ProtonMail Turned Over French Activist's IP Address To Law Enforcement Following A Request From Swiss Authorities
from the vet-your-secure-providers,-folks dept
ProtonMail has long advertised itself as a particularly privacy-conscious email service. The free end-to-end encrypted email service promises more privacy and security than many of its competitors. But there are limits. ProtonMail operates out of Switzerland, making it subject to that country’s laws (which, to be fair, are hardly draconian). It also (at least temporarily) retains a certain amount of information about users’ emails — metadata that can be used to verify accounts in the case of a lost password.
And while email between ProtonMail accounts is encrypted, the same protection isn’t applied to emails between services, like communications sent to or from ProtonMail from other email services. This is an understandable limitation, which is why many seeking secure communications have moved to encrypted messaging services, rather than email offerings that collect metadata about communications.
These inherent weaknesses have been exploited by French law enforcement to obtain information about a French activist — something it achieved with the assistance of Swiss authorities.
ProtonMail, a hosted email service with a focus on end-to-end encrypted communications, has been facing criticism after a police report showed that French authorities managed to obtain the IP address of a French activist who was using the online service. The company has communicated widely about the incident, stating that it doesn’t log IP addresses by default and it only complies with local regulation — in that case Swiss law. While ProtonMail didn’t cooperate with French authorities, French police sent a request to Swiss police via Europol to force the company to obtain the IP address of one of its users.
ProtonMail wasn’t able to hand over much information due to its refusal to gather much information about its users. But it did hand over some, which made it clear that ProtonMail not only collects some email metadata, but will actively collect more metadata if forced to do so by local law. French law may not apply to the Swiss-based email company, but Swiss law certainly does.
Proton’s founder, Andy Yen, offered up this explanation, which said local law supersedes the privacy ProtonMail claims it offers its users.
Proton must comply with Swiss law. As soon as a crime is committed, privacy protections can be suspended and we’re required by Swiss law to answer requests from Swiss authorities.
And that’s how foreign governments can extract information from an encrypted email service that gives users the impression that it’s capable of protecting even the limited information it collects from nosy officials. The message going forward, however, is that ProtonMail is subject to the laws of multiple countries in the European Union and will comply with Europol orders if issued/forwarded by Swiss authorities.
As Karl Bode (hey, I know that guy!) points out in his article for Motherboard, there are two problems here. The first is that what’s advertised appears to exceed what ProtonMail can actually guarantee its users. The other problem is the communication method itself, which generates a lot of information that other communication methods don’t, creating a metadata paper trail that can be scooped up/gathered in bulk by law enforcement and intelligence agencies.
While ProtonMail does take some steps to protect user privacy better than other email service providers, the fact remains that email is inherently a protocol that requires a lot of information to be shared between parties, and is notoriously difficult to encrypt.
Ultimately, many of the security and privacy weaknesses are not necessarily ProtonMail’s fault but are weaknesses with email itself. Security experts have pointed out that for highly sensitive communications, email is almost never the best option.
These unavoidable facts — along with its cooperation with French and Swiss authorities — have led ProtonMail to revise its claims about user data. It no longer claims it does not collect personal information to create accounts or log IP information “by default.”
It now says simply:
ProtonMail is email that respects privacy and puts people (not advertisers) first. Your data belongs to you, and our encryption ensures that.
Well, except for when your data is subject to Swiss government demands for data, either directly or by proxy. User beware is the rule going forward now that this successful metadata grab has been exposed.