Why it matters: ProtonMail prides itself on the privacy offered by its end-to-end encryption email service, but it might not provide as much anonymity as it suggests. The company has come under fire for handing over the IP address of a French climate activist to Swiss police, who then gave it to French authorities.
As reported by TechCrunch, the controversy was unearthed in a French police report. It revealed how ProtonMail was acting on a request sent to Swiss authorities by the French via Interpol, forcing it to hand over the IP address.
The person in question was part of an anti-gentrification group that has taken over a handful of commercial premises and apartments near Place Sainte Marthe in Paris this year, making national headlines. The group published an article on an anti-capitalist website on September 1 claiming French police sent a request to ProtonMail through Europol to uncover the identity of the person who created their “firstname.lastname@example.org” email account.
Andy Yen, Proton's CEO, stresses that the Swiss-based company is compelled to obey the country's laws, as stated in its policies. "Proton received a legally binding order from Swiss authorities which we are obligated to comply with. There was no possibility to appeal this particular request," he wrote.
Yen adds that it doesn't log IP addresses by default but can be forced to collect information on accounts belonging to users under Swiss criminal investigation. He said that the service's encryption could not be bypassed, and the company does not give data to foreign governments.
Under Swiss law, ProtonMail must inform a user if a third party makes a request for their data for use in a criminal investigation. Yen said "privacy and legal reasons" prevented him from specifying when the person in this case was notified. According to TechCrunch, it appears that eight months passed between the logging being instigated and it being disclosed to the account holder.
ProtonMail suggests using its onion site and VPN if anonymity is a concern. Yen said that going forward, the company would “better clarify ProtonMail’s obligations in cases of criminal prosecution.”