ProtonMail has been criticised for providing authorities with the IP address of a French climate activist.
How to stay anonymous online Bahrain targets activists with NSO's Pegasus spyware DuckDuckGo launches email privacy service
The company, which is one of the world’s largest secure email services, offers end-to-end encrypted emails which can only be decrypted by the recipient. However, it can log users’ IP addresses in the case of serious crimes.
French authorities, who were denied the request for the activist’s IP address, managed to obtain the information through Swiss law enforcement. ProtonMail, based in Switzerland, prides itself on benefiting from the country’s strict privacy laws, yet was “obligated" to comply with the “legally binding order from Swiss authorities”, according to founder and CEO Andy Yen.
The case has been extensively criticised, with many disagreeing about the severity of the crime. The activist had been involved in taking over apartments and commercial locations in the Paris neighbourhood of Sainte Marthe, in order to protest the rising gentrification in the area. Amnesty International technologist Etienne Maynier stated on Twitter that he has “a hard time seeing how young people squatting buildings in Paris is an extreme criminal case”.
“In any case, I have an issue with this lack of transparency from ProtonMail, if any police service can ask them to log IP addresses, that is not anonymous,” he added.
The ultimate law enforcement agency guide to going mobile
Best practices for implementing a mobile device program
In a company statement published on Tuesday, Yen said that “there was no possibility to appeal this particular request [from the Swiss authorities]”.
However, it has sparked concerns that ProtonMail could be able to give out IP addresses to law enforcement of any country, as long as they file their request through the Swiss authorities.
Security expert Filippo Valsorda said that “the problem with ProtonMail is not that they don't deliver an impossible product (secure email), but that they advertise it”.
“It's a choice, they know it, they benefit from it, their users believe it, and they are responsible for it,” he added.
Yen stated that the company “will be making updates to [its] website to better clarify ProtonMail’s obligations in cases of criminal prosecution”.
“We apologise if this was not clear. As a Swiss company, we must follow Swiss laws,” he said, adding ProtonMail’s privacy policy will also be updated “to make clearer our legal obligations under Swiss law”.
