Despite its “no logs” policy, the end-to-end encrypted email service ProtonMail discloses the IP address of anti-gentrification activists to law enforcement authorities, leading to arrests in France.
An activist group in France has been fighting against gentrification, real estate speculation, and more. On September 1st, the group posted an article on Paris-luttes.com focusing on police investigations against various members of the group. The French police sent a request to Europol to have ProtonMail ordered to uncover the identity of group members.
According to the company, it received a “legally binding order from the Swiss Federal Department of Justice” regarding the collective Youth of Climate, an order with which Proton was obligated to comply. The service handed over IP addresses and related information used by the activist group to access ProtonMail.
In a response on Reddit, the company said:
“Proton received a legally binding order from the Swiss Federal Department of Justice which we are obliged to comply with. There was no possibility to appeal or fight this particular request because an act contrary to Swiss law did, in fact, take place (and this was also the final determination of the Federal Department of Justice which does a legal review of each case).”
ProtonMail Privacy Stance
The Swiss-based company Proton offers an email service called ProtonMail and a VPN called ProtonVPN. On its website, ProtonMail says that it does not keep any personal information or IP logs. However, we did notice that after this incident the company completely changed the statement on its website.
Just a few hours after the incident, we checked the website and found that the ‘no IP logs’ claim had been removed from the home page. Before the incident, ProtonMail advertised:
After the incident, however, ProtonMail has changed its stance regarding no IP logs, as can be seen on their website.
ProtonMail’s Official Response to the Incident
Despite its no logs claim, the company said that they had no choice but to comply with the requests of foreign agencies like Europol.
After the incident, ProtonMail CEO and founder Andy Yen tweeted:
“Proton must comply with Swiss law. As soon as a crime is committed, privacy protections can be suspended and we’re required by Swiss law to answer requests from Swiss authorities.”
He further added that “ProtonMail must comply with Swiss criminal investigations. This is obviously not done by default, but only if legally forced.”
After the incident, ProtonMail users are concerned about the privacy and visibility of their IP address even if they use a VPN for encryption, or access the email service over Tor for anonymity.
Then why don’t you make it bold and clear on your website that you may have to provide IP addresses to the police and that your users should use your @torproject service? The current marketing says “anonymous”, and the result is that these people are under arrest.
— onestla.tech (@OnEstLaTech) September 5, 2021
After the French incident, ProtonMail revised its privacy policy, stating that it will log users’ IP addresses if they are found in violation of Swiss law. Their privacy policy states:
ProtonMail’s public disclosure of its logging policy is alarming, as the company received over 13 requests from the Swiss authorities back in 2017. However, users are uncertain, as the illegal activities were outside Switzerland: the protests took place in France.
Moreover, few people would believe anti-gentrification to meet the criteria of “extreme criminal cases” under which ProtonMail logs IP addresses.
Proton also offers a VPN service, which Andy Yen says does not log any IP information and is outside the legal basis of Swiss Law.
No, there is no legal basis for logging VPN under current Swiss law.
— Andy Yen (@andyyen) September 6, 2021
He also said that if users are deploying both ProtonVPN and Tor, the actual IP address could not be obtained, as what shows is the IP of the VPN server the user is connected to.
Despite such claims, users of ProtonMail are enraged and concerned about their online privacy and anonymity “advertised” by the service. European Union lawmakers have also given a signal that they are trying to find a way to get legal access to encrypted data, raising privacy concerns.