As of May 2022, ProtonMail has rebranded itself as simply Proton, and Proton Mail is now a service provided by Proton. I’ve edited the name in the title, but left the rest of the article as-is.
On 2021-09-01, a French anarchist Twitter account accused Swiss privacy-focused mail provider ProtonMail of giving up the IP address of at least one militant activist in Paris, who was subsequently arrested by French police:
The police investigation seeks the identity of social media accounts belonging to “potential militant squatters”.
What did ProtonMail do?
ProtonMail’s response, in the form of a blog post by CEO Andy Yen, sets out that Protonmail only co-operated with Swiss authorities – not French police. The Swiss had in turn received a request from the French police via Europol. ProtonMail claim that they had no legal means to avoid complying, because the court order could not be appealed.
ProtonMail also denied that they knew that the user in question was a climate activist.
I don’t know exactly what “serious crime” the French climate activist is accused of. I’m not a reporter and my French is only so-so, and there’s only so much of Article 75 of the French penal code I’m willing to struggle through before I conclude that it’s generic and I’m wasting my life.
However, it would be easy to assume that the offence is something which is a threat to politicians and police more than it is a threat to the general public.
The ProtonMail blog post includes a three-part advisory for activists:
- ProtonMail do fight court cases (700 in 2020 alone). They claim that this is “unlike other providers”, although it’s not hard to find instances of Google, Apple, and Microsoft pushing back on government requests for user information.
- Use Tor if you need enhanced privacy!
- Service providers have to comply with the law, unless they are based 15 miles offshore in international waters.
Perhaps unsurprisingly, the third point attracted some attention. In what is certainly my favourite commentary on the issue, one redditor asked the obvious question, only to have their Alps handed to them by another redditor:
“In that case can you put a floating service 15 miles offshore?”
“Switzerland is landlocked”“Climate activist arrested after ProtonMail provided his IP address”
If only Switzerland had its own international waters!
But did ProtonMail do anything wrong?
Depends on your point of view.
Legally? I am not a lawyer, but it looks as though ProtonMail complied with Swiss law, as they are required to, when they handed over IP address and browser fingerprint.
Semantically, maybe a little bit. They didn’t volunteer to dox climate activists, but they did get two little words to do a big amount of work:
Turns out that “by default” simply means that ProtonMail don’t typically hang on to your IP address for a long time unless they are compelled to by law in specific cases. However, most of the internet (me included, probably) saw what we wanted to see, i.e. they don’t retain our IP addresses. In practice, once the law compels them, they will do exactly that.
- If ProtonMail fails to comply with court orders (once appeals are exhausted), they will eventually cease to be a viable business. The people who work there will lose their livelihood. Even if you don’t care about that, the ProtonMail service would simply stop operating if the organization failed to comply with enough court orders.
- ProtonMail has offered a Tor onion site for anonymous-ish email access since at least January 2017.
That’s ProtonMail anticipating the French government’s Europol request and giving explicit instructions on how to avoid having your true IP logged – over four years ago.
On balance, I see no reason to doubt that ProtonMail are who they say they are. A good chunk of the anger and disappointment which some people are directing towards ProtonMail should perhaps more properly be aimed at the French establishment.
Does any of this matter?
Yes, it matters, even if the specifics of this case don’t affect most people immediately or directly. We all place an incredible amount of trust into our tech and the online service providers who enable it all. We probably trust more than we should.
My own use of ProtonMail – as a paid user with a custom domain – is for some of the most dry and dull email I’ve ever sent or received, largely related to professional certifications. I’m certainly not using it for anything illegal. Still, this isn’t about me, and a constant concern with data gathering is scope creep and change of laws: today’s legal pastime could always be tomorrow’s criminal activity.
Never mind the future, anyway. What if I do something today which isn’t a crime where I live, but which is illegal under Swiss law?
If there are three lessons to take away here, I think they might look like this:
- For service providers. Be precise in the language you use to describe privacy or anonymity features. If you are draping yourself in the mantle of security/privacy, maybe make it really clear that people vulnerable to government or corporate surveillance (e.g. climate activists) should always use the extra optional privacy features you may offer but don’t necessarily publicize on the front page, like your Tor onion site.
- For users. Assume your use of any service could be exposed. If a service provider claims not to keep logs, you should
believe themlaugh. If you’re going up against governments and corporations, opsec is everything. Defense in depth will do more to keep you safe than marketing. The less you say, the less your words can be used against you.
- For governments. Lean on tech companies hard enough and they’ll hand over data, because they don’t have much choice.
I suspect that last one is something most governments already know.