from the neutral-good-remains-a-pretty-solid-alignment dept
ProtonMail offers encrypted email, something that suggests it’s more privacy conscious than others operating in the same arena. But, being located in Switzerland, it’s subject to that country’s laws. That has caused some friction between its privacy protection claims and its obligations to the Swiss government, which, earlier this year, rubbed French activists the wrong way when their IP addresses were handed over to French authorities.
The problem here wasn’t necessarily the compliance with local laws. It was Proton’s claim that it did not retain this information. If it truly didn’t, it would not have been able to comply with this request. But it is required by local law to retain a certain amount of information. This incident coming to light resulted in ProtonMail altering the wording on its site to reflect this fact. It no longer claimed it did not retain this info. The new statement merely says this info “belongs” to users and Proton’s encryption ensures it won’t end up in the hands of advertisers.
Proton’s retention of this data was the result of a Swiss data retention law and, more recently, a revocation of its ability to operate largely outside the confines of this law. Terry Ang of Jurist explains the how and why behind Proton’s relinquishment of IP addresses to French authorities, which resulted in its challenge of the applicability of the local data retention law.
The company lodged an appeal last month after the PTSS [Swiss Post and Telecommunications Surveillance Service) abruptly revoked Proton’s limited surveillance obligations in September 2020. Before that order, they were only required to provide IP addresses to surveillance departments in situations of “extreme criminal cases.” The company was also protected by article 271 of the Swiss Criminal Code, which means that data submission for surveillance purposes is supposed to be approved by the Swiss government.
But as a result of the sudden policy change, the company was forced to surrender IP addresses of climate activists, leading to several arrests by the French authorities. The company was also subjected to new data retention obligations for future surveillance purposes.
It’s these retention obligations that have been challenged. These obligations undercut earlier promises made by Proton to its users — the ones that resulted in a rewrite of its privacy guarantees as well as its cooperation with French authorities.
Fortunately for ProtonMail and its users, surveillance of the service will go back to being more limited. The Swiss Federal Administrative Court has sided with Proton, finding that it is not a service provider under the definitions included in the data retention law.
The Court on Friday concluded that email services are different from conventional telecommunication providers in Switzerland, and thus, should not be subject to the same kinds of data storage requirements. The Court followed a recent Swiss Supreme Court ruling in April that clarifies the status of instant messaging, video and telephone app services such as WhatsApp, Threema, Zoom and Skype. In that case, the Supreme Court stated that such applications and services are not considered telecom service providers, but classified as “over-the-top” (OTT) service providers.
This should allow ProtonMail to go back to offering users the privacy protections they thought they had until news reports indicated otherwise. But users should be aware that email services generate a lot more data and metadata than encrypted chat services, which means there’s more stuff laying around for investigators (and oppressive governments) to demand or utilize should the opportunity arise. But it’s still a significant win for the service — one that also reaffirms that not all communication service providers are telecom service providers, and shouldn’t be subject to the same data retention obligations.