Easily the favorite free email service of the privacy-conscious, Switzerland-based ProtonMail has built its reputation in no small part because of its pledge to not keep user IP logs except in “extreme criminal cases.” A recent case, developing originally in France and handed off to Swiss police via Interpol, indicates that the circumstances may not need to be all that extreme for IP logs to be turned over.
ProtonMail says that it was legally compelled by Swiss authorities and could do nothing to resist. The issue seems to have prompted a recent update to clarify the ProtonMail privacy policy, which now uses more general language in saying that accounts suspected of “breaking Swiss law” can have their IP logs turned over as part of a “Swiss criminal investigation.” ProtonMail still does not collect IP addresses by default.
ProtonMail IP logs requested in investigation of French activist
ProtonMail is popular for its end-to-end encryption and promise to protect user privacy to the greatest extent possible, even for its no-cost tier of accounts. While the service has always acknowledged that it may have to comply with legitimate law enforcement requests for information, it says that it fights those requests whenever possible and limits the information it turns over to “extreme” cases. A cornerstone of its policy is that it does not keep IP logs by default, only doing so when legally compelled to.
A recent case involving a user in France paints a different picture. A Paris anti-gentrification activist involved in a high-profile campaign was targeted after his group published information about police investigations and legal cases the group was involved in. The ProtonMail email address appears to have been shared between multiple members of the group, and was found listed on anarchist websites. That, and the group’s targeting of the Le Petit Cambodge restaurant that was hit by a terrorist attack in late 2015, seems to have prompted the French authorities to uncover the identity of the email account’s creator.
In a process that has still not been made fully clear, the French authorities (with the apparent facilitation of Europol serving as an intermediary) somehow compelled the Swiss authorities to reveal the email account owner’s IP address, device identifier and date of account creation. ProtonMail CEO Andy Yen attempted to comment on the case on Twitter without actually directly addressing it, making general comments about how the company is subject to Swiss law and must respect legal requests from Swiss authorities. Yen appeared to stress that the request came directly from Swiss law enforcement, not from France or from Interpol. ProtonMail only responds to legally binding requests approved by the Swiss.
Requirements of Swiss law
Swiss law requires that users be notified if a request of this nature is made, but Yen could not tell the press exactly when this happened due to privacy rules. The law does allow for a certain amount of delay in certain cases; in this case, it appears that about eight months passed between when the IP logs began and when the user was notified. A delay of this length generally requires demonstration of “injury, death, or irreparable damage” if the notification is not withheld; it is difficult to tell exactly what the authorities would have based this assessment on if that was indeed the reason.
Valid requests under the law entitle the Swiss authorities to more than just IP logs. Law enforcement can additionally request the contents of unencrypted messages in the account, account profile information and assorted metadata, storage use and login times among other items. However, they cannot compel ProtonMail to attempt to decrypt any encrypted messages in the account. The company did not miss the opportunity to pitch its optional Tor onion address and VPN service, which would fully encrypt and obfuscate an account in such a way that little of use could be legally gleaned from it under such an order.
Privacy concerns over law enforcement requests
The removal of the notification about IP logs from the privacy policy seems meant to cover the circumstances of this situation, rather than to signal a change in policy under which Proton now intends to log this information by default. This story has nevertheless created concerns about the privacy of accounts, particularly free accounts that do not make use of the ProtonVPN service.
Even with encryption enabled, the email sender, email recipient, and message timestamps are still made available (to work with the SMTP protocol) and could be collected from an account that is under investigation. If a foreign country is able to get Interpol involved, it appears that the Swiss authorities can be pressured into complying with an investigation and Proton will be compelled to create IP logs (and may do so surreptitiously for months before notifying the user).
Proton has since released several social media posts vowing to continue fighting requests that are not fully legal, and calling for legislative solutions to this potential end-run around user privacy.
Updated Sep 25, 2021 based on clarifications provided by ProtonMail.