
In account creation, requiring a phone number for “spam prevention” on Tor

There was some deanonymizing like that, phone or credit card



KYC for a business is the smart legal move IMO whether it's technically required or not. Yes Proton is required to cooperate with law enforcement and government requests. Mullvad has been raided and Tutanota servers have been seized before too. Nobody is going to jail for you.


Knowing as little as legally possible about your customer is the actually smart move if your entire selling point is privacy.

Mail providers aren't bound to specific KYC regulation, Proton could simply collect... Nothing. But they still do, why? The only legitimate reason they've given is to prevent spam. Fair enough, spammers using them will impact all users. But then why not impose a captcha when sending emails until you provide/validate your phone number? Possibly laziness, possibly complacency, possibly because it's a honeypot.

When it comes to Mullvad I'm not sure what you're trying to say? That Proton collecting personally identifiable information will prevent a raid/downtime? Feels like wishful thinking. Or are you suggesting that Mullvad gave personal info to the police? Because they didn't. They couldn't. BECAUSE THEY DON'T FORCE YOU TO PROVIDE ANY.


> Knowing as little as legally possible about your customer is the actually smart move if your entire selling point is privacy.

Yes I agree, but Proton also provides paid services and it is often the law that you must retain certain records in cases of audits, fraud etc., so there is some necessary KYC in that sense, but perhaps you're right in that they could keep less information, possibly at the cost of increased spam and decreased reputation though, so I understand the struggle.

> But then why not impose a captcha when sending emails

I suppose you could, but perhaps they weighed that possibility against it turning people off to using the service entirely? Not sure.

> When it comes to Mullvad I'm not sure what you're trying to say

I was not trying to imply any of those things, just pointing out that companies still have to answer to law enforcement sometimes, that they are not immune from the laws of their country... because I have seen that some people who are staunch privacy enthusiasts seem to think companies have the luxury or practical ability (without detriment to their business) to simply not know their customer at all, and I don't think that is often the case. There is also a balance between simplicity and privacy. If you want anonymous payments that's fine, but crypto isn't as easy to use as a credit card. But if you handle credit cards, you must keep some data by law usually. Things like that.

And some people might just want to sell your info to advertisers or data brokers, there's always that.


It is possible to get Google captchas as verification on some nodes; however, it is rare and was easier in the past.

I'm disappointed that they haven't used their own captchas but maybe they will in the future.


We (Proton) have had our own CAPTCHA for a year or more now.



