Swiss Court Says ProtonMail Isn't A Telecom, Isn't Obligated To Retain Data On Users

from the neutral-good-remains-a-pretty-solid-alignment dept

ProtonMail offers encrypted email, something that suggests it’s more privacy conscious than others operating in the same arena. But, being located in Switzerland, it’s subject to that country’s laws. That has caused some friction between its privacy protection claims and its obligations to the Swiss government, which, earlier this year, rubbed French activists the wrong way when their IP addresses were handed over to French authorities.

The problem here wasn’t necessarily the compliance with local laws. It was Proton’s claim that it did not retain this information. If it truly didn’t, it would not have been able to comply with this request. But it is required by local law to retain a certain amount of information. This incident coming to light resulted in ProtonMail altering the wording on its site to reflect this fact. It no longer claimed it did not retain this info. The new statement merely says this info “belongs” to users and Proton’s encryption ensures it won’t end up in the hands of advertisers.

Proton’s retention of this data was the result of a Swiss data retention law and, more recently, a revocation of its ability to operate largely outside the confines of this law. Terry Ang of Jurist explains the how and why behind Proton’s relinquishment of IP addresses to French authorities, which resulted in its challenge of the applicability of the local data retention law.

The company lodged an appeal last month after the PTSS [Swiss Post and Telecommunications Surveillance Service) abruptly revoked Proton’s limited surveillance obligations in September 2020. Before that order, they were only required to provide IP addresses to surveillance departments in situations of “extreme criminal cases.” The company was also protected by article 271 of the Swiss Criminal Code, which means that data submission for surveillance purposes is supposed to be approved by the Swiss government.

But as a result of the sudden policy change, the company was forced to surrender IP addresses of climate activists, leading to several arrests by the French authorities. The company was also subjected to new data retention obligations for future surveillance purposes.

It’s these retention obligations that have been challenged. These obligations undercut earlier promises made by Proton to its users — the ones that resulted in a rewrite of its privacy guarantees as well as its cooperation with French authorities.

Fortunately for ProtonMail and its users, surveillance of the service will go back to being more limited. The Swiss Federal Administrative Court has sided with Proton, finding that it is not a service provider under the definitions included in the data retention law.

The Court on Friday concluded that email services are different from conventional telecommunication providers in Switzerland, and thus, should not be subject to the same kinds of data storage requirements. The Court followed a recent Swiss Supreme Court ruling in April that clarifies the status of instant messaging, video and telephone app services such as WhatsApp, Threema, Zoom and Skype. In that case, the Supreme Court stated that such applications and services are not considered telecom service providers, but classified as “over-the-top” (OTT) service providers.

This should allow ProtonMail to go back to offering users the privacy protections they thought they had until news reports indicated otherwise. But users should be aware that email services generate a lot more data and metadata than encrypted chat services, which means there’s more stuff laying around for investigators (and oppressive governments) to demand or utilize should the opportunity arise. But it’s still a significant win for the service — one that also reaffirms that not all communication service providers are telecom service providers, and shouldn’t be subject to the same data retention obligations.

Filed Under: , , , , , , ,
Companies: proton mail

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Swiss Court Says ProtonMail Isn't A Telecom, Isn't Obligated To Retain Data On Users”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Another promise of privacy … another lie … another user betrayed … another "principle" established. Wash and repeat. Internet companies will never run out of legalistic explanations to give about why they screwed you over this time, and why you’re TOTALLY SAFE for the next.

Rot13 is probably safer than the strongest encrypted site on the planet. Because the strongest encrypted site on the planet will fold and hand over your data, or be hacked or betrayed from inside, or was run by spies from the beginning. But spies might not think of Rot13.

Anonymous Coward says:

Using Tor, combined with a VPN, is the best way to go. All they will get is the Tor exit node you came out of.

When I am going to post something here that might pique the interest of the Feds, I combine Tor with a VPN.

Remember, the FBI, Surete, or whatever, can break into the database backend of any website, get the info they need, the the site operators will never know any LEOs were in their database, because popular sever based databases have no logging.

That is why whenever I post something here that might interest the Feds, I use VPN and Tor, so that I cannot be traced

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...