A scandal erupted over the secure email service ProtonMail over the weekend. The fact is that the service management reported that it was recently forced to retain the IP address of one of its clients, as ProtonMail received a relevant order from the Swiss authorities that could not be appealed or rejected.
“It doesn’t matter which service you use, if it’s not 15 miles offshore in international waters, the company will have to comply with the law,” Andy Yen, head of ProtonMail, wrote in a blog post.
The incident is related to a series of protests against gentrification that passed in Paris in summer and autumn 2020. Then a group of activists Youth for Climate took over a number of squares and buildings in Paris, in protest against companies buying up real estate and raising rents for local residents fourfold. Then the activists used the mailbox on ProtonMail to organize protests (jmm[***] @ protonmail.com), and it attracted both the attention of real estate companies and the French police.
Last week site Paris Struggles (Paris Struggles) reported that the French police and Europol have contacted the Swiss government and asked for help, seeking details about the identity of the mailbox owner.
“Proton received a legally binding order from the Federal Department of Justice and Police that we were required to comply with,” explains ProtonMail. “According to Swiss law, the suspect must be notified that his information has been requested, which is not the case in most countries.”
However, Andy Yen said that a separate nondisclosure order prevented the company from notifying the user in time about what was happening. That is, the service was forced to save the IP address that the French activist used to log into his mailbox on ProtonMail and hand it over to the authorities.
“Proton may be required to collect information on accounts belonging to users that are under criminal investigation in Switzerland. Obviously, this is not done by default, but only if Proton receives a legal order for a specific account. The Internet is mostly not anonymous, and if you are breaking Swiss law, a law-abiding company like ProtonMail may be legally obligated to keep your IP address. “
In doing so, Ian tried to defend the Swiss legal system as a whole:
“The Swiss legal system is not perfect, but it has a number of checks and balances, and it is worth noting that even in this case, the approval of three governing bodies from two countries was required, which is a fairly high bar that prevents most (but not all) abuse of the system. […] Finally, Switzerland is generally not conducive to prosecutions that come from countries where there is no fair justice system. ”
However, ProtonMail users, of course, did not like what happened. Many remembered that the ProtonMail service has been used by ransomware operators, blackmailers and other criminals for many years, but the company’s management eventually helped the investigation, which concerned the activist, and not the capture of another extortionist group.
So France police manages to get ProtonMail to release information about /climate activists/?
Good thing they don’t take ransomware that seriously, I guess 🤷♀️
– E (@ nemesis09) September 6, 2021
ProtonMail has also been heavily criticized for its marketing, as the company has been promising users “anonymous email” for years, although according to the latter transparency report, the number of claims the company receives from the authorities is growing exponentially: from 13 requests in 2017 to 3,572 last year (195 of them were foreign).