Activists against climate change have been arrested in France, after ProtonMail provided its information at a request from Europol.
ProtonMail is considered the most private email service, due to the features such as end-to-end encryption. But the two details that make it more special, and that it promotes the most on its website, are that the servers are in Switzerland, where there are “stricter” laws to protect privacy, and that the company does not register IP addresses, which has each user that connects to the Internet and that can be used to track and identify them.
And yet, this weekend the opposite has been revealed: that the company can register the IP address, and that being in Switzerland is not a ‘magic’ protection for our data. Members of the Youth for Climate movement, inspired by Greta Thunberg, have been arrested for having installed “climate camps” in protests organized in 2020 and 2021; Like many activists, they used ProtonMail to communicate securely.
ProtonMail CEO Andy Yen has confirmed that they received a legal request from Europol, via the Swiss authorities, which they could not refuse. In this way, they provided the IP addresses and information on the type of device used to connect to the service. It has not been confirmed that they have shared emails, which in theory are end-to-end encrypted, and therefore, only participants can read, according to their website.
However, the web also promises that the service does not record the IP address, nor can it associate it with our email account. Given this, the company has used Reddit to explain that, under Swiss law, Proton can be forced to register information from the accounts of users who are under a criminal investigation; but it also affirms that “unlike others”, ProtonMail fights to avoid that, affirming that in 2020 it denied 700 such cases.
He also remembers that any other service would also have to have provided the data, and that his case is better because it took three authorities in two countries to obtain the ProtonMail information.
But that’s the thing, that ProtonMail was supposed to be different from the rest. To say that users are disappointed with this revelation is an understatement, and responses on Twitter and Reddit are filled with confused and angry users, with more than one threatening to terminate their account.
Some thoughts on the French “climate activist” incident. It’s deplorable that legal tools for serious crimes are being used in this way. But by law, @ProtonMail must comply with Swiss criminal investigations. This is obviously not done by default, but only if legally forced.
?? Andy Yen (@andyyen) September 5, 2021
In response, Andy Yen and ProtonMail have focused on criticizing Europol’s action, calling it “deplorable” that they used legal tools “in this way”, calling the prosecutors in the case “aggressive” and drawing attention to the use in France of laws designed against terrorism . However, they have also confessed that they want to change the language used on the website, and encourage the use of TOR (the so-called ‘deep web’) to avoid IP address tracking.