ProtonMail Is in the News for Complying With Law Enforcement

~5 min read | Published on 2021-09-08, tagged General-News using 1170 words.

ProtonMail’s cooperation with law enforcement resulted in the arrest of an activist in France.
ProtonMail, as a company in Switzerland, abides by Swiss laws, including court orders that result in arrest. This is, of course, not something ProtonMail keeps secret or obfuscates. The company appears relatively transparent about the way it handles requests from law enforcement agencies. The company states that it only complies with two types of court orders: orders from Swiss authorities and foreign requests validated by Swiss authorities.
In practice, as revealed in the company’s transparency report, the company seemingly complies with law enforcement requests without a court order in certain cases. One high-profile example is the case involving the fictitious “Black Death Group” and the Instagram model Chloe Ayling. ProtonMail provided police with information on the defendant before receiving a court order. Their stated rationale is “the fact that the first 48 hours are the most critical in kidnapping cases.”
Notably, though, ProtonMail regularly fights requests from law enforcement. In some cases, ProtonMail rejects requests from foreign law enforcement even after approval from a Swiss court. The company claimed it fought more than 700 requests in 2020.
This recent incident seems largely insignificant as it follows the company’s protocol for complying with law enforcement requests. Law enforcement agencies in France wanted the I.P. address of a French ProtonMail user. According to RT, the investigation targeted people illegally occupying flats and other properties in Paris (activism).
French police, with help from Europol, requested the I.P. address of a user of ProtonMail in France. A Swiss court approved the request and ordered ProtonMail to comply with the request. ProtonMail logged the I.P. address of the user and provided the I.P. address to law enforcement in France. French police arrested the suspect after receiving the information from ProtonMail.
ProtonMail rightfully encouraged users to access their accounts through Tor. They also pointed out that there is a limit to what kind of assistance they can provide to law enforcement. Encrypted content such as emails, attachments, and files remains encrypted and useless to law enforcement.
The company’s blog post (hyperlinks expanded to reveal destination by this author):
Important clarifications regarding arrest of climate activist


We would like to provide important clarifications regarding the case of the climate activist who was recently arrested by French police on criminal charges. We are also deeply concerned about this case and deplore that the legal tools for serious crimes are being used in this way. In the interest of transparency, we would like to provide additional context.

In this case, Proton received a legally binding order from Swiss authorities which we are obligated to comply with. There was no possibility to appeal this particular request.

As detailed in our transparency report (https://protonmail.com/blog/transparency-report/), our published threat model (https://protonmail.com/blog/protonmail-threat-model/), and also our privacy policy (https://protonmail.com/privacy-policy) under Swiss law, Proton can be forced to collect information on accounts belonging to users under Swiss criminal investigation. This is obviously not done by default, but only if Proton gets a legal order for a specific account.

We would like to provide the following clarifications:
1. Under no circumstances can our encryption be bypassed, meaning emails, attachments, calendars, files, etc. cannot be compromised by legal orders.
2. ProtonMail does not give data to foreign governments; that’s illegal under Article 271 of the Swiss Criminal code. We only comply with legally binding orders from Swiss authorities.
3. Swiss authorities will only approve requests which meet Swiss legal standards (the only law that matters is Swiss law)
4. Transparency with our user community is extremely important to us. Since 2015, we have published a transparency report publicizing how we handle Swiss law enforcement requests: https://protonmail.com/blog/transparency-report/
5. Under Swiss law, it is obligatory for a user to be notified if a third party makes a request for their private data and such data is to be used in a criminal proceeding. More information can be found here https://protonmail.com/law-enforcement.
6. Under current Swiss law, email and VPN are treated differently, and ProtonVPN cannot be compelled to log user data.
7. Due to Proton’s strict privacy, we do not know the identity of our users, and at no point were we aware that the targeted users were climate activists. We only know that the order for data from the Swiss government came through channels typically reserved for serious crimes.
8. There was no legal possibility to resist or fight this particular request.
What we are changing


We will be making updates to our website to better clarify ProtonMail’s obligations in cases of criminal prosecution and we apologize if this was not clear. As a Swiss company, we must follow Swiss laws. We will also clarify that the use of our onion site (details below) is highly recommended for users with heightened privacy needs. Finally, we will also be updating our privacy policy to make clearer our legal obligations under Swiss law.

What does this mean for activists using ProtonMail?


We understand your concerns and we stand with you – we are activists, too. There are a couple things we want to share.
Proton does fight for users

Unlike other providers, we do fight on behalf of our users. Few people know this (it’s in our transparency report), but we actually fought over 700 cases in 2020 alone. Whenever possible, we will fight requests, but it is not always possible.
Use Tor for anonymous access

There is a difference between security/privacy, and anonymity. As we wrote in our public threat model (https://protonmail.com/blog/protonmail-threat-model/) (published back in 2014), “The Internet is generally not anonymous, and if you are breaking Swiss law, a law-abiding company such as ProtonMail can be legally compelled to log your IP address.” This cannot be changed due to how the internet works. However, we understand this is concerning for individuals with certain threat models, which is why since 2017, we also provide an onion site (http://protonmail.com/tor) for anonymous access (we are one of the only email providers that supports this).
There are worse laws than Swiss law

No matter what service you use, unless it is based 15 miles offshore in international waters, the company will have to comply with the law. The Swiss legal system, while not perfect, does provide a number of checks and balances, and it’s worth noting that even in this case, approval from 3 authorities in 2 countries was required, and that’s a fairly high bar which prevents most (but obviously not all) abuse of the system. Under Swiss law, it is also obligatory for the suspect to be notified that their data was requested, which is not the case in most countries. Finally, Switzerland generally will not assist prosecutions from countries without fair justice systems.

What should we do?


We need to help the youth activists, but ProtonMail cannot do that by breaking the law and ignoring court orders. We are on your side, and our shared fight is with the authorities and the unjust laws we have been campaigning against for years. The prosecution in this particular case was very aggressive. Unfortunately, this is a pattern we have increasingly seen in recent years around the world (for example in France where terror laws are inappropriately used).

We will continue to campaign against such laws and abuses, and we will continue to challenge unjustified government requests whenever possible.

Comments (24)


proton 2021-09-09

try their onion it has required javascript forever

The Purpose of L 2021-09-18

The purpose of life is to keep it real, but to thy own self be true

proton 2021-09-09

why require JS? surely people as intelligent as the ones operating proton know that it is a security risk. if they truly cared about privacy, they would make a non-JS option. Then theres that whole thing about requiring a phone number or a non-cryptocurrency payment.... hmmmm....

NN 2021-09-12

JS is required to do client-side encryption of emails sent to other Protonmail users. I agree it's sketchy to claim you are a private service and make it so hard to pay privately.

nofinger 2021-09-09

Main login page also does 3+ types of fingerprinting. Audio, canvas, and webgl + more.

hello 2021-09-09

lol its like wickr. people are really dumb

A slap 2021-09-09

What’re u supposed to use if not Wickr ?

Alias 2021-09-15

you can just use signal. better than wickr in every way

Huh 2021-09-09

What do u mean it’s like Wickr? What’s wrong with Wickr? And if u can’t use these what can u use?

username 2021-09-09

Wickr is a CIA honeypot, c'mon people. Closed source encrypted chat application headquartered in the USA. Major contracts with US military. They can fuck right off

username1 2021-09-10

open source on github but hasn't been audited to confirm they are running the same source

Dndksl 2021-09-10

So how do u buy and sell shit mr big shot... bc this honey pot has been going on for 7 years with not one person going down via Wickr

yourlocalshizo 2021-09-26

As far as I'm aware only way people have gone down through wickr was because of google android backdoors, just install graphite os you fucktards source on github any real information is of course appreciated but dont throw bs like this in here to confuse niggas

AWSi somewherent 2021-09-10

The fuck you talking about, simple people have VPN3 and leak their IPs across every frame, in every router, across the entire God damn world… and they don’t get caught like Corona. III

spektrem 2021-09-11

the answer is not proton or wickr. try signal and tutanota

Quietstorm 2021-09-12

Signal is the best atm

BigMan 2021-09-12

Signal requires a phone number.

Alicedsw23e 2021-09-15

security depends on the weakest component or step. Fake security or anonymous services such as proton and tg often involve phone number or inaccessibility without IP in some cases

crypto 2021-09-17

Sketchy af that proton or tuta dont take crypto for payments. how can you even claim privacy service and refuse to take crypto??? sessions messenger is good, signal code base, improvements, no damn phone #!!!!, and ip masking

BANG 2021-09-17

Nobody listened to me. Drugbuyersguide is actively co operating with law enforcement and protonmail is the same. do not trust . And their Tor site runs javascript. Fc protonmail

Silent 2021-09-18

Ya ya proton still works pretty good, just like those eBay shops dogg? The world is not what we sometimes expect it to be. Peace to those who seek it

JeremyTheToe 2021-09-19

Protonmail's 'tor site' fucking redirects to the clear web link and requires JS. people on the protonmail subreddit suck off the corp like their life depends on it, completely refusing to acknowledge how PM advertised anonymity and no logging ips and shit, and then removed it from their site when it turns out thats what theyve been doing the whole time. protonmail is full of shit

Dot 2021-10-04

What should i use instead of protonmail and tutanota ?