Image: Getty Images
Encrypted email provider ProtonMail is under intense scrutiny for sharing the IP address and device details of a French climate activist with French authorities, and for marketing and transparency reports critics say provided users with a false sense of anonymity and security.
A French police report, first spotted by Techcrunch, indicates ProtonMail provided law enforcement the IP address and device details of a French activist protesting gentrification and climate inaction in Paris. The group drew significant attention for occupying Le Petit Cambodge—a restaurant targeted in the November 2015 terrorist attacks on the French city.Last week, the group issued a statement on Paris-luttes.info, an anticapitalist news site, outlining various police inquiries into the group. One inquiry involved French police sending a Europol request to ProtonMail, demanding the name of the creator of an email account used by the group for public communications. Switzerland-based ProtonMail isn’t traditionally subject to French or European law enforcement requests. But the service does have to comply with demands from the Swiss court system, which required it to begin logging user IP information after receiving a request from Europol. Once that data was collected, the activist was identified and arrested.“Proton must comply with Swiss law,” Protonmail founder and CEO Andy Yen said on Twitter. “As soon as a crime is committed, privacy protections can be suspended and we're required by Swiss law to answer requests from Swiss authorities.”
Yen and ProtonMail also issued a blog post explaining their decision, noting that the request applied to metadata (IP addresses, email subjects, send and receive times) but not the actual content of the encrypted communications. The company also noted this metadata isn’t provided for users of its VPN service, since VPNs are classified differently under Swiss law.
“The prosecution in this particular case was very aggressive,” the company said. “Unfortunately, this is a pattern we have increasingly seen in recent years around the world. There was no legal possibility to resist or fight this particular request,” the company added.A recent ProtonMail transparency report highlights a growing surge in Swiss authority requests, as law enforcement and government intelligence agencies around the world wage a growing battle against encryption, VPN use, and essential privacy and security tools. The company says it disputed 700 such inquiries in 2020 alone. While ProtonMail may have been simply complying with a valid legal request, critics say the bigger issue is the way the company markets itself, which often creates a false sense of security among the service’s users. Particularly activists who may believe they’re shielded from the prying eyes of intelligence agencies and law enforcement.
ProtonMail is specifically being criticized for marketing material that promises “anonymous email,” and past transparency disclosures that claimed IP address logging only occurred in “extreme criminal cases.” While ProtonMail does take some steps to protect user privacy better than other email service providers, the fact remains that email is inherently a protocol that requires a lot of information to be shared between parties, and is notoriously difficult to encrypt. While ProtonMail encrypts emails sent between two ProtonMail account holders, it doesn't (and can't) end-to-end encrypt emails sent to or received by other email service providers (for example, an email sent from a ProtonMail address to a Gmail address would not be encrypted), unless special "encrypt for outside" protocols are selected. Ultimately, many of the security and privacy weaknesses are not necessarily ProtonMail's fault but are weaknesses with email itself. Security experts have pointed out that for highly sensitive communications, email is almost never the best option.In the wake of the incident the company has quickly taken to revising both its user privacy policy and statements made on the company’s website. As of last January, the company’s website insisted that "no personal information is required to create your secure email account. By default, we do not keep any IP logs which can be linked to your anonymous email account. Your privacy comes first."
After this recent dust up, that language has been watered down significantly.
"ProtonMail is email that respects privacy and puts people (not advertisers) first,” the website now says. “Your data belongs to you, and our encryption ensures that."
A French police report, first spotted by Techcrunch, indicates ProtonMail provided law enforcement the IP address and device details of a French activist protesting gentrification and climate inaction in Paris. The group drew significant attention for occupying Le Petit Cambodge—a restaurant targeted in the November 2015 terrorist attacks on the French city.
Advertisement
Yen and ProtonMail also issued a blog post explaining their decision, noting that the request applied to metadata (IP addresses, email subjects, send and receive times) but not the actual content of the encrypted communications. The company also noted this metadata isn’t provided for users of its VPN service, since VPNs are classified differently under Swiss law.
“The prosecution in this particular case was very aggressive,” the company said. “Unfortunately, this is a pattern we have increasingly seen in recent years around the world. There was no legal possibility to resist or fight this particular request,” the company added.
Advertisement
ProtonMail is specifically being criticized for marketing material that promises “anonymous email,” and past transparency disclosures that claimed IP address logging only occurred in “extreme criminal cases.” While ProtonMail does take some steps to protect user privacy better than other email service providers, the fact remains that email is inherently a protocol that requires a lot of information to be shared between parties, and is notoriously difficult to encrypt. While ProtonMail encrypts emails sent between two ProtonMail account holders, it doesn't (and can't) end-to-end encrypt emails sent to or received by other email service providers (for example, an email sent from a ProtonMail address to a Gmail address would not be encrypted), unless special "encrypt for outside" protocols are selected. Ultimately, many of the security and privacy weaknesses are not necessarily ProtonMail's fault but are weaknesses with email itself. Security experts have pointed out that for highly sensitive communications, email is almost never the best option.In the wake of the incident the company has quickly taken to revising both its user privacy policy and statements made on the company’s website. As of last January, the company’s website insisted that "no personal information is required to create your secure email account. By default, we do not keep any IP logs which can be linked to your anonymous email account. Your privacy comes first."
After this recent dust up, that language has been watered down significantly.
"ProtonMail is email that respects privacy and puts people (not advertisers) first,” the website now says. “Your data belongs to you, and our encryption ensures that."