What I don‘t understand is how they differentiate this sort of „insult“ from “satire”. There are some protections around artistic freedom and you should be allowed to make fun of someone. There was a well-known [“Böhmermann vs. Erdogan”](https://de.wikipedia.org/wiki/Böhmermann-Affäre) case, where more serious insults than “Pimmel” were used, but the prosecution was terminated - probably due to a huge amount of public pressure - but it’s still strange and feels arbitrary.
I assume what they mean is that - they might have to log connections to their service (like with ProtonMail), but they won't have to provide what data that user account has accessed through the service, same as they didn't provide the actual emails of the account in question, but "just" the connecting IP.
Well, yes and no. Currently, Swiss law doesn't support this and providing the IP is based on specific requirements for telecommunication providers as far as I know. But yes, the law could be changed. However, keep in mind that Switzerland is a direct democracy and people here frequently actually vote on such issues directly (if one can gather enough support from the public).
As far as I know Tresorit has actual offices and staff in Zurich, Switzerland. They also appeared clear to me in the past that they have multiple offices around the world (I listened to a presentation from them recently at a conference).
I was referring to pcloud and pcloud also have an office in Switzerland. But similar applies to Tresorit I believe, thy just have it for tax and marketing reasons.
The issue is both Tresorit and pcloud store the data outside of Switzerland. If you start using pcloud on the expectation that it's stored in Switzerland you are wrong, it will be stored in Texas or in Luxemburg. So, how can Swiss law really apply once it really matter? And secondly, who cares if it's Swiss law, it's nothing special with that.
People seem to believe there is some kind of banking secrecy that applies to data storage. On top of that, the Swiss banking secrecy does actually not exist anymore.
And looking at the Terms & Conditions from pcloud, it says:
"If a European Union user of the Site or Services is located outside of Switzerland, then, for the purposes of any claim or action relating to these Terms, the Privacy Policy, the Site, or any Services, the applicable jurisdiction will be the courts that are located in the territory of residence of such European User."
So what is the point to highlight they are in Switzerland, if Swiss laws do not apply if you do not live in Switzerland? It's just false marketing.
I got you - I was just replying to kylehotchkiss. Either way, if the data is properly client-side encrypted, it shouldn't really matter much where the data is stored, since they would need access to your device to decrypt the data. So I don't see how this is an issue.
My expectation here would typically be that the company itself is governed by a stable, democratic government. It matters, because different legislations can impose different requirements (see recent changes in Australia for example).
Yes, banking secrecy has nothing to do with this and doesn't really apply, since that is more about someone not spilling your information, while here you already ensure on your device that the data is not visible to anyone.
I think you are right - it's a marketing element, but most companies do that, don't they? See for example Apple with "Designed in California", which is really just trying to not only say "Made in China". People have known associations with certain countries (such as Switzerland), which are used for marketing, yes.
Well, depending on legislation, they could be ordered to change the code to send the user password to them on next login for that account and then decrypt everything…
The architecture of Ente (https://ente.io/architecture) prevents your unencrypted master key from being exposed to the server. The password authentication appears to be client-side, which means that the data could not be compromised solely by a malicious server-side change.
Now, Ente could still change its web application to somehow leak the master key and not disclose the changes in the source repo. One solution for this vulnerability is to package the entire web client as a browser extension, which is what Mega is doing:
There are a couple of other ways to mitigate the problem for web applications. If you're willing to install a browser extension, then it might make more sense to use the Signed Pages extension[0] which applies PGP signature checking to web pages. The other solution is to use Secure Bookmarks[1], which combine SRI integrity hashes with Data URIs to ensure that a fixed bundle of JavaScript is running in the page.
Since it‘s a paid service with user accounts. You would be able to ban users that have been reported to use this service for illegal means. The same question can be asked to WhatsApp / iMessage / Signal / etc.
Looks great - congratulations! Could you please add if / how you store a hash of the user password of authentication - it‘s not discussed on the architecture page. Thank you.
We don't store your password's hash. Since we use authenticated encryption, clients can identify when the decryption of your masterKey fails because you used a key generated from a wrong password.
Ok, that‘s cool! But the client get‘s to download the encrypted master key without authentication, right? Doesn’t that enable easy offline attacks or is the decryption too time-consuming?
No, the client has to first verify their email address and 2FA (if configured) to receive the encrypted keys. In addition to this the decryption is time-consuming.
Yes, but I assume the rationale here is that they will only have to refund that month and can reset the clock for the next month. So if they have serious downtime it won't cost them for the full year - just for that one month.
Yes, the same could and has been said about YouTube-dl. It depends what you do with the tool. If you are using it to download videos that specifically allow this, then there is nothing illegal about it. It's the same thing with a hammer. You can use it for legal or illegal actions, but that doesn't make the hammer an illegal tool...
By watching videos or listening to videos, you make a non-digital copy of it in your mind! Is that legal? If you hum the song, is it illegal reproduction? If you describe the video to a friend, is that unauthorized reproduction? If you formulate a critique of it, is it an illegal derieved work? Who gets payed in these cases?
