ProtonMail and Anonymity
Michał Górny
mgorny at gentoo.org
Sun May 5 22:20:58 CEST 2019
On Sun, 2019-05-05 at 14:32 -0400, Jeff Allen wrote:
> On 5/5/19 1:36 PM, Stefan Claas wrote:
> > On Sun, 5 May 2019 11:22:56 -0400
> > Tony Lane <codeguro at gmail.com> wrote:
> >
> > > Isn't it obvious?
> >
> > I don't think so! Users new to privacy-related
> > services may think when visiting the ProtonMail
> > site that they are anonymous, when seeing their
> > main page:
> >
> > https://protonmail.com/
> >
>
> I suppose like anything else it all comes down to whether you believe
> them or not. I do.
>
> Here is ProtonMail's explanation of what they do with the personally
> identifiable information collected during registration:
>
> "If you are presented with Email or SMS verification, we only save a
> cryptographic hash of your email or phone number which is not
> permanently associated with the account that you create. Because hash
> functions are one way functions, it is impossible to derive your phone
> number or email from that hash. However, using the same phone number
> will result in obtaining the same cryptographic hash, so by comparing
> hashes, we can detect re-use of phone number or email addresses for
> human verification."
>
Don't you think that brute-forcing a hash of a phone number would be
trivial?
--
Best regards,
Michał Górny
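
The keyspace argument behind this question, as an added example that is not part of the thread. It assumes an unsalted SHA-256 over the number as a string (the quoted policy does not name the hash or say whether it is salted or keyed) and uses a constructed number from the fictional 555-01xx range. It goes beyond the post by contrasting a keyed HMAC, where enumeration fails without the server's secret; all function names are hypothetical.

```python
import hashlib
import hmac
import time

def digest(number: str) -> str:
    """Unsalted SHA-256 of a phone number (assumed scheme, not ProtonMail's)."""
    return hashlib.sha256(number.encode()).hexdigest()

def keyed_digest(number: str, key: bytes) -> str:
    """HMAC-SHA-256 with a server-side secret (hypothetical mitigation)."""
    return hmac.new(key, number.encode(), hashlib.sha256).hexdigest()

def recover(target: str, prefix: str, digits: int):
    """Hash prefix + every `digits`-digit suffix; return the matching number."""
    for n in range(10 ** digits):
        candidate = f"{prefix}{n:0{digits}d}"
        if digest(candidate) == target:
            return candidate
    return None

def estimate_seconds(digits: int, sample: int = 20000) -> float:
    """Extrapolate single-core time to hash every `digits`-digit number."""
    start = time.perf_counter()
    for n in range(sample):
        digest(f"{n:0{digits}d}")
    rate = sample / (time.perf_counter() - start)
    return 10 ** digits / rate

# Constructed sample data: fictional number and a made-up server key.
SAMPLE = "+12025550147"
PREFIX, SUFFIX_DIGITS = "+1202555", 4
SERVER_KEY = b"constructed-demo-key"

if __name__ == "__main__":
    # Plain hash: the stored value maps straight back to the number.
    print("plain hash ->", recover(digest(SAMPLE), PREFIX, SUFFIX_DIGITS))
    # Keyed hash: the same enumeration without the key finds nothing.
    # The key holder can still enumerate, so this only helps if the key
    # is kept apart from the stored hashes.
    stored = keyed_digest(SAMPLE, SERVER_KEY)
    print("keyed hash ->", recover(stored, PREFIX, SUFFIX_DIGITS))
    # A 10-digit national number has only 10**10 candidates.
    print(f"10 digits, one core: ~{estimate_seconds(10) / 3600:.1f} h")
```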
More information about the Gnupg-users mailing list