Privacy-minded Protonmail users were left disappointed this week, as the popular email service provider handed over user-identifying data to Swiss authorities, which led to the arrest of French climate activists.
As is often the case with the popular email providers, they were forced to collect data on users who were under criminal investigation. It would be naive to assume that a provider as big as Protonmail would risk their business for random users.
To put it bluntly, never expect any company to do jail time for you.
IP logging is not something that is done by default, but rather a process initiated after getting a legal order, which Protonmail couldn’t appeal or dispute. We can assume that Protonmail didn’t want to comply, as user privacy and protection from government agencies is something that means a lot to them.
But at the end of the day, many loyal customers will consider changing their secure email provider now that Protonmail is bombarded more and more with orders for user information.
What Are Users Paying for if Proton’s Hands Are Tied?
While on the paper Protonmail was just following the law of Switzerland, the whole situation still leaves a bitter aftertaste for paying subscribers.
The users deserve to know exactly what they are getting and not getting with the service. As it became apparent, the privacy terms of the company did not clarify a lot of details over the logging policy. We got the most answers after journalists confronted Andy Yen directly.
The Founder and CEO of Proton encouraged its users to access the service exclusively through Tor and use ProtonVPN since VPNs are subject to different requirements under Swiss law.
The problem is, the onion router version of Proton reeks of a honeypot, trying to constantly de-anonymize you, and paying for another service after this unfortunate situation doesn’t look attractive in the slightest.
By all means, this situation gets even messier, as the target of the legal process are the members of the green movement.
Those members were charged after initiating ‘climate camp’ occupations in Paris over the past few years. The French government believes that people behind the green movement were involved in terrorist activities, which Switzerland could not be neutral about.
As Proton couldn’t know the identity of the users, they were unable to prove that the users did not engage in terrorist activities.
Protonmail could not appeal the court order, thus releasing the metadata of the account.
How To Stay Anonymous? Do Not Step on the Big Toes
When your actions, no matter how noble and pure in intentions, make the big wigs angry, you can’t expect any serious protection as a given.
As we all know, the world climate situation is getting worse each year, so the governments are getting more concerned with activists doing something drastic.
The group is fighting against gentrification, real estate speculation, Airbnb, and high-end restaurants. The activists attracted lots of eyes to the problem by occupying Le Petit Cambodge, the same restaurant that terrorists targeted in 2015. They also took over a few commercial premises near Place Sainte Marthe too, which got their campaign national exposure.
And while the group members tried to stay anonymous, they failed to hide all the tracks.
They posted photos of their actions on social media and didn’t blur their clothes like they blurred their faces. Additionally, one of the activists linked the Protonmail address in online postings, which attracted the attention of the French authorities.
They were able to lodge their request through Europol, and so ProtonMail began logging IP information. This subsequently led to the identification and arrest of the activists.
Proton Complied With Over 3,000 Data Orders
The number of requests from the Swiss authorities has grown tremendously over the last few years.
In 2020 it received 3,572 orders for user information, contested 750 of them, and ultimately complied with 3,017 requests. This issue has been addressed and warned about by Andy Yen, but the fact is more than double the number issued in the previous year.
Protonmail is not able to change the trend of new laws adding more levels of surveillance.
Furthermore, Switzerland's reputation as the household of autonomy and privacy is no longer the case, as the country has to cooperate with other sovereign nations. That is why "swiss law" is not a good argument when choosing an email security solution. Proton’s Terms of Service state that they only log IP addresses in extreme criminal cases. Let’s look over that section.
“IP Logging: By default, we do not keep permanent IP logs in relation with your use of the Services. However, IP logs may be kept temporarily to combat abuse and fraud, and your IP address may be retained permanently if you are engaged in activities that breach our terms and conditions (spamming, DDoS attacks against our infrastructure, brute force attacks, etc.)
The legal basis of this processing is our legitimate interest to protect our Services against nefarious activities.
Your login IP address is also kept permanently (until you delete it) if you enable authentication logging for your account (by default this is off). The legal basis of this processing is consent, and you are free to opt-in or opt-out at any time in the security panel of your account.”
Technically, IP is not necessarily personal, but if the VPN isn't running when a request comes, it gets personal fast. The only positive is, Protonmail doesn’t hand over email contents, location history, contacts, or cloud photos like Google and Apple do.
Here’s what they can pass on:
- Sender and recipient email addresses
- The IP address incoming messages originated from
- Message subject
- Message sent and received times
You must also know the following things if you are worried about your online anonymity:
- Simple Mail Transfer Protocol always gives the IP address of the sender;
- Email headers cannot be encrypted because the email servers would not be able to process them. To, from, and the subject are always cleartext, and legal entities never shied away from saying that they operate based on metadata;
- If you send an email from, let’s say, a Gmail domain, both the content and the headers of the email will still be unencrypted.
As you can see by now, just using a secure solution doesn’t make your information private.
What Could Be Done Differently by Protonmail?
No technology is safe from the law, but some companies are taking a stance.
While Protonmail gives you the tools to protect your email conversations, the decision on how to use them is entirely up to the user. Therefore every user should understand the consequences of their actions and know in advance that nobody will bite the bullet for them.
But even though this scandal will boil over and Protonmail will continue delivering their service as usual, one question from Techcrunch representatives highlights the bigger problem at hand. Andy Yen was asked the following question:
“When the targeted account holder was notified that their data had been requested by Swiss authorities since, per Protonmail, notification is obligatory under Swiss law.”
The answer?
“For privacy and legal reasons” he is unable to comment on specific details of the case or provide “non-public information on active investigations,” adding: “You would have to direct these inquiries to the Swiss authorities.”
This answer suggests that the company was under another legal order to delay the notification of the users. Reports suggest that logging was active for up to eight months from its start to disclosure. Perhaps the decision to postpone the notification was enforced to avoid the risk of injury, death, and irreparable damage, which doesn’t necessarily mean bodily harm.
Long gone are the days of Lavabit, who took the stand and suspended its operations in 2013. The US Federal Government ordered them to turn over SSL private keys to spy on Edward Snowden’s email.
"In 2013, we suspended service to protect our global customers when the U.S. government ordered us to release our Transport Layer Security private keys. To protect your digital privacy and freedom, we said no."
Still though, even Lavabit records information in the message header so that law enforcement officials in possession of a message can identify the original sender.
It’s unfair to compare two different companies and unethical to talk about StealthMail under these circumstances. Which can only lead us to the following final thought. Email security solutions are still managed and used by people.
As long as that is the case, we should never expect to achieve absolute safety and privacy.
Link in die Zwischenablage kopiert!