Proton rebrand
As of May 2022, ProtonMail has rebranded itself as simply Proton, and Proton Mail is now a service provided by Proton. I’ve edited the name in the title, but left the rest of the article as-is.
On 2021-09-01, a French anarchist Twitter account accused Swiss privacy-focused mail provider ProtonMail of giving up the IP address of at least one militant activist in Paris, who was subsequently arrested by French police:
The police investigation seeks the identity of social media accounts belonging to “potential militant squatters”.
What did ProtonMail do?
ProtonMail’s response, in the form of a blog post by CEO Andy Yen, sets out that Protonmail only co-operated with Swiss authorities – not French police. The Swiss had in turn received a request from the French police via Europol. ProtonMail claim that they had no legal means to avoid complying, because the court order could not be appealed.
ProtonMail also denied that they knew that the user in question was a climate activist.
“Due to Proton’s strict privacy, we do not know the identity of our users, and at no point were we aware that the targeted users were climate activists. We only know that the order for data from the Swiss government came through channels typically reserved for serious crimes.”
Important clarifications regarding arrest of climate activist
I don’t know exactly what “serious crime” the French climate activist is accused of. I’m not a reporter and my French is only so-so, and there’s only so much of Article 75 of the French penal code I’m willing to struggle through before I conclude that it’s generic and I’m wasting my life.
However, it would be easy to assume that the offence is something which is a threat to politicians and police more than it is a threat to the general public.
The ProtonMail blog post includes a three-part advisory for activists:
- ProtonMail do fight court cases (700 in 2020 alone). They claim that this is “unlike other providers”, although it’s not hard to find instances of Google, Apple, and Microsoft pushing back on government requests for user information.
- Use Tor if you need enhanced privacy!
- Service providers have to comply with the law, unless they are based 15 miles offshore in international waters.
Perhaps unsurprisingly, the third point attracted some attention. In what is certainly my favourite commentary on the issue, one redditor asked the obvious question, only to have their Alps handed to them by another redditor:
“In that case can you put a floating service 15 miles offshore?”
“Switzerland is landlocked”
“Climate activist arrested after ProtonMail provided his IP address”
If only Switzerland had its own international waters!
But did ProtonMail do anything wrong?
Depends on your point of view.
Legally? I am not a lawyer, but it looks as though ProtonMail complied with Swiss law, as they are required to, when they handed over IP address and browser fingerprint.
Semantically, maybe a little bit. They didn’t volunteer to dox climate activists, but they did get two little words to do a big amount of work:
By default, we do not keep any IP logs which can be linked to your anonymous email account.
ProtonMail home page, 2021-07-29
Turns out that “by default” simply means that ProtonMail don’t typically hang on to your IP address for a long time unless they are compelled to by law in specific cases. However, most of the internet (me included, probably) saw what we wanted to see, i.e. they don’t retain our IP addresses. In practice, once the law compels them, they will do exactly that.
The ProtonMail privacy policy was a lot less certain about not logging IP addresses than the home page:
By default, we do not keep permanent IP logs in relation with your use of the Services. However, IP logs may be kept temporarily to combat abuse and fraud, and your IP address may be retained permanently if you are engaged in activities that breach our terms and conditions (spamming, DDoS attacks against our infrastructure, brute force attacks, etc). The legal basis of this processing is our legitimate interest to protect our Services against nefarious activities.
ProtonMail Privacy Policy, 2021-07-29
No mention of government compulsion – they’ve since amended their home page and their privacy policy – but that is a clear statement that you shouldn’t expect complete immunity to IP logging when using ProtonMail.
Did ProtonMail do something morally wrong? That’s a tough one. Sure, the ProtonMail home page wrote cheques which their privacy policy couldn’t cash. However, I’m just not seeing ProtonMail as the bad guys here, because:
- If ProtonMail fails to comply with court orders (once appeals are exhausted), they will eventually cease to be a viable business. The people who work there will lose their livelihood. Even if you don’t care about that, the ProtonMail service would simply stop operating if the organization failed to comply with enough court orders.
- ProtonMail has offered a Tor onion site for anonymous-ish email access since at least January 2017.
Tor applies extra encryption layers on top of your connection, making it more difficult for an advanced attacker to perform a man-in-the-middle attack on your connection to us. Tor also makes your connections to ProtonMail anonymous as we will not be able to see the true IP address of your connection to ProtonMail.
Fighting Censorship with ProtonMail Encrypted Email Over Tor, ProtonMail blog
That’s ProtonMail anticipating the French government’s Europol request and giving explicit instructions on how to avoid having your true IP logged – over four years ago.
On balance, I see no reason to doubt that ProtonMail are who they say they are. A good chunk of the anger and disappointment which some people are directing towards ProtonMail should perhaps more properly be aimed at the French establishment.
Does any of this matter?
Yes, it matters, even if the specifics of this case don’t affect most people immediately or directly. We all place an incredible amount of trust into our tech and the online service providers who enable it all. We probably trust more than we should.
My own use of ProtonMail – as a paid user with a custom domain – is for some of the most dry and dull email I’ve ever sent or received, largely related to professional certifications. I’m certainly not using it for anything illegal. Still, this isn’t about me, and a constant concern with data gathering is scope creep and change of laws: today’s legal pastime could always be tomorrow’s criminal activity.
Never mind the future, anyway. What if I do something today which isn’t a crime where I live, but which is illegal under Swiss law?
If there are three lessons to take away here, I think they might look like this:
- For service providers. Be precise in the language you use to describe privacy or anonymity features. If you are draping yourself in the mantle of security/privacy, maybe make it really clear that people vulnerable to government or corporate surveillance (e.g. climate activists) should always use the extra optional privacy features you may offer but don’t necessarily publicize on the front page, like your Tor onion site.
- For users. Assume your use of any service could be exposed. If a service provider claims not to keep logs, you should
believe themlaugh. If you’re going up against governments and corporations, opsec is everything. Defense in depth will do more to keep you safe than marketing. The less you say, the less your words can be used against you. - For governments. Lean on tech companies hard enough and they’ll hand over data, because they don’t have much choice.
I suspect that last one is something most governments already know.
