ProtonMail, a hosted email service with an emphasis on end-to-end encrypted communications, has come under fire after a French police report revealed that the company was able to obtain the IP address of a French activist using the service. The company has communicated extensively about the incident, explaining that it does not log IP addresses by default and that it only follows the regulations of its own jurisdiction, in this case Swiss law. ProtonMail says it did not cooperate with French authorities directly. Instead, Europol forwarded a request from the French police to the Swiss police, which compelled ProtonMail to obtain the IP address of one of its users.
A group of people has occupied several commercial properties and apartments in the Place Sainte-Marthe area of Paris. They are campaigning against gentrification and real estate speculation, as well as against Airbnb and high-end restaurant chains. What started as a local conflict quickly turned into a symbolic campaign, and it made newspaper headlines when the group began occupying the premises of Le Petit Cambodge, a Parisian restaurant that was one of the targets of the terrorist attacks of November 13, 2015.
The group published an article on Paris-luttes.info (an anticapitalist news site) summarizing the various police investigations and legal cases against its members. Their account claims that ProtonMail received a request, routed through Europol from France, to identify the person who had set up a particular ProtonMail account. The group used this email address for its communications, and the address was also published on several anarchist websites.
On Twitter, @MuArF shared an excerpt from a police report detailing ProtonMail's reply the following day. According to @MuArF, the police report is connected to the ongoing investigations into the group that occupied several premises in Place Sainte-Marthe. It states that the message was relayed by Europol to the French police, and it contains the information supplied by ProtonMail.
Here's the report:
PROTONMAIL informs that an email address was created by The IP address associated with the account is:
Device used must be identified by the number
Andy Yen, founder and CEO of ProtonMail, reacted to the police report on Twitter without mentioning any specific circumstances: Proton must comply with Swiss law. As soon as a crime has been committed, privacy protections can be suspended immediately, and we are required by Swiss law to answer any requests from Swiss authorities.
Yen is keen to emphasize that his company did not cooperate with Europol or the French police. Europol appears to have been merely the channel of communication between the French and Swiss authorities; the Swiss authorities eventually took over the case and made the request to ProtonMail directly. In its transparency report, the company refers to such requests as foreign requests that were approved by the Swiss authorities.
Swiss law must be respected by Proton. Privacy protections can be suspended as soon as a crime has been committed. We are required by Swiss law to respond to requests from Swiss authorities. Andy Yen (@andyyen) September 5, 2021
TechCrunch reached out to Andy Yen, CEO of ProtonMail, with questions regarding the case.
Key among them: when was the targeted account holder notified by the Swiss authorities that their data had been requested? Under Swiss law, such notification is mandatory.
However, Yen said that he cannot comment on the specific details of the case or provide information about active investigations, adding: "These inquiries would need to be directed to the Swiss authorities."
He also pointed us to this page, which sets out ProtonMail's notification policy for its users.
There the company reminds users that Swiss law requires them to be notified when a third party requests their private data, even when the data are being used in criminal proceedings. However, it notes that notification may be delayed in certain situations.
Proton states that notification may be delayed in the following situations: if there is a temporary ban on notice by Swiss legal process, Swiss court order, or applicable Swiss law, or if we, based on information provided by law enforcement, believe that giving notice could cause injury, death or irreparable harm to an identifiable person or group.
As a rule, the policy states, targeted users will be informed of the request by either ProtonMail or the Swiss authorities and given the chance to object.
In this particular case, ProtonMail may have been under a legal order to delay notifying the account holder, given how long it took for the logging to be initiated and disclosed (up to eight months). Or it may have received information from the Swiss authorities that led it to conclude that delaying notice was necessary to avoid injury, death or irreparable harm to a person or group. (NB: It is unclear what "irreparable" means in this context, and whether it could be taken to cover harm to the interests of persons or groups, such as to a criminal investigation, which would be a far broader reading than bodily harm alone.)
Either way, the transparency that Swiss law affords individuals through its mandatory notification requirement is severely limited, because the same law allows the authorities to gag notifications for long periods (seemingly over half a year in this particular case).
ProtonMail's public disclosures also show an alarming increase in data requests from the Swiss authorities.
ProtonMail received 13 orders in 2017; by 2020 that number had risen to 3,572.
The number of foreign requests approved by the Swiss authorities has also risen, though not as dramatically, with ProtonMail reporting an increase from 13 such requests to 195 by 2020.
Although the company says it responds to lawful requests for user information, it also says it will contest orders it does not believe are lawful. ProtonMail reports a corresponding rise in contested requests: it contested three in 2017, but pushed back against 750 in 2020.
This case was deemed to have met Swiss legal standards by the Swiss government. This ruling was final and cannot be appealed. We fight whenever we can, and in 2020 we fought more than 700 cases for users. Andy Yen (@andyyen) September 6, 2021
ProtonMail's privacy policy states that it may provide information on user accounts in response to valid requests under Swiss law. This information can include account information (such as an email address), account activity and metadata (such as sender and recipient email addresses, the IP addresses from which incoming messages originated, the times messages were sent and received, subject lines, etc.), the total number of messages, storage use, last login time, and unencrypted messages sent from third-party providers to ProtonMail. Because it cannot decrypt email data, it is unable to provide the content of emails, even when served with a warrant.
In its transparency report the company also flags an additional layer of data collection that it may be required to carry out in extreme criminal cases: ProtonMail may be obliged to monitor the IP addresses used to access ProtonMail accounts involved in criminal activity.
As Yen put it, court orders generally cannot be ignored unless you are located 15 miles offshore in international waters.
Critics have pointed to the gap between Proton's privacy-centric marketing, including its claim to provide anonymous email, and the caveat in its transparency disclosure about IP logging in extreme criminal cases.
Few would disagree that anti-gentrification campaigners have met that standard.
Proton also offers an onion site, which lets activists who are concerned about tracking access its encrypted email service via Tor, making it harder for their IP address to be traced. So the company does give users tools to protect themselves from IP monitoring and to keep their emails from being snooped on; but in certain situations, Swiss law enforcement can turn its service into an IP monitoring tool.
In the wake of the revelation that it had logged the IP address of French activists, Yen stated on Twitter that ProtonMail would add a prominent link to its onion address.
Yes, this page will be updated today to link to Tor. Andy Yen (@andyyen) September 6, 2021
Proton also offers a VPN service, and Yen claims that Swiss law does not allow it to log VPN users' IP addresses. It is interesting to speculate whether the activists could have evaded the IP logging had they used Proton's VPN service alongside its end-to-end encrypted email.
According to Swiss law, VPN logging is not legal. Andy Yen (@andyyen) September 6, 2021
TechCrunch asked Yen about this. He replied: If they were using Tor and ProtonVPN, we would have been able to provide an IP, but it would have been either the IP address of the VPN server or the Tor exit node.
"We do protect against this threat model via our Onion site (protonmail.com/tor)," he added. "It is generally impossible to ignore court orders unless you are located 15 miles offshore in international waters."
Although the Swiss legal system is not perfect, it does have some checks and balances. It is also worth noting that approval was required from three authorities in two different countries, which is a fairly high bar that prevents most, but not all, abuse of the system.
Here are some thoughts about the French "climate activist" incident. It is a shame that serious crimes can be prosecuted with legal tools in this manner. @ProtonMail must follow Swiss criminal investigations by law. This can be done only if it is legally required. Andy Yen (@andyyen) September 5, 2021
In a public response on Reddit, Proton wrote that it was deeply concerned by the case and reiterated that it could not contest the order.
It added that the prosecution in this case seemed quite aggressive: "This is a pattern that we have seen more often in recent years (e.g. in France, where terror laws are not used properly). We will continue to fight against these laws and abuses."
We are actively involved in fighting against unjust laws in the US, EU and CH. It is not possible to refuse government orders. You can be shut down and even jailed. The only way to fix the law is through democratic processes. Andy Yen (@andyyen) September 6, 2021
Zooming out, another development that could endanger the privacy of European internet users is that European Union legislators have indicated they are open to working with other countries to allow lawful access to encrypted data, even as they profess support for strong encryption.
Privacy campaigners are again concerned.
In an open letter sent in January, ProtonMail and other end-to-end encrypted services warned that EU lawmakers could set the region on a dangerous path toward backdooring encryption.