1159 words
August 27, 2024
6 minutes read
Decrypting Proton Privacy Policy
Introduction
If you read some of my posts on this website you might have seen that I like Proton. However, every now and then, there is a new controversy about Proton handing out data to feds. My take on that is that peoples should be more careful of their opsec and try to understand why Proton need some data unencrypted and which.
However, to be fair, Proton are also not really been open about this, they have a Privacy Policy for each of their services with walls of text. That’s why I wanted in this article to present the metadata they collect in a simpler way.
PS : For this article we will concentrate on a “basic” Proton account meaning not using any insecure extra features like easy-switch, referral, chat support, scribe, in order to keep it simple.
Proton Account
| Email adress | Verification Email | Verification Phone number | IP |
|---|---|---|---|
| anon@pm.me or anon@gmail.com | verifemail@gmail.com | +1 3370000 | Depends (read bellow) |
They state in their privacy policy that both the email or phone number used for verification or account recovery are stored hashed. Hashing is a one way encryption that if given the same parameters and same text always gives the same result. This mean that it can be brute forced by feds. Proton has also already been found giving those out as the result of a court order. To make it clear I left them in clear text on the table.
By default, IP logs are not kept. However, they might be in those cases :
- Combat abuse and fraud (this is extremely vague)
- Are engaged in activities that breach our terms and conditions (extremely vague too, is this malicious at this point ?)
- If you enable authentication logging for your Account
- If you voluntarily participate in Proton’s advanced security program
- If they receive a court order they will turn on IP logging on your account
Proton Mail :
About an email
| sender and recipient email addresses | IP of sending server | attachment names | message subject | message sent and received times |
|---|---|---|---|---|
| jane.doe@pm.me to anon@pm.me | 8.8.8.8 | pdf for John Doe.pdf | Hi John Doe, I hope no one found your real name yet :):):) | 2024-04-20 07:13:37 and 2024-01-69 07:15:35 |
This is a lot of informations that can be used but this is also pretty much the minimum of informations they need unencrypted in order to be able to process an email with the implementation of PGP.
PS: Email cotent, if sent unencrypted to a Proton Mail address is processed unencrypted by Proton Mail (to encrypt it but also to check for spam). They claim to never store it on disk but this is a limitation of email that has to be known. It also seems that Proton is sending some email metadata to spamhaus for spam detection which mean that some informations about your emails is sent to spamhaus (a Company that can be hated for a lot of reasons).
About an email account
| number of messages sent | amount of storage space used | total number of messages | last login time |
|---|---|---|---|
| 135 | 2.56gb | 1265 | 2024-04-20 01:33:07 |
Proton Drive
About a file
| size of the encrypted file | file/folder creation and modification times | permissions | username of uploader |
|---|---|---|---|
| 2.6gb | 2024-04-20 01:33:07 | Edit | jane.doe@pm.me |
About a shared file
| size of the encrypted file | file/folder creation and modification times | permissions | username of uploader | last access time | number of times accessed | creator |
|---|---|---|---|---|---|---|
| 2.6gb | Edit | jane.doe@pm.me | 2024-04-20 01:33:07 | 13 | jane.doe@pm.me |
Proton Calendar
About an event
| event start and end time | time zone | repetition rule | event creation | last event update | event status |
|---|---|---|---|---|---|
| 2024-04-20 01:33:07 to 2024-04-20 02:33:07 | Europe/Zurich | Repeat Weekly | 2024-04-10 13:33:07 | 2024-04-11 14:09:00 | active |
Proton VPN
There is not much information on what is collected. If we trust their privacy policy it means that they keep no log of any action. However, payment and account data are still collected (see bellow).
Proton Pass
About an entry
Everything seems to be encrypted except alias email adresses. It means that by a hack or court order a bad actor could get all the emails on every website you registered to (and link those easelly because the default alias generation add the website URL at the start).
Proton Wallet
All of your TXIDS, wallets, exchange rates for transactions and even notes you wrote are saved unencrypted. You are also limited on the number of wallets you can create with a limit of two wallets and 4 adresses. It is also stated in their privacy policy that they may use the data they have (everything) to track fraud at their discretion (do they check the txids with chain analysis firms ? this is not clear but not denied). There is no Privacy in any way there.
PS : There is external services to buy, sell and exchange crypto on Proton Wallet. If you want privacy I would advise against using those and check on orangefren, trocador or kycnot.me for kyc-free options.
Payment
Proton Mail always had a problem of payment methods. You cannot pay in Monero or any other Privacy Coin for that matter. Even their bitcoin payment option (which is not private in any way if not made using mixers, coinjoins, etc) is managed by a third party.
If you pay with credit card then your payment information will be sent to a third party but not your account information (this might work with a txid only ? Not clear on how your transaction and account are linked). The last 4 digits of your credit card are saved.
IOS and Android apps
- Analytics and statistics using external services (“e.g. fabric.io").
- Crash reporting via Play Store app statistics, App Store app statistics, or self-hosted (Sentry). It is not stated in the Privacy Policy but you should be able to deactivate both the analytics and crash reporting on the app settings page.
Others considerations
- Backups from all of Proton services are kept for up to 30 days.
- I wouldn’t expect the fact that they only accept Swiss court orders to protect anyone, they seem to not be to hard to get (Proton transparency page)
- Proton employ a local installation of self-developed analytics tools. Analytics are anonymized whenever possible and stored locally. This is very much not clear on what they collect, when and how.
- They use external CDN(s) (like https://cloudinary.com for their landing page). Those might collect your informations too.
- Simple Login and Proton Pass are not hosted on Proton owned servers and infrastructure but rather on some rented/owned servers on external data-centers.
Conclusion
Most of the data collected by Proton is data that needs to be collected in order for their services to work. However, there is also a lot of data that,for a privacy service, should not be collected (like billing, recovery / verification email and number and ips).
Wallet, their last product, seems to offer no benefit and even be a really bad way to use bitcoin as it will link your crypto payments, transactions and balance to your other accounts (email, pass, drive, etc).
Leet
i[a]sy.st
I’m ██████████ █████, a ██ years old working at ████████ ███████████.