Proton Meet Isn't What They Told You It Was

Eduardo06sp

https://www.sambent.com/proton-meet-isnt-what-they-told-you/

I've seen this shared a few times, and it seems pretty concerning..

Voyager

Eduardo06sp but it's end-to-end encrypted, so even Proton can't access your data. Do I misunderstand how that works?

Developer-Dude

Interesting. I'll keep using Jitsi anyway. :)

de0u

Voyager but it's end-to-end encrypted, so even Proton can't access your data. Do I misunderstand how that works?

As I see read the article, the key allegation is that the metadata (which IP address is calling which IP address, when, for how long) for Proton Meet is easily within the grasp of various governments, and especially within easy reach of the U.S. government via the "CLOUD Act". If metadata are available, that might make Proton Meet "like WhatsApp" with respect to privacy... some people might decide they may as well just use WhatsApp instead.

Also, if Proton Meet metadata are available via the "CLOUD Act", and if Proton had been marketing Proton Meet as a response to the "Cloud Act"... I guess I can see how some people might be bothered by that.

meowijuana

de0u is that similar to how proton mail handles it? I remember someone got arrested because proton handed over an IP address and it turned out they didn't pair it with a VPN, so is the solution a VPN and meet is fine? Or would you say it's more of a problem than that?

de0u

meowijuana I don't think I'm really in a position to make opsec recommendations about Proton products. I was mostly responding to the notion that "E2EE means it's fine", when the claims in the article were about ways that E2EE might not be enough.

thmf

meowijuana someone got arrested because proton handed over an IP address and it turned out they didn't pair it with a VPN

If I remember correctly Proton said they (obviously) must comply with laws, so they have no access to the user's data (actual emails), but they had access to metadata, i.e. the IP of the user who used the mailbox from government's request. So since the user didn't use Proton's Tor endpoint to check their email, and used regular internet connection, Proton had that IP and was forced to comply and hand it over, since they had that data. Then it's easy, IP -> ISP -> physical connection address.

meowijuana is the solution a VPN and meet is fine

As always, it depends on your threat model. If you're an average Joe and just want some privacy in general sense (as in not anonymity), then Meet over a reputable VPN with no leaks is probably fine, since E2EE is still in place. Probably using some other VPN that Proton's would be better for risk diversification. E.g. Mullvad VPN + GrapheneOS VPN kill switch + Proton Meet.