ProtonMail, widely acknowledged as one of the most secure email services, recently changed its IP logging policy after a police investigation resulted in the arrest of a user.
The company logged the user’s account and collected their IP address, which was then handed over and reached the French authorities, who subsequently arrested the user in France.
The data handover resulted from a legal request from a Swiss court, something ProtonMail was legally obliged to comply with.
ProtonMail commented that it was not legally allowed to challenge this order.
A recently released court document revealed that ProtonMail provided IP address logs of a user to the French authorities, and this was instrumental in that user’s arrest.
After the court document surfaced, Twitter and various media outlets leaped on the occasion. Everyone cried for blood because of ProtonMail’s alleged “betrayal” of its users’ privacy and anonymity.
But is this an accurate and fair characterization of the case?
In a clarification about the case, ProtonMail published a blog post in which they commented the following:
“In this case, Proton received a legally binding order from Swiss authorities which we are obligated to comply with. There was no possibility to appeal this particular request.”
Proton also clarified the following important points:
“1. Under no circumstances can our encryption be bypassed, meaning emails, attachments, calendars, files, etc., cannot be compromised by legal orders.”
“2. ProtonMail does not give data to foreign governments; that’s illegal under Article 271 of the Swiss Criminal Code. We only comply with legally binding orders from Swiss authorities.”
The blog post also explained that the company’s VPN service, ProtonVPN, is being treated differently from a legal perspective:
“6. Under current Swiss law, email and VPN are treated differently, and ProtonVPN cannot be compelled to log user data.”
The post further explained that the company could not know users’ identities:
“7. Due to Proton’s strict privacy, we do not know the identity of our users […]”
ProtonMail’s main argument is that there was no legal basis for them to fight this court order, and there wasn’t anything else they could do in this particular case.
Analyzing current Swiss legislation and regulations, this does seem to be the case, meaning that Proton had no other legal option than to comply with this order.
As such, one can conclude that the backlash against the company might be unwarranted and exaggerated.
ProtonMail has also changed its terms of service about IP logging.
Let’s compare what the ProtonMail website used to say with what it says now regarding IP logs. This is the same section of text on their website, before and after the modification.
Before:
“No personal information is required to create your secure email account. By default, we do not keep any IP logs that can be linked to your anonymous email account. Your privacy comes first.”
After:
“ProtonMail is email that respects the privacy and puts people (not advertisers) first. Your data belongs to you, and our encryption ensures that. We also provide an anonymous email gateway.”
ProtonMail CEO Andy Yen reached out to Privacy Affairs by email and explained that contrary to what various news sites have reported, the company did not “stealthily implement” these changes.
Rather, these changes were publicly announced in the linked blog post.
Yen wrote that “It [the changing of the IP log policy] was not a stealthy replacement because actually in the blog post linked above, we mentioned explicitly that we would be making the change.”
From the company’s inception, ProtonMail has emphasized that its Swiss jurisdiction confers legal independence and that the Swiss courts can compel it to release only extremely limited information.
Here’s a quote from their official website:
“As ProtonMail is outside of US and EU jurisdiction, only a court order from the Cantonal Court of Geneva or the Swiss Federal Supreme Court can compel us to release the extremely limited user information we have.”
What was previously unknown was what this “extremely limited information” actually meant. Seemingly, in the past this did not include IP logs. However, this now appears to have changed under Swiss regulations.
Again, it’s important to point out here that contrary to what’s being reported in other media outlets, it seems that it was not ProtonMail who was at fault in this case.
The data handover happened as a consequence of a legal request by a Swiss court, something the email provider was legally unable to challenge.
Therefore, the essence of this case is not how ProtonMail handled this situation, but that Swiss jurisdiction seemingly no longer offers as many protections as was assumed in the past.
Riseup, a US-based email and VPN provider, was legally compelled to cooperate on two sealed warrants from the FBI. The consequences of not complying: jail time and the premature closure of the Riseup company.
In their defense, they had a gag order preventing them from warning users of these events. They couldn’t even update their Warrant Canary because of this. Only when the gag orders expired could they breathe a word about it.
Another famous case is that of Tutanota, a German email provider. In 2020, a German court compelled Tutanota to log incoming and outgoing unencrypted emails for a German user.
The German court could access all unencrypted emails sent to and from the user’s email address, while the encrypted correspondence stayed that way.
The situation with Tutanota is strikingly similar to ProtonMail’s, in that a court-issued order targeted one individual. The email providers had to log that specific user’s activities and collect the IP address. Other users were not affected at all.
Court orders are not always met without resistance.
This was the case with ExpressVPN, Private Internet Access, and OVPN. They all successfully resisted government-issued requests to log their users.
OVPN, in particular, met with a resounding success in the court of law. The Swedish-based VPN service was ordered by a court to start logging several users who had been accused of violating copyright laws.
They were downloading movies, so a group called “Rights Alliance” wanted their heads on a stick.
On the other hand, IPVanish and PureVPN are just two examples of providers that complied with government demands. Their customer base has never risen to the same heights since.
However, it must be noted that the outcome of such cases depends on the particular laws in different jurisdictions. No two cases are the same.
Just because someone successfully fought a court order in one country does not mean they would have reached the same outcome if the same case had happened in a different jurisdiction.
While we’re touching on VPNs, we strongly recommend you always use one with no history of data sharing.
Even if your email provider stores logs, they won’t have much information if you use a strong VPN: the provider sees the VPN’s IP address rather than yours, so the logged IP address does not point back to you.
Note: This news piece was amended to include comments provided by ProtonMail CEO Andy Yen and further clarifications about this case. The initial article incorrectly reported that ProtonMail “stealthily” changed its IP logging policies; in fact, this change was publicly announced.