It was revealed this week that ProtonMail provided information yet again to the Swiss police regarding a French activist.
The news is a huge blow to the company, often lauded for its attitude to privacy and its thousands of worldwide users, who are now unsure of who they should trust to keep their information safe.
What happened?
The alleged cooperation between the authorities and ProtonMail was confirmed by the email and VPN provider this week. A blog post explained why the provider turned over information to the Swiss police regarding a French activist operating in Paris. The data was requested as part of a much wider-reaching investigation into a number of French activists squatting in buildings in Paris. The buildings, reports claim, are a mixture of apartments and commercial premises.
Although ProtonMail does not cooperate with governments outside of Switzerland, it was obliged to act in this case because the French Police sent a request to the Swiss authorities through Europol, the EU's law enforcement agency.
The news that one of the activists had been discovered via ProtonMail was broken by the activists themselves on French anticapitalist website Paris-luttes.info. Questions still remain on when – if at all – the French activist in question was notified his data was being tracked (which is a legal obligation outlined in Swiss law).
Why is this so controversial?
The core reason this news is so troubling is that ProtonMail markets itself as a secure and privacy-preserving email service, one that is particularly unique in a global marketplace lacking secure email providers. Gmail, for instance, is not very secure at all. But If ProtonMail has started cooperating with the authorities in any country, then the service isn't anonymous as is often advertised.
Admittedly, in ProtonMail's Privacy Policy, the company states that IP addresses can be logged in 'criminal cases' – but that's also part of the problem. If it's possible for ProtonMail to start logging your IP address at all, then the platform as a whole is not very anonymous.
On top of this, elsewhere – such as their 2021 transparency report – it is suggested that this only pertains to extreme criminal cases. But this case seems far from the sort that a privacy-conscious person would see it fit to meddle in. A user commented last year asking for clarification on this point, to which a ProtonMail writer replied:
The perpetrator in this case, at least in most people's eyes, has not committed a serious offense. They're a climate change activist who has been squatting buildings, something which few observers would classify as an extreme criminal act.
It's an odd situation for ProtonMail: if you're compelled by the law of the country you're in to do something for the government, you have to do it – but their reputation was built on the notion of them being an anonymous mail service, despite the surveillance law being passed in 2015.
How did ProtonMail respond?
ProtonMail has issued a response to this specific case, in which they said that "there was no legal possibility to resist or fight this particular request", and that they were unaware that the individual being pursued by the police was a climate activist.
In the response, ProtonMail claims the request came through 'channels typically reserved for serious crimes', provides a number of other reasons as to why this action to place, and clarifies what authorities can and can't compel them to give over user data.
ProtonMail in crisis
This is, unfortunately, the second time in a matter of weeks that ProtonMail's reputation has been dragged through the dirt due to cooperating with the authorities. Two weeks ago, it was revealed that the US government was able to obtain information about a user that had been making death threats about Dr. Anthony Fauci, the incredibly well-regarded scientist heading up the US's response as the President's Chief Medical Advisor.
ProPrivacy's Hannah Hart explained in a recent article that this cooperation with authorities is due "in no small part to new laws passed in response to the 2015 terrorist attacks in Paris. ProtonMail previously slammed the introduction of these surveillance laws (the Nachrichtendienstgesetzt, or NDG, and the BÜPF), claiming that they would lead to the creation of a 'mini NSA' within Switzerland. ProtonMail's founder, Andy Yen, also claimed that the service would leave Switzerland entirely rather than cooperate with the BÜPF".
Importantly, Proton VPN, a VPN network run by the same company, has confirmed that VPNs are not subject to the same surveillance under Swiss law, so they cannot be compelled to give out information on VPN users in the same way.