Privacy experts consider it one of the safest email providers on the internet, but ProtonMail’s recent decision to hand sensitive customer information to European law enforcement raises the question of whether corporate privacy claims are less a promise than a mirage.
After French police asked Swiss authorities, via Europol, for the IP address of a climate activist, the end-to-end encrypted email provider ProtonMail handed over the user’s information. (ProtonMail is based in Switzerland and so is not subject to French or EU jurisdiction, but it is obligated to respond to Swiss authorities.)
French police came across the email address during an investigation into a group that has been protesting gentrification in a trendy area of Paris since late 2020, and wanted to know who was behind it, according to local news reports. The investigation led to a series of arrests.
“Proton must comply with Swiss law. As soon as a crime is committed, the protection of privacy can be suspended and Swiss law obliges us to respond to requests from Swiss authorities,” ProtonMail founder Andy Yen tweeted.
But on its site, ProtonMail has claimed in the past that “no personal information is required to create your secure email account. By default, we do not keep any IP logs that can be linked to your anonymous email account. Your privacy comes first.” Since TechCrunch first reported that the company had shared a user’s sensitive information with law enforcement, some ProtonMail users have started to question whether the so-called “anonymous” email provider has been honest in its claims that it prioritizes user privacy.
Users can be as frustrated with ProtonMail as they like, but the company’s compliance with Swiss authorities is out of its hands, according to Matthew Audibert, a cyber expert working for French law enforcement.
“I see people who are unhappy that ProtonMail has responded but it is because a Swiss court has ruled the request valid and because a crime has indeed been committed in France,” said Audibert.
It is still unclear whether ProtonMail acted in bad faith about its privacy policies. Now that it has come under fire for sharing IP address information with authorities, the company has started revising some of its marketing materials; in recent days it has removed the claim that it does not keep IP logs from its website.
What people often miss when signing up for services like ProtonMail is whether the company keeps metadata, such as IP addresses, as opposed to the content of emails, according to Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation.
User information that the company may share with Swiss authorities includes the account’s email address, email subject lines, sender and recipient email addresses, the time of the last login, and the IP addresses of incoming messages, according to ProtonMail’s privacy policy.
“Privacy and security isn’t some sort of magic wand where you just use the right tools and wave the wand and it’s all secure and private ‘forever and ever, amen,'” Galperin told The Daily Beast.
As an end-to-end encrypted email provider, however, ProtonMail cannot share email content with law enforcement.
End-to-end encryption won’t always protect email content in cases where recipients take a screenshot or forward emails to other parties, of course. End-to-end encryption – and its ability to keep users’ messages completely private – is only as good as the trust users have in other people they communicate with, security experts warn.
Other end-to-end encrypted service providers are starting to weigh in on the outcry. Stretching the truth in privacy marketing materials helps no one, warns the popular end-to-end encrypted email provider Tutanota.
“Privacy-focused services need to be very specific when it comes to marketing, especially so as not to overdo their promises,” Tutanota chief marketing officer Hanna Bozakov told The Daily Beast. “That’s why, in our opinion, confidentiality and security go hand in hand with transparency. As a privacy-focused service, you need to be very transparent, especially when things go wrong.”
While ProtonMail has always made it clear that it is a Swiss-based company and will respond to court orders, its privacy marketing has fallen short, Galperin said.
“If you take a look at ProtonMail’s marketing and advertising, you’ll see that they market themselves as a privacy-protecting messaging service….
Other concerns abound. ProtonMail said in a statement on the incident that “the only law that matters is Swiss law,” a claim that is not entirely true in practice. Swiss authorities clearly work with other governments, as this case shows.
Galperin said that when choosing an email provider, messaging platform or VPN, people should consider the risks they are willing to take and should bear in mind that governments cooperate with one another.
“It is very important to understand that some governments cooperate with other governments,” Galperin told The Daily Beast. “If you are using a service that you know is not responding to injunctions from a particular government and are concerned about injunctions from a particular government, then this is a safe place for your threat model.”
ProtonMail declined to comment for this story.
ProtonMail is no stranger to tools that help users evade surveillance. The company lets customers reach their ProtonMail accounts over Tor, and it also runs a VPN service that hides a user’s IP address from the mail servers. Had the climate activist used either, the IP address ProtonMail was ordered to record would have belonged to a Tor exit or VPN server rather than to them, and they might not have been identified and arrested.
“This particular user would never have been de-anonymized if he had always logged into his account using Tor,” Galperin theorized at The Daily Beast.
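The caveat in Galperin’s “always” is that one direct login is enough to put a real IP in the provider’s logs. The following added example, not code from the article or from ProtonMail, shows the two checks a practitioner would put in front of any such login: the SOCKS proxy URL must be `socks5h://` (with `socks5://`, the hostname is resolved locally and the DNS query leaves the machine in the clear), and the session must be confirmed as exiting through Tor before anything is sent. The proxy address is Tor’s default SOCKS port; the JSON shape is that of https://check.torproject.org/api/ip; the `requests` and PySocks dependency in `main()` is an assumption and is only needed for the live check.

```python
"""Added example (not ProtonMail's code): gate a provider login on (1) a proxy URL that
does not leak DNS and (2) a positive answer from Tor's own exit check.
Assumes Tor listening on the default SOCKS port and, for main(), `requests[socks]`."""
import json
from urllib.parse import urlparse

TOR_SOCKS = "socks5h://127.0.0.1:9050"   # default Tor SOCKS port; the 'h' matters
CHECK_URL = "https://check.torproject.org/api/ip"


def proxy_leaks_dns(proxy_url: str) -> bool:
    """socks5:// and socks4:// resolve the target hostname on the client, so the
    lookup for the mail provider goes to the local resolver outside Tor.
    socks5h:// and socks4a:// hand resolution to the proxy (Tor) instead."""
    return urlparse(proxy_url).scheme in ("socks5", "socks4")


def tor_proxies(proxy_url: str = TOR_SOCKS) -> dict:
    """Proxy mapping for a requests.Session; refuses schemes that leak DNS."""
    if proxy_leaks_dns(proxy_url):
        raise ValueError(f"{proxy_url} resolves DNS locally; use socks5h:// instead")
    scheme = urlparse(proxy_url).scheme
    if scheme not in ("socks5h", "socks4a"):
        raise ValueError(f"unsupported proxy scheme {scheme!r}")
    return {"http": proxy_url, "https": proxy_url}


def is_tor_exit(check_response: str) -> bool:
    """Parse the JSON body of check.torproject.org/api/ip, e.g.
    {"IsTor": true, "IP": "203.0.113.9"}; only an explicit true counts."""
    try:
        data = json.loads(check_response)
    except ValueError:
        return False
    return data.get("IsTor") is True


def main():
    import requests  # assumption: pip install "requests[socks]"
    session = requests.Session()
    session.proxies.update(tor_proxies())
    body = session.get(CHECK_URL, timeout=60).text
    if not is_tor_exit(body):
        raise SystemExit("not exiting through Tor; refusing to log in")
    print("Tor confirmed; safe to submit the login over this session")
    # The provider login request would be made with `session` from here on.


if __name__ == "__main__":
    main()
```

The ordering is the design choice: the Tor check runs on the same session object the login would use, so a misconfigured or dead proxy fails closed before any request carries the account name.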
ProtonMail also contests some of the requests it receives from Swiss authorities. Last year alone, the company disputed 750 requests, according to figures in its transparency report.
This is almost certainly not the last incident of its kind, according to Tresorit, another Swiss end-to-end encrypted platform. The number of such incidents, in which providers hand user information to law enforcement, is likely to grow in the coming months, according to Gyorgy Szilagyi, product manager at Tresorit.
“While luckily more people are turning to end-to-end encrypted services to protect their data, the number of law enforcement requests to these services is also increasing,” Szilagyi told The Daily Beast. “As these services are unable to deliver content, metadata is going to be even more important.”
The news comes at a time when government officials around the world are looking for various ways to push back end-to-end encryption providers and degrade encryption. Law enforcement officials have been calling for the elimination of end-to-end encryption for years, saying it hinders their investigations of criminals.
“End-to-end encryption is always under attack… Every day we see new proposals trying to put pressure on platforms that provide end-to-end encrypted communications and allow backdoors for law enforcement,” said Galperin. “But it’s very important to resist those pressures to create backdoors because… once you create that backdoor, it can and will be found by people you don’t want using it. You cannot uncreate this backdoor once it’s already there. The risk of abuse is very high.”