform real-time surveillance, i.e., lawful surveillance (whether voluntarily or not).
No matter what they actually do, they'd be idiots to reply to this, which is why we won't see a reply from them. Doesn't really say anything meaningful.
+In April 2019, at the request of the Swiss judiciary in a case of clear criminal conduct, we enabled IP logging against a specific user account which is engaged in illegal activities which contravene Swiss law. Pursuant to Swiss law, the user in question will also be notified and afforded the opportunity to defend against this in court before the data can be used in criminal proceedings.
Diff from 2019/04/25 to today: ...
-Updated on 13.03.2019
+Updated on 24.04.2019
-ProtonMail is not required to store communications metadata or IP information, as we are exempted from the Swiss Federal Act on the Surveillance of Post and Telecommunications (BÜPF) and its accompanying ordinance. Therefore, ProtonMail can apply a policy of collecting as little user information as possible to protect user privacy. To know exactly what kind of metadata your use of ProtoMail creates, please refer to our Privacy Policy. Upon receiving a judicial order, ProtonMail is obliged to provide any user information readily available that would help identify a user that is subject to a criminal investigation that has been validated by Swiss authorities.
+ProtonMail is not required to store communications metadata or IP information, as we are exempted from the Swiss Federal Act on the Surveillance of Post and Telecommunications (BÜPF) and its accompanying ordinance. Therefore, ProtonMail can apply a policy of collecting as little user information as possible to protect user privacy. To know exactly what kind of metadata your use of ProtoMail creates, please refer to our Privacy Policy. Upon receiving a judicial order, ProtonMail is obliged to provide any user information readily available that would help identify a user that is subject to a criminal investigation that has been validated by Swiss authorities. In addition to the items listed in our privacy policy, in extreme criminal cases, ProtonMail may also be obligated to monitor the IP addresses which are being used to access the ProtonMail accounts which are engaged in criminal activities. Under no circumstances will ProtonMail be able to provide the contents of end-to-end encrypted messages sent on ProtonMail.
1. a law permits compelling a company to produce real-time data (or anything else),
2. a company has that technical capability, and
3. the company in #2 is in a jurisdiction with a law like #1,
you should assume real-time surveillance data will be provided in cases where it is so ordered. You don't need to wait for them to tell you that it is. It can go without saying.
How could it be otherwise? If the guys with the guns show up to demand that data, what else are they gonna do? The Lavabits of the world are incredibly rare, for the exact same reason that Lavabit doesn't exist any more.
They answered your question, please read more carefully:
> ProtonMail does not voluntarily offer assistance. We only do so when ordered by a Swiss court or prosecutor, as we are obligated to follow the law in criminal cases.
'Public prosecutor Walder of the Competence Center Cybercrime contacted me, saying he had been misquoted. He claims that had not divulged at the above-mentioned event that ProtonMail voluntarily releases real-time data. He had merely described ProtonMail as a potential provider of derived communication services (PDCS).
I was live-tweeting the event, including the interesting presentation by public prosecutor Walder. The remark that ProtonMail was a (potential) PDCS would have been too trivial to be live-tweeted. The insight on the other hand that ProtonMail voluntarily offers assistance for real-time surveillance, was spectacular and I therefore live-tweeted the statement. In its transparency report, ProtonMail – as mentioned above – itself refers to at least one case of real-time surveillance.'
https://steigerlegal.ch/2019/05/23/protonmail-real-time-surv...
Important: The English text is just an unofficial translation.