Evidence has come to light revealing the secure mail service's compliance with Swiss authorities in an American criminal case.
ProtonMail is a well-known and well-regarded mail service and is often recommended to users looking to distance themselves from Google's less-than-ideal security practices. Unfortunately, however, ProtonMail was recently forced to cooperate with Swiss authorities in providing user data (date of account creation), which was subsequently handed over to American security authorities and enforcement agencies.
The exchanged data concerned threats of violence, some of which were directed towards Dr. Anthony Fauci, immunologist and Chief Medical Advisor to the President, as well as his family.
The US Justice Department was able to determine that the accused used "an email account from a provider of secure, encrypted email services based in Switzerland", and the relevant affidavit confirms that the service in question was ProtonMail. It was also determined that multiple accounts were used simultaneously.
It's likely that the accused assumed that Swiss data protection law would keep them from the clutches of the authorities – US or otherwise. ProtonMail's end-to-end encryption no doubt had a part to play in the accused's confidence, too.
A recent article published by Tages-Anzeiger reports that Switzerland's Federal Office of Police (Fedpol) confirmed the exchange of user data between ProtonMail and the US authorities. Fedpol also heads the Swiss internal intelligence agency, and commented on the smooth cooperation between parties, praising ProtonMail's acquiescence.
Proton reached out to us to confirm that the only data provided to Swiss authorities was the date of account creation.
A not-so-safe haven
That ProtonMail made its home in Switzerland has previously been a point of praise for the mail service. However, despite the fact that Switzerland is not a member of the Five or Fourteen Eyes surveillance alliance, the country is by no means a bastion of digital privacy.
This is due in no small part to new laws passed in response to the 2015 terrorist attacks in Paris. ProtonMail previously slammed the introduction of these surveillance laws (the Nachrichtendienstgesetz, or NDG, and the BÜPF), claiming that they would lead to the creation of a "mini NSA" within Switzerland. ProtonMail's founder, Andy Yen, also claimed that the service would leave Switzerland entirely rather than cooperate with the BÜPF.
Fortunately, the Swiss Supreme Court ruled that email and VPN services should be treated differently. VPN services are not telecommunications providers, and are therefore not required to hand over information under such legislation. However, ProtonMail is subject to the full extent of these laws. Proton remains anchored in the country and is thus required to comply with the 1977 Mutual Legal Assistance Treaty With Switzerland that supports the US in such instances. While this doesn't affect the efficacy of Proton VPN, we are deeply concerned about ProtonMail.