You need to understand a few things. In order to keep email service usable, Proton need to fight any malicious activity. If they didn’t do it, ProtonMail would be quickly blacklisted by other mail providers as it will be interpreted as source of spam. At the same time, they have very limited capabilities to verify this activity by themselves as they cannot read contents of their user’s emails (it is encrypted) and they keep limited logs.
As an article states, here is what happened:
Proton’s official account replied the following day, stating that Proton had been “alerted by a CERT that certain accounts were being misused by hackers in violation of Proton’s Terms of Service. This led to a cluster of accounts being disabled. Our team is now reviewing these cases individually to determine if any can be restored.” Proton then stated that they “stand with journalists” but “cannot see the content of accounts and therefore cannot always know when anti-abuse measures may inadvertently affect legitimate activism.”
While Proton does have an obligation to stop spread of SPAM mail, this incident is a bit different. Let’s see -
Proton was not approached by other Email providers (Gmail/Outlook) about suspected email SPAM campaign originating from their network.
This matter is NOT even related to SPAM mails.
krCERT - a Govt agency approached Proton and asked them to disable the account.
Proton simply complied to that without verification.
Appeal made by Owner of that email id was rejected.
Subsequently follow ups were also ghosted.
Until the tweet from the journalist went viral, Proton was not in mood to reinstate the account.
Note that while Proton Mail (server) is E2E encrypted, but once email exits their network it no longer remains as such. So, whoever (other email provider or incident reporter) reported the incident, should have a copy of unencrypted email to prove abuse of Proton Mail service.
Given that proton now reinstated the account, that proves Proton initially froze that account based on “Trust me, Bro” proof only from krCERT.
In ideal world, any service provider should require a court order to comply with Govt request to remain unbiased in such situation.
So they simply suspend accounts because “they are evil, trust me bro” and only maybe investigate after? This is either stupid, negligent and/or bullshit.
Maybe I am misunderstanding something here, but this does seem like it could be ripe for abuse. Say I disliked a journalist and knew their proton mail. Could I report it as abuse and have them suspended?
Yes and then the journalist appeal and shows that he is not using his account for abuse and get reinstated. Even a privacy and a security product like Proton has terms of service.
You need to understand a few things. In order to keep email service usable, Proton need to fight any malicious activity. If they didn’t do it, ProtonMail would be quickly blacklisted by other mail providers as it will be interpreted as source of spam. At the same time, they have very limited capabilities to verify this activity by themselves as they cannot read contents of their user’s emails (it is encrypted) and they keep limited logs.
As an article states, here is what happened:
While Proton does have an obligation to stop spread of SPAM mail, this incident is a bit different. Let’s see -
Note that while Proton Mail (server) is E2E encrypted, but once email exits their network it no longer remains as such. So, whoever (other email provider or incident reporter) reported the incident, should have a copy of unencrypted email to prove abuse of Proton Mail service.
Given that proton now reinstated the account, that proves Proton initially froze that account based on “Trust me, Bro” proof only from krCERT.
In ideal world, any service provider should require a court order to comply with Govt request to remain unbiased in such situation.
So they simply suspend accounts because “they are evil, trust me bro” and only maybe investigate after? This is either stupid, negligent and/or bullshit.
Maybe I am misunderstanding something here, but this does seem like it could be ripe for abuse. Say I disliked a journalist and knew their proton mail. Could I report it as abuse and have them suspended?
Yes and then the journalist appeal and shows that he is not using his account for abuse and get reinstated. Even a privacy and a security product like Proton has terms of service.
If you read through the article, his appeal was originally rejected, and subsequent follow ups were also ignored.
It’s only the tweet, directed at proton for ghosting them, that went viral and eventually forced Proton’s hand to reinstate the account.
If a journalist has to go through this much trouble, what chance a common person from authoritarian or semi-authoritarian country have.
This loophole will certainly be misused by Governments to gag someone temporarily/permanently.