Privacy experts consider it one of the safest email providers on the internet, but ProtonMail’s recent decision to hand over sensitive customer information to European law enforcement is raising questions about whether the company’s privacy claims are less of a promise and more of a mirage.
After French law enforcement requested—through Europol—that Swiss authorities share the IP address of a climate activist, the end-to-end encrypted email provider ProtonMail shared the user’s information. (Switzerland-based ProtonMail isn’t subject to French or EU jurisdiction, but ProtonMail is obligated to respond to Swiss authorities.)
French police came across the email address in the course of investigating a group that’s been protesting gentrification in a hip neighborhood of Paris since late 2020, and wanted to know who was behind it, according to local news sources. The investigation has led to a series of arrests on the ground.
“Proton must comply with Swiss law. As soon as a crime is committed, privacy protections can be suspended and we’re required by Swiss law to answer requests from Swiss authorities,” ProtonMail founder Andy Yen tweeted.
But on its site, ProtonMail has claimed in the past that, “No personal information is required to create your secure email account. By default, we do not keep any IP logs which can be linked to your anonymous email account. Your privacy comes first.” And since TechCrunch first reported the company shared one of its users’ sensitive information with law enforcement, some ProtonMail users are starting to question whether the so-called “anonymous” email provider has been two-faced in its claims that it puts user privacy first.
Users can be frustrated with ProtonMail all they want, but the company’s compliance with the Swiss authorities is out of the company’s hands, according to Matthieu Audibert, a cyber expert working for French law enforcement.
“I see people who are upset ProtonMail responded but it is because a Swiss court deemed the request valid and because a crime was indeed committed in France,” Audibert said.
But it’s still unclear whether ProtonMail has been disingenuous about its privacy policies. Now that it’s under fire for sharing IP address information with the authorities, the company has started changing some of its marketing materials; in recent days, the company deleted the claim that they do not keep IP logs from its website.
What people often miss in signing up for services like ProtonMail is whether the company keeps track of metadata, such as IP addresses, or the contents of emails, according to the Electronic Frontier Foundation’s director of cybersecurity Eva Galperin.
User information that the company may share with Swiss authorities includes email address, email subject lines, sender or recipient email addresses, last login time, and IP addresses of incoming messages, according to ProtonMail policy.
“Privacy and security are not some sort of magic wand where you just use the right tools and wave the wand around and everything is secure and private ‘forever and ever, amen,’” Galperin told The Daily Beast.
As an end-to-end encrypted email provider, however, ProtonMail cannot share the content of emails with law enforcement.
End-to-end encryption isn’t always going to protect the contents of emails in cases where recipients screenshot or forward emails to other parties, of course. End-to-end encryption—and its ability to keep user messages totally private—is only as good as the trust users have in the other people they’re communicating with, security experts warn.
Other end-to-end encrypted service providers are starting to weigh in on the uproar. Stretching the truth in marketing materials about privacy is not helpful in any case, warns popular end-to-end encrypted email provider Tutanota.
“Privacy-focused services must be very precise when it comes to marketing, particularly not to overstate their promises,” the head of marketing for Tutanota, Hanna Bozakov, told The Daily Beast. “This is why in our opinion privacy and security go hand in hand with transparency. As a privacy-focused service you must be very transparent, particularly when things go wrong.”
While ProtonMail has always made it clear it is a Switzerland-based company and that it will respond to court orders, its advertising on privacy has fallen short, Galperin said.
“If you take a look at ProtonMail’s marketing and advertising, you will see that they advertise themselves as a privacy protecting mail service… they make a very big deal out of the fact that they don’t log IPs,” Galperin told The Daily Beast.
Other concerns abound. ProtonMail said in a statement on the incident that “the only law that matters is Swiss law”—a statement which isn’t entirely true. Swiss authorities clearly work with other governments, as demonstrated in this case.
Galperin said that, when deciding on an email service provider, messaging platform, or VPN, people ought to consider what risks they are willing to take—and ought to take into account the fact that governments cooperate with one another.
“It is very important to understand that some governments cooperate with other governments,” Galperin told The Daily Beast. “If you use a service that you know does not respond to court orders from a particular government, and you are concerned about court orders from a particular government, then that is a safe place for your threat model.”
ProtonMail declined to comment on this story.
ProtonMail isn’t a stranger to tools that help users skirt monitoring. The company allows customers to use Tor to access their ProtonMail accounts and possibly avoid any monitoring. The company also has a VPN service that could mask users’ IP addresses. If the climate activist had taken advantage of those tools, they may not have been discovered and arrested.
“This particular user would have never been de-anonymized if they had always logged into their account using Tor,” Galperin theorized to The Daily Beast.
ProtonMail also tackles some of the requests from Swiss authorities and contests them. Last year alone, the company contested 750 requests, according to numbers the company listed in a transparency report.
This is almost certainly not the end of these kinds of incidents, according to Tresorit, another Swiss end-to-end encrypted platform. It is likely that the number of these kinds of incidents—in which providers share information about users with law enforcement—will only grow in the coming months, according to Gyorgy Szilagyi, chief product officer at Tresorit.
“As, fortunately, more and more people are switching to end-to-end encrypted services to protect their data, the number of law enforcement requests to these services is also growing,” Szilagyi told The Daily Beast. “As these services are incapable to hand over contents, metadata is going to be even more important.”
The news comes at a time when government officials around the world have been looking for various ways to beat back end-to-end encryption providers and degrade encryption. Law enforcement authorities have been clamoring for years to eliminate end-to-end encryption, claiming that it impedes their investigations into criminals.
“End to end encryption is still under attack… Every day we see new proposals trying to pressure the platforms that provide end-to-end encrypted communications and to allowing backdoors for law enforcement,” Galperin said. “But it is very important to resist those pressures to create backdoors because… once you create that backdoor it can and will be found by people that you don’t want using it. You can’t uncreate that backdoor once it’s already there. The risk of abuse is very high.”