ProtonMail It has become one of the most recognized emails today for its privacy options. The platform is used by politicians, journalists, and security experts, among many others who also take advantage of end-to-end encryption, among other features. However, in recent days the service was involved in a controversy, after confirming that registered the IP address of a French climate activist and shared it with the Police of his country.
TechCrunch published the original report late last week and it sparked an international uproar that has now forced ProtonMail officials to clarify what happened, and why. In this way, the company behind the secure email has tried to clarify the situation, indicating that it was a specific case in which had no choice but to obey a “legally binding order” issued by the Swiss authorities.
The story began with a group of French activists who are investigated by the Police of their country for occupying commercial spaces and apartments in Paris. Most of its members remain anonymous, but one used an @ protonmail.com account to post on the web, and French law enforcement focused on that specific piece of information to try to identify the person (or persons). ) with which said e-mail address is related.
One of the things ProtonMail stands out for compared to other email services is that does not record the IP addresses of its users by default. However, in this specific case, those responsible for the platform assure that they have been forced to do so.
ProtonMail could not ignore a “legally binding” order from Switzerland
Under “normal” circumstances, the French Police could not have accessed the IP address of the activist under investigation. As ProtonMail is based in Switzerland, it is not governed by French or other European Union law. However, it does have to respond to the requirements of the Swiss authorities.
That is what happened in this case. The French Police, via Europol, sent a request to the Swiss justice to force ProtonMail to act as it finally did. Thus, the secure mail service recorded and shared the activist’s IP address, and that information was used in order to obtain his identification and arrest.
Andy Yen, founder and CEO of ProtonMail, referred to the incident on his Twitter account. “It is regrettable that legal tools for serious crimes are used in this way. But by law, ProtonMail must comply with Swiss criminal investigations. Obviously, this is not done by default, but only if it is legally mandatory,” he posted.
The content of emails is safe, according to Andy Yen
Yen published an extensive note on the blog from ProtonMail to clarify various doubts regarding the scope of the request from the Swiss authorities. These are some of the most important points of its clarification:
1. Under no circumstances can you evade our encryption, which means that emails, attachments, calendars, files, etc., cannot be compromised by legal orders.
2. ProtonMail does not provide data to foreign governments; that is illegal according to article 271 of the Swiss Penal Code. We only comply with the legally binding orders of the Swiss authorities.
[…]
7. Due to the strict privacy of Proton, we do not know the identity of our users and at no point did we know that the targets were climate activists. We only know that the Swiss government’s request for data was made through channels normally reserved for serious crimes.
8. There was no legal possibility to resist or fight this particular request.
Andy Yen, founder and CEO of ProtonMail
Another point clarified by the manager in his publication is related to ProtonVPN. According to Yen, email services and VPNs have different considerations under Swiss law. This means that it is impossible to force the company to register data from ProtonVPN users.
From ProtonMail they have committed to updating their website so that the obligations of the service in “criminal prosecution cases” are more easily understood. Finally, Yen pointed out that, despite everything, the laws of Switzerland are much better than those of other countries.
“Regardless of the service you use, unless it is located 15 miles offshore in international waters, the company will have to comply with the law. The Swiss legal system, while not perfect, provides a series of checks and balances; and it is worth noting that even in this case, the approval of 3 authorities in 2 countries was required. That is a fairly high barrier that prevents most (but obviously not all) from abusing the system, “he argued.