ProtonMail, an anonymous email service, handed over the IP address and browser fingerprint of a French climate activist to Swiss authorities this weekend. This seemed to be in direct contradiction to ProtonMail's privacy-focused policies. Last week, the company stated that "By default we don't keep any IP logs which could be linked to your anonymous mail account."
Ars Technica. This article originally appeared on Ars Technica. It is a trusted source of technology news, analysis, reviews and other information. Cond Nast, WIRED's parent company owns Ars.
ProtonMail replaced the section that promised no IP logs with one that stated, "ProtonMail respects privacy and places people (not advertisers), first."
No Logging By Default
The devil is always in the details. ProtonMail's original policy stated that it does not keep IP logs by default. ProtonMail, a Swiss company was forced to comply with a Swiss court's request that it start logging IP addresses and browser fingerprint information for each ProtonMail account.
This account was managed by the Parisian Chapter of Youth for Climate. Wikipedia describes it as a Greta Thunberg-inspired movement that focuses on students who attend protests and skip Friday classes.
Multiple statements ProtonMail made Monday indicate that it could not appeal the Swiss demand to log IP addresses on this account. ProtonMail believes that the legal tools for serious crimes were inappropriate to the case, and therefore could not appeal to it.
Get out your Tor Browser
ProtonMail also removed the misleading, but technically correct, reference to the "default" log policy. They also promised to encourage activists use the Tor network. ProtonMail's new section "Your Data, Your Rules", links directly to a landing page that aggregates information about Tor access to ProtonMail.
Tor may be used to access ProtonMail, which could allow it to do what ProtonMail cannot legally: obfuscate its users' IP addresses. Because the Tor network conceals the origin of a user's network before packets reach ProtonMail it doesn't receive it. Even a valid subpoena won't be able to get this information from ProtonMail.
It is important to note that Tor anonymity relies on technical measures, not policies. This could make Tor a dangerous double-edged sword. There is no policy that prevents a government agency, or any other threat, from compromising Tor nodes traffic passes through to track origins.
ProtonMail also offers a VPN service, ProtonVPN. ProtonMail points out that Swiss law forbids courts from requiring VPN services to log IP addresses. The Swiss court cannot have forced ProtonVPN to reveal its "real" IP address if Youth for Climate had accessed ProtonMail via ProtonVPN. The company seems to favor recommending Tor for this purpose.
An email service can only encrypt so much
ProtonMail also points out that although Interpol collected the IP address and browser fingerprint of its users, ProtonMail's privacy guarantees regarding email content were not violated.
The service uses end to end encryption and does not have the key required to decrypt an email body or attachment. It is impossible to collect this data, unlike the source IP address or browser fingerprint. This information cannot be changed on the company's servers unless a court order requires.
ProtonMail is able to encrypt email bodies with keys that are not available to servers, but the SMTP protocol requires email sender, recipient and timestamps to remain server-accessible. Although Tor and VPN can be used to access the service, it is possible to hide IP addresses or browser fingerprints. However, the service can still legally be required to disclose any of these fields to Swiss law enforcement.
Additionally, subject lines in email could be encrypted without breaking SMTP protocol, but ProtonMail does not do this. This means that the courts can order the service to disclose the data.
This story first appeared on Ars Technica.
Here are more great WIRED stories