Over the last couple of days, the news of the email service ProtonMail giving up an activist’s IP address has been a big topic of conversation for the international security community.
All reports indicate that the French police arrested the climate activist fighting against gentrification. However, ProtonMail is not under obligation to provide any details to the French authorities. So how did they get the IP address details?
So @ProtonMail received a legal request from Europol through Swiss authorities to provide information about Youth for Climate action in Paris, they provided the IP address and information on the type of device used to the police https://t.co/KtKF4wn3wv
— Etienne – Tek (@tenacioustek) September 5, 2021
As TechCrunch noted, ProtonMail is obliged to comply with Swiss law, as they’re based out of Geneva. To get information about the activist, the French police sent a request to the Swiss authorities through Europol. The company’s CEO, Andy Yen, clarified on Twitter that the company only co-ordinated with the Swiss authorities — not French police or Europol.
Proton must comply with Swiss law. As soon as a crime is committed, privacy protections can be suspended and we're required by Swiss law to answer requests from Swiss authorities.
— Andy Yen (@andyyen) September 5, 2021
Switzerland’s law requires tech companies to notify the person whose data is being requested by the government. However, Yen didn’t specify if ProtonMail followed through in this case, and told TechCrunch that he can’t comment on this “for privacy and legal reasons.”
In the ongoing case, ProtonMail delayed the notification by up to eight months and kept logging the IP address and other details of the activist in question. The firm could’ve been under a legal obligation to not disclose these details.
The company can provide metadata information about the account, including IP address, email address, and recipient emails — but can’t share email content because of end-to-end encryption protection.
Over the years, the country’s government has sent an increasing number of data requests to the email service. In 2020, it sent 3,572 such requests, more than double the 1,465 requests it sent in 2019.
Government requests for user data are common practice across the world, but ProtonMail markets itself as a privacy-first email service. The company only does IP logging in “extreme criminal cases,” and that sounds far-fetched for an environmental activist.
It also provides an anonymous email service through its Tor-based service, but it is facing criticism for not specifying that clearly on its website. In response, Yen said that the company will promote this option more prominently.
The CEO tweeted that it’s deplorable that the law is being used in this way to force information out of companies, but that the company doesn’t have any option but to comply with it. While some users might be questioning the company’s commitment to privacy, Yen’s vocal response might restore some faith in the service.
You can read about the whole incident in detail on TechCrunch.