ProtonMail criticized for handing activist's IP address to authorities, leading to their...

midian182

Why it matters: ProtonMail prides itself on the privacy offered by its end-to-end encryption email service, but it might not provide as much anonymity as it suggests. The company has come under fire for handing over the IP address of a French climate activist to Swiss police, who then gave it to French authorities.

As reported by TechCrunch, the controversy was unearthed in a French police report. It revealed how ProtonMail was acting on a request sent to Swiss authorities by the French via Interpol, forcing it to hand over the IP address.

The person in question was part of an anti-gentrification group that has taken over a handful of commercial premises and apartments near Place Sainte Marthe in Paris this year, making national headlines. The group published an article on an anti-capitalist website on September 1 claiming French police sent a request to ProtonMail through Europol to uncover the identity of the person who created their “jmm18@protonmail.com” email account.

Andy Yen, Proton's CEO, stresses that the Swiss-based company is compelled to obey the country's laws, as stated in its policies. "Proton received a legally binding order from Swiss authorities which we are obligated to comply with. There was no possibility to appeal this particular request," he wrote.

Yen adds that it doesn't log IP addresses by default but can be forced to collect information on accounts belonging to users under Swiss criminal investigation. He said that the service's encryption could not be bypassed, and the company does not give data to foreign governments.

Under Swiss law, ProtonMail must inform a user if a third party makes a request for their data for use in a criminal investigation. Yen said "privacy and legal reasons" prevented him from specifying when the person in this case was notified. According to TechCrunch, it appears that eight months passed between the logging being instigated and it being disclosed to the account holder.

ProtonMail suggests using its onion site and VPN if anonymity is a concern. Yen said that going forward, the company would “better clarify ProtonMail’s obligations in cases of criminal prosecution.”


Theinsanegamer

If the company can be forced to log IP addresses then all their encryption is utterly worthless. The whole point of said encryption is the company shouldn't be able to do what they just did. Using their VPN and TOR node isn't going to improve at all when the problem is Proton themselves.....
So, you call commie degenerates climate activists now?
Well when the Venn diagram is a circle.....
We need a decentralized e-mail service.
We need a decentralized everything. E-mail, payment processors, forums, everything. Centralization is too easily controlled and manipulated.
 

Dimitriid

While I don't think we should be too critical of activists that were probably not tech savvy enough to know better, if a company is selling you encryption or privacy, always assume they're either cops or would immediately bend over backwards if a cop even whispers their way (which functionally makes them cops anyway).

It's kind of hard that self-hosting is still quite complicated for most people, but it's the only way you can even approach secure communications: everything's encrypted before it reaches someone else's network. You just gotta have someone put a server rack in their basement and be on call to take a good old hammer to their hard drives as soon as the cops show up.
 

rrwards

Regardless of commie status, everyone should be concerned about this. It's not "if", it's "when" will the group you categorize yourself as become a target of some government or corporate interest. No reason to celebrate or diminish the privacy implications just because it's someone you don't like.
 

Puiu

If the company can be forced to log IP addresses then all their encryption is utterly worthless. The whole point of said encryption is the company shouldn't be able to do what they just did. Using their VPN and TOR node isn't going to improve at all when the problem is Proton themselves.....

Well when the Venn diagram is a circle.....

We need a decentralized everything. E-mail, payment processors, forums, everything. Centralization is too easily controlled and manipulated.
Encryption on the email account and IP address are two entirely different things.

And no, we don't need to decentralise everything. Cryptocurrency proved that when you create the wild west you get all of the crap that comes with it, multiplied many times by the power of the internet.

What we need are proper privacy laws and rules that prevent abuse by both companies and governments.