ProtonMail Gives up Protester’s IP Address, Leading to Arrest

ProtonMail is an email hosting service that stores and transmits your emails in an encrypted format that only you and your recipient can read. Messages are encrypted end-to-end and at rest on the server. This keeps them safe from anyone, even ProtonMail. No one can read your messages. ProtonMail is the email service you use if you want to protect your privacy online. That’s why the arrest of a French climate activist thanks to ProtonMail is especially worrisome. Swiss authorities asked ProtonMail to log the IP address for a certain user. ProtonMail didn’t know the reason or the user, and they couldn’t access the user’s emails. However, they did comply with the Swiss order. They logged a user’s IP address, which led to their eventual arrest and capture.

Is ProtonMail still safe?

ProtonMail’s Reluctant Compliance

For some time now, a small area in France has become home to protests. Literally. Squatters took up locations in an area of Paris that they did not want to be gentrified by new, more expensive businesses. Initially, it was a protest against gentrification, but it evolved and grew into a larger protest against capitalism in general. And, frankly, any protest against capitalism is also a protest against climate change, so it grew more.

French authorities, through Europol, eventually convinced the Swiss government to get ProtonMail to give up details on a user. The approval required multiple agencies and governments before Swiss authorities agreed. Switzerland only respects its own laws, and does not make these exceptions often. That’s why many privacy-focused businesses set up shop there.

“In this case, Proton received a legally binding order from Swiss authorities which we are obligated to comply with. There was no possibility to appeal this particular request.”

– Andy Yen

From there, ProtonMail began logging the IP address of the requested user, something they only do in cases like this. According to ProtonMail’s CEO, Andy Yen, the company wasn’t able to fight the order. It was a high level of prosecution and urgency, and they were not allowed to appeal. It was comply or face charges themselves. They complied. While ProtonMail cannot go through users’ email, they could log IP addresses for people accessing their accounts. With this, police were able to track down a user who organized protests and sit-ins.

How ProtonMail Protects Users

ProtonMail obviously didn’t want to comply with requests for climate activists. Yen’s letter to ProtonMail users highlighted this fact, “Due to Proton’s strict privacy, we do not know the identity of our users, and at no point were we aware that the targeted users were climate activists.” They also stated that they only follow Swiss law, and their VPN service has extra protections under Swiss law that stop such tracking.

With ProtonMail, the contents of your messages can’t be read. But what about the IP address? Was there anything this climate protester could have done to avoid arrest? As it turns out, yes. ProtonMail has protections for IP tracking as well.

ProtonMail has a website only accessible through a Tor browser. For those who don’t know, such websites live on the Tor network, a network that anonymizes traffic by sending it, encrypted, through multiple nodes. It disguises your IP address, making it nearly untraceable. It’s where the so-called “Dark Web” exists. If you want true privacy, you can use a secure VPN like NordVPN or ProtonVPN, or you can go the extra mile and use the Tor network. ProtonMail is one of very few email hosting services that features a Tor website.

How ProtonMail Failed Users (Hint: It Didn’t)

Really, if you’re going to do something illegal, you can’t expect normal consumer-level privacy protections to be enough. You really should be using a Tor browser. It’s not perfect: there are some nodes in the Tor network managed by governments for tracking users, so it’s like a data landmine that could expose you, but it’s far more trustworthy than using your own IP address or even a VPN service that might log metadata. That’s why it’s better to use a paid VPN service that protects your location, IP, and data, like NordVPN, though that isn’t perfect either. Nothing online is completely private. Peer-to-peer communication networks offer more privacy, but not the reach of the internet. Therefore, ProtonMail is still one of the best options for an email experience that looks and feels like normal email, but is actually very secure.

Requests for data are increasing. According to ProtonMail, they received 3,517 requests and complied with 3,017 this year. That’s double what they saw in the previous year. Authorities have learned to invade privacy and security. However, there are still workarounds. This isn’t so much a breach of ProtonMail’s security as a warning to be a bit safer when you’re using it for anything that’s maybe a little illegal. Authoritarians in world governments are especially cracking down on climate protesters, so perhaps take extra caution if you’re trying to save the planet.