
Matt Donahue
56 posts

@donkodex
Founder/CEO @KodexInc — the only secure, modern portal for all of your third party data requests
Joined November 2024
101 Following, 61 Followers

@reidjjackson @bhalligan If I were reacting to a 2 day old post I’d at least skim the comments to get a sense of the broader context.

@donkodex @bhalligan It’s literally the second bullet point of his argument.


@reidjjackson @bhalligan I guess that’s the hazard of reacting to a headline rather than the substance/context

The original tweet said only 1 of the 50 AI companies are in Boston. This is not accurate by any measure and ignores that some of the world’s most cutting edge AI research is being conducted here (fact, not opinion). I have no opinion on the relative strength of the startup ecosystem here (don’t know enough), simply the misleading first claim.

@reidjjackson that’s like saying Ireland is one of the top AI countries in the world because all those companies you mentioned have a significant presence there. It’s a commentary on the relative startup ecosystem in Boston compared to other tech hubs, not wherever tech incumbents decide to set up an office.

I think I’d break the character limit on X if you get me going on resource allocation. I agree, that’s a huge issue. The teams tasked with handling these data requests are often the red headed stepchild of their company and too often viewed as a cost center.
Re: admin errors - companies actually make an effort to dumb it down for LE so they can limit the amount of shitty requests they have to deal with.
Proton’s categories of “complied” and “contested” are too vague to provide meaningful insight into what actually qualifies under each bucket. It’s not a matter of “folding” vs “not folding”…Proton, like every company across the world, needs to legally comply with the laws they are subject to. That’d be like saying I “folded” because I used the restroom instead of pissing in the middle of the street…I didn’t fold, it’s literally illegal to go in the street. The 6% of cases where they “contested” isn’t about “not folding” it’s saying “nope something is wrong with this one, I’m not ignoring the laws but this isn’t right”…to further the analogy, that 6% is realizing ya gotta go, knowing you can’t piss in the street, so you pull off the side of the highway for the public restroom but there is something horribly wrong with that restroom so you don’t want to use it but you still can’t go in the street…instead you do the next reasonable thing without breaking the law and go drive to the next rest stop…I thought of that analogy on the spot so bear with me I’m tired 😂

I may be just misunderstanding, but it seems you're explaining variance, not the trend.
Random legal errors would create noise around a baseline, not a steady collapse from 21% to 6% over four years while volume doubles.
The simplest explanation for that pattern is still resource allocation and PR pressure, not governments suddenly getting better at paperwork.
The Telegram example actually reinforces the point. Durov pushed back and faced consequences. Proton folds 94% of the time and gets praised for the 6%.
The question isn't whether companies can be forced to comply, I would absolutely say they can. It's why Proton fights three times harder when journalists are watching, according to the numbers.
I know who you are; I looked you up and commented on one of your posts, so I appreciate you taking the time to explain it, if you wouldn't mind clarifying how that position is false.

I actually think that is exactly why there needs to be more awareness on this space. Can’t hold the govt (or companies) accountable unless we understand the bounds by which they operate…and in 2025 they literally cannot operate without lawful access to data yet the average person doesn’t even realize to raise the question.
The transparency reports are a nice first step towards accountability but there needs to be standards, and legal expectations, set across industries and borders instead of voluntary reports that are too vague to convey any meaningful context. The state might be immune from prosecution but they are not immune from policy changes…but policy changes won’t come if people aren’t aware enough about a topic to effectively hold the public sector accountable to the (shitty) systems/processes currently in place.
Sunshine is the great disinfectant as they say.

@donkodex Understandable, it was pretty vague. The state already gave itself this protection.
Absolute immunity for prosecutors and judges. Qualified immunity for cops.
Sovereign immunity for agencies.
Even Congress exempts itself.
The debate is whether peasants deserve it too.

Imagine making a PB&J at home, then someone walks in, grabs it, and throws it at a person with a nut allergy. Suddenly, you’re the asshole because you made the sandwich?
That’s how absurd it is to blame companies for third-party abuse of their products. They should be willing and able to use the proverbial EpiPen—aka working with law enforcement to stop harm—but it’s good to see courts reject nonsense claims outright.
miles jennings @milesjennings
Similar to how Section 230 fostered the creation of the internet, the Risley v. Uniswap holding is a boon for credibly neutral, decentralized and autonomous blockchain systems. Absolutely huge.

I think what sums up your frustrations, and subsequently leads to common misconceptions like this, is that things are a lot more nuanced and complex than most people realize. Lawful access is like the legal equivalent of Aristotle thinking the sun revolves around the earth; it may appear that way and make sense the way you view it, but that doesn’t make it true.
A steady contest rate would assume a level of predictability in LE requests that just does not exist in real life (hence the variations in annual volume).
Companies have to comply with valid legal orders if they want to stay in business. The French govt saga with Telegram CEO kinda sums that up.
Not sure if you keep up on what the latest crop of dark web trolls are into, but they have realized this truth and take prey of it (wired.com/story/doxers-p…)
I’m not saying there isn’t a lot to clean up, and clear up, regarding how our data is accessed…there certainly is…but it’s not as black and white as one might assume.
There is way too much to unpack on this topic for a comment thread on X, but I’d be happy to chat on the topic any time. I live in this space every day.

Do you see my username? I'm definitely not going to argue that LE and prosecutors make mistakes (or that they are outright criminals in their own right many times). But, if it was about invalid paperwork, the contest rate would hold steady as a percentage. It didn't.
21% in 2021 when everyone was watching,
6% in 2024 when they weren't.
Either governments got three times better at filling out forms, or Proton fights harder with cameras on.

@DoingFedTime @mattplourde__ Also “32,076” refers to the number of legal orders complied with, but you’re assuming there is a 1:1 ratio of user to legal order. Legal orders can very frequently cover many accounts under a single order…too much and they might start contesting the legal validity.

@donkodex @mattplourde__ Proton's report separates "complied" from "contested." Contested means they fought.
If the account didn't exist, that's not a contest, that's nothing to give.
Two different categories.

@DoingFedTime @mattplourde__ Compliance % is not about whether they just decided to comply or not. It is about whether they were even able to comply in the first place. Just because it’s legal, doesn’t make it valid. Often companies get legal orders for info they don’t even hold (i.e. no account found, etc.)

Notice how the compliance % is not 100?
Why is that?
I thought they HAD to comply?
If I email a proton user from another one that isn't proton, there is no encryption. PROTON encrypts it when they get it; it's not already that way.
Proton collects and can hand over the following metadata under Swiss court order: Email metadata (always accessible to Proton): sender and recipient email addresses, IP addresses of incoming messages, attachment names, message subjects, message sent and received timestamps, number of messages sent, storage space used, total number of messages, last login time.
Account information: any recovery email address or phone number you provided, account creation date, device identifiers.
Prospective logging: Under Swiss court order, Proton can be compelled to begin logging your IP address going forward. Under Swiss law, Proton can be forced to collect info on accounts belonging to users under Swiss criminal investigation. This is not done by default, but only if Proton gets a legal order for a specific account.

@vilebin @DarkWebInformer Oh sweetie, you still don’t get how it works. It’s okay, you can learn how that’s not possible, and more, by visiting our website at kodexglobal.com

@DarkWebInformer If the registrar was a Kodex customer. Kodex would probably go against a legal order for themselves. So why would a registrar do such a thing.

🚨Kodex provided the following update about today's outage. Stating the following:
▪️No credentials were compromised, no customer data was accessed, and Kodex itself was never breached.
▪️The registrar is not a Kodex customer.
▪️The incident was the result of a globally known domain registrar being socially engineered into complying with a fraudulent legal order to seize the kodexglobal[.]com domain.

Matt Donahue retweeted

Earlier today the FBI informed @NYPDnews of a threat to life involving the Benjamin Cardozo High School in Queens. The NYPD deployed to the high school to address this potential threat, which led to a successful outcome. This swift response demonstrates the importance of close partnerships and the critical need for information-sharing to ensure our city and students are protected against unnecessary acts of violence.
Matt Donahue retweeted

🛑FBI New York assisted the U.S. Embassy in New Delhi with revoking and denying U.S. visas for certain business executives involved in trafficking lethal fentanyl precursors. This significant disruption helps stem the supply of fentanyl into the United States, thus protecting our citizens from this lethal drug. Read more here: in.usembassy.gov/u-s-visa-revoc…

@donkodex Because we love you so much at Vilebin. I decided to buy a Lexus IS Sport and am getting vanity plates with “Kodex” on them. ❤️

Matt Donahue retweeted

🛡️ We're hiring a Full Stack Engineer to help protect real people.
Build systems that stop fraudulent law enforcement requests & ensure legitimate investigations get the data they need. Get competitive equity, remote-first, unlimited PTO.
Info here: bit.ly/4kNpVY1

Matt Donahue retweeted

From his time at TikTok, AJ Iafrate knows that collaboration with Fusion Centers is one of the most important ways to stop cybercrime. 🛡️
Which is why we're so excited to say we'll be at the 2025 NFCA Annual Training Event in D.C.
Event info: nfcausa.org/annual-trainin…
Matt Donahue retweeted

Government data requests were a time-consuming, risky, necessary evil. Not anymore!
@DonKodex joins experts to share how @Coinbase is transforming its approach to financial crime prevention with the structured data in gov data requests during #Disruption25.
Don't miss this!






