ProtonMail shares user IP address with authorities
ProtonMail, an end-to-end encrypted email service provider, has recently logged and shared an activist’s IP address with the authorities, complying with a legal request.
Swiss-based Proton Technologies, the company behind ProtonMail and ProtonVPN, was recently forced to log and share the IP address of an anti-gentrification climate activist who was using the company’s encrypted email service. This led to the activist’s recent arrest in France.
In response, ProtonMail and ProtonVPN users, as well as privacy and security experts, started to question the company’s reliability and devotion to online security, anonymity, and freedom.
The company @ProtonMail handed the IP addresses of climate activists over to the police, after which these activists were arrested and had their homes searched. Yet ProtonMail claims on its website that it does not keep its users' IP addresses. https://t.co/TlarH9DD9F
— onestla.tech (@OnEstLaTech) September 5, 2021
So @ProtonMail received a legal request from Europol through Swiss authorities to provide information about Youth for Climate action in Paris, they provided the IP address and information on the type of device used to the police https://t.co/KtKF4wn3wv
— Etienne – Tek (@tenacioustek) September 5, 2021
According to Proton’s representatives, even though the service does not keep logs or require any personal user information, and even though it is illegal for the company to hand out any user-related data to foreign entities, it would be forced to comply with local Swiss authorities if they choose to assist international investigations.
And in the case of the Youth for Climate activist, the Swiss government ruled in favor of aiding Europol in its investigation.
The company’s response on Reddit states that it in fact had no chance to fight the authorities on this ruling and was forced to comply with the decision:
“There was no possibility to appeal or fight this particular request because an act contrary to Swiss law did in fact take place (and this was also the final determination of the Federal Department of Justice which does a legal review of each case)”.
This could create a dangerous precedent for Proton Technologies, a company that prides itself on providing reliable and accessible privacy solutions. It seems that, whenever Swiss authorities request personal user data from the company, it will be forced to comply.
This situation has shown that, even though the service does not log any user information by default, it can always be modified to provide the requested information in individual cases:
“… by law, [ProtonMail] must comply with Swiss criminal investigations. This is obviously not done by default, but only if legally forced.”
What’s more, the company could be forced to apply the same approach to its VPN service. This would show that even an established and respected no-logging policy can no longer be any kind of guarantee for the user.
“By default, we do not keep permanent IP logs in relation with your use of the Services. However, IP logs may be kept temporarily to combat abuse and fraud, and your IP address may be retained permanently if you are engaged in activities that breach our terms and conditions (spamming, DDoS attacks against our infrastructure, brute force attacks, etc). The legal basis of this processing is our legitimate interest to protect our Services against nefarious activities. If you are breaking Swiss law, ProtonMail can be legally compelled to log your IP address as part of a Swiss criminal investigation.”
ProtonMail has been widely regarded as one of the leading encrypted email services, even endorsed by the United Nations as a means to securely and privately report human rights violations during the civil war in Myanmar.