ProtonMail, a hosted email service focused on end-to-end encrypted communications, faced criticism after it showed a report To the police, the French authorities were able to obtain the IP address of a French activist who was using the service.
The company has communicated extensively about the incident, stating that it does not log IP addresses by default and that it only adheres to local regulations – in this case Swiss law.
While ProtonMail did not cooperate with the French authorities, the French police sent a request to the Swiss police via Europol to force the company to obtain the IP address of one of its users.
During the past year, a group of people acquired a few commercial buildings and apartments in Paris. And they wanted to fight real estate speculation and Airbnb and upscale restaurants.
Beginning of the story
On September 1, the group published an article summarizing the various police investigations and legal cases against some of the group’s members.
according to for the storyFrench police sent a Europol request to ProtonMail in order to reveal the identity of the person who created the ProtonMail account – the group was using this email address to communicate. The address was also shared across several sites.
According to the information, the French police received a letter containing details about the ProtonMail account.
The founder and CEO of the company responded without mentioning the specific circumstances of this particular case.
“The company must comply with Swiss law,” he said. Once a crime has been committed, the protection of privacy can be suspended and we are required by Swiss law to respond to requests from the Swiss authorities.
The CEO of the company wanted to make it clear that his company did not cooperate with the French police or Europol. It appears that Europol acted as a channel of communication between the French and the Swiss authorities.
At some point, the Swiss authorities took over the case and sent a request directly to ProtonMail. The company refers to these requests as foreign requests approved by the Swiss authorities in its transparency report.
It appears likely that ProtonMail was subject to a legal order to delay alerting the account holder for up to eight months, or the service was provided with information by the Swiss authorities leading to the conclusion that the delay in alerting was necessary to avoid the risk of injury, death or irreparable harm to a person or persons .
The level of transparency afforded to individuals by Swiss law requiring mandatory notice when a person’s data is requested is clearly very limited if the legal authorities themselves can block alerts for long periods of time.
ProtonMail’s public disclosures also record a worrying rise in data requests by Swiss authorities.
Read also: Apple forced ProtonMail to change its free app
ProtonMail is subject to an order from the Swiss authorities
According to its transparency report, the service received 13 requests from Swiss authorities in 2017. But that swelled to 3,572 by 2020.
The number of foreign applications to the Swiss authorities that have been approved has also increased. But not sharply. The service reported receiving 13 such requests in 2017, which rose to 195 in 2020.
The company says it is complying with legal requests for user data. But you challenge requests that you don’t think are legal.
As an end-to-end encrypted email provider, it cannot decrypt email data. Therefore it cannot provide information about the contents of the email, even when a legal order is submitted.
The company also mentions in its transparency report an additional layer of data collection that it may be legally obligated to perform.
The service provides users with an Onion address, which means that activists interested in tracking can access the Tor-encrypted email service, making it difficult to trace the IP address.
As a result, the company provides tools for users to protect themselves from IP surveillance. This is despite the fact that its service can, in certain circumstances, be converted into an IP monitoring tool under Swiss law.
Read also: Top 5 email services that support encryption to secure your correspondence