Reading Time: 3 minutes

Despite its “no logs” policy, end-to-end encrypted email service, ProtonMail discloses the IP address of anti-gentrification activists to law enforcement authorities, leading to arrests in France.

An activist group in France has been fighting against gentrification, real estate speculation, and more. On September 1st, the group posted an article on focusing on police investigations against various members of the group. The French police sent a request to Europol for ordering ProtonMail to uncover the identity of group members.

According to the company, it received a “legally binding order from the Swiss Federal Department of Justice” regarding Youth of Climate, a collective with which Proton was obligated to comply. The service handed over IP addresses and related information used by the activist group to access ProtonMail.

In a response on Reddit, the company said:

“Proton received a legally binding order from the Swiss Federal Department of Justice which we are obliged to comply with. There was no possibility to appeal or fight this particular request because an act contrary to Swiss law did, in fact, take place (and this was also the final determination of the Federal Department of Justice which does a legal review of each case).”

ProtonMail Privacy Stance

The Swiss-based company Proton offers an email service called ProtonMail, and a VPN called ProtonVPN. On its website, ProtonMail says that they do not keep any personal information and IP logs. However, we did notice that after this incident they completely changed their statement on their website.


Image: Thehackernews

Just after a few hours of the incident, we checked its website, and they have removed the ‘no IP logs’ claim from their home page. Before the incident, ProtonMail advertised:

“No personal information is required to create your secure email account. By default, we do not keep any IP logs that can be linked to your anonymous email account. Your privacy comes first.”

After the incident, however, ProtonMail has changed its stance regarding no IP logs, as can be seen on their website.


‘ProtonMail is email that respects privacy and puts people (not advertisers) first. Your data belongs to you, and our encryption ensures that. We also provide an anonymous email gateway.”

ProtonMail’s Official Response to the Incident

Despite its no logs claim, the company said that they had no choice but to comply with the requests of foreign agencies like Europol.

After the incident, ProtonMain CEO and founder Andy Yen tweeted:

“Proton must comply with Swiss law. As soon as a crime is committed, privacy protections can be suspended and we’re required by Swiss law to answer requests from Swiss authorities.”

He further added that “ProtonMail must comply with Swiss criminal investigations. This is obviously not done by default, but only if legally forced.

After the incident, ProtonMail users are concerned about the privacy and visibility of their IP address even if they use a VPN for encryption, or access the email service over Tor for anonymity.

After the French incident, ProtonMail has revised their privacy policy stating that they will be logging user’s IP addresses if they are found in violation of Swiss law. Their privacy policy states:

“By default, we do not keep permanent IP logs in relation with your use of the Services. However, IP logs may be kept temporarily to combat abuse and fraud, and your IP address may be retained permanently if you are engaged in activities that breach our terms and conditions (spamming, DDoS attacks against our infrastructure, brute force attacks, etc). The legal basis of this processing is our legitimate interest to protect our Services against nefarious activities. If you are breaking Swiss law, ProtonMail can be legally compelled to log your IP address as part of a Swiss criminal investigation.

ProtonMail’s public disclosure of its logging policy is alarming as the company has received over 13 requests from the Swiss authorities back in 2017. However, the users are uncertain as the illegal activities were outside Switzerland, as the protests took place in France.

Moreover, few people would believe anti-gentrification to meet the criteria of “extreme criminal cases” under which ProtonMail logs IP addresses.

Proton also offers a VPN service, which Andy Yen says does not log any IP information and is outside the legal basis of Swiss Law.

He also said that if users are deploying both ProtonVPN and Tor, they would not be able to get the actual IP address, as it shows the IP of the VPN server the user is connected to.

Despite such claims, users of ProtonMail are enraged and concerned about their online privacy and anonymity “advertised” by the service. European Union lawmakers have also given a signal that they are trying to find a way to get legal access to encrypted data, raising privacy concerns.