The actual content of the meeting (the audio, video, screen sharing, chat messages) is encrypted, even though it is processed on computer located in the U.S. So this is a little dishonest to say is outside of the CLOUD Act, because the data is literally subject to the act. But then, it’s encrypted, so that’s not so bad since it’s basically impossible for the gov to make sense of the data even if they do requisition it.

But the real problem is that other data is not encrypted, yet still is handled on U.S infrastructure: everyone’s IP addresses in the meeting (which can be used to guess their location down to the city more or less), when the meeting started, how long it lasted, which address initiated the call, and some other more technical (and less severe) things. As the author points out, U.S prosecutors have won cases in the past using only phone records that show Alice called Bob, without at all needing to know what they talked about. So since the whole point of this is to avoid government troublemaking, leaving this data not only exposed (not much they could technically do there) but worst of all on U.S computers is just such a facepalm move.

Its clear (to me, the author doesn’t comment on this) that they use U.S companies’ computers because these companies have basically the best and easiest-to-use infrastructure for handling heavy duty stuff like video conferencing. As a developer, I get it, it sucks not to be able to use these powerful and convenient tools. But when your products ENTIRE value is that it doesn’t expose your data to the U.S government, building it in such a way that it… Literally does do that, with enough data for prosecution…Seems like blatant dishonesty to me.

Bonus stupid thing: There’s an anonymous call join function where you can call without a Proton account, which they call anonymous because it hides your IP address from the person you’re calling with and which they criticize competitors for not implementing. So this makes it clear that they understand the importance of hiding the callers IP - they’re using it as a point of marketing. But the way this hides your IP is, rather than you and the person you’re calling knowing each other’s IP, both of your IPs are plainly known by Oracle’s computers in Arizona… Which is like…worse, if the thing you’re worried about is governments more than the person whose meeting you’re joining. And again since that’s the main selling point of the product… Just seems very dishonest and lazy.

There are ways that they could have done this properly, mostly by simply just not using U.S tech companies at all, but that would have been more expensive from a development time standpoint, and maybe for maintenance too. But this is the whole reason for the company’s existence. So to see them cheesing out on it seems to me like they’re thinking their customers aren’t that savvy. Looks bad.