privacytools / privacytools.io

🛡🛠 You are being watched. Protect your privacy against global mass surveillance.
https://www.privacyguides.org
Creative Commons Zero v1.0 Universal

Discussion | ProtonMail, ProtonVPN and ProtonMail are called out by vpnscam.com #928

Closed allo- closed 5 years ago

allo- commented 5 years ago

Description

There are blog posts about the companies behind ProtonMail, ProtonVPN and apparently NordVPN. Have a look at these articles, regarding how these services may belong to a data mining company:

Company network: Diagram of the Tesonet companies

It would be good if someone could fact check some of the claims in the blog posts. The posts contain all information needed to verify the claims, so it seems to be plausible, but double checking some facts may be a good idea.

What to do

All affected services should be removed from privacytools.io, when these claims are true.

blacklight447 commented 5 years ago

Looked into this a while ago, seemed to be nothing more than yet another smear campaign by PIA to boost their own services.

allo- commented 5 years ago

Is there another thread for it? I think this should be worth some fact checking, because when half of it is true, this is a huge issue. I am especially worried when recommending a mail provider, because you cannot easily change a mail address.

I am not super convinced by the articles, i.e., I would need to do some fact checking myself, but I am concerned as long as no one points out an obvious flaw in them.

atomGit commented 5 years ago

skeptical - vpnscam.com was apparently registered by Privacy Protect, LLC (which is fine, just sayin') - server is non-SSL (at least i can't load over https) and located in the British Virgin Islands - the server runs Phusion Passenger which is some sort of commercial server framework or whatever that runs from a min. of $228/yr. up to 10s of thousands/yr., however this may be paid for by the host (IPs on either side of vpnscam.com also run this s/w) - the site runs WordPress with a commercial theme

seem a bit extravagant for a simple blog about VPNs?

on the other hand, i'm not sure a VPN competitor would go through the trouble of creating the flow chart in the OP

on the other, other hand, at least some of the info in the blog post, as well as another that is linked to ( HolaVPN and NordVPN Partners in Data Mining Bot Network? ), seems to check out after a quick peek

on the other, other, other hand, i'm sure we all know that no VPN is trustworthy, so now what???

besides that, 'encryption is useless' <-- guy who had worked for the gov with a crypto clearance told me that and i think Snowden reaffirmed it in so many words when he said it would 'buy us some time' - i also think that simple logic affirms the same given the massive computing power of the intel community (if it takes 3,000 years to break with a PC, how long with the power of 300,000 PCs?)

i don't think we can't trust any VPN (unless you know the guy running it i suppose) and so i think the question is, WHO are we trying to protect ourselves from? if it's an ISP or a MITM script-kiddy, then most any VPN is good enough perhaps???

in the end, i have no opinion as to whether to dump the services mentioned

atomGit commented 5 years ago

also, potentially in vpnscam.com's favor, that flow chart appears only on their website (and possibly on a forum post elsewhere) according to reverse image searches - you'd think maybe if a VPN competitor went through all the trouble to write those posts and create that graphic that they'd use it elsewhere perhaps??? also the post content seems unique after a quick search (doesn't appear to be a cut-n-paste)

allo- commented 5 years ago

On the other hand, the site has only a few articles, when it looks like it tries to report on as many VPNs as possible. But if they try to seriously write about them, there are only a few articles, because they have no facts about the others (or they are just fine).

skeptical - vpnscam.com was apparently registered by Privacy Protect, LLC (which is fine, just sayin') - server is non-SSL (at least i can't load over https) and located in the British Virgin Islands - the server runs Phusion Passenger which is some sort of commercial server framework or whatever that runs from a min. of $228/yr. up to 10s of thousands/yr., however this may be paid for by the host (IPs on either side of vpnscam.com also run this s/w) - the site runs WordPress with a commercial theme

This might be a shared (blog) hosting. Whois-Protection is not unusual for privacy aware people (OTOH the VPNs themself should be as transparent as possible) and the site may have some enemies with serious commercial interest to silence the author(s).

I think in the end you cannot get around fact checking some parts of the diagram.

allo- commented 5 years ago

More URLs with pro and contra arguments: https://restoreprivacy.com/lawsuit-names-nordvpn-tesonet/ https://news.ycombinator.com/item?id=18010648 https://news.ycombinator.com/item?id=17254113 https://www.reddit.com/r/ProtonVPN/comments/8ww4h2/protonvpn_and_tesonet/ https://medium.com/@gaetanosabin/did-nordvpn-and-protonmail-violate-gdpr-and-us-privacy-laws-by-doxing-vpn-affiliate-2fe7b0d51d1f https://www.reddit.com/r/privacytoolsIO/comments/9ax8xa/nordvpn_and_hola_shocking_business_practices_to/

Especially the first link tells that the third-party audit of NordVPN seems to be in response to the accusations.

allo- commented 5 years ago

Feel free to change the Tag from "Software removal" to "Discussion".

danarel commented 5 years ago

Looked into this a while ago, seemed to be nothing more than yet another smear campaign by PIA to boost their own services.

So many sites and activists have looked into this and reported on it and you're 100% correct.

five-c-d commented 5 years ago

you cannot easily change a mail address

This is true, if you don't have your own domain-name. You can signup for alice AT protonmail DOT com ... and then tell all your friends and contacts, okay here is my new email. That is easy enough, but when you want to shift over to a new webmail, you have to do it all over again, which means it is harder (switching-costs).

The workaround is to get your own domain-name, and then, signup for protonmail, but with one of the paid plans, so that your email is alice AT aliceAwesome DOT com, but your mail-provider is protonmail. You get all the benefits of being a protonmail enduser, including end2end crypto with other protonmail endusers (the ones with protonmail in their addresses and also the ones just using protonmail as their provider under the hood of their own unique domain). But you don't have switching-costs as severely, you can "port your address" over to using tutanota as your webmail-provider without telling all your contacts 'okay now I have a tutanota address'.

There is still a severe switching-cost however: protonmail and tutanota are not interoperable at the crypto-layer, so formerly when your protonmail-contacts sent something to alice AT aliceAwesome DOT com it was end2end encrypted... but if you switch provider-backends to use tutanota, suddenly it won't be encrypted anymore! The email will still go through, because both services support fallback to unencrypted SMTP, but here on privacyToolsIO methinks there is a strong sentiment to always encrypt :-)

i'm sure we all know that no VPN is trustworthy, so now what???

That's the wrong way to pose the question. Some VPNs are more worthy of trust than others, and in particular, some VPNs are more worthy of trust than

  1. the ISP which has a monopoly where you happen to reside
  2. the workplace which controls the network where you happen to be employed
  3. sysadmin of the random hotel/cafe/etc wifi hotspot when you are on vacation

This big old diagram seems to be an attack of the guilt-by-association sort, which makes a lot of assertions and then concludes "use the competition".

I think in the end you cannot get around fact checking some parts of the diagram.

I think the burden of proof is on the person making the extraordinary claims. "NordVPN and protonVPN are untrustworthy data-mining honeypots" is an extraordinary claim, and requires more evidence than an infographic of dubious origin. But they go wwwaaaayyyy beyond THAT mere assertion, and well off the deep end: "Every company and name you see here has betrayed the trust of everyone in the world"

Everyone. In. The. World. Betrayed! :-) Sounds very serious. Show me the evidence please. There is evidence that nordVPN's default client APK contains a tracker, that is true, but they are an openVPN-compatible network so you don't have to use their provider-APK, is my understanding. Other firms don't have trackers though, so you can use their APKs instead. Protonmail has a cookie, that is true, it lets you login the next time, like everyday endusers expect webmail providers to permit. If you don't wanna save your protonmail-password into your browser, do not do so! ;-) And there are a lot of other webmail providers out there. But this kind of diagram is not a useful tool for deciding between VPN#1 versus the competitors or webmail#A versus the competitors.

change the Tag from "Software removal" to "Discussion"

@allo- ...you should just be able to hit the grey [Edit] button up near the title, and change the title yourself to say "Discussion" ...because you opened this issue. If you cannot find the button or something, we can ping a project-maintainer to fix it, but most of us commenting here are just participants without necessarily having maintainer-powers :-)

allo- commented 5 years ago

@five-c-d Nope, I cannot change the labels, because I am not a team member. I could only add the label because the repo uses github templates, which allow posting with an initial tag. So it needs a maintainer to change it now.

five-c-d commented 5 years ago

@Mikaela , unless you think this label belongs, can you please change it?

See request above, and above-above from the OP

allo- commented 5 years ago

I think the burden of proof is on the person making the extraordinary claims. "NordVPN and protonVPN are untrustworthy data-mining honeypots" is an extraordinary claim, and requires more evidence than an infographic of dubious origin. Yes and no.

You need to prove something to go to court. But you only need a small hint to get suspicious. When you cannot prove that the NSA is targeting you, you may still want to make it hard for the NSA to read your e-mails. And some hints that a VPN and its associated services may be insecure are a reason to think twice before becoming a customer.

On the other hand, this is the same reason why a smear campaign against a competitor can be very effective. Just tell some half-truth and imply wrong conclusions and the people get suspicious of the competitor and may use your service instead.

That's why I said this needs some fact checking. I cannot tell you if the diagram is right or wrong. They give quite a few sources, but even checking whether the sources contain what the article claims follows from them needs to be done before you can be sure. I may look into this a bit more, when I have the time for it.

There is evidence that nordVPN's default client APK contains a tracker, that is true,

And that's a bad sign for a VPN. There are quite a few VPNs with bad apps, that contain trackers and may leak information. That's nothing unique to NordVPN, but still a bad sign for any VPN.

but they are an openVPN-compatible network so you don't have to use their provider-APK, is my understanding.

Yes, they provide OpenVPN and PPTP. That's fine.

Protonmail has a cookie, that is true, it lets you login the next time, like everyday endusers expect webmail providers to permit. If you don't wanna save your protomail-password into your browser, do not do so! ;-)

I did not look at this. The question is, if it is just the login/remember-me cookie or a cookie like Facebook uses, that recognizes your device even after logout. Even these have a legitimation, because they can be used to warn you when someone logs in from a "new" device, but you can object that this is not appropriate for a privacy-friendly service. And annoying for people who delete their cookies ;-).

Mikaela commented 5 years ago

@Mikaela , unless you think this label belongs, can you please change it?

Sure, but you may be more likely to get responses from team members who are already contributing to the specific discussion, in this case @blacklight447-ptio (https://github.com/privacytoolsIO/privacytools.io/issues/928#issuecomment-491941437).

five-c-d commented 5 years ago

Thanks :-) And I knew that blacklight was listed as a DiscourseForum moderator, but I didn't know they had commit-access to github. See also, #848 ... hint hint :-) Is there going to be an "Official List" sometime? @allo- the label says discussion now, if you can please edit the title? Then everything will match and we can go back to, you know, discussing.

bereika ... tesonet

Searching for those on protonmail and protonvpn websites, turns up nada. The primary claim (of all the many extraordinary claims of the block-diagram of guilt-by-association) is that Bereika is somehow "linked" to protonmail, and thus, protonmail has betrayed everyone on planet earth. Because of what other stuff Bereika is linked to, which, something? The diagram's author is clear they want me to believe there is a link but I'm not sure the link exists. The diagram's author is clear they want me to believe Bereika is the devil, and protonmail is in bed with the devil, but again, they are asserting evil, not showing evidence of "here is evil act#1 and here is evil act#2" or even linking unto such things.

I've never heard of the Bereika person, and other things being equal, tend to believe he is just a normal human no better or worse than other normal humans, not evil incarnate. He doesn't seem to be running protonmail, or running protonvpn. Is he secretly running protonmail and protonvpn and nordvpn and holavpn and cloudvpn and the illuminati because he is the devil? Show me some evidence pls, would be my response to such an assertion.

And, compare that situation, with the way other VPNs listed by privacyToolsIO operate, and other webmail providers listed by privacyToolsIO operate, so I can see where the lesser-of-two-evils can be found. Plus of course, decide for myself on what the definition of "evil" is. When I see a diagram baldly asserting 'every company and name' are pure evil, I tend to immediately toss the diagram in the trash as a smear-campaign.

Mikaela commented 5 years ago

Thanks :-) And I knew that blacklight was listed as a DiscourseForum moderator, but I didn't know they had commit-access to github.

Look for the team flair on the left of the react button.

[Screenshot: ❌ Software Removal ProtonMail, ProtonVPN and ProtonMail · Issue #928 · privacytoolsIO/privacytools.io]

There is also https://github.com/orgs/privacytoolsIO/people (of which I am not sure if it's publicly visible) and there people can select whether to be publicly visible (I don't know if that flair requires it). In any case the public members are visible on https://github.com/orgs/privacytoolsIO .

blacklight447 commented 5 years ago

@Mikaela funny enough, I'm not visible on that page, nor do I seem to be able to edit tags. But the latter might be because I'm on a mobile client atm.

five-c-d commented 5 years ago

Offtopic: definitely no team-flare, and cannot alter labels, means needs adding?

@blacklight447-ptio ...no it is not you, there is no [Member] thing to the lefthand side of the reaction-emoji-dropdown, like I see for @Mikaela (and that you cannot edit tags/labels confirms). So you are added in the discourse-forum-backend as "official" but you are not yet added to the github-repo-backend as "official" it seems? https://github.com/orgs/privacytoolsIO/people == BurungHantu1605, JonahAragon, Mikaela, Shifterovich, Vincevrp

> There is also https://github.com/orgs/privacytoolsIO/people (of which I am not sure if it's publicly visible)

This is visible to the internet as a whole, yes. And it matches the list on https://github.com/privacyToolsIO

> people can select whether to be publicly visible

Yes, blacklight can be an org-member officially, but opt to NOT list themselves in the public-listing for privacy-reasons. But they SHOULD still be able to modify issue-labels, even if they are marked "private member" rather than as a "public member" of the github-org

> (I don't know if that flair requires it).

Me neither, though I would guess that a "private org-member" would have no flair aka no [Member] thing to the lefthand side of the reaction-emoji-dropdown, because otherwise their very first comment on an issue would violate the "private member" thing! :-) Still, should be able to alter labels/tags, if they are properly a member, either public or private, is my understanding... my friend is setting up a new github org, and they had the same questions, but I don't think we thought of the [Member]-team-flare-thing

Anyways, I think blacklight would make a fine commit-access person, and if they have it I hope they will commit THIS for code-review in particular :-) https://github.com/privacytoolsIO/privacytools.io/issues/914#issuecomment-493147212 But being a member of the privacyToolsIO team, and having commit-access to this specific repo, are not necessarily identical, it could be a venn diagram, it depends on how the project is being run and whether there are layers-of-protections or a very flat structure. Up to you folks what the correct outcome is, in other words. But from a reader-perspective, it says on their github-profile comment "member of privacyToolsIO team" but there is no team-flare, as yet anyways

@allo- much better title thankyou :-) https://www.reddit.com/r/privacytoolsIO/comments/8xnvxc/remove_protonvpn_from_privacytoolsio/ is the forum-discussion where the author of the diagram, from what I can tell, first attempted removal. They claim not to be the co-founder of PIA, and are portraying themselves as just a normal protonVPN paid-account enduser, angry about the "deeplink to Lithuania". This was October 2018. Proton-somebody says that they used Tesolink as a supplier (e.g. for corporation-formation in an EU country which presumably has some kind of tax advantage / is not tied to protonmail and thus will not get protonmail banned in China compared to Switzerland ? ) but don't go into much detail. The accuser on reddit, who may or may not be the diagram-author, sees this as horribly evil ...but is light on detailing why it is evil. And on whether the linkage is actually, you know, resulting in some privacy-downside, in the now?

(Edit: the reason for incorporating protonVpn separately was explained at yCombinator == "...exists as a separate legal entity for security reasons. This is to avoid ProtonMail getting banned in jurisdictions where VPNs are illegal. An example is China where ProtonVPN is banned, but ProtonMail is permitted...")

I don't want to discount business-models, they do really matter, and protonmail / protonvpn does have a business-model (freemium and to some degree keeping their codebase closed-source), just like nordVPN does have a business-model (monthly fees which they supplement with a tracker in the apk). But as the old saying goes, There Ain't No Such Thing As A Free Lunch, what matters is how nordVPN compares to the competition -- woo mullvad :-) yeah -- and how protonmail compares to their competition e.g. tutanota. The business-model is important, but it has to be compared to the alternative... the person in the reddit thread is planning to "just stop using VPNs altogether" supposedly, which seems unwise-or-maybe-a-calculated-falsehood.

The question is, if it is just the login/remember-me cookie or a cookie likes facebook uses, that recognizes your device even after logout. Even these have a legitimation

From my reading about three months ago, protonmail has a "basic cookie" for the remember-me purpose, but they were getting a lot of requests (and if memory serves were working on implementing) the more invasive but in-some-ways-legit option of a "super-cookie" that was able to still smooth the re-login-pathway. I understand why people like the basic cookies, but I login to my webmail by hand each time, cause how else will I remember the password? ;-) Use it or lose it

five-c-d commented 5 years ago

Now I can see [Member] aka team-flare :-)

@blacklight447-ptio if you think it is a good idea, can you merge 886 with 928, or maybe 928 with 886, please?

blacklight447 commented 5 years ago

@five-c-d Well I want to, but they forgot to add me to the editorial team, so I gotta wait for that to be resolved.

blacklight447 commented 5 years ago

I would just close this issue. This is because there has been no real solid evidence provided to start distrusting protonmail or Protonvpn. And it seems most claims originated from a smear campaign by PIA. Anyone from @privacytoolsIO/editorial have objections against me closing this?