ProtonMail Is in the News for Complying With Law Enforcement

ProtonMail’s cooperation with law enforcement resulted in the arrest of an activist in France.

ProtonMail, as a company in Switzerland, abides by Swiss laws, including court orders that result in arrest. This is, of course, not something ProtonMail keeps secret or obfuscates. The company appears relatively transparent about the way it handles requests from law enforcement agencies. The company states that it only complies with two types of court orders: orders from Swiss authorities and foreign requests validated by Swiss authorities.

In practice, as revealed in the company’s transparency report, the company seemingly complies with law enforcement requests without a court order in certain cases. One high-profile example is the case involving the fictitious “Black Death Group” and the Instagram model Chloe Ayling. ProtonMail provided police with information on the defendant before receiving a court order. Their stated rationale is “the fact that the first 48 hours are the most critical in kidnapping cases.”

Notably, though, ProtonMail regularly fights requests from law enforcement. In some cases, ProtonMail rejects requests from foreign law enforcement even after approval from a Swiss court. The company claimed it fought more than 700 requests in 2020.

This recent incident seems largely insignificant as it follows the company’s protocol for complying with law enforcement requests. Law enforcement agencies in France wanted the I.P. address of a French ProtonMail user. According to RT, the investigation targetted people illegally occupying flats and other properties in Paris (activism).

French police, with help from Europol, requested the I.P. address of a user of ProtonMail in France. A Swiss court approved the request and ordered ProtonMail to comply with the request. ProtonMail logged the I.P. address of the user and provided the I.P. address to law enforcement in France. French police arrested the suspect after receiving the information from ProtonMail.

ProtonMail rightfully encouraged users to access their accounts through Tor. They also pointed out that there is a limit to what kind of assistance they can provide to law enforcement. Encrypted content such as emails, attachments, and files remain encrypted and useless to law enforcement.

The company’s blog post (hyperlinks expanded to reveal destination by this author):

Important clarifications regarding arrest of climate activist

We would like to provide important clarifications regarding the case of the climate activist who was recently arrested by French police on criminal charges. We are also deeply concerned about this case and deplore that the legal tools for serious crimes are being used in this way. In the interest of transparency, we would like to provide additional context.

In this case, Proton received a legally binding order from Swiss authorities which we are obligated to comply with. There was no possibility to appeal this particular request.

As detailed in our transparency report (https://protonmail.com/blog/transparency-report/), our published threat model (https://protonmail.com/blog/protonmail-threat-model/), and also our privacy policy (https://protonmail.com/privacy-policy) under Swiss law, Proton can be forced to collect information on accounts belonging to users under Swiss criminal investigation. This is obviously not done by default, but only if Proton gets a legal order for a specific account.

We would like to provide the following clarifications:

  1. Under no circumstances can our encryption be bypassed, meaning emails, attachments, calendars, files, etc. cannot be compromised by legal orders.

  2. ProtonMail does not give data to foreign governments; that’s illegal under Article 271 of the Swiss Criminal code. We only comply with legally binding orders from Swiss authorities.

  3. Swiss authorities will only approve requests which meet Swiss legal standards (the only law that matters is Swiss law)

  4. Transparency with our user community is extremely important to us. Since 2015, we have published a transparency report publicizing how we handle Swiss law enforcement requests: https://protonmail.com/blog/transparency-report/

  5. Under Swiss law, it is obligatory for a user to be notified if a third party makes a request for their private data and such data is to be used in a criminal proceeding. More information can be found here https://protonmail.com/law-enforcement.

  6. Under current Swiss law, email and VPN are treated differently, and ProtonVPN cannot be compelled to log user data.

  7. Due to Proton’s strict privacy, we do not know the identity of our users, and at no point were we aware that the targeted users were climate activists. We only know that the order for data from the Swiss government came through channels typically reserved for serious crimes.

  8. There was no legal possibility to resist or fight this particular request.

What we are changing

We will be making updates to our website to better clarify ProtonMail’s obligations in cases of criminal prosecution and we apologize if this was not clear. As a Swiss company, we must follow Swiss laws. We will also clarify that the use of our onion site (details below) is highly recommended for users with heightened privacy needs. Finally, we will also be updating our privacy policy to make clearer our legal obligations under Swiss law.

What does this mean for activists using ProtonMail?

We understand your concerns and we stand with you – we are activists, too. There are a couple things we want to share.

Proton does fight for users

Unlike other providers, we do fight on behalf of our users. Few people know this (it’s in our transparency report), but we actually fought over 700 cases in 2020 alone. Whenever possible, we will fight requests, but it is not always possible.

Use Tor for anonymous access

There is a difference between security/privacy, and anonymity. As we wrote in our public threat model (https://protonmail.com/blog/protonmail-threat-model/) (published back in 2014), “The Internet is generally not anonymous, and if you are breaking Swiss law, a law-abiding company such as ProtonMail can be legally compelled to log your IP address.” This cannot be changed due to how the internet works. However, we understand this is concerning for individuals with certain threat models, which is why since 2017, we also provide an onion site (http://protonmail.com/tor) for anonymous access (we are one of the only email providers that supports this).

There are worse laws than Swiss law

No matter what service you use, unless it is based 15 miles offshore in international waters, the company will have to comply with the law. The Swiss legal system, while not perfect, does provide a number of checks and balances, and it’s worth noting that even in this case, approval from 3 authorities in 2 countries was required, and that’s a fairly high bar which prevents most (but obviously not all) abuse of the system. Under Swiss law, it is also obligatory for the suspect to be notified that their data was requested, which is not the case in most countries. Finally, Switzerland generally will not assist prosecutions from countries without fair justice systems.

What should we do?

We need to help the youth activists, but ProtonMail cannot do that by breaking the law and ignoring court orders. We are on your side, and our shared fight is with the authorities and the unjust laws we have been campaigning against for years. The prosecution in this particular case was very aggressive. Unfortunately, this is a pattern we have increasingly seen in recent years around the world (for example in France where terror laws are inappropriately used).

We will continue to campaign against such laws and abuses, and we will continue to challenge unjustified government requests whenever possible.

Do you really want to comment here? not rules
e26c1310 Wed, Sep 8, 2021

wow people still use proton

7703b660 Wed, Sep 8, 2021

try their onion it has required javascript forever

ccf027f0 Sat, Sep 18, 2021

The purpose of life is to keep it real, but to thy own self be true

800c3a50 Wed, Sep 8, 2021

why require JS? surely people as intelligent as the ones operating proton know that it is a security risk. if they truly cared about privacy, they would make a non-JS option. Then theres that whole thing about requiring a phone number or a non-cryptocurrency payment…. hmmmm….

a2a04890 Sat, Sep 11, 2021

JS is required to do client-side encryption of emails sent to other Protonmail users.

I agree it’s sketchy to claim you are a private service and make it so hard to pay privately.

3480ce70 Thu, Sep 9, 2021

Main login page also does 3+ types of fingerprinting. Audio, canvas, and webgl + more.

2cc03bf0 Thu, Sep 9, 2021

What do u mean it’s like Wickr? What’s wrong with Wickr? And if u can’t use these what can u use?

64f7e420 Thu, Sep 9, 2021

Wickr is a a CIA honeypot, c’mon people. Closed source encrypted chat application headquartered in the USA. Major contracts with US military. They can fuck right off

fefbc510 Thu, Sep 9, 2021

open source on github but hasn’t been audited to confirm they are running the same source

67cd6d50 Thu, Sep 9, 2021

So how do u u buy and sell shit mr big shot… bc this honey pot has been going on for 7 years with not one person going down via Wickr

f1029410 Sun, Sep 26, 2021

As far as I’m aware only way people have gone down through wickr was because of google android backdoors, just install graphite os you fucktards
source on github
any real information is of course appreciated but dont throw bs like this in here to confuse niggas

03043580 Fri, Sep 10, 2021

The fuck you talking about, simple people have VPN3 and leak their IPs across every frame, in every router, across the entire God damn world… and they don’t get caught like Corona. III

033e5850 Fri, Sep 10, 2021

The fuck you talking about, simple people have VPN3 and leak their IPs across every frame, in every router, across the entire God damn world… and they don’t get caught like Corona. III

0c35c190 Sat, Sep 11, 2021

Signal is the best atm

a505be50 Sun, Sep 12, 2021

Signal requires a phone number.

e9a46710 Wed, Sep 15, 2021

security depends in the weakest component or step. Fake security or anonymous services such as proton and tg often involve phone number or inaccessibility without IP in some cases

884829e0 Fri, Sep 17, 2021

Sketchy af that proton or tuta dont take crypto for payments. how can you even claim privacy service and refuse to take crypto???
sessions messenger is good, signal code base, improvements, no damn phone #!!!!, and ip masking

3f534cf0 Fri, Sep 17, 2021

Nobody listened to me. Drugbuyersguide is actively co operating with law enforcement and protonmail is the same. do not trust . And their Tor site runs javascript. Fc protonmail

08668260 Fri, Sep 17, 2021

Ya ya proton still works pretty good, just like those eBay shops dogg? The world is not what we sometimes expect it to be. Peace to those who seek it

b94e1530 Sat, Sep 18, 2021

Protonmail’s ’tor site’ fucking redirects to the clear web link and requires JS. people on the protonmail subreddit suck off the corp like their life depends on it, completely refusing to acknowledge how PM advertised anonymity and no logging ips and shit, and then removed it from their site when it turns out thats what theyve been doing the whole time.
protonmail is full of shit

22fd02b0 Sun, Oct 3, 2021

What should i use instead of protonmail and tutanota ?

New comments are disabled after ten days in an attempt to limit spam.