Swiss secure messaging provider Proton Technologies AG was forced to defend itself after providing authorities with the Internet address of a French climate activist, despite a policy of no IP address registration.
ProtonMail, founded in 2014, is one of the leading online messaging services focused on privacy and promotes itself as secure communication via email. The service offers end-to-end encryption associated with “Swiss privacy”, as strict Swiss privacy laws also protect the service.
The problem here is that part of ProtonMail’s privacy commitment is that it doesn’t log IP addresses. TechCrunch reported today that despite ProntonMail’s policy of not logging IP addresses, an IP address of a ProtonMail user ended up in the hands of the French police and led to the arrest of an activist for the weather.
In a extended post, Andy Yen, founder and CEO of ProtonMail, explained what happened and noted that he is deeply concerned about this matter and laments that legal tools for serious crimes are being used in this way.
The explanation was basically quite simple. ProtonMail was forced to provide the IP address after receiving a legally binding order from the Swiss authorities. However, this does not mean that ProtonMail was and continues to register users’ IP addresses, but was forced to register the climate activist’s IP address after receiving the court order.
“Under Swiss law, Proton may be compelled to collect information on accounts belonging to users under Swiss criminal investigation,” Yen said. “This is obviously not done by default, but only if Proton obtains a legal order for a specific account.”
Yen said that under no circumstances can ProtonMail’s encryption be bypassed and that the company does not provide data to foreign governments as this is illegal under Swiss law. “We only comply with legally binding orders from the Swiss authorities,” Yen added. “The Swiss authorities will only approve requests that meet Swiss legal standards (the only law that matters is Swiss law). “
Although unable to change Swiss law, ProtonMail will update its website to clarify its obligations in the event of criminal prosecution.
To avoid any potential for generating a traceable IP address, Yen recommends that users use the service through ProtonMail’s “onion” site, the site accessible only through the Tor browser. The site sits on an overlay network that an ordinary browser cannot access in an area of the Internet perhaps better known as the dark web. More importantly, due to the overlay network, IP addresses are not tied to an individual.