Welcome back everyone. Today we're talking about ProtonMail, and recently it was in the news that ProtonMail logged IP addresses of a French activist and handed that information over to the Swiss authorities, and a lot of people are really upset about that. I think that most people are actually shocked that ProtonMail actually could find that information or had that information available to give to the Swiss authorities. So today I want to talk a little bit about how ProtonMail works technically and address some of the concerns about privacy.

First off, ProtonMail is end-to-end encrypted. They had no ability to share things like the contents of email. What was shared was what we call metadata, any communication data, and specifically this French activist connected to ProtonMail directly. So this isn't the first time that something like this has happened, and I'm not sure why this particular case is getting more traction than others, except maybe that the case file, I think, was openly available.

So if we look at ProtonMail's own transparency reports, we can see the statistics about requests that have come into ProtonMail from the Swiss authorities, what was approved, and then just requests from countries coming in. So in their reports, we can see that a lot more countries are making requests in 2020, and we don't have the 2021 data yet. But requests are ramping up very quickly. Now, does this mean that countries are being more aggressive? It probably just means that ProtonMail is a lot more popular than it used to be. ProtonMail's had a lot of growth in the past few years. That means more users, and with more users, you're going to have more requests associated with that. Now look how many they've actually contested legally and tried not to fulfill, and then the orders complied with just this last year, sorry, was 3,000, which is fairly low, like other service providers have way bigger numbers than this.
That's something to think about. This is on ProtonMail's own website. So Swiss authorities can make requests to ProtonMail basically to divulge any information that they have about the user.

All right, so let's see technically what was kind of going on here. Okay, so imagine that we have ProtonMail and we're trying to connect. We have our computer on the internet. ProtonMail has an IP address that's unique to it. That way we can identify where it's at and talk to that IP address. Our computer also has a unique IP address. And this IP address is assigned from our service provider. And that IP address associated with our service provider lets us identify the location of the service provider, specifically the country and which service provider owns it. Okay, so these IP addresses, we can tell where they're coming from because of the service provider.

If I try to connect to ProtonMail directly, I'm going through my internet service provider, through ProtonMail's service provider, and then I'm talking to ProtonMail's server. And of course, whenever they're replying to me, they basically do the same thing coming back. We have two-way communication between ProtonMail's server and my computer. ProtonMail itself, on this side, it can see or it has to see all of these connections that are coming in because you're trying to talk to their server.

Well, what IP address does the ProtonMail server see? It sees your original IP address because that's what you're connecting from. And of course, the service provider, like your service provider and ProtonMail's service provider, can also see your IP address communicating with ProtonMail's IP address and vice versa. They can see that that communication is taking place. They can see that those two IP addresses are talking to each other, but they can't see the contents, theoretically. They're not supposed to be able to see the contents.
First off, this connection, although they can see the IP addresses, this connection should be encrypted between the server and the computer. Along with that encryption, the contents of the email are also encrypted using PGP, which is what ProtonMail is using. So the service providers and ProtonMail and your computer can see the IP addresses that are talking to each other. They can see that some traffic is being sent, but they can't tell how much or they can't tell what that traffic actually is, or it's not very clear what that traffic is.

Okay, so next, if you're connecting from your phone, it's the same idea. You have a ProtonMail app probably installed on your phone. Your phone also has an IP address, also associated with your phone's service provider, or if it's your home Wi-Fi, it's similar to your computer. And your phone is also doing the same connection through your service provider, through ProtonMail's service provider, and then connecting to the service. Whether you're using the app, whether you're using the browser, it doesn't really matter. Whatever the IP address you're using to connect, that's the IP address that ProtonMail will see. Now, ProtonMail is doing everything it can to encrypt all of that, but we cannot encrypt those IP addresses, otherwise we don't know where to send the traffic.

So what ProtonMail recommends, instead of connecting to the server directly, they have provided a Tor onion address. So the idea basically is that you connect from your computer to the Tor network, and then we set up a tunnel in the Tor network. Our data gets routed through the Tor network, and then it basically goes through another tunnel to ProtonMail. So we can make a connection through Tor, an encrypted connection through Tor and through ProtonMail. Now, the thing about Tor is that it's hiding our original IP address from ProtonMail. So ProtonMail cannot see our original IP address because we've routed it through Tor.
A very similar thing would happen if you use like a VPN or a proxy, but ProtonMail provides a Tor node directly. So they recommend using that. Now, your service provider can still see that some connection is being made, but they don't know where that connection is going. Because ProtonMail is in the Tor network, you don't have any exit nodes or anything that can spy on your traffic. You're just going directly through Tor to ProtonMail. ProtonMail cannot see your IP address, but they can see like what you're doing and what account is logged in, and they can tell that you've logged in from Tor, but they don't know about your original location.

So in this whole discussion, what people seem to be upset about is that ProtonMail does not by default keep track of the IP addresses that a certain account is using. But in this particular case, IP addresses were logged. Now, that's because the local authorities in Switzerland told ProtonMail to log those IP addresses. To make any type of connection to ProtonMail, you have to connect via your IP address or route your connection through something similar to Tor. And ProtonMail specifically said use Tor if you're going to access this, especially if you're a very sensitive group, for example, like a journalist. So a lot of people, as far as I can tell, just didn't read ProtonMail's documents closely. In the documents, they talk about Tor, they talk about the Swiss government making certain requests and what they have to turn over whenever they have those requests.

So is ProtonMail secure? Well, ProtonMail is as secure as basically any other cloud-based service provider. You are trusting a company with your data. Now, the big differentiator for ProtonMail is that they do use end-to-end encryption and they don't have access to the email contents. If you're attempting to secure email contents, then ProtonMail is very secure.
If you're attempting to connect completely anonymously, you have to go through some sort of tunnel like Tor. Otherwise, everyone can see where you're coming from. They don't normally log IP addresses, but their documentation says that if they're requested to, they will. If that's a concern for you, for example, if you're a very sensitive subject like a journalist or something like that, then you probably should be using Tor and connecting to services that are directly hosted on Tor, not through an exit node, for example.

So this is kind of a quick description. Metadata is really interesting for investigation. So from my investigator hat, looking at this case is super interesting because we can see what kind of information we can potentially get from ProtonMail. From my privacy hat, it's looking at what were the limitations of ProtonMail, and in my opinion, they're working exactly as advertised. There's nothing controversial here, really, because they already told everyone that that's how it works, and that's how the internet works. This is a little explainer on how they work, and let me know below if you have any questions. Thank you very much.