Expecting everyone to be good at opsec is not a practical solution - making it the problem of the company that can and should hire people to be good at opsec, is.

[–] stoy@lemmy.zip 1 points 12 hours ago (1 children)

Well, not everyone needs to be good at opsec, most people are fine as is.

Most people are not working against the government either.

But if you are going against the government, or any large and powerful entity, you absolutely need good, reliable opsec.

When the police comes knocking on your door, you can't just blame Proton for not informing you about not using your own CC to sign up for your service.

This isn't a playground, you are dealing with the big boys now, and they have far more tools than you have, unless you learn and adapt, you will get burnt.

So while you are right that bot everyone can be expected to be good at opsec, that isn't the issue.

The issue is that this was an opsec failure of the guy, it wasn't Proton messing up.

[–] ChristerMLB@piefed.social 0 points 8 hours ago (1 children)

"When the police comes knocking on your door, you can't just blame Proton"

obviously, but the ideal we should be working towards is that privacy is the default, right? The more normal it is to have this kind of privacy, the less suspicious it is.

are they legally required to store the credit card information?

[–] stoy@lemmy.zip 1 points 7 hours ago (1 children)

I agree that we should work toward a more private society, but we are not there yet.

And to answer your question, yes, Proton is required to store the CC info.

[–] ChristerMLB@piefed.social 1 points 2 hours ago* (last edited 2 hours ago)

Reply

oh, well in that case I'm not sure what they could have done, aside from being clearer that this was a threat that users had to be aware of

[+] mushroomman_toad@lemmy.dbzer0.com -6 points 1 day ago* (last edited 1 day ago) (2 children)

It's not theoretical. Protonmail should not have handed over the personal data for victims of political persecution, but they did.

The system is broken. The practical next step is to solve the problem.

[–] stoy@lemmy.zip 6 points 1 day ago (1 children)

They clearly give you options to avoid this scenario, this is not on Proton, this is simply an opsec fail of the user.

Don't get me wrong, opsec is hard, exhausting and just annoying, it needs discipline and constant focus, you only need to fail once for it to be ineffective.

The customer signed up for Proton, but didn't follow their guidelines for anonymity, that is not a failure of proton, it is a failure of the user.

[–] mushroomman_toad@lemmy.dbzer0.com -2 points 1 day ago* (last edited 1 day ago) (1 children)

Maybe they've changed the website, but when I started using Proton, they never gave me any warning about paying with a credit card.

Anyways, my point is that both the government and service here need to be changed. Switzerland should not be responding to subpoenas from a fascist regime, protonmail should not be based in Switzerland, and Protonmail is too captured by capitalists that want to be Google to have the morals to give up instead of giving in.

See Mullvad for example of a service that will just not offer services like port forwarding instead of pretending they're secure. They have the same credit card opsec issue but they actively discourage it, and they don't pretend that unencrypted email is secure.

[–] stoy@lemmy.zip 1 points 1 day ago

And that is why you would have failed at opsec.

You can't demand warnings about stuff like that all the time, YOU need to teach yourself these things.

You can't rely on anyone else for your own opsec.

That is the entire argument here.

The guy should have read up on protecting his anonymity before he started his activities.

Opsec fails have brought down many, many people.

From darknet site owners, to government agency operations, to countries at war and more.

Opsec sounds easy at first, but it is extremely difficult, and you can't rely on anyone else doing your job for you.

You need to develop OCD like habits, you need to understand why they are needed, and what you are giving away when breaking them.

You imply that a warning would have prevented the guy from using his credit card, I don't think it would have made any difference, the guy would either not understand at all, or just ignore it

Unless he intuitively understood that Proton was required to retain cc numbers for X years, and that these cc numbers were tied to a specific transaction, his account and his identity, I just don't see him taking a warning serious.

This is the real world, it isn't fair, it doesn't care, you need to care about this for your self preservation.

[–] gravitas@pie.gravitywell.xyz 3 points 1 day ago* (last edited 1 day ago) (1 children)

How do you think it would play out if proton refuses lawful orders from a court in the country they operate in?

I do think proton does a lot of misleading advertising, but its still on the user to research and have good opsec. Paying with a card when crypto is an option, using the same service for both email and a vpn, using that service from a public wifi near where you are known to live while actively doing crimes. A lot of mistakes made on the users part. Proton is running a business not a criminal protection racket, you cant expect them to help you get away with crimes just because they claim to value privacy.

[–] mushroomman_toad@lemmy.dbzer0.com -2 points 1 day ago* (last edited 1 day ago) (1 children)

In Switzerland, privacy is not a crime, nor is protesting.

[–] tuhriel@discuss.tchncs.de 2 points 13 hours ago

Correct, but arson vandalismn and a call for violence is. I couldn't what exactly the charges awere in the MLAT request, so i have to go what 404 wrote

One can argue if the swiss goverment should have honired the MLAT request...unfortunately, that thing was put in place before the USA whent insane, and most countries do honor agreements they sign