There's also the PBC (Public Benefit Corporation), which in addition to profit / shareholder value explicitly defines positive impact on society as a goal, and has existed since 2010 in some states, and only since 2022 in others [1]. But as far as I understand there are no legal requirements or audits that ensure those goals are followed.
Kagi (the search engine, popular in the HN community and I'm a happy customer myself) is one example of a PBC [2].
My experience interacting with Novo Nordisk is that, in their case, this model has led to massive inefficiencies.
The non-profit aspect has led to lots of internal politics and rigged hires. They are much more inefficient than a classical pharma.
They are now an "AI company" and Firefox isn't a concern anymore.
I expect Mozilla to die within the next few years and the web to become Chromium only, finally solving my chronic online-ness.
> Among other members of the Foundation's board is Sir Tim Berners-Lee, inventor of HTML, HTTP, and almost everything else about the web.
Well that's good news!
(Whether it's slamming a rogue exec up against a pillar in a parking garage whilst cursing corrective instructions, or deploying his vast power to destroy his enemies from a distance, or whatever skills and resolve are required.)
Find a different anti-spam measure
More discussion on official post: https://news.ycombinator.com/item?id=40704191
From their own transparency page:
Number of legal orders: 6,378
Contested orders: 407
Orders complied with: 5,971
They did this to expose protestors and people who upset the powers that be, rarely real criminals.
They could choose to operate in a country that respects rights and design their tech so that there's nothing valuable to hand over. This is what Mullvad did.
*Edit: HN has been overwhelmed with poor quality users and bots growing in the last few years. Same as reddit there are paid services used to manipulate voting. HN needs to migrate away from this in order for real discussions to return.
I believe it was stated on the page you copied those stats from https://proton.me/legal/transparency
> As stated in our Privacy Policy, all emails, files and invites are encrypted and we have no means to decrypt them.
They're all encrypted except when you pay more for dedicated smtp.
They're all encrypted except when they give up logs they promised they didn't have.
And so on.
They have every means to decrypt: they control the client software, the server, and the data. You would never know if they logged your key, and they can be compelled to by a flimsy order.
It seems like the next time you log in they would be able to capture your password and decrypt your emails.
Don’t get me wrong, I have multiple ‘Visionary Accounts’ but I have just no expectation of them protecting my data completely.
How do they get peoples passwords / keys? Easy. They just wait for you to log in and they swipe it then. It’s targeted.
They are a perfect example of why you cannot really trust any company selling ‘privacy’, like Apple, Mozilla and whoever else fakes it. Even TOR to a degree is a pile of pish because all the relays can be hosted on mostly American VPS companies… so although the rest of the world would struggle detecting who people are, five eyes are in an excellent position to be able to unmask. It’s intended for the Five Eyes spies to hide among - they need the randomers on there or it’s a useless tool for their global spies to use - I don’t think enough people actually realise that.
Under Swiss law, Proton cannot be compelled to do this. Nor is this "easy" to execute if you are using the open source mobile or desktop apps.
Source? How exactly do you know what cases of people the legal orders were about?
As well, emails and files are encrypted. And their VPN is a no-log VPN.
Lastly, they can comply with an order and just give them nothing, because they don't have anything they can give. No files (E2EE), no VPN network info (No-logging), no emails (E2EE), etc. That's still, legally, an order they complied with.
1. Government entity (usually the US or EU country) pressures the host country's government
2. Host country's government makes a legal request to the company for info on this user.
3. Company adds logging for that specific user.
4. Logging is provided to all those interested.
5. Host country prosecutes (potentially extradites).
There's a public accounting of this happening for Proton and Mullvad too iirc.
> HN has been overwhelmed with poor quality users and bots growing in the last few years. Same as reddit there are paid services used to manipulate voting. HN needs to migrate away from this in order for real discussions to return.
is absurd. Is it really the only way you can explain why you're downvoted? Could it not be because you've made several unsubstantiated claims?
DON LAFONTAINE: In a world...
Where the Internet was betrayed...
One man...
Is called to serve again.
And he's dispensing his own brand of standard.
But, do you have a method which results in the data being accessible to anyone other than the account owner?
I don’t know exactly what you provide. Or how you do it. But it does feel secretive, and that in itself makes people think the worst.
But I do know how NDA’s work, so that might be a part of it.
Your decrypted key isn't sent off your local computer. So it's not a case of waiting for you to log in and swipe your key. They never get the key.
In the past you could have a separate login password and decryption password. You still can in the advanced settings if you want.
Second, I am not talking about swiping the key, but the password. When you log in, you send your password to their server. They presumably hash the password and compare the hashes then send you the decryption key if the hash is correct.
The problem with that is they could keep the password you entered (pre hash). If hashes are good then use the password you entered themselves with the key to decrypt your email.
It sounds like the separate decryption password may work around this, but is not the default meaning a large chunk of the users are vulnerable to proton logging passwords.
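The two flows being argued about above, as an added illustration that is not part of the thread and is not Proton's protocol (the post linked in the next comment describes Proton's actual scheme; this code does not implement it). It assumes a server that logs whatever login secret reaches it, a toy HMAC-based stream cipher standing in for the mailbox encryption, and scrypt as the key derivation function; all names, the salt handling and the sample message are constructed for the example.

```python
"""
Constructed example (not Proton's code): why a login password that reaches the
server in the clear lets the server derive the mailbox key, and how deriving
two unrelated secrets client-side (or using a second password) removes that.
"""
import hashlib
import hmac
import os
from typing import Optional

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 12, 8, 1  # small parameters so the demo runs fast


def kdf(secret: bytes, salt: bytes, purpose: bytes) -> bytes:
    """Memory-hard KDF. The purpose label is folded into the salt so the auth
    secret and the mailbox key are unrelated even when they share one password."""
    return hashlib.scrypt(secret, salt=purpose + b"|" + salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-style stream cipher with HMAC-SHA256 as the PRF. No authentication
    tag, so it is for illustration only; a real client would use an AEAD.
    Encrypting and decrypting are the same operation."""
    out = bytearray()
    for i in range(0, len(data), 32):
        keystream = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], keystream))
    return bytes(out)


class Server:
    """Stores a verifier for the login secret and keeps a copy of every login
    secret it receives, simulating a provider compelled to log one user."""

    def __init__(self) -> None:
        self.salt = os.urandom(16)      # handed to the client at login
        self.verifier: Optional[bytes] = None
        self.seen: list = []            # what a compelled provider could retain

    def register(self, login_secret: bytes) -> None:
        self.verifier = hashlib.sha256(self.salt + login_secret).digest()

    def login(self, login_secret: bytes) -> bool:
        self.seen.append(login_secret)
        candidate = hashlib.sha256(self.salt + login_secret).digest()
        return hmac.compare_digest(self.verifier, candidate)


def provider_recovers_mail(flow: str, password: str,
                           mailbox_password: Optional[str] = None) -> bool:
    """Run one registration + login and report whether the provider, using only
    what it logged at login, can decrypt the stored message.

    flow == "naive": the raw password is the login secret (server sees it).
    flow == "split": the login secret is kdf(password, "auth"); the server never
                     sees the password, only a one-way derivative of it.
    mailbox_password: optional second password from which the mailbox key is
                      derived instead (the "separate decryption password" case).
    """
    server = Server()
    salt = server.salt
    if flow == "naive":
        login_secret = password.encode()
    elif flow == "split":
        login_secret = kdf(password.encode(), salt, b"auth")
    else:
        raise ValueError("flow must be 'naive' or 'split'")

    key_source = (mailbox_password or password).encode()
    mailbox_key = kdf(key_source, salt, b"mailbox")   # never leaves the client

    server.register(login_secret)
    assert server.login(login_secret)

    nonce = os.urandom(12)
    plaintext = b"constructed sample message, stored encrypted on the server"
    ciphertext = xor_stream(mailbox_key, nonce, plaintext)

    # The provider's attempt: treat whatever it logged at login as the password
    # and derive the mailbox key the same way the client does.
    logged = server.seen[-1]
    guessed_key = kdf(logged, salt, b"mailbox")
    return xor_stream(guessed_key, nonce, ciphertext) == plaintext


if __name__ == "__main__":
    print("naive flow, provider decrypts:", provider_recovers_mail("naive", "hunter2"))
    print("split flow, provider decrypts:", provider_recovers_mail("split", "hunter2"))
    print("second password, provider decrypts:",
          provider_recovers_mail("split", "hunter2", "a-different-secret"))
```

The caveat a practitioner should keep in mind: the split flow only stops a server that records what it receives. A server that holds the salt and the logged auth secret can still run offline password guesses and derive the mailbox key for any guess that matches, so the protection is only as strong as the password's resistance to brute force. A genuinely separate mailbox password, or a key that is never derived from anything sent to the server, is what makes the logged material useless on its own.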
They explain what they do here : https://proton.me/blog/encrypted-email-authentication
It may be true, it may not be, but there needs to be more information or facts before we get to the original comment's statement that Proton gives data to expose protestors to protect "the powers that be".
That's the flow of how government legal requests work with no-log vpn services.
What do you think "Orders complied with" means then?
Here's an instance of Proton adding logging of an activist's IP Address and Device ID after a request from the French authorities:
https://techcrunch.com/2021/09/06/protonmail-logged-ip-addre...
> French police sent a request to Swiss police via Europol to force the company to obtain the IP address of one of its users.
It's right there in the police report.
Granted, I don't know much about how Swiss legal processes work, but I do know Switzerland has the best privacy laws when it comes to VPNs (which is why a lot of VPNs use Switzerland). Switzerland even has laws on their books that prevent them from compelling no-log VPNs based in Switzerland to log specific users.
Proton does not claim no logs and has never claimed no logs. We do not retain logs by default, but our privacy policy has always been clear that we are legally obligated to follow Swiss court orders, which can ask for IP logging on specific accounts.
I am not an activist so I don’t need to jump through such loopholes.
I don’t despise proton as much as I despise most of Silicon Vally though. I just hope they fight every single court order, because there will be lots of good people being targeted. However, I reckon that is wishful thinking.
Smells like tax evasion, but what do I know. Isn't IKEA's founder one of the richest people in Switzerland?
Novo Nordisk might return to a more realistic market cap once other GLP-1 agonists enter the market, e.g. Lilly's.
In their own policy:
> “In addition to the items listed in our privacy policy, in extreme criminal cases, ProtonMail may also be obligated to monitor the IP addresses which are being used to access the ProtonMail accounts which are engaged in criminal activities.”
So there's no question whether or not they do it, it's more of how often they do it and for what. The French case was a big deal because it didn't seem to meet the "extreme criminal case" threshold, and yet the logging was still carried out.
Proton is extremely transparent and said:
If you are breaking Swiss law, ProtonMail can be legally compelled to log your IP address as part of a Swiss criminal investigation. This obligation however does not extend to ProtonVPN (see VPN privacy policy here). Additional details can be found in our transparency report.
What others are doing doesn't matter, that's whataboutism. Yes there's many shittier services, and Proton is much better than them.
What matters is if you can trust Proton to be private, and the answer is... mostly.
Yes I like Proton and I use Proton as my daily email driver, because I don't expect privacy from governments, I just don't want Google tracking.
But a lot of people see the "no logs" thing and think that there's never any logs, which is not true, they add them on request, and they've done it based on foreign government requests, for questionable searches, as I've linked above.
If you want privacy in your hands, use Tor when accessing Proton and pay in crypto obviously.
Those are techniques needed for privacy because they can access that data and you can't trust them to safeguard any data they can access because they legally can't.
It's not their fault, it's just the system, but you must expect it.
I saw in the article that Proton also offers an onion address, which will make the IP Address monitoring useless anyway. So they, legally, have to do the monitoring, but provide a tool that makes their "monitoring" useless.
Here’s their recovery process: https://proton.me/support/set-account-recovery-methods
I don’t see their customer support call as a recovery method. I’d expect that for paid accounts you could theoretically verify your identity to CS via payment, but in that case you lose the data anyway.
Some searching finds this comment. [1] I would be interested if such a password reset were possible against someone who for instance had 2FA enabled, no recovery information and only accessed their account using the Tor onion-service. ;-)
The number of tutorials I have seen about spinning up a tor relay on a VPS is crazy. These tutorials are probably written by three letter agencies - though I have no proof.
Regardless, protonmail doesn’t let people register when connecting with Tor unless you use phone number or card to make a payment. You will have to give up something which identifies you, and so it really doesn’t matter when you connect with Tor after you have already registered - there is a way to connect who you are.
It doesn't matter if you lose data. If you control an email address, you get all future email including forgot-my-password emails.
And yes, signing up to Home Depot's email newsletter and other services so that they could tell the customer service agent "my last few emails were from Home Depot and ..." was successful against their customer support system. That's just how amazing it is.
Finally, I don't expect the social media guy running protonmail's HN account to give us much insight into protonmail's customer support security issues, but if you're going to show up, I would've at least expected you to forward my email somewhere for follow up.
> Regardless, protonmail doesn’t let people register when connecting with Tor unless you use phone number or card to make a payment
Actually if you attempt enough times you will get the option to verify the registration with an e-mail. And they are rather liberal with which options they accept. So it is not exactly a circular dependency.
From there is it an exercise to the reader to create an account not linked to any other identity.